After executing the reverse shell command through SSH, I set up a netcat listener on port 443 and was able to successfully receive a reverse shell.
I later found out that the reverse shell was not necessary, as a shell could have been spawned by just issuing the command “/bin/sh” while trying to SSH in.
After looking for sudo permissions, SUID binaries, cronjobs, etc., I couldn’t find anything standing out right away. I uploaded LinEnum.sh to the target machine and it was able to tell me that I could connect to MySQL using the default credentials root/root. This is something I should definitely have tested out before using LinEnum.
At this point my problem was to spawn a TTY shell to better interact with MySQL, but I couldn’t find a way to upgrade to a TTY shell. The other option was to execute the queries from a single command with the -e flag. For example, to list the databases I’ll use the following command:
mysql -u root -p -e "show databases"
Now that I know the names of the databases, I’ll issue a command to use the most obvious database “SkyTech” and list its contents. This is the command I’ll use:
mysql -u root -p -e "use SkyTech; show tables"
There was only one table, and looking at the contents of the table shows some passwords for the other user accounts on the machine.
mysql -u root -p -e "use SkyTech; select * from login"
With those credentials I’ll first try to SSH in as the sara user. Just like the user john, the session dies immediately, so I’ll issue the command “/bin/sh” to get a shell.
As I always do first when I get a shell, I checked for sudo permissions using the “sudo -l” command, and sara did have some sudo permissions for cat and ls.
It seems like I would be able to cat and list files from the /accounts folder, which is actually empty, so I can’t really execute anything with it; the commands also use full paths, so that’s out of the question too. The insecure part of these sudo permissions is the trailing “*” wildcard, which means that anything after /accounts/ is accepted as an argument, including “../”. So I’ll simply try path traversal and see if I can read the contents of the shadow file. This is the command I will use:
sudo /bin/cat /accounts/../../etc/shadow
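To see why the trailing wildcard in that sudoers rule is dangerous, and how to spot such rules during a hardening review, here is a small audit script. It is an added example, not part of the original write-up or of any tool mentioned in it. It parses sudoers-style lines (the sample content, including the user names and paths, is constructed here to mirror the situation above), flags command specs whose path argument ends in a wildcard, and shows that an argument containing “../” still matches the pattern (sudo matches arguments with fnmatch(3)-style globbing, where “*” also matches “/”), so the resolved path can escape the intended directory. The helper that rewrites a rule as an explicit allow-list is an assumption about the fix, not a sudoers feature.

```python
"""Audit sudoers command specs for wildcard arguments that allow path traversal.

Added example (not from the original write-up). Assumes sudoers lines in the
standard `user host = (runas) [TAG:] cmd args` form; sample lines are constructed.
"""
import fnmatch
import os
import re

# Constructed sample sudoers content modelled on the write-up's situation:
# a user may run cat/ls only on files under /accounts, but the trailing
# wildcard lets the argument contain "../" and escape that directory.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
sara    ALL=(ALL) /bin/cat /accounts/*, /bin/ls /accounts/*   # wildcard rule
bob     ALL=(ALL) /bin/cat /accounts/report.txt
alice   ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
"""

SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
# Tags such as NOPASSWD: that may prefix a command spec.
TAG_RE = re.compile(
    r"^(?:(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT"
    r"|LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW):\s*)+"
)


def parse_rules(text):
    """Yield (user, command, args) for every command spec in a sudoers text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        for spec in m.group("cmds").split(","):
            spec = TAG_RE.sub("", spec.strip())
            parts = spec.split(None, 1)
            cmd = parts[0]
            args = parts[1] if len(parts) > 1 else ""
            yield m.group("user"), cmd, args


def wildcard_matches(pattern, argument):
    """fnmatch-style match as sudo applies it to arguments: '*' also matches '/'."""
    return fnmatch.fnmatchcase(argument, pattern)


def find_traversal_wildcards(text):
    """Return findings for specs whose wildcard path argument can escape its directory."""
    findings = []
    for user, cmd, args in parse_rules(text):
        if cmd == "ALL":
            continue
        for arg in args.split():
            if "*" in arg and arg.startswith("/"):
                allowed_dir = os.path.dirname(arg)
                # The pattern is matched textually, so a "../" sequence inside the
                # wildcard part is accepted; the kernel then resolves it upward.
                probe = os.path.join(allowed_dir, "../../etc/shadow")
                if wildcard_matches(arg, probe):
                    findings.append({
                        "user": user,
                        "cmd": cmd,
                        "arg": arg,
                        "allowed_dir": allowed_dir,
                        "escapes_to": os.path.normpath(probe),
                    })
    return findings


def hardened_spec(user, cmd, files):
    """Assumed fix: replace the wildcard with an explicit list of absolute paths."""
    return f"{user} ALL=(ALL) " + ", ".join(f"{cmd} {f}" for f in files)


if __name__ == "__main__":
    for f in find_traversal_wildcards(SAMPLE_SUDOERS):
        print(f"{f['user']}: {f['cmd']} {f['arg']} -> argument can resolve to {f['escapes_to']}")
    print(hardened_spec("sara", "/bin/cat", ["/accounts/report.txt"]))
```

Running the script against the constructed sample flags both of sara’s rules and leaves bob’s and alice’s alone, since their arguments contain no wildcard. The same check can be pointed at the real /etc/sudoers and /etc/sudoers.d/* on a host being reviewed; the practical fix is to enumerate the exact files a user needs rather than granting a glob.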
I was able to successfully get the contents of the file, so I tried to crack the password hashes using John the Ripper, but it was taking too much time and it just didn’t seem like the right way to do it. Since I can do path traversal and I can also use the ls command as sudo, I’ll check the contents of the root directory with the following command:
sudo /bin/ls /accounts/../../root/
There was only the flag.txt file inside the directory, and looking at the contents of the file reveals the password for the root account.
I was then able to SSH in as the root user with the password found.