// notes/ PrivEsc — Linux
🐧

Sudo Simple Ctf

Notes from oscp.adot8.com — linux privilege escalation.

#linux privilege escalation#adot8
source · oscp.adot8.com · linux-privilege-escalation/sudo_simple-ctf

Simple CTF

code
01 ___
02 ( _ ) _ __ ___ __ _ _ __
03 / _ \| '_ ` _ \ / _` | '_ \
04| (_) | | | | | | (_| | |_) |
05 \___/|_| |_| |_|\__,_| .__/
06 |_|
07
08[+] Scanning 10.10.25.17 [65535 ports]
09
10
11[+] Enumerating 10.10.25.17 [21,80,2222]
12
13Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-30 10:25 CDT
14Nmap scan report for 10.10.25.17
15Host is up (0.13s latency).
16
17PORT STATE SERVICE VERSION
1821/tcp open ftp vsftpd 3.0.3
19| ftp-anon: Anonymous FTP login allowed (FTP code 230)
20|_Can't get directory listing: TIMEOUT
21| ftp-syst:
22| STAT:
23| FTP server status:
24| Connected to ::ffff:10.9.209.91
25| Logged in as ftp
26| TYPE: ASCII
27| No session bandwidth limit
28| Session timeout in seconds is 300
29| Control connection is plain text
30| Data connections will be plain text
31| At session startup, client count was 4
32| vsFTPd 3.0.3 - secure, fast, stable
33|_End of status
3480/tcp open http Apache httpd 2.4.18 ((Ubuntu))
35|_http-title: Apache2 Ubuntu Default Page: It works
36|_http-server-header: Apache/2.4.18 (Ubuntu)
37| http-robots.txt: 2 disallowed entries
38|_/ /openemr-5_0_1_3
392222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
40| ssh-hostkey:
41| 2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 (RSA)
42| 256 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c (ECDSA)
43|_ 256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (ED25519)
44Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
45
46Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
47Nmap done: 1 IP address (1 host up) scanned in 38.29 seconds
48
49[+] Enumerating 10.10.25.17 for vulnerabilities [21,80,2222]
50
51Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-30 10:26 CDT
52Pre-scan script results:
53|_broadcast-avahi-dos: ERROR: Script execution failed (use -d to debug)
54Nmap scan report for 10.10.25.17
55Host is up (0.13s latency).
56
57PORT STATE SERVICE
5821/tcp open ftp
5980/tcp open http
60|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
61|_http-csrf: Couldn't find any CSRF vulnerabilities.
62|_http-dombased-xss: Couldn't find any DOM based XSS.
63| http-slowloris-check:
64| VULNERABLE:
65| Slowloris DOS attack
66| State: LIKELY VULNERABLE
67| IDs: CVE:CVE-2007-6750
68| Slowloris tries to keep many connections to the target web server open and hold
69| them open as long as possible. It accomplishes this by opening connections to
70| the target web server and sending a partial request. By doing so, it starves
71| the http server's resources causing Denial Of Service.
72|
73| Disclosure date: 2009-09-17
74| References:
75| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
76|_ http://ha.ckers.org/slowloris/
77| http-enum:
78|_ /robots.txt: Robots file
792222/tcp open EtherNetIP-1
80
81Nmap done: 1 IP address (1 host up) scanned in 319.78 seconds
82
83[+] Completed!
84
code
01
02 /'___\ /'___\ /'___\
03 /\ \__/ /\ \__/ __ __ /\ \__/
04 \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
05 \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
06 \ \_\ \ \_\ \ \____/ \ \_\
07 \/_/ \/_/ \/___/ \/_/
08
09 v2.1.0-dev
10________________________________________________
11
12 :: Method : GET
13 :: URL : http://10.10.25.17/FUZZ
14 :: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
15 :: Follow redirects : false
16 :: Calibration : false
17 :: Timeout : 10
18 :: Threads : 40
19 :: Matcher : Response status: 200-299,301,302,307,401,403,405,500
20________________________________________________
21
22# on atleast 2 different hosts [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 131ms]
23# This work is licensed under the Creative Commons [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 132ms]
24# [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 133ms]
25# or send a letter to Creative Commons, 171 Second Street, [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 900ms]
26# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 1892ms]
27# directory-list-2.3-medium.txt [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 2895ms]
28 [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 2899ms]
29# [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 3904ms]
30# Priority ordered case sensative list, where entries were found [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 3905ms]
31# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 4913ms]
32# [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 4919ms]
33# Copyright 2007 James Fisher [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 4919ms]
34# [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 4919ms]
35# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 4921ms]
36simple [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 125ms]
37 [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 130ms]
code
01------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
02 Exploit Title | Path
03------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
04Bolt CMS < 3.6.2 - Cross-Site Scripting | php/webapps/46014.txt
05CMS Made Simple < 2.2.10 - SQL Injection | php/webapps/46635.py
06Composr-CMS Version <=10.0.39 - Authenticated Remote Code Execution | php/webapps/51060.txt
07Concrete CMS < 5.5.21 - Multiple Vulnerabilities | php/webapps/37225.pl
08Concrete5 CMS < 5.4.2.1 - Multiple Vulnerabilities | php/webapps/17925.txt
09Concrete5 CMS < 8.3.0 - Username / Comments Enumeration | php/webapps/44194.py
10DeDeCMS < 5.7-sp1 - Remote File Inclusion | php/webapps/37423.txt
11Drake CMS < 0.2.3 ALPHA rev.916 - Remote File Inclusion | php/webapps/2713.txt
12Kirby CMS < 2.5.7 - Cross-Site Scripting | php/webapps/43140.txt
13Monstra CMS < 3.0.4 - Cross-Site Scripting (1) | php/webapps/44855.py
14Monstra CMS < 3.0.4 - Cross-Site Scripting (2) | php/webapps/44646.txt
15Mura CMS < 6.2 - Server-Side Request Forgery / XML External Entity Injection | cfm/webapps/43045.txt
16Redaxo CMS Mediapool Addon < 5.5.1 - Arbitrary File Upload | php/webapps/44891.txt
17zKup CMS 2.0 < 2.3 - Arbitrary File Upload | php/webapps/5220.php
18zKup CMS 2.0 < 2.3 - Remote Add Admin | php/webapps/5219.php
19------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
20Shellcodes: No Results
21
<figure><img src="/files/JnOji6aLV6BtWfZ2wJbe" alt=""><figcaption></figcaption></figure> <figure><img src="/files/5IczlgcL3RijC62WnIh9" alt=""><figcaption></figcaption></figure>

Bruh ._.

<figure><img src="/files/Lvhv76dzps6TAwMm2EiM" alt=""><figcaption></figcaption></figure> <figure><img src="/files/DRWD2X8b9dnTnCSTxcFn" alt=""><figcaption></figcaption></figure> <figure><img src="/files/Pagf8twkDYh1fbLkL3bn" alt=""><figcaption></figcaption></figure>