// notes/ PrivEsc — Linux
🐧
Sudo Simple Ctf
Notes from oscp.adot8.com — linux privilege escalation.
#linux privilege escalation#adot8
source · oscp.adot8.com · linux-privilege-escalation/sudo_simple-ctf ↗Simple CTF
code
01 ___ 02 ( _ ) _ __ ___ __ _ _ __ 03 / _ \| '_ ` _ \ / _` | '_ \ 04| (_) | | | | | | (_| | |_) |05 \___/|_| |_| |_|\__,_| .__/ 06 |_| 07 08[+] Scanning 10.10.25.17 [65535 ports]09 10 11[+] Enumerating 10.10.25.17 [21,80,2222]12 13Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-30 10:25 CDT14Nmap scan report for 10.10.25.1715Host is up (0.13s latency).16 17PORT STATE SERVICE VERSION1821/tcp open ftp vsftpd 3.0.319| ftp-anon: Anonymous FTP login allowed (FTP code 230)20|_Can't get directory listing: TIMEOUT21| ftp-syst: 22| STAT: 23| FTP server status:24| Connected to ::ffff:10.9.209.9125| Logged in as ftp26| TYPE: ASCII27| No session bandwidth limit28| Session timeout in seconds is 30029| Control connection is plain text30| Data connections will be plain text31| At session startup, client count was 432| vsFTPd 3.0.3 - secure, fast, stable33|_End of status3480/tcp open http Apache httpd 2.4.18 ((Ubuntu))35|_http-title: Apache2 Ubuntu Default Page: It works36|_http-server-header: Apache/2.4.18 (Ubuntu)37| http-robots.txt: 2 disallowed entries 38|_/ /openemr-5_0_1_3 392222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)40| ssh-hostkey: 41| 2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 (RSA)42| 256 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c (ECDSA)43|_ 256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (ED25519)44Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel45 46Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .47Nmap done: 1 IP address (1 host up) scanned in 38.29 seconds48 49[+] Enumerating 10.10.25.17 for vulnerabilities [21,80,2222]50 51Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-30 10:26 CDT52Pre-scan script results:53|_broadcast-avahi-dos: ERROR: Script execution failed (use -d to debug)54Nmap scan report for 10.10.25.1755Host is up (0.13s latency).56 57PORT STATE SERVICE5821/tcp open ftp5980/tcp open http60|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.61|_http-csrf: Couldn't find any CSRF vulnerabilities.62|_http-dombased-xss: Couldn't find any DOM based XSS.63| http-slowloris-check: 64| VULNERABLE:65| Slowloris DOS attack66| State: LIKELY VULNERABLE67| IDs: CVE:CVE-2007-675068| Slowloris tries to keep many connections to the target web server open and hold69| them open as long as possible. It accomplishes this by opening connections to70| the target web server and sending a partial request. By doing so, it starves71| the http server's resources causing Denial Of Service.72| 73| Disclosure date: 2009-09-1774| References:75| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-675076|_ http://ha.ckers.org/slowloris/77| http-enum: 78|_ /robots.txt: Robots file792222/tcp open EtherNetIP-180 81Nmap done: 1 IP address (1 host up) scanned in 319.78 seconds82 83[+] Completed!84 code
01 02 /'___\ /'___\ /'___\ 03 /\ \__/ /\ \__/ __ __ /\ \__/ 04 \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ 05 \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ 06 \ \_\ \ \_\ \ \____/ \ \_\ 07 \/_/ \/_/ \/___/ \/_/ 08 09 v2.1.0-dev10________________________________________________11 12 :: Method : GET13 :: URL : http://10.10.25.17/FUZZ14 :: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt15 :: Follow redirects : false16 :: Calibration : false17 :: Timeout : 1018 :: Threads : 4019 :: Matcher : Response status: 200-299,301,302,307,401,403,405,50020________________________________________________21 22# on atleast 2 different hosts [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 131ms]23# This work is licensed under the Creative Commons [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 132ms]24# [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 133ms]25# or send a letter to Creative Commons, 171 Second Street, [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 900ms]26# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 1892ms]27# directory-list-2.3-medium.txt [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 2895ms]28 [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 2899ms]29# [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 3904ms]30# Priority ordered case sensative list, where entries were found [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 3905ms]31# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 4913ms]32# [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 4919ms]33# Copyright 2007 James Fisher [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 4919ms]34# [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 4919ms]35# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 4921ms]36simple [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 125ms]37 [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 130ms]code
01------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------02 Exploit Title | Path03------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------04Bolt CMS < 3.6.2 - Cross-Site Scripting | php/webapps/46014.txt05CMS Made Simple < 2.2.10 - SQL Injection | php/webapps/46635.py06Composr-CMS Version <=10.0.39 - Authenticated Remote Code Execution | php/webapps/51060.txt07Concrete CMS < 5.5.21 - Multiple Vulnerabilities | php/webapps/37225.pl08Concrete5 CMS < 5.4.2.1 - Multiple Vulnerabilities | php/webapps/17925.txt09Concrete5 CMS < 8.3.0 - Username / Comments Enumeration | php/webapps/44194.py10DeDeCMS < 5.7-sp1 - Remote File Inclusion | php/webapps/37423.txt11Drake CMS < 0.2.3 ALPHA rev.916 - Remote File Inclusion | php/webapps/2713.txt12Kirby CMS < 2.5.7 - Cross-Site Scripting | php/webapps/43140.txt13Monstra CMS < 3.0.4 - Cross-Site Scripting (1) | php/webapps/44855.py14Monstra CMS < 3.0.4 - Cross-Site Scripting (2) | php/webapps/44646.txt15Mura CMS < 6.2 - Server-Side Request Forgery / XML External Entity Injection | cfm/webapps/43045.txt16Redaxo CMS Mediapool Addon < 5.5.1 - Arbitrary File Upload | php/webapps/44891.txt17zKup CMS 2.0 < 2.3 - Arbitrary File Upload | php/webapps/5220.php18zKup CMS 2.0 < 2.3 - Remote Add Admin | php/webapps/5219.php19------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------20Shellcodes: No Results21 Bruh ._.
<figure><img src="/files/Lvhv76dzps6TAwMm2EiM" alt=""><figcaption></figcaption></figure> <figure><img src="/files/DRWD2X8b9dnTnCSTxcFn" alt=""><figcaption></figcaption></figure> <figure><img src="/files/Pagf8twkDYh1fbLkL3bn" alt=""><figcaption></figcaption></figure>