Sorcerer
Writeup for Sorcerer from offsec Proving Grounds
sudo ./nmapAutomator.sh 192.168.197.100 all
Dead end. Ran gobuster, but nothing interesting came up.
gobuster dir -u http://192.168.197.100:8080/ -w /usr/share/dirb/wordlists/common.txt -t 40
Another dead end.
Notice that there are interesting files at /default/ and /zipfiles/.
We can download all the files and take a look at what's inside.
Using ls -laR, we can see that max has some interesting files.
Looking at the authorized_keys file, we can see that scp_wrapper.sh is run whenever a user connects with ssh.
Let's take a look at this scp_wrapper.sh.
We can gather a few things from the script. When the user max connects with ssh, he can only execute commands that start with scp.
Since scp runs over ssh, we can use max's id_rsa file to connect and overwrite the scp_wrapper.sh file with something that gives us an interactive shell.
We edit the scp_wrapper.sh file to include the command 'bash'.
We can now connect with scp and transfer the edited wrapper file using the following command:
scp -i /home/kali/PG/sorcerer/max-home/max/.ssh/id_rsa /home/kali/PG/sorcerer/max-home/max/scp_wrapper.sh max@192.168.197.100:/home/max/scp_wrapper.sh
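The reason this works is that the forced command in authorized_keys points at a script the restricted user owns, so the "only scp" gate can be rewritten by the user it is meant to confine. The following script is an added example and is not part of the writeup or of the box's own scp_wrapper.sh: it models the gate the writeup describes (allow only commands starting with scp) and adds the ownership and permission check an administrator would run against a forced-command wrapper. The function names, the use of a plain argument in place of $SSH_ORIGINAL_COMMAND, and the numeric-uid calling convention are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the writeup's or the box's own scripts. Models the
# forced-command gate described on the page and checks the property the
# bypass relies on: the wrapper being modifiable by the restricted user.
# The $1/$2 conventions below are assumptions for this example.

# Gate as described on the page: accept only an original command that is
# exactly "scp" or starts with "scp ". Returns 0 to allow, 1 to deny.
# ($1 stands in for $SSH_ORIGINAL_COMMAND, which sshd sets for a forced command.)
allow_command() {
    case "$1" in
        scp|scp\ *) return 0 ;;
        *) return 1 ;;
    esac
}

# A forced-command wrapper is only a control if the restricted user cannot
# rewrite it. $1 = wrapper path, $2 = numeric uid of the restricted user.
# Returns 0 when the wrapper is safe, 1 when that user can modify it.
wrapper_is_safe() {
    ws_line=$(ls -ldn "$1" 2>/dev/null) || return 1   # missing file: treat as unsafe
    ws_perms=$(printf '%s\n' "$ws_line" | awk '{print $1}')
    ws_owner=$(printf '%s\n' "$ws_line" | awk '{print $3}')
    # The owner can chmod the file even if it is mode 0444, so ownership by
    # the restricted user is enough to defeat the control (as on Sorcerer,
    # where max owns scp_wrapper.sh).
    if [ "$ws_owner" = "$2" ]; then
        return 1
    fi
    # Group-writable (6th char) or world-writable (9th char): someone other
    # than root can still replace the script body.
    case "$ws_perms" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# Stand-alone demonstration: pass a wrapper path as the first argument.
# Shows which commands the gate lets through and whether the current user
# could modify the wrapper. Skipped when no argument is given.
if [ "$#" -gt 0 ]; then
    for cmd in "scp -t /home/max/" "bash"; do
        if allow_command "$cmd"; then echo "allow: $cmd"; else echo "deny:  $cmd"; fi
    done
    if wrapper_is_safe "$1" "$(id -u)"; then
        echo "$1: not modifiable by uid $(id -u)"
    else
        echo "$1: modifiable by uid $(id -u); the forced command is not a real restriction"
    fi
fi
```

Run it as ./wrapper_check.sh /path/to/scp_wrapper.sh. The fix on the defending side is the one the check encodes: the wrapper (and the directory it lives in) should be root-owned and not writable by the key's user, so that the restricted account can upload files without being able to replace the gate itself.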
We then find a user named dennis, whose home directory contains local.txt.
We can get LinEnum.sh onto the machine after starting a Python SimpleHTTPServer.
LinEnum shows an interesting SUID file: start-stop-daemon.
A quick search on GTFOBins shows the exact command to run to get root.
/usr/sbin/start-stop-daemon -n $RANDOM -S -x /bin/sh -- -p
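The root step works only because start-stop-daemon, which is not setuid on a stock install, had the SUID bit set. The script below is an added example, not part of the writeup or of LinEnum: it is the defender-side version of that enumeration, listing setuid files under a tree and reporting any whose name is not on an allowlist of binaries that are normally setuid. The allowlist, function names and the "report by basename" approach are assumptions made for this example; adjust the list to your own distribution's baseline.

```shell
#!/bin/sh
# Added example, not from the writeup. Audits setuid binaries under a
# directory tree against an allowlist of names that are setuid on a typical
# Debian-style install. Anything else, such as start-stop-daemon, is reported.
# EXPECTED_SUID is an assumption for this example, not a distribution fact.
EXPECTED_SUID="passwd su sudo mount umount chsh chfn gpasswd newgrp"

# Prints the path of every setuid regular file under $1 whose basename is
# not in EXPECTED_SUID, one per line. Prints nothing when the tree is clean.
unexpected_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        base=$(basename "$f")
        case " $EXPECTED_SUID " in
            *" $base "*) ;;                 # known setuid binary, skip
            *) printf '%s\n' "$f" ;;        # unexpected setuid bit
        esac
    done
}

# Returns 0 when no unexpected setuid binary exists under $1, 1 otherwise,
# so the audit can be used as a pass/fail check in a cron job or CI step.
suid_audit_clean() {
    [ -z "$(unexpected_suid "$1")" ]
}

# Stand-alone usage: ./suid_audit.sh /usr  (skipped when no argument is given).
if [ "$#" -gt 0 ]; then
    if suid_audit_clean "$1"; then
        echo "$1: no unexpected setuid binaries"
    else
        echo "$1: unexpected setuid binaries:"
        unexpected_suid "$1"
    fi
fi
```

On Sorcerer this audit would have flagged /usr/sbin/start-stop-daemon; removing the bit with chmod u-s is the fix, since nothing in a normal service setup needs that binary to be setuid.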