# Sorcerer

## Information Gathering

`sudo ./nmapAutomator.sh 192.168.197.100 all`

![](/files/kxOvpYLaUh4XbgwMYPVI)

![](/files/JWzVPJrjhTjlDBjGX56K)

### Service Enumeration

### HTTP (Port 80)

Dead end. Ran gobuster, nothing interesting came up.

![](/files/V9Pg1oG5WeKliMJF85iT)

### HTTP (Port 8080)

![](/files/Nyc4ZjQAzACxNbvRls0c)

`gobuster dir -u http://192.168.197.100:8080/ -w /usr/share/dirb/wordlists/common.txt -t 40`

![](/files/HfhoNAullGH6s1t602MF)

Another dead end.

### HTTP (Port 7742)

Notice there are interesting files at `/default/` and `/zipfiles/`.

![](/files/o57fcH8m2CAOvujZBbPr)

## Exploit

![](/files/xZ6nzk8v8lmgKW2R8cHr)

We can download all the files and take a look at what's inside.

Using `ls -laR` on the downloaded files, we can see that the user `max` has some interesting files in his home directory.

![](/files/JdvkjQeeXjYbMQsl9ldX)

Looking at the `authorized_keys` file, we can see that `scp_wrapper.sh` is set as a forced command, so it runs whenever max's key is used to connect over `ssh`.

![](/files/vznnnnQhsR3lenxtFPR4)

Let's take a look at this `scp_wrapper.sh`.

![](/files/Z6zbeVCu9zLmRpU8Da53)

We can gather a few things from the script: when the user max connects over `ssh`, the wrapper only allows commands that start with `scp`.

Since `scp` runs over `ssh`, we can use max's `id_rsa` file to connect and overwrite the `scp_wrapper.sh` file with something that gives us an interactive shell.
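As an added example (not the machine's actual wrapper, whose contents appear only in the screenshot), this is what a forced-command wrapper of this kind looks like with the two gaps closed: the wrapper lives in a path the restricted user cannot write, and uploads are confined to one directory so `scp` itself cannot be used to replace the wrapper. The `command=` prefix, the `/usr/local/bin` location and the `/home/max/uploads` directory are assumptions.

```shell
#!/bin/sh
# Added example, not the box's own scp_wrapper.sh (that file is only shown
# in the screenshot). Assumed setup: max's authorized_keys entry carries
#   command="/usr/local/bin/scp_wrapper.sh",no-pty,no-port-forwarding ...
# so sshd runs this script with the client's real command line in
# $SSH_ORIGINAL_COMMAND. Beyond "starts with scp", the fix is: keep the
# wrapper in a root-owned path the user cannot write, and confine uploads
# to one directory so scp cannot overwrite the wrapper or authorized_keys.
set -f                                 # no globbing when we word-split below
UPLOAD_DIR="/home/max/uploads"         # assumed drop directory

# check_scp_command "CMD": 0 if CMD is "scp [-r|-d|-p] -t <path>" with
# <path> inside $UPLOAD_DIR (at most one level deep), 1 otherwise.
check_scp_command() {
    set -- $1                          # split the original command on blanks
    [ "$1" = "scp" ] || return 1       # not bash, sh, scp_wrapper.sh, ...
    shift
    target=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -t) [ $# -ge 2 ] || return 1; target=$2; shift 2 ;;
            -r|-d|-p) shift ;;         # harmless sink-side flags
            *) return 1 ;;             # -f (download), --, extra args: deny
        esac
    done
    [ -n "$target" ] || return 1
    case "$target" in
        *..*) return 1 ;;                       # no traversal (also blocks "a..b")
        "$UPLOAD_DIR"|"$UPLOAD_DIR"/) return 0 ;;
        "$UPLOAD_DIR"/*/*) return 1 ;;          # no nested paths
        "$UPLOAD_DIR"/*) return 0 ;;
        *) return 1 ;;                          # e.g. /home/max/scp_wrapper.sh
    esac
}

# Forced-command entry point: runs only when sshd hands us a command.
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    if check_scp_command "$SSH_ORIGINAL_COMMAND"; then
        # exec word-splits but never re-parses via a shell, so ';' or '$'
        # in the target are plain filename bytes, not commands.
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "only scp uploads into $UPLOAD_DIR are allowed" >&2
    exit 1
fi
```

With this layout, the upload shown later in the writeup (an `scp` to `/home/max/scp_wrapper.sh`) is rejected by the path check, and even a permitted upload cannot touch the wrapper because it is not in a user-writable location.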

![](/files/UG3xoMvhR3WBOOyYNtMK)

We can then edit the `scp_wrapper.sh` file to include the command `bash`.

We can now connect by SCP and transfer the edited wrapper file using the following command:

`scp -i /home/kali/PG/sorcerer/max-home/max/.ssh/id_rsa /home/kali/PG/sorcerer/max-home/max/scp_wrapper.sh max@192.168.197.100:/home/max/scp_wrapper.sh`

![](/files/lbbMbbJhfaTLof2g52zq)

![](/files/7j0N6KiPIzdUS3EUxqU8)

We then find a user `dennis`, whose home directory contains `local.txt`.

![](/files/76sRRW98Wy1J8J3PURov)

## Privesc

We can transfer `LinEnum.sh` to the machine after starting a Python SimpleHTTPServer on our attacking machine.


![Starting the SimpleHTTPServer on our attacking machine](/files/Yj24UlWuuHUxL8ytcmng)

![Got our LinEnum.sh on the victim machine](/files/Yh2ezP4TbCQq8KNrHQEz)

LinEnum shows an interesting SUID binary: `start-stop-daemon`.

![](/files/M3xmpJ5Nb3mORa67mhZ9)

A quick search on GTFObins shows us the exact command to run to get root.

{% embed url="https://gtfobins.github.io/gtfobins/start-stop-daemon" %}

`/usr/sbin/start-stop-daemon -n $RANDOM -S -x /bin/sh -- -p`

![](/files/byxfBcnmmIOqSnWkbX8w)
