Difficulty: Easy to Medium
Tested: VMware Workstation 15.x Pro (This works better with VMware rather than VirtualBox)
Goal: Get the root shell i.e.(root@localhost:~#) and then obtain flag under /root).
This is another box from the same people who made Chili and Cherry, but it’s rated easy to medium rather than just easy, so presumably it’s a little more challenging.
nmap
This time we get just two ports, 80 and 7120. 80 is HTTP, and 7120 is running SSH.
Enumerating the webserver doesn’t turn up anything except /info.php which displays phpinfo. By itself; not useful.
SSH
Welp, let’s bruteforce SSH then lol:
That was pretty easy, so presumably it’s what we were supposed to do.
Privesc
Once we SSH in as potato we run linpeas as usual; we are on an older Ubuntu build here and it highlights our kernel (3.13.0) as vulnerable. Googling around we find this, an exploit for CVE-2015-1328, a Local Privilege Escalation vulnerability in ‘overlayfs’. I wonder if it works?
Well, that’s a yes it does. Still falls in the easy category for mine. The next one will probably kick my butt.