JACOB-THE-BOSS

Ifediniruozioma
3 min readSep 30, 2020

My solution to this box.


This box’s difficulty is medium

First we use one of the most popular scanning tools in our toolkit to scan the host IP:
nmap
> nmap -sS -sC -sV <machine_IP>

Here we discovered several ports that are open:
Port 22 is open
Port 80 is open
Port 111 is open
Port 1090 is open
Port 1099 is open
Port 1098 is open
Port 3306 is open
Port 3873 is open
Port 4445 is open
Port 4457 is open
Port 4446 is open
Port 4444 is open
Port 4713 is open
Port 4712 is open
Port 8009 is open
Port 8083 is open
Port 8080 is open
Port 46391 is open

Now I used a tool called DIRB to brute-force hidden directories and files on the host address using port 8080:
> dirb http://<machine_IP:port>

After brute-forcing, I found several directories associated with the host address.

I began to navigate to those discovered directories, and only one excited me, which is where we will focus to exploit the machine and gain initial entry:
> http://<machine_IP:port/directory>

Now when I visited the directory in my web browser I discovered the service version it was running, and I decided to enumerate further.
Using Google, I found an exploit tool which I'll use to exploit the machine to gain a shell.

Now I ran the tool against the target IP and I gained a shell.

But before doing all this I first set up a listener on my machine using NCAT to listen for connections. The main purpose of this is to get an elevated interactive shell that allows us to run more commands.

Now I've gained access to the target machine, and I navigated to home/jacob/user.txt to get my first flag.

TIME TO GET ROOT FLAG
What I did here is look for SUID binary files for my user using this command (the original was missing the `-type` option before `f`):
> find / -perm -u=s -type f 2>/dev/null
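The same enumeration seen from the defender's side: the script below is an added example (my own, not from the write-up or the box) that walks a filesystem for setuid/setgid files and reports any that are not in a known baseline, which is how a custom binary like the one found on this box would stand out in a routine audit. The baseline set and the sample entries are constructed for illustration; a real audit would build the baseline from the distribution's package manifest.

```python
import os
import stat
from typing import Iterable, Iterator, List, Tuple

# Constructed baseline (assumption): setuid binaries a stock Linux host is expected to carry.
KNOWN_SETUID = {
    "/usr/bin/passwd",
    "/usr/bin/sudo",
    "/usr/bin/su",
    "/usr/bin/mount",
    "/usr/bin/umount",
}

# Constructed sample of (path, st_mode) pairs so the script runs offline.
# 0o104755 = regular file, setuid, rwxr-xr-x; 0o102755 = regular file, setgid.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", 0o104755),
    ("/usr/bin/pingsys", 0o104755),
    ("/usr/bin/ls", 0o100755),
    ("/usr/bin/wall", 0o102755),
]


def walk_modes(root: str) -> Iterator[Tuple[str, int]]:
    """Yield (path, st_mode) for every regular file under root, skipping unreadable entries."""
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_mode


def find_privileged(entries: Iterable[Tuple[str, int]]) -> List[Tuple[str, str]]:
    """Return (path, kind) for every entry with the setuid and/or setgid bit set."""
    found = []
    for path, mode in entries:
        suid = bool(mode & stat.S_ISUID)
        sgid = bool(mode & stat.S_ISGID)
        if suid and sgid:
            found.append((path, "setuid+setgid"))
        elif suid:
            found.append((path, "setuid"))
        elif sgid:
            found.append((path, "setgid"))
    return found


def unexpected(entries: Iterable[Tuple[str, int]], baseline=KNOWN_SETUID) -> List[str]:
    """Sorted paths carrying setuid/setgid bits that are not in the baseline."""
    return sorted(p for p, _kind in find_privileged(entries) if p not in baseline)


if __name__ == "__main__":
    import sys

    # With a directory argument, audit the live filesystem; otherwise use the constructed sample.
    entries = walk_modes(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ENTRIES
    for path in unexpected(entries):
        print("UNEXPECTED privileged binary:", path)
```

Run it as `python3 suid_audit.py /` (any filename; the script name is an assumption) to audit a host, or without arguments to see the constructed sample flag the two binaries outside the baseline.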

So I began checking all the SUID binaries. I got a hit on pingsys.
> /usr/bin/pingsys '127.0.0.1; /bin/sh'
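The reason that command works is that the wrapper hands its argument to a shell, so the `;` ends the ping command and starts a second one. The write-up does not show pingsys's source, so the following is an added example of my own, not the box's binary: a ping wrapper written the way a setuid helper should be, with the target parsed as a literal IP address and the program executed from an argv list with no shell involved. The `/bin/ping` path and the count limit are assumptions.

```python
import ipaddress
import subprocess
from typing import List

# The flaw being avoided: os.system("ping -c 1 " + target) hands the string to /bin/sh,
# so a target of "127.0.0.1; /bin/sh" becomes two commands. Nothing below touches a shell.


def validate_target(target: str) -> str:
    """Return the canonical form of a literal IPv4/IPv6 address.

    ipaddress.ip_address raises ValueError for anything that is not a bare address,
    which includes hostnames, whitespace, and every shell metacharacter.
    """
    return str(ipaddress.ip_address(target))


def is_valid_target(target: str) -> bool:
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def build_ping_argv(target: str, count: int = 1) -> List[str]:
    """Build the argv list for ping; the target is a single argument, never re-parsed."""
    if not 1 <= count <= 10:  # assumption: cap the packet count a caller may request
        raise ValueError("count must be between 1 and 10")
    return ["/bin/ping", "-c", str(count), validate_target(target)]


def run_ping(target: str, count: int = 1) -> int:
    """Run ping without a shell and return its exit status."""
    return subprocess.run(build_ping_argv(target, count), check=False).returncode


if __name__ == "__main__":
    import sys

    try:
        sys.exit(run_ping(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
    except ValueError as exc:
        print("rejected:", exc)
        sys.exit(2)
```

Because `subprocess.run` receives a list, the operating system gets `127.0.0.1; /bin/sh` as one argument to ping rather than as shell syntax, and the `ipaddress` check rejects it before that point anyway; if the helper also has to be setuid, dropping privileges right after the raw socket is opened is the other half of the fix.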

Now get the root flag.

REGARDS

NIRU IFEDINIRU OZIOMA
