Boot2Root ! This can be a real life scenario if rockies becomes admins. Easy going in round about 15 mins. Bit more, if you are find and stuck in the rabbit-hole first.

enumeration

• nmap
• find anon ftp access
• get all zip files – they contain id_rsa keys but are password protected

initial access

• use /usr/sbin/zip2john to get hashes of all zip files
• use john to crack these hashes using your favourite wordlist
• user tom's zip file could be successfully cracked
• extract id_rsa with password
• chmod 600 id_rsa && ssh -i id_rsa $VulnHubIP -v
• we're in 🔓
• grab local.txt

privesc

• sudo -l – prompted for tom's password which we don't have yet
• check all files in directory ls -la
• investigate .bash_history and .mysql_history
• looks like we see a password in mysql history
• we have excessive sudo privileges
• sudo su -l and grab proof.txt 🔚

#vulnhub #ssh #sudo