Escalate My Privileges: 1 Walkthrough
reference | Escalate My Privileges: 1 |
target ip | 192.168.1.16 |
Scan with nmap
:

Enumerate port 80 with gobuster
:

Check robots.txt
:

Get a webshell: http://192.168.1.16/phpbash.php
Enumerate the system with limited privilege:

Lots of backup files can be found under /backup/armour
.
Extract:

Check md5sum
:

ncat
present on the target:

Get a reverse shell:

Get user armour
:

wget
has suid privilege:

Backup /etc/passwd
via wget --post-file
:

Generate passwd hash via python3 crypt.
Then upload to the target to overwrite the /etc/passwd
:

Escalate to user root
:

Don’t figure out why access denied when using rsa public key.