Escalate My Privileges: 1 Walkthrough

Reference: Escalate My Privileges: 1
Target IP: 192.168.1.16

Scan with nmap:

Enumerate port 80 with gobuster:

Check robots.txt:

Get a webshell: http://192.168.1.16/phpbash.php

Enumerate the system with limited privilege:

Lots of backup files can be found under /backup/armour.

Extract:

Check md5sum:

ncat is present on the target:

Get a reverse shell:

Get user armour:

wget has the SUID bit set:

Back up /etc/passwd via wget --post-file:

Generate a password hash via python3 crypt, then upload to the target to overwrite /etc/passwd:

Escalate to user root:
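
A defender-side check for the two conditions this escalation relies on, a SUID file-transfer binary and a tampered /etc/passwd. This is an added example, not part of the original walkthrough; the function names, the tool list and the sample passwd lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit for the misconfiguration and the resulting artifact.

# List SUID files under DIR whose name is a tool that can read or write
# arbitrary files. The tool list is an assumption; extend it as needed.
# Usage on a live host: suid_transfer_tools /
suid_transfer_tools() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null |
        grep -E '/(wget|curl|ncat|nc|cp|tee|dd)$' || true
}

# Audit a passwd-format file. Flags:
#   UID0            non-root account with UID 0
#   EMPTY_PASSWORD  empty password field
#   HASH_IN_PASSWD  password field holds something other than a shadow
#                   placeholder (x, * or a value starting with !)
audit_passwd() {
    awk -F: '
        /^#/ || NF < 3 { next }
        $3 == 0 && $1 != "root" { print "UID0 " $1 }
        $2 == "" { print "EMPTY_PASSWORD " $1; next }
        $2 != "x" && $2 != "*" && $2 !~ /^!/ { print "HASH_IN_PASSWD " $1 }
    ' "$1"
}

# Constructed sample: a passwd file after an extra UID 0 entry with an
# inline hash has been written to it (salt and hash are placeholders).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
armour:x:1000:1000::/home/armour:/bin/bash
extra:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:0:0::/root:/bin/bash
EOF
}

# Run the passwd audit on the constructed sample.
tmp=$(mktemp)
sample_passwd > "$tmp"
audit_passwd "$tmp"
rm -f "$tmp"
```

Removing the SUID bit from wget (`chmod u-s` on the binary) closes the write path; the passwd audit catches the result if the file has already been replaced.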


I didn't figure out why access was denied when using the RSA public key.