Escalate My Privileges: 1 Walkthrough
| reference | Escalate My Privileges: 1 |
| target ip | 192.168.1.16 |
Scan with nmap:
Enumerate port 80 with gobuster:
Check robots.txt:
Get a webshell: http://192.168.1.16/phpbash.php
Enumerate the system with limited privilege:
Lots of backup files can be found under /backup/armour.
Extract:
Check md5sum:
ncat is present on the target:
Get a reverse shell:
Get user armour:
wget has the SUID bit set:
Back up /etc/passwd via wget --post-file:
Generate a password hash via python3 crypt.
Then upload it to the target to overwrite /etc/passwd:
Escalate to user root:
I did not figure out why access was denied when using the RSA public key.
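On the detection side, the /etc/passwd overwrite used above can be caught by auditing the file itself. The following is an added example, not part of the original walkthrough: it assumes the replaced file carries a password hash directly in the second field and/or an extra UID 0 account, and the sample file, the account name `newroot` and the hash are constructed placeholders.

```python
import re

# Constructed sample of a passwd file after an overwrite like the one described.
# "newroot" and its hash are made-up placeholders, not values from the target.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
armour:x:1000:1000::/home/armour:/bin/bash
newroot:$6$CONSTRUCTEDsalt$CONSTRUCTEDhashCONSTRUCTEDhash:0:0::/root:/bin/bash
"""

# Modular crypt format ($id$...) or a 13-character traditional DES hash.
HASH_RE = re.compile(r"^(\$[0-9a-z]+\$|[./0-9A-Za-z]{13}$)")


def audit_passwd(text):
    """Return (line number, finding, detail) tuples for suspicious entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "malformed", line))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        # Only root should map to UID 0 on a normal system.
        if uid == "0" and name != "root":
            findings.append((lineno, "extra-uid0", name))
        # With shadow passwords the field is "x", "*" or "!"; an empty field
        # or an inline hash means authentication bypasses /etc/shadow.
        if pw == "":
            findings.append((lineno, "empty-password", name))
        elif HASH_RE.match(pw):
            findings.append((lineno, "inline-hash", name))
    return findings


if __name__ == "__main__":
    with open("/etc/passwd") as fh:
        for lineno, kind, detail in audit_passwd(fh.read()):
            print(f"/etc/passwd:{lineno}: {kind}: {detail}")
```

The root cause on this box is the SUID bit on wget, so removing it (`chmod u-s` on the binary) closes the write path that this audit only detects after the fact.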