`First , we do Nmap scan for opening ports and we found:`\
`port 21(ftp)`\
`port 22(ssh)`\
`port 53(dns)`\
`port 80(http)`\
`port 139(smb)`\
`port 445(smb)`
`smbclient L //hermoso.local/ Found secret share`
`smbclient //hermoso.local/secret`
Port 80 web login , notice software application version is also there
Google search the exploit and found one , insert accordingly
 
Successful executing the exploit created a php web shell with a parameter "cmd"
We insert a reverse shell bash one liner with url encoding and open a listener to get reverse shell
Nagivate around and we found a user name "chris" and a password in the "wp-config.php.bak" file.
ssh into the user chris with the provided password , we get the user flag.
Listing what Chris can do as sudo shows that he/she can run a script called "CopySSHKey" as sudo.
addkey()
1. The variable tmp will create tmp file at /ssh\* randomly
2. touch $tmp creates and executes the tmp file
3. Then the predefined ssh will be echoed into the tmp file
4. checkfile() check for file error
5. Finally it is echoed into root's authorized\_keys
This means that if we echo our public key into it , we can use our private key to login
We generate our own ssh key and copy the public key
So we echo our key into any ssh\* random file name that is created through the script
Script is available at my github :
Then , we run it before running the sudo script at background
Then we run the sudo script
And we check our ssh access
Note : First time might not work because our script is slower than the ./script.sh so we try run the script again
Unintended way : Kernal exploit does not work
