User Home Directory Enumeration

$ cat .ssh/id_rsa                       # private SSH key left readable in the home directory
$ vim id_rsa_bee                        # save a copy of the key to a local file
$ chmod 600 id_rsa_bee                  # ssh refuses a key file with looser permissions
$ ssh -i id_rsa_bee root@192.168.1.61   # log in with the recovered key
$ cat .mysql_history                    # MySQL client history can contain credentials typed on the command line
$ cat .bash_history                     # shell history can contain passwords passed as arguments

Some Software Examples for Privilege Escalation

Look for data in the default Firefox profile folder.

$ cd ~/.mozilla/firefox

Firefox Decrypt is a tool for extracting passwords from profiles of Mozilla (Fire/Water)fox™, Thunderbird®, SeaMonkey® and derivatives.

DUMPZILLA is another option: a Python 3 tool that extracts forensic artifacts (history, cookies, bookmarks, saved passwords) from Firefox, Iceweasel and SeaMonkey profiles.
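As an added example (not code from the original post, nor from the Firefox Decrypt or Dumpzilla projects), the following POSIX shell script turns the manual checks above into a defender's audit of one home directory: it reports SSH private keys and whether their mode is 600/400, history files that record a password passed on the command line, and Firefox profiles where logins.json sits next to key4.db (the pair the two tools above read). The file names are the standard locations; the fixture that make_fixture builds is constructed sample data, not a real key or profile, and the history regex is a heuristic.

```shell
#!/bin/sh
# Added example, not code from the original post: audit one user's home
# directory for the artifacts the enumeration commands above target.
# make_fixture creates constructed sample data (placeholder key, fake history).

# audit_home HOME_DIR
# Prints one line per finding; prints nothing for a clean home directory.
audit_home() {
  home="$1"

  # 1. Private keys in ~/.ssh. The first line of a PEM/OpenSSH key file says
  #    "PRIVATE KEY"; any mode other than 600 or 400 is flagged as LOOSE.
  for f in "$home"/.ssh/id_*; do
    [ -f "$f" ] || continue
    case "$f" in *.pub) continue ;; esac
    if head -n 1 "$f" | grep -q 'PRIVATE KEY'; then
      mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
      case "$mode" in 600|400) perm=ok ;; *) perm=LOOSE ;; esac
      echo "private-key $f mode=$mode $perm"
    fi
  done

  # 2. History files: passwords given on the command line (mysql -p...,
  #    --password=..., SQL "IDENTIFIED BY") are recorded here in clear text.
  #    The pattern is a heuristic and will also match e.g. "-P3306".
  for h in .bash_history .mysql_history .psql_history .python_history; do
    f="$home/$h"
    [ -f "$f" ] || continue
    if grep -Eiq '(^|[[:space:]])-p[^[:space:]]|--password|passwd=|IDENTIFIED BY' "$f"; then
      echo "history-secret $f"
    fi
  done

  # 3. Firefox profiles: logins.json (encrypted saved logins) next to key4.db
  #    (the key that decrypts them) is what Firefox Decrypt / Dumpzilla read,
  #    so a readable copy of both counts as a finding.
  for p in "$home"/.mozilla/firefox/*/; do
    [ -d "$p" ] || continue
    if [ -f "${p}logins.json" ] && [ -f "${p}key4.db" ]; then
      echo "firefox-logins $p"
    fi
  done
}

# audit_home_count HOME_DIR -> number of findings on stdout
audit_home_count() {
  audit_home "$1" | wc -l | tr -d ' '
}

# make_fixture -> path of a temporary, constructed home directory holding one
# of each finding (placeholder content only, no real secrets).
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/.ssh" "$d/.mozilla/firefox/abcd1234.default"
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
                'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY' \
                '-----END OPENSSH PRIVATE KEY-----' > "$d/.ssh/id_rsa"
  chmod 644 "$d/.ssh/id_rsa"                       # deliberately too open
  printf '%s\n' 'ssh-ed25519 AAAA-constructed user@host' > "$d/.ssh/id_rsa.pub"
  printf '%s\n' 'ls -la' 'mysql -u root -pS3cr3t-constructed' > "$d/.bash_history"
  printf '%s\n' 'SELECT 1;' > "$d/.mysql_history"  # clean, must not be flagged
  : > "$d/.mozilla/firefox/abcd1234.default/logins.json"
  : > "$d/.mozilla/firefox/abcd1234.default/key4.db"
  echo "$d"
}

# Stand-alone run: audit the constructed fixture and clean it up.
fixture=$(make_fixture)
audit_home "$fixture"
rm -rf "$fixture"
```

Run it against a real account with `audit_home /home/bee`; an empty report means none of the three artifact classes is present in the expected places, and a LOOSE key or a history-secret line is a concrete item to rotate and clean up.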


Lovelesh Gangil

DFIR | ICSI (CNSS)
