CyberSploit1

  1. Started with a TCP scan via Nmap.

```
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-09 16:37 IST
Nmap scan report for 192.168.203.92
Host is up (0.073s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 01:1b:c8:fe:18:71:28:60:84:6a:9f:30:35:11:66:3d (DSA)
|   2048 d9:53:14:a3:7f:99:51:40:3f:49:ef:ef:7f:8b:35:de (RSA)
|_  256 ef:43:5b:d0:c0:eb:ee:3e:76:61:5c:6d:ce:15:fe:7e (ECDSA)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Hello Pentester!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.61 seconds
```
  1. Visited the web page and found the following

3. I checked the source code of the page and found a username at the very end.

  1. itsskv was the username. Maybe it could be used to log in via SSH on the target.

  2. Next I ran a directory scan via Gobuster and obtained the following results.

```
/robots.txt
/index
/hacker
```
  1. I checked robots.txt and found a base64-encoded string: Y3liZXJzcGxvaXR7eW91dHViZS5jb20vYy9jeWJlcnNwbG9pdH0=

  2. I decoded the string and got cybersploit{youtube.com/c/cybersploit}

  3. I initially thought that this was nothing but just a way to promote the given YouTube channel, hence I didn't pay much heed to it.

  4. Next I tried logging in via SSH on user itsskv but I still had no password. I ran a Hydra scan on the SSH service but I found nothing.

  5. I then tried the decoded string from two steps before and it surprisingly worked.

  1. I found the first flag in a local.txt file in the working directory.
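
From the defender's side, both leaks used above (the username in the page source and the base64 string in robots.txt) can be caught by auditing served content before deployment. The following is an added example, not part of the original writeup: a heuristic scan with hypothetical function names (`decode_if_text`, `audit`) run over constructed sample inputs.

```python
import base64
import binascii
import re

# Heuristic: runs of 16+ base64-alphabet characters with optional padding.
B64_TOKEN = re.compile(
    r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)

# Constructed samples: the robots.txt string is the one quoted in the writeup;
# the HTML comment layout is an assumption made for illustration.
SAMPLE_ROBOTS = "Y3liZXJzcGxvaXR7eW91dHViZS5jb20vYy9jeWJlcnNwbG9pdH0=\n"
SAMPLE_INDEX = ("<html><body><h1>Hello Pentester!</h1></body>\n"
                "<!-- username: itsskv -->\n</html>\n")


def decode_if_text(token):
    """Return the decoded string if token is base64 of printable ASCII."""
    if len(token) % 4:
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def audit(path, body):
    """List (path, kind, value) findings worth a manual review."""
    findings = []
    for match in B64_TOKEN.finditer(body):
        text = decode_if_text(match.group())
        if text is not None:
            findings.append((path, "base64", text))
    for match in HTML_COMMENT.finditer(body):
        comment = match.group(1).strip()
        if comment:
            findings.append((path, "comment", comment))
    return findings


if __name__ == "__main__":
    for name, body in (("/robots.txt", SAMPLE_ROBOTS), ("/index", SAMPLE_INDEX)):
        for finding in audit(name, body):
            print(finding)
```

Any finding is a prompt for manual review: encoded strings and comments in public files should never carry account names or anything reused as a password.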

Privilege Escalation

  1. I ran a LinPeas scan and right in the very beginning found this.

  1. The Linux version 3.13.0 was marked as an exploitable vector. I looked online for possible kernel exploits for the version and found the following on Exploit DB: https://www.exploit-db.com/exploits/37292

  2. It was a C script which could give an elevated shell. All that was required was to run the script via GCC.

  3. I downloaded the script and sent it to the target machine via HTTP. I checked initially if gcc was present on the target and hopefully it was.

  4. I compiled the script using gcc -o exp 37292.c and ran it.

  1. I had successfully got root access to the target. The next obvious step was to get the final flag, which was sitting in the /root directory.
