triodress.blogg.se -

#OBSCURITY FTB CODE#

➜ obscurity nmap -sC -sV -T4 -p- obscurity.htb -oA scans nmap.full -v

#OBSCURITY FTB CODE#

Make a file called BetterSSH.py in it containing the code to spawn a bash.

3.Method Rename the BetterSSH to something else and make your own BetterSSH dir.

Run the BetterSSH.py and grab the hash of rot user.

2.Method Run an infinite loop in to read every file in /tmp/SSH.

1.Method Authorize yourself in the BetterSSH.py.

All used three methods are mentioned below.

the user robert can run BetterSSH.py as root.

Run the python script and got shell as Decrypting the passwordreminder.txt using the output we got.

Crafting a payload and making a python script to execute the payload.

Analyzing the python script that is using exec().

Column Details Name obscurity IP 10.10.10.168 Points 30 Os Linux Difficulty Medium Creator clubby789 Out On Retired on real Journey of obscurity Starts with a wfuzz on the http port 8080 by the file SupersecureServer.py.And got the exact file,Reading the file and analyzing the python code we will get a decrypt the key for the file out.txt and using the key decrypting the passwordreminder.txt and we got one more key that is credentials for user robert.There are Three methods to get root one is intended and another one is unintened, Both are related to that BetterSSH.py In unintended way we just remove/rename the BetterSSH dir and then make your own custom dir and place a file called BetterSSH.py containg code to spawn a bash shell and run the script.The intended way is to executing the original python script as root which is copying the shadow file and after getting hash of user root, crack it with john and we have root user pass.And there is one more intended maethod if your authenticate yourself while running the Python-Script and then you can run commands as root.