HACKDAY: ALBANIA
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj60QnmN7CletR2Tw1wNdShrG68ZvzU0VnFKSTjpJEYY7qfh8yP5UpwnCmxOMf9EeZ8d-LR1OmKo6AzibYayCFoYO0YoxXnuiRAAsM5jh4qOMQWZRPo-Pd07Hu2aI7hzVCyM4jQRKaJc96Z/s1600/screenshot.65.jpg)
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine HackDay Albania.
- HackDay Albania can be downloaded from here:
https://www.vulnhub.com/entry/hackday-albania,167/
- Once Albania has been downloaded and imported into VirtualBox:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh66GpZYV4r2pWgrCGPFsy9c1KZgIeq8nNMNtvUxvUtmqdQ09HqZYPqWZFy9wvG0X0bAKKC0dtJtuFeycNWy9y2nLpmhpN00Rgh9mUSQ_uMKB0N-hOtgwzveCgyEd9vgEhoIG-HjBqb7gjE/s400/screenshot.33.jpg)
2 - ENUMERATION
- The IP for Albania is 192.168.1.21:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6lLZSwr5wW92pPbvRVWvr8DgAQIANob9SAhDxj2NiFK-jt0L98Yk-uK-8L_oHcfe21VgRKeHKICHvvg80eHxvloLv10rtTafai9kV2DbDUut85DEnVMgLbhenjXzb9eUJ_-uo_BqXf3j5/s1600/screenshot.1.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCPznupiruKkNtfPwZrJApOZSZAjnf7sdTMLtp8g7DaN7eVBAPEPSOI5ljnxPVzW6vDdyLVdr-Q_sXM2smeVDS8NE7NZhK4Hueh5SBP4nNhDVW6-P_XHcVEpWL3ya4a4_Pn4l_Zwl8Lj2b/s640/screenshot.2.jpg)
- Scanning with Nmap there are just two open ports, 22 for SSH and 8008 for HTTP:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1vgULdAeBxDiKimYn5RpXThXwjBx-2PR4s1mowknNWPq3BXuK1zfiguyuvyVM-U4ihez72Wi14hss7UDbIHzaJwexNN6sFzbDG-fU3liCCVtIKSIoyvRbd9jvwGu9GRH_MVgMQPX8FF1i/s1600/screenshot.3.jpg)
- Connecting to the web server at port 8008:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfwnQDWHsBv-8bN2zDX45FCh70Sq-9-k7KjbQy7wMKpE09ZeQMTzGl09Cob4P2vu7CDI2Z22c0bQHfQ-Ilwj0p9BSLXvDj66SQwh-S7R4MjodvIspZW4JywOjJDxxQcw6gaA3XlAeuxubm/s400/screenshot.7.jpg)
- Google Translate helps us with the Albanian language:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRcVwwCa4irOvMo_gI-W3jTGSbi4kbJ_cA-ltipvTANFDJl7FUhRq6ymQkIGMXcjg2-RDRzgPBEB_YuG5jPVewHZ45GDPmsjjEPSCvtrakhnNLbv9T7K3IK7guJc5KPaTuYgy8wrw4K9jo/s1600/screenshot.61.jpg)
- Viewing the source, there is also another message in Albanian, telling us that this is not the right directory to search for information:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglNYCL2cZvWPJsVqUM2TDZk4ujcI5JrmO2Apd0uAeqgtNSCMJFAoB_jrcJkLnpEOh6ip0zNuo8u6yrWwOnxCs0KPQ62fxvQj-dS9pws2Xoquzqnt7fHJ_JuSHK49CMuCVex6iJBS80Y9uH/s1600/screenshot.21.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgB66flGZHyfkUVDya60jHT1OoHiuvkeq0OCp-lxGU0o_YxF6n3bYJQiDkqcvlimzuih_vmIba8b3BwD1ogB4oYDMHlMzDHMdHLVDk86S_zfOSemdxaV-8F1K6wIf6yapwqHilWsj0AVwIb/s400/screenshot.22.jpg)
- Launching nikto against the web server on port 8008, we discover that there are 26 possible directories, all of them listed in robots.txt:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrWBiVZwHPFAEsq3t7s5Sn9FeVDitQ39_fN3RgPGDlIsk_Y8SX1lQrUPRoDIpnBq7CuyAOoZ-ehBamdlj03BH9UzKxdfZpziXGXF2rRMMRQ5u2LNETrT5O-rQdmZrphw2PG2_sP29nei1a/s1600/screenshot.4.jpg)
..................
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXVyAVMY_gIZZRPpAJwTTgNx8FKwkzJzUojqgRV7DXNn275MIiSSo4_AMS0s0VW6dx95cBqY9eFEc1-qLujUXg4gbHnbKDWuqD3iwPQGArOHXIHYhLhpdXdyg6Vw3VqyCdtGLpK9Azvmu0/s1600/screenshot.5.jpg)
- Going directly to robots.txt:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbWxMXkqcyeHF3MRwx_y3DSILtn7TjRQ2b6dPlv11x7lBUybRDQgJ_EdEMn7qCS-fj0ydHTuwZMmpNwLeKM1PNF8olwaTc0AAh1uo3ziunMD6xVOAOv8uuMjVsaRTVCsqHB26_v5ygKLNn/s1600/screenshot.6.jpg)
- All of the directories (except one) answer back with the same image:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhib48aG7AyNod3RurbhK0vgCI52_lO4hQ8g_oS479duVdTrX3MuPrA7yRuHeoNOFJlBfyoQmmjygz6RjCjExzG6L7IafTu5kVn3GmZcweJS68x7soiCPMwX8GR5jKrbX_g-YqvfVy7-_E0/s640/screenshot.9.jpg)
- The translation of the message is doubtful:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0zyGTUl8Fcp9fxjVME4HETVx7qzEFGFGKB3m_LEKzn9X0Tv6k3ja2fybTliY3IrUcxM3gtR-M31kMJKc5QN5BW_AzRyRtj5BrYJJfh8RoXVG0vT9Ss2gAYJDOeczHfXgn8iFbJZDg1wOu/s640/screenshot.77.jpg)
- However, when going to unisxcudkqjydw the answer is quite different:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj12Ooe5hvS2f9km7sI_Dx6c8cke-vjPBJZYeVBiDmgbP6ehL2roV2sLYSBbOFNsYNGx8Odh4hHi4vJg9O3eUKVoP9QT2dIfawKCfsB3zhuIQPsk6j0YywZPb_R18OWuH7SLtVVI-i-960o/s1600/screenshot.15.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGewcbbG-4FSTnS54TjxnuDvBikpYWaN2PtrwXIU9hyphenhyphen3BH2uSdTcdJ9TkQVg4d4UeIkaTpS56z8vvtsvk9CeTgknPYqzDV1bwzC5OwTwqSBsiEzDdcJH32truIbDzoYubIT6jTaZmCPDCV/s1600/screenshot.13.jpg)
- Trying a possible vulnbank directory:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaZz5YbzwC9H6UJgdceFwkipkMdbFl9io4A8xjD_CKaF8IO4msAKoxyXRpHzDTBd7YiN2KccCPlSpqcYDXb1RkY0-D2HNUPrXiPTe4xlPo_0jPXSJUPF3ZZnuFGWgqdQoXgv4IvtTnZeZn/s1600/screenshot.12.jpg)
- Clicking Client, we finally find something valuable: a login form:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhietY1dxVCqREj0ETSMj8X0gGgl1vVEhaOD3wLATQK-LxyfHUIS8EPeoCXDh_zZgamG-Xc5VFewtgncES7COrcitRcPlqWh_rZgfQIji3tvBfTwP1uAdMa6PTh1A0ejCnBaflussTrRGqW/s640/screenshot.16.jpg)
3 - SQL INJECTION ATTACK
- It is immediately clear that the login form is vulnerable to some type of SQL injection, just by entering a single quotation mark ('):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgevY84ESWTIjmUeLUa6qrJ_WYNLR-3nxT1jkbLljeC3U9iSqaS_RfB6HzYLe1HIE5WTUsSM3zk70_OttM9oCAQrx8lMjdzldVlSArV8PoAOAfugIWuU-z-II3xDNbWRiEFAXKZR3TdxIqA/s1600/screenshot.19.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqCpdLtqhr7ZABdqwi2gyTD-IzHVlRQ5Kfjlqqt8aifTsiX-JDgKNgLwvXbYvEPnemL_wlWqtFyxQw8xWVjK3MEw9gjbZqycJFhDegzjGZrdEmAQwuW1OWX8LnfEqVGdEG8ZZufE2k1Kph/s640/screenshot.17.jpg)
- Trying different SQL injection payloads, the result is still invalid:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgj0kGFlmR8oWIXHdhj0bArOQ5ulvSuP2FyHhmJfwFhuo3-LdenRS4096CXhRVr6Ki4vOQCE8suTndC3Ha0QG7obKTFxMadwQUfnFq9EPvDuZhyTSfbZPJparkeuqfeM8bLXET8r8ZfPksF/s1600/screenshot.70.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYdsQ1sIgTtGpY8BH76-y8ChAqR5QwbzEgxYw-KwBn_1ZmyBrrW2hFVcGsM6X1x0cmmqa5XoFjPyYKAjvqqj5U4oYqHB-o29if1LZ2DrdVEngESS2Q-mMjuZ6KC7l7NEUEn4U4IZiR23lP/s1600/screenshot.71.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAiDcjwmFstGdB7roPoMm5PAOaI8sHpFsmHi1AMYURClzsJC7X8YFM9RX-Pucmlm0GYa1sW8XvYiTjG77Ypk0ki54qwE2JHuPxFooC2L_Wsr86RBnerx5rZ-P-LxvIwc2P-8nSGd9CcaE-/s400/screenshot.69.jpg)
- Bearing in mind that MySQL queries are terminated with ; and that # starts a comment:
https://www.techonthenet.com/mysql/comments.php
- Let's try this input injection:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhb7p20-XDZNzVQh-EvCi_L7wZQdvUfFGDGXaHLm627wHnHODU6w01xB_HBjz6bpi-nQ3bo1QrgHrbQ7ti1SHuEf1x0HZv2psr0Uh4lVNE6NqlnMv0Gu6Mr31c06O12_WpGzPQ2OZUxIuDZ/s1600/screenshot.74.jpg)
- It works and the SQL injection is successful:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilcIXpw7pXNYvgOdxFOLdAjqI7YLEUQ6_tEM_arIKllAC1bjUhUWiVmZSp8_ycFAnWWmzCwFZPwGbxs2UAv8pTM89MuT19LvIvPE75qaDB8QXaDOZkTcBhPBXasKGh_rdCXuhxPqJQ8UjN/s640/screenshot.24.jpg)
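The bug behind this login form, as an added example that is not code from the original post or from the HackDay Albania machine: a query built by string concatenation lets a quote and a comment marker rewrite the SQL, while a parameterised query binds the same input as data. SQLite is used so it runs offline; SQLite only accepts `--` as a comment, where MySQL also accepts `#`, which is the variant the post uses. The table, the user `alice` and her password are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed sample database: one user table with a single row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")  # constructed
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query with string formatting: the input becomes part of
    the SQL grammar, so a quote ends the literal and -- comments out the
    password check (MySQL would also honour #)."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: values are bound by the driver and never parsed
    as SQL, so the same payload is just a username that does not exist."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def lone_quote_breaks_query(conn):
    """Reproduces the first observation in the post: a single quote alone
    makes the concatenated query syntactically invalid (the database error
    is what signals the injection point)."""
    try:
        login_vulnerable(conn, "'", "x")
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "alice' -- ", "wrong"))  # alice
    print("safe      :", login_safe(db, "alice' -- ", "wrong"))        # None
    print("quote err :", lone_quote_breaks_query(db))                  # True
```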
- Note the interesting option of uploading files:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWowPX6k9pnF7GKmakDnSDMplsBIwC4E-reBwErows7QCPjTEsED2-0zb7zzxlKmXW0OA4fSn1ocegwDOm0C0QHqNH4dACSxGVv8_sdCvPjtGcYCqFIUNpxJ8z8zv-15w196HQHiKvV9es/s1600/screenshot.25.jpg)
4 - REMOTE SHELL WITH WEBSHELL
- Let's try uploading a simple text file:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlalHAkyIxYbbBkNeVj4xHXX-EIzaQluivpN77zExIgCxTnZ9NdUw6Gmcsm74IXBDxcWsa8bzEfc2eRqbNpLSG2BKqwyvHjxTUh-d-Om4kwM8Khn3S9uHjQ_Kspw5t1vkcULb-yzIGOfQG/s1600/screenshot.26.jpg)
- The server says that only image files (jpg, jpeg, bmp, ...) are allowed:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidB8Gw8rHCdYP-V6XIni5wp6ChMkSlhSGxku52OBRng8gcL9BR7-sMJ3Gj7bB703XSrtezSXx5czU1YnfZQXTWzy60Sj0mfyjnCqkvxKGwRDJ7ekamg7xGd90IoCKdMuTLpS2rOrqej0a4/s1600/screenshot.27.jpg)
- A list of the uploaded files is available:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEittzKSCKdXZB6GxKjnNna2WkmB_epfasNPYc0VYmJp3JIEr2DonOT7ChJJjJEhF94WtWzL9J0ugQLkxDWlQ_tsXGuRTQdwhPWV3sEaaT1CLEZo4oTZ7QmbKruxRLciQIAyFX3I_C3WwAk1/s400/screenshot.28.jpg)
- Now, why not upload a webshell in order to get a remote shell? For instance, let's copy php-reverse-shell.php to the local working directory:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxpnotJ6CqKSxsfpcxE8POE1jYYRA4yNCDCeK59mpaGlp7f3xP8xQ0yNIC9YXo1eGTpW3F5c6q6p6rAlXNLqtp_cuBcnImmDn2USs5OGiAUQu0eqqZ5cJ2UAUlX2RScPQ1isLgxjnMAI8o/s1600/screenshot.29.jpg)
- Renaming it with a .jpeg extension:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizmFY45S-b9F9-87IqoLF_eCOPKtNIDjtWpzLc8FSdaOEnagJ1eaQEMxSDpmrZOzSqX46WSOJuQeuCpMNelKlFBWQvSQ3lqfvFcJDFMwq3s_GdYypRAxmr04i7gLDtg0f1xla8NSQFw0nt/s1600/screenshot.30.jpg)
- Adapting the webshell to our needs:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRa7Ki7n8DJWlLBzOLZ11RYhQ9nomIFrXTKcJQRuNYsWKIUr405EI-A1R5wFmq9RuQXrJWFhbTRoqbLipo6VGAYq_U107sDsbcn4N8ls2bbljN_c3q_FcHK4lVDa4ZqwrLf9jGEre5tptw/s1600/screenshot.31.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgT9lXhYdMO_WTgJXFDEgaYLJR5M_FkUcv7OXxW2FiAFt-qzQCnJQ8q-tcxLPz35fK3i9s3Wp_L3DB6Bt8lEqQlEnRHaGadzIYPAkuO0YqnyK-TONPz2O0qJhyXhOonEC_p_qNDdR5iq279/s1600/screenshot.32.jpg)
- Setting a listening Netcat session on port 4444:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtynzH5n9yG5mUVR2EEj06-VcCECvthlNqLxCiNmgOn7mCIc7sqZzYUPMeWje2mE4r3NELMDkzB3SmFO1Cdy9dBMNnhGXLE_La59tahabRGQ9D5REyrzEEPD5XEPcwZPnxt_GVnnmGyS1c/s1600/screenshot.38.jpg)
- Uploading php-reverse-shell-php.jpeg:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAWCG-lsylXIQU1qNI68b0hgNBVec9uTAxmIZjkw0dRnBIdEwvjI5om8dmrDRVLS932HvxCrJPODKnc051NHUO0zVdhf5dBif76PFCPssQ-ogM6zgTleG85fLeYZ08rqZvh2X6DQ8VvsYV/s1600/screenshot.34.jpg)
- The upload is now successful:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjYKwPhUYTC4bw-tikKA8ersQdMdOVzU1HR3ytAduCnIIWinP28zM85hCvLAGgDSoL1IjJoL1xzntRYPuHoXQ3gdqh8Kf38smvp0XUaQjbzCJoWhyGPH76pCQVRQlYsg2x467G8WsvFV6R/s1600/screenshot.35.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhb0U5Z8J5eKWfQolJ1fPS0GXungRDVuQ5CrtQ37S4f4mFD9RQsMSpK5vjkbM8up6DUEkW2fBzfInuYwxYlMIJIYkhFcTTnUZLMA9vhXbxspyI_kCAgReChjpnLrJyY-G6VMo9vKkHI4zaQ/s1600/screenshot.37.jpg)
- To run the webshell just click View Ticket:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhemx-cvnoff_HS_faTHk6KzReUOxquPS2qGIL6mZq-qF8Xk7LR22h7RM5LrLhb3bDM8wcGgsxoYtELO1t4Rg71X-3A8gb5ebxpdI49Z8G1S4Gc115oDnOKpedyM8bKw0qgw1wDnS1hhOIL/s1600/screenshot.66.jpg)
- As a result, a remote shell is obtained:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPeB02l9mkI2Wdco9OMr-aQ_hxvf1zjLbvQjN-zYgDfzOQ7SgrMcgdov8GaExhrWl5UMh_Qh1mlNo1qEX1ebcb2sFEH4ICr6TTP4r_iZd1qCu0yOsFPWxq2-ZWrNn4KREN6lQkQRzOAZth/s1600/screenshot.39.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0GAvzlpBk-Kh2_TI8qq1RNyCdTex_D8VhYrYnF6fpRTdmw6vtkocJaLuaxUNT6fWExIRwbJZ_3mJgfKI-mdAq9FCjApqJ43YQhCmJas2XDK5EZXVILHfGuzgbmj_iODp0hUbqcPYGQL-d/s400/screenshot.43.jpg)
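The upload filter above accepts a PHP file simply because its name ends in .jpeg, and the file is later executed when it is viewed. The following check, an added example and not code from the post or from the machine, is what a server-side validator should do instead: check the extension, check that the bytes actually start like the declared image type, reject anything containing a PHP open tag, and store the file under a random name. The allowed extensions are the three the post names (jpg, jpeg, bmp); the magic byte values and the sample inputs are constructed here.

```python
import os
import re
import secrets

# Only the extensions the upload page names; keys map to the leading bytes
# a genuine file of that type starts with (JPEG: FF D8 FF, BMP: "BM").
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".bmp": b"BM",
}
# A PHP open tag anywhere in the body: an image never needs one.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def validate_upload(filename, data):
    """Return (accepted, reason). Extension alone is never enough: the body
    must look like the declared image type and carry no PHP tag."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in MAGIC:
        return False, "extension not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match declared image type"
    if PHP_TAG.search(data):
        return False, "embedded PHP tag"
    return True, "ok"


def storage_name(filename):
    """Random server-side name: the client-supplied name is never reused,
    so it cannot steer where or how the file is interpreted. Files should
    also live outside the web root, which this function does not decide."""
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed inputs: a renamed PHP file, a real-looking JPEG, a polyglot.
    renamed_php = b"<?php echo 'hello'; ?>"
    real_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32
    polyglot = b"\xff\xd8\xff\xe0" + b"\x00" * 8 + b"<?php echo 1; ?>"
    print(validate_upload("shell.jpeg", renamed_php))
    print(validate_upload("photo.jpeg", real_jpeg))
    print(validate_upload("photo.jpeg", polyglot))
    print(storage_name("photo.jpeg"))
```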
5 - PRIVILEGE ESCALATION BY EDITING /etc/passwd
- Searching for writable files, we discover that /etc/passwd can be modified because it is "world writable":
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQMTnBLX7sm3lKlsyAXNL1Eikm68jbhPIC4myIxkYKFtVCbHxhCICDJInTwRWTN5xPQZ4_Ak51-dunN-9zDBReJ3Z4HaWX2NwpzHrhyr8hr_sN30Ricwzckv-FLUjE8dr9sCPTQ1uNBDFD/s1600/screenshot.76.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9JYQT5M4pzLhfh3yfCzXIeuMduDywKQbNNgx-klWk1-UL1Ad1Qp40tF6mOxcYl3Nmy28Aq85XBzKKoLyCn19dV1LMwVQdgqsrL-HvCiGzjMHom9qW4bL3igya5rJ0VfA6Pe5nTrzOMRsf/s1600/screenshot.44.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQBLo1457jk9VXefsCIdVS2l1FxJ-RrhwFamo0zoeyJBryTYxU_tFYXS1I19BEreJilSODF1w6uQc5fcrqINJi5QueWfefqCwTSq0S2hjw4N27uG3jVXzIRoGdcSA0VrqiEe20D9k-zLGN/s1600/screenshot.42.jpg)
- We can take advantage of this circumstance in two ways:
1) modifying an existing user's credentials
2) creating a new user with root privileges
5.1) modifying an existing user's credentials
- For instance let's focus our attention on the user taviso:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoYWrwogIWPxH0ZTR1VNtFXaWC_xvU3pfQDrZGe2wtUVsq-8963QKZas422Iw_FurHUKYI3GjTHNjb7tfXKQUJRkmNk_mwo7P9XwU38bJYtEnUh0GbAVE3_iJ_GsyyJks4pIfvh2Sv6lO9/s1600/screenshot.67.jpg)
- OpenSSL helps create a salted MD5 password hash, for instance with hello as the salt and bye as the password:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLQsTk2F_NX3L60iRgj9XRvbESzZfl5R5owA0fogVPZgHY0eRmtImb4MdPic3NngHcez29xboa2TDV1rysALCwhsV9XvV5dkQkAEWDAh3RzgwTXmsqbW0BIz1c-0NwFh5LISonVBvkjZLJ/s1600/screenshot.45.jpg)
- Now we must combine the /etc/passwd entry for user taviso with the newly created salted hash, simply replacing the x in this way:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTyI8VTpp7kTF2iq7-sRLvsgwPcYKVYvRgppYGlZtyWTc9UlNwSEYZ24h752pjUi05WInAA6z4L095SSbbnw5Zy_uOglfzrVtCouK8Z05Z2r6A110s60PVEJrQxvS1ts_kQoRQdg-UB-nB/s1600/screenshot.46.jpg)
- Creating a new file passwd by replacing the taviso entry of /etc/passwd with the last line of the previous picture:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVNAbXiIXScuS83TkxMy4jU8mHotoqjJ5I3_V5KTSNWc0K6ZOA1v8BgJvi-oRXnVwCFreBI_XDaDm8A1bLhMkmNCxWcyfvzTXeP4gqvzqd9xkBTTiz5Kenb7rmfAs_7iJ7VTIXpB90Gjdv/s1600/screenshot.52.jpg)
- Transferring passwd to Albania:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4RALQUL4BsSVyrMjNkUTy2qXy_ZJWyAllMpsrE3Za0i15AeYbRU-2hbyH5Ppz70l8cPbZpoCuuMYvgWJHHEPr6Yf9eAFLCEsKByMIC0mlQm8_6xZ63ZxXLFvewKOURyhbrSJWtcKzp6tJ/s1600/screenshot.48.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUj6OFLfc5q1orMTDBkz8bPgfTIQOHRCBJDQHrzqVTizjfONg5nNeZqSiaV9Q-jVFifPetAXXkWYVei90mqCFCnb-InQ3njDbke-DPyX1bFv1u0mk5nuWDZcoELSx_p1fcPx-WW1DhEhA9/s1600/screenshot.53.jpg)
- Once the transfer is successful, passwd is copied over /etc/passwd:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1ZdYt3rbRxjue44tSk9pl1Qyvh3ymwf3EK032eY4PdR81k0dF2JZhqZXvDSdH_0yHOy_RkBwIXYnmygA6h5cRLB4og2NoPjBhAc-XndkIOKRWeCZJrZAVnD5jx4sYAUxM-eLdDybIsPM5/s400/screenshot.55.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirh_5EcSFO9LGuBYHgt_dUJQPFwmP3qfUZn6KlGQvshGFF-VJkuzMzzH0IV-JedGU40G3_TzGkxid8-0uvyEWmFDJ5gIHuvabiBzBIqXeYAsVk5-X4nnPUlDlR6fXTORsQ9U7ZnuRKFQ5Z/s1600/screenshot.68.jpg)
- Finally, SSH-ing to Albania with the new credentials taviso:bye:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMahoN6MLfS3zjWk744vBZqixckkAZQYbHxwxCp_1t_FPrgoXdasv0NYFQCKB-OpRvs_ERmvSwNLo1Lm5nmnHsVCdxBpFbyRCL8YmtDGdX5Ob6QhjOFXZ0zBkNrVe6HKFhP7l0FX1UlNYB/s1600/screenshot.56.jpg)
- Checking sudo privileges, we discover that taviso is able to run ALL commands:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjov5vQX7wumU0B5AbSkzZe6WpMb6AY1aZ9j2QA0Y8aD1mGYAcqDgZWmToC5dNxyRmKLVAbb1qxuFgOtrjbiG0vdhFN22kdY2uc713YZhKPaLKOHB4XMl7EoLBzxv6IRTKae4Bg5S4jOHOJ/s1600/screenshot.58.jpg)
- Getting a root shell:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-5D2IQMFneYexLoBm2gtAtrt1p53M629WJR9tdgi9NzL8gyKVw1a53hBOLMI4cLuy7TS4vWq2tWD7oLnn8jAECSleFAsuwyyagWOJoHo5jM0bjlNq6qtfXXTEpLMK3X-P1B7xhpi3gmML/s1600/screenshot.57.jpg)
- Alternatively, instead of SSH-ing, this procedure could be followed:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-_BHnuyYMujqWrRwf_qPOkNGwXuZ3wZPzsquI3UgNH_-gMUidYKNcAHJ114ubYyB3Cnfe1lPVLozhFQiDhTKef1or80jQm2eOJCtEKzfVUKMq1TLAaESmhyphenhyphenfZhBNKUn7gsRCuwyoyKIWB/s1600/screenshot.98.jpg)
5.2) creating a new user with root privileges
- Using again openssl:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUYZlosIg-Q-ncetTzIBuEJvoFZZB0Jnjrn5f1YZEAGaRlKMndC-W-rixiwWQy3LjTVba6aA0owRD9jPUi7RuCqeXgaCkHggpdjmKxbbUE8fZ9DGkP-RSNtZpemsLzrqLxh-_Z-yvyXCPD/s1600/screenshot.95.jpg)
- Adding an entry for a new user whitelist and following the same procedure as in section 5.1, we finally have an /etc/passwd like this:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjk2fvm42mY98RotRYaq52yRawkgbqwm2yKXDJuGNkH8KedWClAAO404e3ppIzXM3gImVRue1AMasVxRVAfE8DPkdHBm_TXdMGgA-RfAkWDldlTzRTaogWwrO_GImfsS-SMLCUkP8tqIA4H/s1600/screenshot.96.jpg)
- whitelist is ready to log in:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQecOT30aQ08_spOIqh1AFzrYe6sWr1ux2pUvNAA3rc-dolXkERCsgPr981ria8f9raMDG0lRFUw8HmrDTMKtQNh2KZksYV6264PcGKYY7JEab2vf8jfAQERRfP2uExxgkoJWfbMuK3grf/s400/screenshot.91.jpg)
- Improving the shell:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRHbUxCvNTBpjU7xjityQ7AuLfOtWp3ur0kENqbqoAGMZw7lDlsKeJJi4Km9xH4t4m8Lo6C8Y7-uZtRyiERirSNih_U1xtSuTcUq016m-TD-P7Hh-QFaV0fkP8ymN7G7u59tm3_RcepOqm/s1600/screenshot.92.jpg)
- Now it works; we check that we have successfully added a new user with root privileges:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgchfm34wkBSC-V6uVRvwsd0kQvyhDOCJ7A-wnEqeGqcnJ0zBpHD4OOwd-zJpsS0Wlvz-hgxC8bILXIm3gEzQNQiJK75zWBI9vm64SpNg35Li_nfh3Qjenwus8fN1EErL3-MxZxlUFZXKlh/s1600/screenshot.93.jpg)
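Both escalation paths in section 5 leave traces that a host check can catch: the file mode that made /etc/passwd writable, a password hash sitting in the second field instead of the x that points to /etc/shadow, and a second UID 0 account. The audit below is an added example, not code from the post or from the machine; the sample passwd content is constructed here and the hash in the taviso line is a placeholder, not a real md5crypt value.

```python
import os
import stat

# Constructed sample modelled on the state of /etc/passwd after both
# steps of section 5: taviso carries a hash in the password field and
# whitelist is a second UID 0 account. The hash itself is a placeholder.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
taviso:$1$hello$PLACEHOLDERHASH:1000:1000:taviso:/home/taviso:/bin/bash
whitelist:x:0:0::/root:/bin/bash
"""


def audit_passwd_text(text):
    """Return a list of findings for the given /etc/passwd contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry ({len(fields)} fields)")
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            findings.append(f"line {lineno}: user {name} has an empty password field")
        elif pw not in ("x", "*", "!"):
            # Anything else is a hash (or plaintext) that bypasses /etc/shadow.
            findings.append(f"line {lineno}: user {name} has a password hash in /etc/passwd")
        if uid == "0" and name != "root":
            findings.append(f"line {lineno}: user {name} has UID 0")
    return findings


def mode_findings(mode):
    """Findings for a stat st_mode value; /etc/passwd should be 0644."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("/etc/passwd is world writable")
    if mode & stat.S_IWGRP:
        findings.append("/etc/passwd is group writable")
    return findings


def audit_passwd_file(path="/etc/passwd"):
    """Combine the permission check and the content check for a real file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return mode_findings(os.stat(path).st_mode) + audit_passwd_text(text)


if __name__ == "__main__":
    for finding in mode_findings(0o100666) + audit_passwd_text(SAMPLE_PASSWD):
        print(finding)
```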
6 - CAPTURING THE FLAG
- Going to the /root folder we can read flag.txt:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjx8wP3sMMNsICHmnayTNhAM7_PbJzIEkUWbfyxrHolsI-gQckMEYRDqiGg-D2dmEaQ6fXtkykDmIhySoTCTIIP8xH1_EBrtJ-Q8hpXwPvGsR2Z-9eOAPOErbyJEfZ5rfd439PT7x8_94Zq/s320/screenshot.59.jpg)
- Translating flag.txt from Albanian:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCPyQyCT0L3iidJoR8vj8vvheLh8_txp6zZTt8hKXSeFMfS3aoaDc351-Nkz1R0MBWRfnz-PkZ7diOu9Z_-Z7rtUY-kZGVmFDS91mZ5s8Wo-A-vPZIUMmcd2AOf1BrWVobXxEwfBdNy7Ju/s640/screenshot.60.jpg)
- About the last string:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj33vb975xGM1he6Wl-SP7Li_hOgvkzmK91v9pCfjQziGME8KTCv8Zc8V6tM8ESU-fvl8E1s-_e5nnyx7tVcpt76WMI4j6XFNxMWps14FL7UZXocX_7fcYAo7hcZiStDGlAdgcfweVqg2yf/s640/screenshot.79.jpg)