Following the previous article, where all exploits failed, there are still two doors to try:
- Nmap be a bit old
- Go for some "GRUB"
Nmap be a bit old
For this route, nmap is old: the installed version is 3.81, which can be abused via its --interactive option. More information on this can be found here. Basically, this is how it goes down:
- Log in with the chicken account acquired in key 2
- Load nmap in interactive mode
- Drop to a shell as root
- Go to the root folder, get the key, then decode it
Option 2 is not the best, but it works; it covers the threat where you have physical access to the machine rather than a remote shell.
Go for some GRUB
For this route we simply change the kernel options at boot time in GRUB.
- Select the recovery mode boot entry in the GRUB menu and press e to edit the line.
- Select the kernel line and press e again to edit it.
- Remove the ro setting on the kernel line and switch it to rw. Traditionally the kernel starts with the disk in read-only mode, and a process later on checks the integrity of the disk before switching it to read-write.
- Append init=/bin/bash to the end of the line. When the machine boots, it runs a program called init, usually found at /sbin/init, whose purpose is to perform all the system startup and create a usable environment; this option tells the kernel to run /bin/bash in its place.
- Press b to boot the system.
- Use the passwd command to set a new root password.
- Reboot the system.
- Log in with the new root password.
- Get the key.
And that concludes key 3.
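As an added defender-side check (my script, not part of the original walkthrough), the audit below looks for the two conditions behind both keys: a setuid nmap old enough to still carry --interactive, and a GRUB menu that can be edited without a password. The version threshold (interactive mode treated as present before 5.30) and the directive names it looks for in menu.lst and grub.cfg are my assumptions.

```shell
#!/bin/sh
# Added audit script (not from the walkthrough). Assumptions: nmap's
# interactive mode is treated as present in any release before 5.30, and
# boot-loader protection is recognised by a "password" line (legacy GRUB
# menu.lst) or "set superusers" plus "password_pbkdf2" (GRUB2 grub.cfg).

# Does this nmap version string (e.g. "3.81", "5.30BETA1") still carry --interactive?
nmap_has_interactive() {
    major=$(printf '%s' "${1%%.*}" | sed 's/[^0-9].*//')
    minor=0
    case $1 in *.*) minor=$(printf '%s' "${1#*.}" | sed 's/[^0-9].*//') ;; esac
    if [ "${major:-0}" -lt 5 ]; then return 0; fi
    if [ "${major:-0}" -eq 5 ] && [ "${minor:-0}" -lt 30 ]; then return 0; fi
    return 1
}

# A setuid nmap that still has --interactive is what makes the first route work.
check_nmap_binary() {   # $1 = path to nmap, $2 = its version string
    if [ -u "$1" ] && nmap_has_interactive "$2"; then return 0; fi
    return 1
}

# The GRUB edit only works when the boot menu is not password-protected.
grub_menu_locked() {    # $1 = menu.lst (legacy GRUB) or grub.cfg (GRUB2)
    if grep -Eq '^[[:space:]]*password([[:space:]]|$)' "$1"; then return 0; fi
    if grep -Eq '^[[:space:]]*set superusers=' "$1" &&
       grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]' "$1"; then return 0; fi
    return 1
}

# Stand-alone use: "sh audit.sh --audit" walks the live host.
if [ "${1:-}" = "--audit" ]; then
    find / -xdev -type f -perm -4000 -name nmap 2>/dev/null | while read -r f; do
        v=$("$f" --version 2>/dev/null | sed -n 's/^[Nn]map version \([0-9.A-Za-z]*\).*/\1/p')
        check_nmap_binary "$f" "$v" && echo "setuid nmap at $f ($v) still has --interactive"
    done
    for cfg in /boot/grub/menu.lst /boot/grub/grub.cfg /boot/grub2/grub.cfg; do
        [ -f "$cfg" ] || continue
        grub_menu_locked "$cfg" || echo "$cfg: boot menu can be edited without a password"
    done
    # A menu password covers only the menu; booting other media or pulling
    # the disk still needs firmware boot-order locks and disk encryption.
fi
```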