Reverse shell and privilege escalation Final Project Walkthrough

This is a guide to how I solved part of my final cybersecurity project. The assignment was focused on penetration testing. Our task was to obtain access to a vulnerable Docker container from our Kali Linux VM and then escalate to root.
Here are the steps I took to achieve that.

My first step was to set up Docker on my Kali Linux VM. However, I encountered memory space limitations that prevented the Docker container from running properly. After multiple troubleshooting attempts — including reinstalling Docker and trying an Ubuntu VM — I ultimately opted for a clean reinstall of Kali.

To avoid the previous installation issue, I used the following command instead of the original Docker setup:

sudo apt-get install docker.io -y

Once I confirmed that the Docker container was running, I got to work. I checked for any running web services by opening a web browser and navigating to http://localhost:8080.

This loaded an Apache default landing page, confirming the server was active. I then tried to discover additional directories by brute-forcing the URL with Gobuster.
After running the command:

gobuster dir -u http://localhost:8080 -w wordlist.txt

I successfully discovered:

http://localhost:8080/robots.txt

Although access was restricted, upon inspecting the site I found a message from user Ann that contained user Rick's password hash and mentioned that SSH was disabled. I extracted Rick's password hash and used CyberChef to identify the hash format and recover the password, which turned out to be qwerty. Since SSH was disabled, I had to find another way to connect. I used nmap to check which other ports were open and found that port 2121 was listening, so I connected with lftp -p 2121 -u rick localhost and the password qwerty. Once inside, I ran ls -a, but permissions were restricted: I could not enter any directories or retrieve any of the files directly.

To get around these restrictions, I uploaded a PHP reverse shell that I found online. I customized the file by editing the IP address and port number, then used the put command to upload it to Rick's system via FTP. I also started a listener on my machine using:
nc -lvnp 4444

I then triggered the reverse shell by navigating to the uploaded PHP file in the browser. This gave me a shell session on the target machine as rick, which let me navigate to his .ssh directory and find the id_rsa file. Since downloading it was not an option, I opened it in a text editor and copied its contents into a text file on my own VM. I saved it as id_rsa and changed its permissions using

chmod 600 id_rsa

I ran ssh2john id_rsa > hash.txt to prepare the key for John the Ripper, and then ran

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

This revealed the passphrase: password. Now I could connect as Ann using

ssh -F /dev/null -i id_rsa -o IdentitiesOnly=yes -p 2222 ann@127.0.0.1

and entering the recovered passphrase when prompted.

Once there, I explored the directories with ls -a and found the file /usr/bin/special_file. I inspected it a bit more by trying to cat it and then running it. When I ran it, I gained root access!
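The walkthrough does not say how special_file granted root; assuming it was a set-uid root binary, the defender-side check that would have surfaced it is an audit of set-uid root executables against an allowlist. The following script is an added example written for this post, not part of the original project; the allowlist and sample entries are constructed.

```python
"""Added example: flag set-uid root binaries that are not on an explicit allowlist."""
import os
import stat
from typing import FrozenSet, Iterable, List, Tuple

# Constructed allowlist; a real baseline is taken from a known-good image.
DEFAULT_ALLOWLIST: FrozenSet[str] = frozenset({
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
})

Entry = Tuple[str, int, int]  # (path, st_mode, st_uid)


def suspicious_suid(entries: Iterable[Entry],
                    allowlist: FrozenSet[str] = DEFAULT_ALLOWLIST) -> List[str]:
    """Return regular files that are set-uid, owned by uid 0 and not allowlisted."""
    flagged = []
    for path, mode, uid in entries:
        if not stat.S_ISREG(mode):
            continue  # directories, symlinks and devices are not executables here
        if not (mode & stat.S_ISUID) or uid != 0:
            continue  # only set-uid *root* files give a caller root privileges
        if path in allowlist:
            continue
        flagged.append(path)
    return sorted(flagged)


def collect_entries(roots: Iterable[str]) -> List[Entry]:
    """Walk the given directories with lstat so symlinks are not followed."""
    entries: List[Entry] = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # vanished or unreadable entry; skip rather than abort
                entries.append((path, st.st_mode, st.st_uid))
    return entries


# Constructed sample mirroring the container: one unexpected set-uid root binary.
SAMPLE: List[Entry] = [
    ("/usr/bin/passwd", stat.S_IFREG | stat.S_ISUID | 0o755, 0),
    ("/usr/bin/special_file", stat.S_IFREG | stat.S_ISUID | 0o755, 0),
    ("/usr/bin/ls", stat.S_IFREG | 0o755, 0),
    ("/home/rick/tool", stat.S_IFREG | stat.S_ISUID | 0o755, 1001),  # set-uid, not root
]

if __name__ == "__main__":
    for p in suspicious_suid(SAMPLE):
        print("unexpected set-uid root binary:", p)
```

Running it against a live system is `suspicious_suid(collect_entries(["/usr/bin", "/usr/sbin"]))`; anything it prints should either be added to the baseline deliberately or have its set-uid bit removed.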
