21 hours 43 minutes
Welcome to part two of the privilege escalation lab. Now we're going to focus on the Lennox box.
So I hinted that it is a web based the foothold.
So we'll just go to this in a browser.
1- five. Now
the name of this box is escalate.
So it's a value box. If you want to
research this with other walk throughs, I suggest that I'm just gonna do one exploitation path
to get to root. There are apparently 11 others,
So try all 11 if you want to.
Um But this is how you get better right through practice.
So Okay, so now I wanna I could use Derby on this.
I told you I like to use what what web to see the technology. Of course we already know this is Apache,
but still what web?
See what we are.
Okay. Nothing, nothing. Earth shattering shattering here, we see is immune to.
So if I run Derby
and I specify for extension PHP
we see we have shelled out PHP. Well that makes things really easy.
So we're user six.
Okay, well let's get a foothold on this machine.
Okay. I said, I don't know. PHP shells aren't aren't the best. So I'm gonna use MSF venom
Payload is going to be Lennox x 86.
We can do interpreter. Let's let's mix things up here.
report equals for
Shell dot elf.
So because I'm using an interpreter, I now have to use
so I can split this.
I am going to do MSF console
now if you use multi handler right.
Use exploit multi handler
Sent. L host 1921681
50 set. Help port
looks right, You run and set this as a job in the background.
So now what would I need to do again is set up my
little server here,
don't specify another poor you can do that.
So now it's on Port 8888.
So what I can do from here
as I can
make sure that.
Okay this is on the desktop
If you try to get this in this directory is not going to work. You don't have permission. So I always like to put things in temp
because it's globally readable. Writable executed. All right.
So first I have to ask that work
and we see the get request here.
So if you want to verify that we of course can do
And we see
that it's there. We did some odd this now
To let it execute commode 777.
And now let's hope that
we can make this execute. It looks like it did.
So our sessions
Let's drop into a shell.
Now you notice this is not the best show in the world.
So what I want to do is bin bash I
and that's much nicer isn't it?
So I want to look for sewage binaries. That's something that I like to do. I don't know what my password is. Right? So if I do Sudo L
while says no T T Y. Present
that this is even it looks nice. It's still a bad shell in my opinion.
but let's try to find sewage binaries
and this is how you do it
as soo ID
And again, I think the bible for this or the manual is Got Milks
Lennox privilege escalation guide.
We'll see something interesting towards the end here.
Okay. I see something called Shell.
Is this a sewage binary?
And who owns it?
we see Root owns this and we see a little less
And we see that we can execute it.
So what if we do that?
You can always see what this is. File. Shell
do strings if you want,
see what's going on in here
and we can always run this.
It's an arrow root.
So that's only one way. There are many, many others. And I would highly recommend
that you explore all those other ways to escalate privileges on this box and that's why I chose it because there's just so many different ways to do it.
So go ahead and find your own way to get to root on this box.