PyExp CTF Write-up

Substing

This began with Nmap which revealed two open ports.

The SSH version is relatively up to date so I did not bother with it.

A quick Google search revealed that the default MariaDB username is ‘root’. Using this information, I initiated Medusa to brute force MySQL.

The credentials let me log in to the SQL server.

I found two pieces of data in a table called ‘fernet’. Looking up fernet, I found an online decoding tool.

It looked like the decoded data was a username/password pair. Attempting this on SSH worked.

I’m in.

I looked at sudo permissions and found a Python script that was executable as root.

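The script takes user input and passes it to exec(). exec() is a built-in function that executes whatever string it is given as Python code, so when the script is started through sudo, anything typed at its prompt runs as root.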
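
An added example (not part of the original write-up, and not the box's script): a small AST check that flags exec()/eval() calls whose argument is not a fixed string literal, which is the pattern described above. The two sample sources, the variable name `uinput` and the function names `call_name` and `find_dynamic_exec` are constructed for illustration.

```python
import ast

DANGEROUS = {"exec", "eval"}

# Constructed sample: user input handed straight to exec(), as described above.
VULNERABLE_SRC = '''
uinput = input("value: ")
exec(uinput)
'''

# Constructed sample: same prompt, but the input is parsed as a literal only.
HARDENED_SRC = '''
import ast
uinput = input("value: ")
print(ast.literal_eval(uinput))
'''


def call_name(func):
    """Return the called name for exec(...), eval(...) or builtins.exec(...)."""
    if isinstance(func, ast.Name):
        return func.id
    if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
            and func.value.id == "builtins"):
        return func.attr
    return None


def find_dynamic_exec(source):
    """List (line, name) for exec/eval calls fed anything but a string literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = call_name(node.func)
        if name not in DANGEROUS:
            continue
        arg = node.args[0] if node.args else None
        if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
            continue  # fixed string: not influenced by whoever runs the script
        findings.append((node.lineno, name))
    return sorted(findings)


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("hardened", HARDENED_SRC)):
        print(label, find_dynamic_exec(src))
```

Scripts that sudoers allows to run as root are the first place to run a check like this.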

Using the ‘os’ module, I was able to open a shell as root.

That completed the box.