Potato gives reference to a machine that does the square root of zero, a bit like a potato. The website running has nothing but an index page and a phpifno() page that I didn’t find anything of use on. That only leaves brute forcing the SSH login with the hint given by the box authors that the lab name, Potato, has something to do with it. Finish off with a kernel exploit and call it a day.
Enumeration
Standard nmap scan:
1
nmap -sC -sV -p- $ip
Just an http server on port 80 and SSH login on port 7120, which will not be found if you do not run an all ports scan since it is not a top 1,000 port.
Running FFuF with a medium wordlist brings up nothing and running a big wordlist finds nothing other than a phpinfo() page, which left me none the wiser.
That leaves only SSH brute forcing. I take the author’s hint and grep out ‘potato’ from the rockyou.txt wordlist, which gives me over 770 words. You had no idea there were so many potato based passwords, did ya? I also made a short user list since I had seen nothing resembling a user name.
1
cat rockyou.txt | grep potato
1
hydra -v -V -u -L potato_user.txt -P /root/RockYou/potato.txt -t 4 -u $ip ssh -s 7120
I let this run to completion and walk away with nothing. Starting to feel like a bad night in Vegas. And I’m not even getting free drinks!
There’s no other obvious path, and the box authors wouldn’t put a hint there for nothing unless they were truly sick bastards, so I change the user to potato and run that against the entire rockyou.txt password list, not hoping for much.
1
hydra -v -V -u -l potato -P /root/RockYou/rockyou.txt -t 4 -u $ip ssh -s 7120
I let this run and do something more productive. Actually, I just used the internet for it’s intended purpose - funny cat videos. Imagine my surprise when I checked in on hydra and found this:
I SSH into the box without a problem and do the usual checks to find that there’s no other users, no fun files and I can’t use sudo; nothing even worthy of a screenshot. I don’t waste any time uploading my enumeration tools. I run my go-to tool, lse.sh and it doesn’t come back with anything other than some cron jobs which don’t look too hopeful. Next step is to run linPEAS.sh which lights up the kernel straight away.
I go straight to the Exploit Database while linPEAS finishes it’s scan and find a familiar exploit. https://www.exploit-db.com/exploits/37292
To try and reduce “machine gunning” exploits at the box and hoping for the best, I also run Linux Enumeration Script to see if there are any common exploits, and there are.
Exploitation
The machine has gcc on it and it’s a straight forward compilation (with instructions, thank you!).
I am root!
I think I’ve got the screen recording figgered out, so here’s the link to the video: