# Nmap scans

- light
  ![[images/Pasted image 20260703210007.png]]
- whelp - maybe we need those `id_rsa` privkeys from DC01
- detailed
  ![[images/Pasted image 20260703210110.png]]

# SSH connection

- download `id_rsa` privkeys from DC01
  ![[images/Pasted image 20260703210233.png]]
- harry and james keys need an accompanying password
  ![[images/Pasted image 20260703210508.png]]
- we get on 172.16.9.25 as `ssmallsadm`
  ![[images/Pasted image 20260703210527.png]]

# shell as `ssmallsadm`

- light enum
  ![[images/Pasted image 20260703210734.png]]
- other networking checks
  ![[images/Pasted image 20260703210913.png]]
- not much in home dir
  ![[images/Pasted image 20260703210820.png]]
- OS and kernel versions
  ![[images/Pasted image 20260703211645.png]]
- limited login shells
  ![[images/Pasted image 20260703210844.png]]
- pull down `linpeas.sh` from Kali
- check `sudo`
  ![[images/Pasted image 20260703212041.png]]
- not vulnerable b/c doesn't ask for password
  ![[images/Pasted image 20260703212222.png]]
- check for `CVE-2021-3560` exploits
  ![[images/Pasted image 20260703212106.png]]

# Polkit exploit

- pull down `traitor-amd64` from Kali and make executable
  ![[images/Pasted image 20260703212502.png]]
- confirm vuln
  ![[images/Pasted image 20260703212511.png]]
- exploit > rooted!
  ![[images/Pasted image 20260703212714.png]]