# Nmap scans
- light ![[images/Pasted image 20260703210007.png]]
- whelp - maybe we need those `id_rsa` privkeys from DC01
- detailed ![[images/Pasted image 20260703210110.png]]
# SSH connection
- download `id_rsa` privkeys from DC01 ![[images/Pasted image 20260703210233.png]]
- harry and james keys need an accompanying password ![[images/Pasted image 20260703210508.png]]
- we get on 172.16.9.25 as `ssmallsadm` ![[images/Pasted image 20260703210527.png]]
# Shell as `ssmallsadm`
- light enum ![[images/Pasted image 20260703210734.png]]
- other networking checks ![[images/Pasted image 20260703210913.png]]
- not much in home dir ![[images/Pasted image 20260703210820.png]]
- OS and kernel versions ![[images/Pasted image 20260703211645.png]]
- limited login shells ![[images/Pasted image 20260703210844.png]]
- pull down `linpeas.sh` from Kali
- check `sudo` ![[images/Pasted image 20260703212041.png]]
- not vulnerable b/c it doesn't ask for a password ![[images/Pasted image 20260703212222.png]]
- check for `CVE-2021-3560` exploits ![[images/Pasted image 20260703212106.png]]
# Polkit exploit
- pull down `traitor-amd64` from Kali and make executable ![[images/Pasted image 20260703212502.png]]
- confirm vuln ![[images/Pasted image 20260703212511.png]]
- exploit > rooted! ![[images/Pasted image 20260703212714.png]]