Let’s start with our first step:
Open Ports enumerations using basic nmap scan.
From the nmap scan we can see there is one port open i.e., 80
Let’s do a directory brute force using dirb:
from dirb result we come across /dev, /uploads directory, let’s see what’s there using a web browser.
We try to access the php pages and see what’s there.
phpbash.php is a webshell which gives us “arrexel”user level shell and by traversing into diectories we can get the user flag.
Now we are going to upload a php shell into this machine using wget command and we will host that shell from our local machine using python SimpleHTTPServer.
The command to host a directory using python is as follows:
python -m SimpleHTTPServer <PORT>, by default it is 8000
Now from the earlier webshell we will wget a new shell from our machine to the victim’s machine.
we will modify the port for reverse shell and we will use netcat to listen to that specific port (1234 in my case) as per the edited shell above.
Now we will once try to access the uploaded shell from the browser.
Bingo we got the shell, but the shell is a low level www-data shell, we need to go for privilege escalation for root flag.
At first we need to convert this shell into fully interactive shell as shown below:
Cool, Now let’s check for Privilege escalation.
So it can be seen from the above screenshot that the user “scriptmanager” can run the commands as shown above.
Traversing through the directories we found out that there’s one folder “scripts” owned by the user scriptmanager.
Let’s have a look at what’s inside it.
So there are 2 files ; test.py and test.txt.
Upon reading the content of test.py, wwe can understand it is writing a text file test.py and writing “testing 123!” inside it.
Let’s try to run the python code test.py from here and see what do we get:
We don’t have permission to access test.txt.
Let’s see who owns test.txt.
Now, what we’re going to do is we’re going to create one python server from our local machine and host a python reverse shell, which we will wget into the compromised machine and then try to run the script.
Creating python server on your attacker machine to host a directory which contains the python reverse shell.
command: python -m SimpleHTTPServer <PORT>, by default it is 8000
we have used port 9999.
Since the directory scripts on the victim machine already had test.py, so our file will be renamed as test.py.1 automatically.
Anyway we will move the test.py1 to test.py file.
Let’s run this test.py script but before that we will setup a netcat listener for us to receive the reverse shell.
Listener is all set to receive any connection coming to port 3344.
Now running the test.py python reverse shell uploaded using wget above into the machine and see what happens next, will it send the reverse TCP connection on not.
After running the above script we receive a reverse TCP connection on our machine as can be seen below.
Bingo we’re root user now, we can traverse through directories to capture the root flag.
Thanks for Reading, Kindly give a clap if it was any helpful, and suggestion are welcomed.