Bashed
Nmap result:
This made me believe that port 80 is the only attack vector; maybe somewhere to upload a malicious file?
Ran gobuster
gobuster dir -u http://10.129.165.204:80/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/images
/php
/uploads/
/dev/
Clicking one of them took me to a web-based shell.
PHP version -> PHP 7.0.22-0ubuntu0.16.04.1 (cli) ( NTS )
Upload a reverse shell (pentestmonkey script) and go to uploads/php-reverse-shell.php to activate it.
Try to run LinEnum on it (uploaded via a Python HTTP server and wget; no curl downloaded).
The shell was not accessible (tty not present), so I just used the python command to call it.
Once you get the shell, you can go into the script manager's bash.
There's a text.py script that runs every minute (run "date" and "ls -la" to confirm it).
Replace it with the following script
How does it call root?
Because the text file was owned by root!
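The weakness described above is a script that runs with root's privileges every minute but can be replaced from a lower-privileged account. The following defender-side audit is an added example, not part of the original write-up; the function names are hypothetical, and it assumes you pass in the paths of the scripts that root's scheduled jobs execute.

```python
import os
import stat
import sys

def replaceable_by_untrusted(path, trusted_uids=frozenset({0})):
    """List reasons an account outside trusted_uids could modify or replace path."""
    reasons = []
    path = os.path.realpath(path)
    # Replacing a file only needs write access to its directory, so check both.
    for target, label in ((path, "script"), (os.path.dirname(path), "directory")):
        try:
            st = os.stat(target)
        except FileNotFoundError:
            reasons.append(f"{label} {target} does not exist")
            continue
        if st.st_uid not in trusted_uids:
            reasons.append(f"{label} {target} is owned by uid {st.st_uid}")
        # Conservative: flagged even if the directory has the sticky bit set.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append(f"{label} {target} is group- or world-writable")
    return reasons

def audit(paths, trusted_uids=frozenset({0})):
    """Map each risky script path to the reasons it was flagged."""
    findings = {}
    for p in paths:
        reasons = replaceable_by_untrusted(p, trusted_uids)
        if reasons:
            findings[p] = reasons
    return findings

if __name__ == "__main__":
    # Usage: pass the script paths run by root's scheduled jobs as arguments.
    for script, reasons in audit(sys.argv[1:]).items():
        print(script)
        for reason in reasons:
            print("  -", reason)
```

Any finding means the job should be moved to a root-owned, non-writable location or run as the unprivileged user that owns the directory.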