Nmap result:

80/tcp    open     http      Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Arrexel's Development Site
|_http-server-header: Apache/2.4.18 (Ubuntu)
5488/tcp  filtered unknown
10459/tcp filtered unknown
11833/tcp filtered unknown
15168/tcp filtered unknown
27876/tcp filtered astrolink
37122/tcp filtered unknown
45155/tcp filtered unknown
53415/tcp filtered unknown

This made me believe that the port 80 is the only attack vector, maybe somewhere to upload malicious file?

Ran gobuster

gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt





clicking one of them took me to a web based shell.

PHP version -> PHP 7.0.22-0ubuntu0.16.04.1 (cli) ( NTS )

Upload a reverse shell (pentest monkey script) and go to the directory uploads/php-reverse-shell.php to activate it.

Try to run LinEnum on it (uploaded via python HTTP server & wget - no curl downloaded )

the shell was not accessible (tty not present) so I just used the python command to call it.

Once you get the shell, you can go into the script manager's bash

sudo -u scriptmanager bash 

there's script that's running every min (run "date" & "ls -la" to confirm it)

replace it with the following script

import socket,subprocess,os

How does it call root?

  • because the text file was the root!

Last updated