80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Arrexel's Development Site
|_http-server-header: Apache/2.4.18 (Ubuntu)
5488/tcp filtered unknown
10459/tcp filtered unknown
11833/tcp filtered unknown
15168/tcp filtered unknown
27876/tcp filtered astrolink
37122/tcp filtered unknown
45155/tcp filtered unknown
53415/tcp filtered unknown
This made me believe that port 80 is the only attack vector, maybe somewhere to upload a malicious file?
gobuster dir -u http://10.129.165.204:80/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Clicking one of them took me to a web-based shell.
PHP version -> PHP 7.0.22-0ubuntu0.16.04.1 (cli) ( NTS )
Upload a reverse shell (the pentestmonkey script) and browse to uploads/php-reverse-shell.php to activate it.
The shell was not accessible (TTY not present), so I just used the python command to call it.
Once you have the shell, you can switch to a bash shell as the scriptmanager user:
sudo -u scriptmanager bash
There's a text.py script that runs every minute (run "date" and "ls -la" to confirm it).
Replace it with the following script:
How does it run as root?
- Because the text file was owned by root!
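
The weakness above is a job run by root that executes a script from a directory another account controls. The following audit for that condition is an added example, not part of the original writeup; the function name audit_root_job_dir and its trusted_uids parameter are hypothetical, and it assumes you pass in the directory the scheduled job reads its scripts from.

```python
import os
import stat


def audit_root_job_dir(path, trusted_uids=frozenset({0})):
    """Return (target, reason) findings for a directory whose scripts a
    privileged scheduled job executes. trusted_uids is the set of owners
    allowed to control that code (root only by default)."""
    findings = []

    def check(target, st):
        if st.st_uid not in trusted_uids:
            findings.append((target, "owned by uid %d" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((target, "group/world writable"))

    # Whoever can write to the directory can replace any script in it,
    # regardless of the mode bits on the script itself.
    check(path, os.stat(path))
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        st = os.lstat(full)
        if stat.S_ISLNK(st.st_mode):
            # The link target lives outside what this directory protects.
            findings.append((full, "symlink (target not controlled here)"))
        elif stat.S_ISREG(st.st_mode):
            check(full, st)
    return findings


if __name__ == "__main__":
    import sys
    target_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    for target, reason in audit_root_job_dir(target_dir):
        print("%s: %s" % (target, reason))
```

An empty result means every script, and the directory holding them, is owned by a trusted account and writable by nobody else.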