sudo nmap -p- -sS -sV
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Checking out port 80 directs us to a login page on /login.php.

Running against the web server reveals robots.txt

python3 -u -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 60 –full-url

The contents of robots.txt is shown below:

User-agent: *
Disallow: /
Disallow: /backup
Disallow: /admin
Disallow: /admin_area
Disallow: /r00t
Disallow: /uploads
Disallow: /uploaded_files
Disallow: /flag

Browsing to /admin_area shows the page below.

Viewing the source reveals sensitive information:

We can then login to /login.php with the credentials shown above. The following page reveals a web page for uploading files.

I then uploaded a PHP reverse shell which after upload showed a ‘success’ status message. Knowing the directory /uploaded_files/ exists we can then browse to this followed by the uploaded files name:

The page should hang and we will receive a shell on our netcat listener.

I could not see that Python was installed on this machine so I instead used the following command to upgrade the shell:

/usr/bin/script -qc /bin/bash /dev/null

From here I transferred over linpeas from my attacking machine and let it run. The script picks up the username ‘technawi’ which is an alternative user on the box.

Running cat on the credentials.txt reveals login information. We can then use su to switch to the technawi user.

Checking sudo -l against the user reveals we can any command as any user on this machine.

We can then run the command below to spawn a root shell.

sudo /bin/bash
Posted on

Leave a Reply

Your email address will not be published. Required fields are marked *