By: Nicholas Werner
Starting off with an nmap scan
We are going to use GoBuster to enumerate files and directories.
Install GoBuster with the command below:
We want to visit the web page to see if we can find anything interesting.
Through GoBuster we were able to find this /internals page which appears to allow us to upload a file.
We find out that .PHP files are not allowed to be uploaded.
.PHP, .PHP3, .PHP4, .PHP5, and .PHTML are all the PHP file types that we could try so that we could upload a PHP reverse shell.
.PHTML ends up being allowed so we can create our reverse with this file type.
We want to find pentestmonkey’s PHP reverse shell.
Copy this code.
Create a new file for this shell and name it php-reverse-shell.phtml so that we can upload it.
Change the IP to your tun0 and change the port to anything you would like, I did 4444 for simplicity sake.
Start a netcat listener to listen on port 4444.
Click Browse on the upload website, find your php reverse shell, and click Submit.
Now go to /internal/uploads/php-reverse-shell.phtml as shown below.
We now have a reverse shell!
whoami would usually show what user we are but after typing the command ls -la we can see that we have a user named bill.
If we cd into bill we can see the user.txt file so when we cat it out we find the first flag!
Now we want to see if any linux files have the SUID file permission that aren’t supposed to have it so that we can exploit it and escalate our privileges.
Once we enter the command below find / -user root -perm -400 -print 2>/dev/null we can see that /bin/systemctl stands out.
Now we go into the /opt folder for the next task.
We search GTFOBins for systemctl SUID privilege escalation.
The first thing we need to is create an environment variable with priv=$(mktemp).service
Now we need to create a unit file and assign this to the environment variable with the next 4 commands as shown below.
What we have done here is to simply create a service which will be executing “BASH”, then reading the flag from the root directory and then writing it in the flag (file) in /opt directory.
Now we need to run this unit file using systemctl with /bin/systemctl enable — now $priv
Finally, we just need to get the flag with ls and cat flag!