Php reverse shell terminated immediately2/12/2024 ![]() I checked the tmp directory and got the contents of root.txt Import shutil py(‘/root/root.txt’,’/tmp/dir234.txt’) This must run as a scheduled task running as root, So I tried to edit the file in nano and vi and the shell didn’t respond, so i created a new python script to read the root.txt file and save it to the tmp directory I opened test.py in nano to see what the code is and it just writes a text file with testing123! within it. From the permissions we can see test.py scriptmanager has rights and test.txt root has rights only. I found within the root of the drive a scripts folder which is out of the norm and scriptmanager had rights to this folder. ![]() Now I have more access to the box, I started to hunt round to find any routes to get root access. I can go back and try to run bash as scriptmanager with the following command “sudo -u scriptmanager bash” recall netcat to the foreground by pressing FG and enter. So now I ran python -c ‘import pty pty.spawn(“/bin/bash”)’, background the shell by pressing ctrl+z, typed stty raw -echo. I checked my netcat listener and got a call back with a shell. I browsed to the php page I’ve uploaded via. Started a netcat listener on my machine ‘nc -lvnp 5555’ I renamed the php file as checker.php, just to prevent it conflicting with anyone else’s files. so I decided to see if i can upload a php reverse shell to call back to my own machine.Ĭhanged the ip and port then uploaded it to the box using the same method to upload the LinEnum.sh but saved the file in /var/www/html/uploads So now I decided to create a reverse shell so i can get better control.Įarlier on in the dirbuster scan we found an uploads folder. so I presumed this is a restriction with the web shell. I ran LinEnum and immediatly from the results, we can see that we can run anything as scriptmanager under sudo with no password!!įirstly i tried running sudo -u scriptmanager /bin/bash and it failed to complete. LinEnum.sh and this failed to change the permissions, so tried chmod 777. I tried to run the file but failed on permissions, so used chmod +x. On the web shell I ran wget to download the file wget ![]() I browsed to /dev/shm so I can upload a Linux Priv Esc script.įrom my machine I ran Python -M SimpleHTTPServer in the directory where I keep LinEnum.sh ( ) you can see there was another user account ScriptManager, so will keep a look out for this and see if it can be used later. So now to start a priv esc on the box to get root. I browsed to /home/arrexel/user.txt and cat the results I browsed to /dev/phpbash.php and found we have a web shell running as www-data user. ![]() As I wanted to see if phpbash was available on this server.įrom the initial scan, We can see it’s found an upload directory and a dev directory with phpbash.php and. I had a quick explore of the site and checked all the links and found nothing further, so went back to my dirbuster scans to take a look to see what this has found.ĭirbuster was set to just search files and directories, recursive disabled. So from the site, its listing a web tool to provide a shell to the server and used for pen testing. So took a look at this and ran dirbuster and nikto scan in the background. Bashed box is now retired from hack the box and it was fairly straightforward.
0 Comments
Leave a Reply.AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |