Dawn

Nmap

sudo nmap 192.168.152.11 -p- -sS -sV

PORT     STATE SERVICE     VERSION
80/tcp   open  http        Apache httpd 2.4.38 ((Debian))
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL 5.5.5-10.3.15-MariaDB-1
Service Info: Host: DAWN

On port 445 we are able to list shares without credentials. We see the share ITDEPT is open to us.

smbclient -U '' -L \\\\192.168.152.11\\

We then connect directly to the ITDEPT share.

I then used curl to test for file upload on the share and confirmed I was able to upload a PHP reverse shell, which might come in handy later.

Running dirsearch.py on port 80 reveals two interesting directories.

Moving into logs shows a list of logs, where management.log is the only one we have permission to access.

When reading the log file, the lines below appear frequently.

Knowing that we have write access to the ITDEPT share, we can upload a reverse shell, name it web-control, and in theory it should be executed.
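As an added defender-side check (not part of this write-up, and not the box's real configuration), the Python below parses a constructed smb.conf and system crontab to flag a share that anonymous users can write to and whose contents a root cron job executes, which is the chain relied on here; the share path, the cron schedule and the assumption that a cron job runs web-control are mine.

```python
import configparser

# Constructed smb.conf fragment (not from the box). The ITDEPT share name is
# from the write-up; its path and settings are assumptions for illustration.
SMB_CONF = """[ITDEPT]
path = /home/dawn/ITDEPT
writable = yes
guest ok = yes
[backups]
path = /srv/backups
read only = yes
guest ok = yes
"""
# Constructed system crontab (user field present). The web-control name is
# from the write-up; the schedule, user and path are assumptions.
CRONTAB = """* * * * * root /home/dawn/ITDEPT/web-control
0 3 * * * root tar czf /srv/backups/www.tgz /var/www
"""

def _yes(value):
    return value.strip().lower() in {"yes", "true", "1"}

def guest_writable_shares(conf_text):
    """Return {share: path} for shares that allow guest access AND writes."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    found = {}
    for name in cp.sections():
        s = cp[name]
        if name == "global" or "path" not in s:
            continue
        guest = _yes(s.get("guest ok", "no")) or _yes(s.get("public", "no"))
        # Samba defaults to read only = yes; writable = yes overrides it.
        writable = _yes(s.get("writable", "no")) or not _yes(s.get("read only", "yes"))
        if guest and writable:
            found[name] = s["path"].rstrip("/")
    return found

def cron_jobs_in_shares(crontab_text, shares):
    """Return (share, user, command) for cron commands that run from a share path."""
    findings = []
    for line in crontab_text.splitlines():
        fields = line.split(None, 6)  # 5 schedule fields, user, command
        if line.lstrip().startswith("#") or len(fields) < 7:
            continue
        user, command = fields[5], fields[6]
        for share, path in shares.items():
            if command == path or path + "/" in command:
                findings.append((share, user, command))
    return findings
```

Any finding where the cron user is root is the combination to remove first: either drop guest write access on the share or stop executing anything stored on it.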

Firstly I created a file called web-control and inserted a netcat reverse shell into it.

This was then uploaded to the SMB share.

After doing so I soon received a shell back on my netcat listener.

Then we can upgrade the shell to something nicer.

After doing so, I transferred linpeas over from my attacking machine by uploading it to the SMB share. After running linpeas we identify the binary zsh as having the SUID bit set.

As zsh is a shell binary, all we need to do is execute the full path of zsh to gain a root shell.
