
# JISCTF

## Nmap

```
sudo nmap 192.168.152.25 -p- -sS -sV

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Checking out port 80 directs us to a login page on /login.php.

![](/files/-MXSjbNUJMIEIDMr9Wka)

Running `dirsearch.py` against the web server reveals robots.txt.

```
python3 dirsearch.py -u http://192.168.152.25 -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 60 --full-url
```

![](/files/-MXSjqC4xGitsm3GH5s3)

The contents of robots.txt are shown below:

```
User-agent: *
Disallow: /
Disallow: /backup
Disallow: /admin
Disallow: /admin_area
Disallow: /r00t
Disallow: /uploads
Disallow: /uploaded_files
Disallow: /flag
```

Browsing to /admin\_area shows the page below.

![](/files/-MXSkJ7C8pmJ9TKwELH-)

Viewing the source reveals sensitive information:

![](/files/-MXSkQZpxle-qrnYOViz)

We can then log in to /login.php with the credentials shown above. The page that follows is a form for uploading files.

![](/files/-MXSkeVSENJIMdRWnDtd)

I then uploaded a [PHP reverse shell](https://github.com/pentestmonkey/php-reverse-shell), which after upload showed a 'success' status message. Knowing the directory /uploaded\_files/ exists, we can then browse to it followed by the uploaded file's name: <http://192.168.152.25/uploaded_files/phpshell.php>.

The page should hang and we will receive a shell on our `netcat` listener.

![](/files/-MXSlabH7I3RaXmGF74A)
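
From the defender's side, the step above leaves a clear trace in the web server's access log: a request for a server-side script served out of the upload directory. The check below is an added example, not part of the original writeup; it assumes Apache's common/combined log format, and the log lines and client addresses are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache common/combined log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumptions: the upload directory seen on this box, and extensions that a
# mod_php style setup commonly hands to the interpreter.
UPLOAD_PREFIXES = ("/uploaded_files/",)
# Also matches "x.php.jpg" and "x.php/extra", which some handler configs execute.
SCRIPT_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)(\.|/|$)", re.IGNORECASE)

# Constructed sample lines (client addresses are documentation-range values).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2021:10:01:12 +0000] "GET /login.php HTTP/1.1" 200 1485',
    '203.0.113.7 - - [10/Apr/2021:10:02:05 +0000] "GET /robots.txt HTTP/1.1" 200 160',
    '198.51.100.9 - - [10/Apr/2021:10:04:31 +0000] "GET /uploaded_files/report.pdf HTTP/1.1" 200 48211',
    '203.0.113.7 - - [10/Apr/2021:10:06:44 +0000] "GET /uploaded_files/phpshell.php HTTP/1.1" 200 92',
    '203.0.113.7 - - [10/Apr/2021:10:07:02 +0000] "GET /uploaded%5Ffiles//phpshell.php?x=1 HTTP/1.1" 404 275',
]

def script_hits_in_uploads(lines, prefixes=UPLOAD_PREFIXES):
    """Return (client, timestamp, normalized path, status) for every request
    that targets a server-side script inside an upload directory."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        # Drop the query string, decode %xx, collapse "//" so variants still match.
        path = unquote(urlsplit(m["target"]).path)
        path = re.sub(r"/{2,}", "/", path)
        if path.startswith(prefixes) and SCRIPT_EXT_RE.search(path):
            hits.append((m["host"], m["ts"], path, int(m["status"])))
    return hits

if __name__ == "__main__":
    for hit in script_hits_in_uploads(SAMPLE_LOG):
        print(hit)
```

A 2xx status on a hit means the server answered for that script path, which is the case to triage first; the durable fix is to stop the upload directory from executing scripts at all.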

I could not see that Python was installed on this machine so I instead used the following command to upgrade the shell:

```
/usr/bin/script -qc /bin/bash /dev/null
```

![](/files/-MXSlsBiqKF0Di1hb73q)

From here I transferred over `linpeas` from my attacking machine and let it run. The script picks up the username 'technawi' which is an alternative user on the box.

![](/files/-MXSwFTrbJ0ZwNhv8sdb)

Running `cat` on the credentials.txt reveals login information. We can then use `su` to switch to the technawi user.

![](/files/-MXSwTHwIUXRrt8TEo79)

Checking `sudo -l` against the user reveals we can run any command as any user on this machine.

![](/files/-MXSwbbZhq-Fszr7xMMQ)

We can then run the command below to spawn a root shell.

```
sudo /bin/bash
```

![](/files/-MXSwpjKaxZrLFxqbufN)

