# JISCTF

## Nmap

```
sudo nmap 192.168.152.25 -p- -sS -sV

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Checking out port 80 directs us to a login page on /login.php.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-da31a32363397bc0b85dfc361ccbb3431bddf4bb%2Fimage.png?alt=media)

Running `dirsearch.py` against the web server reveals robots.txt.

```
python3 dirsearch.py -u http://192.168.152.25 -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 60 --full-url
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-3e865229771efdc1e3cfc45577ab77f56329c5b8%2Fimage.png?alt=media)

The contents of robots.txt are shown below:

```
User-agent: *
Disallow: /
Disallow: /backup
Disallow: /admin
Disallow: /admin_area
Disallow: /r00t
Disallow: /uploads
Disallow: /uploaded_files
Disallow: /flag
```

Browsing to /admin\_area shows the page below.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-18edcddd5b12a4c4d663ff6ef6785088e7034b62%2Fimage.png?alt=media)

Viewing the source reveals sensitive information:

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-9770ee1bc024bd418504e04bcc6913d431dbeb59%2Fimage.png?alt=media)

We can then log in to /login.php with the credentials shown above. The following page reveals a web page for uploading files.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-cfa8c34241b74cf42a0cae692c3ee3e26c3ab459%2Fimage.png?alt=media)

I then uploaded a [PHP reverse shell](https://github.com/pentestmonkey/php-reverse-shell), which after upload showed a 'success' status message. Knowing the directory /uploaded\_files/ exists, we can then browse to this followed by the uploaded file's name: <http://192.168.152.25/uploaded_files/phpshell.php>.

The page should hang and we will receive a shell on our `netcat` listener.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-3577f6fb47b6cefcc98690e086d6317814c6150b%2Fimage.png?alt=media)
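From the defender's side, a request for a script file inside the upload directory is visible in the Apache access log. The added example below (not part of the original writeup) scans combined-format log lines for such requests; the log lines and client address are constructed, and the extension list is an assumption.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" format: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Upload directories as listed in the robots.txt above.
# Assumption: these extensions are the ones the server hands to PHP.
UPLOAD_DIRS = ("/uploads/", "/uploaded_files/")
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)

SAMPLE_LOG = [  # constructed log lines, not captured from the target
    '203.0.113.5 - - [01/Jan/2021:10:00:01 +0000] "GET /login.php HTTP/1.1" 200 1042 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2021:10:02:10 +0000] "GET /uploaded_files/report.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2021:10:03:45 +0000] "GET /uploaded_files/phpshell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2021:10:04:02 +0000] "GET /uploaded_files/PHPSHELL.PHP?x=1 HTTP/1.1" 404 275 "-" "Mozilla/5.0"',
]

def suspicious_upload_hits(lines):
    """Return (host, time, path, status) for script requests under upload dirs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        # Normalise: drop the query string, decode %xx escapes, fold case.
        path = unquote(urlsplit(m["path"]).path).lower()
        if not path.startswith(UPLOAD_DIRS):
            continue
        filename = path.rsplit("/", 1)[-1]
        if SCRIPT_EXT.search(filename):
            hits.append((m["host"], m["time"], path, int(m["status"])))
    return hits

if __name__ == "__main__":
    for hit in suspicious_upload_hits(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 means the server served or executed the file; upload directories should only ever return static content, so any hit is worth an alert.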

I could not see that Python was installed on this machine so I instead used the following command to upgrade the shell:

```
/usr/bin/script -qc /bin/bash /dev/null
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-65ce2a38b895a1b9dd709c2975454f27bb4bb3b0%2Fimage.png?alt=media)

From here I transferred over `linpeas` from my attacking machine and let it run. The script picks up the username 'technawi' which is an alternative user on the box.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-d8f8b07ed01576ff5837b8f2e0182a7a5d18d773%2Fimage.png?alt=media)

Running `cat` on the credentials.txt reveals login information. We can then use `su` to switch to the technawi user.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-178d95db2660f0fcba30b1aa5b0e25faa212a452%2Fimage.png?alt=media)

Checking `sudo -l` against the user reveals we can run any command as any user on this machine.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-419967ec95570646775ecd69c2e17c148af011c9%2Fimage.png?alt=media)

We can then run the command below to spawn a root shell.

```
sudo /bin/bash
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-f755ca3c9a9eabde21dec34aca914a156763b851%2Fimage.png?alt=media)
