RootMe

November 20, 2022

Reconnaissance

Scan the machine, how many ports are open? 2

What version of Apache is running? 2.4.29

What service is running on port 22? SSH

What is the hidden directory? /panel/

Although it's loud and overkill, here is the information from the nmap scan:

Then the hidden directory with dirb:

Getting a Shell

On http://<IP>/panel/ there is a file upload form that forbids .php file uploads.

First I set up my nc listener on my attacking machine. It then took me a minute because I had to figure out which extensions would be filtered out. You can see I had tried many extensions to bypass the filter. However, the phpRS.phtml file led me to success. There was a great resource to help understand file upload restrictions: https://lazarv.com/posts/bypassing-file-upload-restrictions/

Once I was in the /uploads directory I simply clicked on my file and was granted a shell on my attacker machine. I then used the find command to find which directory the flag "user.txt" would be in.
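The upload filter above fails because it is a denylist: it names the one extension it knows about (.php) and lets everything else through, including .phtml, which Apache's PHP handler also executes. The following is an added example, not code from the room or the write-up, modelling the weak check next to the hardened form a defender would ship: an allowlist of the extensions the application actually needs, a strict filename pattern, and a server-chosen stored name. The sample filenames and the allowlist contents are constructed for the example.

```python
import os
import re
import secrets

# Denylist as the lab's panel appears to use: refuses only names ending in ".php".
DENYLIST = {".php"}

# Allowlist a hardened handler would use: only what the feature needs (assumed set).
ALLOWLIST = {".png", ".jpg", ".jpeg", ".gif"}

# One plain stem, exactly one extension, no path separators, no dotfiles, no NUL.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})")


def denylist_allows(filename: str) -> bool:
    """Model of the weak check: anything not literally ending in .php is accepted."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in DENYLIST


def allowlist_allows(filename: str) -> bool:
    """Hardened check: the whole name must match SAFE_NAME and the single
    extension must be on the allowlist. Double extensions (shell.php.png),
    paths (../x.png) and unknown extensions (.phtml) are all refused."""
    m = SAFE_NAME.fullmatch(filename)
    if m is None:
        return False
    return "." + m.group(1).lower() in ALLOWLIST


def denylist_gaps(filenames):
    """Names the denylist would accept but the allowlist refuses: the
    gap an attacker has to find, and the cases a unit test should pin."""
    return [n for n in filenames if denylist_allows(n) and not allowlist_allows(n)]


def stored_name(filename: str) -> str:
    """Never reuse the client's name on disk: keep only the vetted extension
    and generate the stem server-side. Pair this with an upload directory
    outside the web root or one where script execution is disabled."""
    if not allowlist_allows(filename):
        raise ValueError("extension not permitted")
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed sample of what a filter sees during an upload attempt.
    sample = ["photo.png", "phpRS.php", "phpRS.phtml", "shell.php.png", "../photo.png"]
    for name in sample:
        print(f"{name:16} denylist={denylist_allows(name)!s:5} allowlist={allowlist_allows(name)}")
    print("gaps:", denylist_gaps(sample))
```

The denylist rejects only `phpRS.php`; `denylist_gaps` surfaces `phpRS.phtml` and the double-extension name as the cases the weak filter lets through, which is why the fix is to invert the logic rather than to lengthen the blocklist.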

Privilege Escalation

Using find again to search for SUID permissions, I find /usr/bin/python. This can be exploited using GTFOBins.

/usr/bin/python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

I am then granted root privileges!
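A SUID bit on an interpreter is the whole privilege-escalation path here, and it is exactly the kind of thing a periodic audit catches. The following is an added example, not part of the write-up or the room, that does what the `find` search does from the defender's side: enumerate SUID regular files, compare them against a baseline of the binaries a stock host is expected to carry, and report anything outside it. The baseline set is an assumed, abbreviated one; a real baseline comes from a known-good image of the same build. The entries in the test are constructed.

```python
import os
import stat

# Assumed baseline of SUID binaries expected on the host. Abbreviated for the
# example; derive the real list from a clean image of the same distribution.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp",
}


def is_setuid(mode: int) -> bool:
    """True for a regular file with the SUID bit set (what find -perm -4000 -type f matches)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def find_setuid(root: str = "/"):
    """Walk the tree and yield (path, mode) for every SUID regular file.
    Unreadable directories and vanished files are skipped, not fatal."""
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if is_setuid(st.st_mode):
                yield path, st.st_mode


def unexpected_setuid(entries, baseline=EXPECTED_SUID):
    """Return the SUID paths not covered by the baseline, sorted.
    An interpreter such as /usr/bin/python showing up here is a finding."""
    return sorted(path for path, mode in entries
                  if is_setuid(mode) and path not in baseline)


def remediation(path: str) -> str:
    """The command that removes the bit; run only after confirming the
    binary has no legitimate reason to be SUID."""
    return f"chmod u-s {path}"


if __name__ == "__main__":
    findings = unexpected_setuid(find_setuid("/"))
    for path in findings:
        print(f"unexpected SUID: {path}    fix: {remediation(path)}")
    if not findings:
        print("no SUID binaries outside baseline")
```

Run as an unprivileged user the walk may miss directories it cannot read, so the audit is most useful scheduled from a privileged job, with its output diffed against the previous run.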
