
Vulnversity

 ·  ☕ 1 min read  ·  ✍️ M4t35Z

Learn about active recon, web app attacks and privilege escalation.

Enumeration

Nmap

Open ports are:

  • 21 - vsftpd 3.0.3
  • 22 - ssh
  • 139 - smb
  • 445 - smb
  • 3128 - Squid http proxy 3.5.12
  • 3333 - Apache httpd 2.4.18 ((Ubuntu))

Dirsearch

There is /internal, which is a file upload page.

Trying to get a shell

  • Some extensions are blocked, like .php
    Fuzz what we can upload.
    We could upload .phtml

  • Just rename a default php-reverse-shell.php to anything.phtml
    Upload it!
    But we don't know where it is.
    Dirsearch again in /internal
    There is /internal/uploads
    Go to /internal/uploads/php-reverse-shell.phtml
    And we GOT THA SHELL

    cat /home/bill/user.txt
    

    And we got the user flag too.
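
A defender's view of the filter bypass above, as an added example that is not part of the original writeup or the target's code: a blocklist that rejects only .php beside an allowlist that also renames the stored file. The function names, the allowed extension set and the sample filenames are assumptions.

```python
import os
import secrets
from typing import Optional

# Constructed filter mirroring the behaviour described above: only ".php" is rejected.
BLOCKED = {".php"}
# Assumption: the upload feature only needs to accept these document/image types.
ALLOWED = {".pdf", ".png", ".jpg", ".jpeg"}


def blocklist_accepts(filename: str) -> bool:
    """Weak check: accept anything whose extension is not explicitly blocked."""
    ext = os.path.splitext(filename)[1]
    return ext not in BLOCKED


def allowlist_store_name(filename: str) -> Optional[str]:
    """Hardened check: return a server-generated storage name, or None to reject."""
    # Drop any client-supplied directory part, then normalise case and
    # trailing dots/spaces before reading the extension.
    base = os.path.basename(filename.replace("\\", "/")).strip().rstrip(". ")
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        return None
    # The client's name is never reused, so the stored path cannot be guessed
    # from the upload request or found by name during directory enumeration.
    return secrets.token_hex(16) + ext


def compare(filenames):
    """Return (name, blocklist_accepts, allowlist_accepts) for each upload."""
    return [(n, blocklist_accepts(n), allowlist_store_name(n) is not None)
            for n in filenames]


# Constructed sample uploads; the two shell names are the ones used in this writeup.
SAMPLES = ["report.pdf", "photo.JPG", "notes",
           "php-reverse-shell.php", "php-reverse-shell.phtml"]

if __name__ == "__main__":
    for name, weak, strong in compare(SAMPLES):
        print(f"{name:28} blocklist={'accept' if weak else 'reject':6} "
              f"allowlist={'accept' if strong else 'reject'}")
```

The allowlist rejects the .phtml upload that the blocklist lets through, and an accepted file no longer keeps the name the client chose.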

Privesc

  • Search for SUID binaries

    find / -perm /6000 2>/dev/null | grep bin
    

    /bin/systemctl stands out; maybe we can use it to get root
    GTFOBins
    Use it and cat /root/root.txt to /tmp/output
