Pwning Photographer!!- OSCP Type Machine Write-up

This is one of the intermediate machine from Offensive Security Proving Grounds!. So let’s dive in as per our goal.

Greetings!!!,

Okay so…

Target: 10.0.2.9

Exporting IP as environment variable and scanned victim’s machine quietly ;-) the results are:

After a shot on port 80, we got:

Same procedure goes with http on port 8000 as shown:

Similarly following the same for Directories as well for port 80,8000.

Found $IP:8000/admin through above results and creds from smb port enumeration, the password as baby####

(I left these symbols to be replaced by your investigation ;-)))

After successful login, import content functionality was allowed, so I uploaded php reverse shell with .jpg entension and intercepted the request with burp and changed the file name back from php-rev-shell.php.jpg back to php-rev-shell.php

After executing the file on the web page, my nc was listening on my machine, and yeah we got a reverse shell

Enumerating the victim’s machine initials:

During reconnaissance, below is the user.txt flag

PRIVILEGE ESCALATIONS

So after enumerating the target, I checked for SUID binaries and surprisingly found /usr/bin/php7.2

php7.2 was set to suid and we can easily escalate our privileges by using php7.2 like this:

/usr/bin/php7.2 -r "pcntl_exec('/bin/bash', ['-p']);"

Annddd!!! we are root!!!!

That’s all for now!!

Until Next Time,

“Hugs are more powerful than Handshakes”

— — — — — — — — — — — — —

For any suggestions or queries, ping me:

https://www.linkedin.com/in/user-neeleshpatel/

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Neelesh Patel

Neelesh Patel

Cybersecurity | CTFs | Networking |