Pwning Photographer!!- OSCP Type Machine Write-up
This is one of the intermediate machines from Offensive Security Proving Grounds. So let’s dive in as per our goal.
I exported the IP as an environment variable and scanned the victim’s machine quietly ;-) The results are:
After a shot on port 80, we got:
The same procedure goes for HTTP on port 8000, as shown:
Similarly, I followed the same for directories as well, on ports 80 and 8000.
Found $IP:8000/admin through the above results, and creds from SMB port enumeration, with the password as baby####
(I left these symbols to be replaced by your investigation ;-)))
After a successful login, the import content functionality was allowed, so I uploaded a PHP reverse shell with a .jpg extension, intercepted the request with Burp, and changed the file name from php-rev-shell.php.jpg back to php-rev-shell.php.
After executing the file on the web page, my nc was listening on my machine, and yeah, we got a reverse shell.
Enumerating the victim’s machine initials:
During reconnaissance, below is the user.txt flag
So after enumerating the target, I checked for SUID binaries and surprisingly found /usr/bin/php7.2
php7.2 had the SUID bit set, and we can easily escalate our privileges by using php7.2 like this:
/usr/bin/php7.2 -r "pcntl_exec('/bin/bash', ['-p']);"
Annddd!!! we are root!!!!
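The SUID finding above, seen from the defender's side: an added example (not part of the original write-up) that audits a directory tree for set-uid files whose names match script interpreters or shells, as /usr/bin/php7.2 did here. The watch list and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag set-uid files that are interpreters or shells.
# A set-uid interpreter runs caller-supplied code with the file owner's
# privileges, which is the misconfiguration found on this machine.

# Constructed watch list of basename patterns; extend it for your estate.
SUID_WATCHLIST='php* python* perl* ruby* node lua* bash sh dash zsh'

# is_watched NAME: succeeds if NAME matches any watch-list pattern.
is_watched() {
    name=$1
    set -f                        # no filename expansion while splitting
    for pat in $SUID_WATCHLIST; do
        case $name in
            $pat) set +f; return 0 ;;
        esac
    done
    set +f
    return 1
}

# audit_suid ROOT: prints "FLAG <path>" for watched set-uid files and
# "INFO <path>" for other set-uid files; returns 1 if anything was flagged.
# Paths containing newlines are not handled.
audit_suid() {
    root=${1:-/}
    flagged=0
    # -xdev stays on one filesystem; -perm -4000 matches the set-uid bit.
    list=$(find "$root" -xdev -type f -perm -4000 2>/dev/null | sort)
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if is_watched "$(basename "$path")"; then
            echo "FLAG $path"     # fix: chmod u-s on the file
            flagged=1
        else
            echo "INFO $path"     # review against the distro's defaults
        fi
    done <<EOF
$list
EOF
    return $flagged
}

# Run as: sh audit.sh /usr
if [ "$#" -gt 0 ]; then audit_suid "$1"; fi
```

A FLAG line for an interpreter means the set-uid bit should be removed with `chmod u-s` and the package or provisioning step that set it should be tracked down.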
That’s all for now!!
Until Next Time,
“Hugs are more powerful than Handshakes”