As we can see there are two open ports: 22 (SSH) and 80 (HTTP). Let’s focus on port 80, as this is more likely to give us an entry point.
- Scan the machine, how many ports are open?
- What version of Apache is running?
- What service is running on port 22?
The website doesn’t show anything aside from the text above. The page source also doesn’t show anything interesting.
Time to enumerate!
That /panel looks interesting. Let’s take a peek.
- What is the hidden directory?
This is perfect. This could allow us to upload a web shell.
There are lots of available web shells out there but I’ll be using this one from Pentest Monkey.
Looks like uploading php files is not permitted.
I found 3 references on how to bypass PHP file upload restrictions like this one. The easiest method would be to change the file extension to something like “phtml”, which a typical Apache PHP handler still treats as PHP.
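As an added defensive illustration (not code from the room or this walkthrough), the weak check below rejects only “.php”, which is exactly why renaming to “.phtml” gets through, while the hardened check pairs an extension allowlist with the file’s magic bytes; function names and sample inputs are my own constructions.

```python
import os
from typing import Tuple

# Weak pattern: a blocklist that only names ".php". Anything the PHP
# handler also executes (for example ".phtml") slips straight past it.
BLOCKED_EXTENSIONS = {".php"}

# Hardened pattern: an allowlist of image extensions, each paired with
# the file signature (magic bytes) the uploaded content must begin with.
ALLOWED_IMAGE_SIGNATURES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def blocklist_check(filename: str) -> bool:
    """Weak check: accept the upload unless its extension is on the blocklist."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLOCKED_EXTENSIONS


def allowlist_check(filename: str, content: bytes) -> Tuple[bool, str]:
    """Hardened check: the extension must be allowlisted AND the content
    must start with the signature of that image type. Returns (ok, reason)."""
    base = os.path.basename(filename)
    # Exactly one dot: rejects double extensions such as "x.php.png"
    # and dotfiles such as ".htaccess".
    if base.count(".") != 1 or base.startswith("."):
        return False, "unexpected filename shape"
    ext = os.path.splitext(base)[1].lower()
    signature = ALLOWED_IMAGE_SIGNATURES.get(ext)
    if signature is None:
        return False, f"extension {ext!r} not on allowlist"
    if not content.startswith(signature):
        return False, "content does not match declared image type"
    # In a real handler, also store the file under a server-generated name
    # outside the web root so nothing uploaded can ever be executed.
    return True, "ok"
```

The allowlist check still runs on a trusted copy of the bytes; pair it with a non-executable upload directory rather than relying on it alone.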
We might as well start our netcat listener in case it’s successful.
We’ve successfully uploaded the shell! Now we just need to trigger it.
We now have a shell.
Finding the User flag
We have to find a file that has the SUID bit set.
That Python file looks interesting, since Python doesn’t usually have this kind of permission.
- Search for files with SUID permission, which file is weird?
For abusing a SUID system binary like this one, we refer to GTFOBins.
We are now root!