Write-up

Step-by-step guide on the approach taken to pwn the machine.

Objectives

In this machine, we are tasked with completing three distinct stages: Reconnaissance, Gaining a Shell, and Privilege Escalation.


Reconnaissance

Let's start with the first step, reconnaissance. We begin by enumerating the ports using nmap:

nmap -F -T5 -sVC <ip_victim>
  • -F: Fast mode, scans only the 100 most common ports (anything listening elsewhere is missed; follow up with -p- if the host looks quiet).

  • -T5: "Insane" timing template, the fastest setting and the one most likely to drop results on a slow or filtered link.

  • -sVC: Shorthand for -sV (service/version detection) plus -sC (the default NSE script set).

After running the scan, we discover the following:

Ports Open:

  • 22 SSH

  • 80 HTTP

With this, we have our first three answers.

Next, we visit the website at:

http://<ip_victim>:80

It looks like an ordinary webpage. We reviewed the page source and robots.txt, but found no relevant clues.

Directory Enumeration

At this point, we proceed with directory enumeration using DirBuster (a GUI tool: point it at http://<ip_victim>/ with a common directory wordlist).

dirbuster

After some time, we find the /panel/ directory, marking the end of the reconnaissance phase.


Gaining a Shell

Knowing about the directory, let's see what's inside.

It appears to be a file upload form. Let's try uploading a PHP reverse shell.

vim php_reverse_shell.php

Remember to change the values in the // CHANGE THIS section (attacker IP and port; this is the section the classic pentestmonkey php-reverse-shell uses) to match our setup. The port must be the same one the listener below uses.

Before uploading, we set up a listener to catch the connection:

nc -lnvp 8888

We attempt to upload the file.

The form rejects the standard .php extension. Let's try .php5: the filter is evidently a block list of extensions, and .php5 is not on it even though the web server still hands it to the PHP interpreter.

It worked! At the bottom there is a button labelled "veja!" (Portuguese for "see!") that opens the uploaded file. Clicking it makes the server execute our script.

We are connected! Running whoami confirms the shell runs as www-data, the web server account.
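To make the bypass concrete, here is an added example (not code from the original write-up, and not the machine's actual upload handler, whose source we never saw) contrasting the kind of block-list check that lets .php5 through with an allow-list check that does not. The block list, the allow list and the PHP alias list are assumptions for illustration; which aliases the web server actually executes depends on its PHP handler configuration.

```python
import os

# Constructed illustration of two ways an upload handler can check the
# extension. The vulnerable form is inferred from the .php5 bypass in this
# write-up; it is NOT the target's real source code.

# Weak: a block list of the extensions the developer thought of (hypothetical).
BLOCKED_EXTENSIONS = {".php", ".phtml"}

# Extensions that many Apache/PHP setups still pass to the PHP engine.
PHP_ALIASES = [".php", ".php3", ".php4", ".php5", ".php7",
               ".phtml", ".phar", ".phps", ".pht"]

def blocklist_allows(filename: str) -> bool:
    """Vulnerable check: reject only the extensions on the block list."""
    _, ext = os.path.splitext(filename)
    return ext.lower() not in BLOCKED_EXTENSIONS

# Hardened: an allow list, and exactly one extension.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}

def allowlist_allows(filename: str) -> bool:
    """Hardened check: one extension only, and it must be on the allow list."""
    base = os.path.basename(filename)            # strip any path component
    name, ext = os.path.splitext(base)
    if not name or "." in name:                  # rejects shell.php.png and .htaccess
        return False
    return ext.lower() in ALLOWED_EXTENSIONS

def bypass_candidates(check) -> list:
    """Return the PHP-family filenames a given check would let through."""
    return [f"shell{ext}" for ext in PHP_ALIASES if check(f"shell{ext}")]

if __name__ == "__main__":
    print("block list lets through:", bypass_candidates(blocklist_allows))
    print("allow list lets through:", bypass_candidates(allowlist_allows))
```

The allow list is only half of a fix: a real handler should also rename the stored file, keep it outside the web root (or in a directory where script execution is disabled), and check the content type rather than trusting the name.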

To find the user.txt file required in the task, we run:

find / -type f -name "*user.txt*" 2>/dev/null
  • -type f: Searches for files.

  • -name "*user.txt*": Matches any file whose name contains this string.

  • 2>/dev/null: Suppresses permission errors.

Let's view the contents of user.txt.

With this, we complete the second stage.


Privilege Escalation

Finally, we need to escalate privileges to root.

First, we check whether www-data is allowed to run anything with sudo:

sudo -l

No luck there: www-data has no sudo entries. Let's check for SUID binaries, which run with their owner's privileges rather than ours:

find / -type f -perm -04000 -ls 2>/dev/null

Among the results, /usr/bin/python stands out: a SUID-root interpreter lets us run arbitrary code as root. Let's check GTFOBins for the exact invocation.
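The find one-liner above is what you type on the target; the following is an added example (not code from the original write-up) of the same check written out, so the logic is explicit: walk the tree, keep regular files with the set-user-ID bit, and flag the ones whose name matches a known GTFOBins SUID entry. The GTFO_SUID list is a small assumed subset of GTFOBins, and the sample directory tree is constructed in a temp dir purely for demonstration; on a real target you would point find_suid at "/".

```python
import os
import stat
import tempfile

# Assumed subset of the GTFOBins SUID list: binaries that yield a root shell
# when SUID-root. Extend as needed.
GTFO_SUID = {"python", "perl", "ruby", "php", "bash", "sh", "find",
             "vim", "env", "less", "more", "awk", "nmap", "cp", "mv"}

def mode_is_suid(mode: int) -> bool:
    """True when st_mode describes a regular file with the set-user-ID bit (04000)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)

def is_suid(path: str) -> bool:
    """Stat without following symlinks; unreadable or vanished entries count as not SUID."""
    try:
        return mode_is_suid(os.lstat(path).st_mode)
    except OSError:
        return False

def find_suid(root: str) -> list:
    """Walk root and return every SUID regular file, sorted (like find / -perm -4000)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if is_suid(path):
                hits.append(path)
    return sorted(hits)

def flag_gtfobins(paths: list) -> list:
    """Keep the SUID files whose base name (minus a version suffix) is on GTFO_SUID."""
    flagged = []
    for path in paths:
        base = os.path.basename(path).rstrip("0123456789.")   # python3.8 -> python
        if base in GTFO_SUID:
            flagged.append(path)
    return flagged

def build_sample_tree() -> str:
    """Constructed fixture: a temp dir with a SUID 'python', a SUID 'ping'
    (SUID but not a shell-spawning GTFOBin) and an ordinary 'ls'."""
    root = tempfile.mkdtemp(prefix="suid_demo_")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("python", 0o4755), ("ping", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")          # placeholder content, never executed
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    root = build_sample_tree()              # replace with "/" on a real target
    suid_files = find_suid(root)
    candidates = set(flag_gtfobins(suid_files))
    for path in suid_files:
        print(path, "<-- GTFOBins candidate" if path in candidates else "")
```

The owner matters as much as the bit: find's -ls output shows it, and a SUID binary owned by a non-root user only gets you that user. The GTFOBins name match is a triage aid, not proof; a SUID cp or find still has to be checked by hand.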

GTFOBins gives the following one-liner, which replaces the Python process with a shell:

python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

The -p flag matters: it tells the shell to keep the elevated effective UID instead of resetting it to the real UID (www-data) at startup, which is what it would do without it.

It works! Running id shows euid=0(root). The last step is to find and read root.txt, using the same find one-liner as before with "root.txt" in place of "user.txt".
