../
offsec shakabrah writeup
Machine Info
- Name: Shakabrah
- Description: Surf’s up!
- Difficulty: Easy
Initial Access
Nmap:
# Nmap 7.94SVN scan initiated Fri Feb 16 14:56:22 2024 as: nmap -sC -sV -v -p- -o nmap --min-rate 1000 192.168.204.86
Nmap scan report for 192.168.204.86
Host is up (0.046s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 33:b9:6d:35:0b:c5:c4:5a:86:e0:26:10:95:48:77:82 (RSA)
| 256 a8:0f:a7:73:83:02:c1:97:8c:25:ba:fe:a5:11:5f:74 (ECDSA)
|_ 256 fc:e9:9f:fe:f9:e0:4d:2d:76:ee:ca:da:af:c3:39:9e (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Feb 16 14:58:34 2024 -- 1 IP address (1 host up) scanned in 132.27 seconds
Visiting the webpage:
I instantly lean towards command injection:
From here I attempt to send myself a shell over 443 (my usual revshell port) but that doesn’t work because of firewall, so instead I send myself a shell over 80:
We got a shell!
Privilege Escalation
I check suid:
I see vim:
best, gerbsec