
Target Experience:

My observations while working this target:

Tools:

The recommended tools for this machine were:

Vulnerabilities:

The following vulnerabilities were found:

Information Gathering:

Using Nmap, I performed a SYN scan of all TCP ports with service version detection and the default safe scripts enabled.

[Image: Nmap Scan]
[Image: Gobuster Scan]
[Image: Nikto Scan]

Web Enumeration:

Reviewing the findings from the scans, I performed a manual inspection of the web server on TCP port 80.

[Image: Default Web Page]
[Image: Default Web Page Source]
[Image: /backup Directory]
[Image: /uploads Directory]
[Image: uploads.php]

Foothold:

After exploring the other files, I decided to return to the website to further investigate the files found within the backup file.

[Image: photos.php]
[Image: /uploads/ Directory]
[Image: uploads.php]
[Image: PHP Reverse Shell]
[Image: Successful Upload]
[Image: Validated Upload]
[Image: Executed PHP File]
[Image: Connected Shell]
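The foothold above comes from an upload form that accepted a PHP file and stored it where the web server would execute it. The defensive counterpart is an upload handler that ignores the client-supplied filename and type, checks the real content, assigns its own extension, and stores the file outside the web root so nothing uploaded can ever be run. The block below is an added example written for this page; it is not code from the write-up or from the target machine. The directory path, size limit, allowed-type table and the form field name are assumptions.

```php
<?php
// Added example (not from the original write-up): a hardened image upload
// handler. Directory, size limit and allowed types are assumptions.

declare(strict_types=1);

const UPLOAD_DIR      = '/var/www/private_uploads'; // assumed: outside the web root
const MAX_UPLOAD_SIZE = 2 * 1024 * 1024;            // assumed limit: 2 MiB

// Allowed MIME type => extension the server will assign. The extension is
// never taken from the client-supplied filename.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one entry of $_FILES and return the extension to store it under.
 * Throws RuntimeException on any failure so a caller cannot skip a check.
 */
function validate_image_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file sent');
    }
    if ($file['size'] > MAX_UPLOAD_SIZE) {
        throw new RuntimeException('File too large');
    }

    // $file['type'] and $file['name'] are client-controlled; sniff the
    // actual content with the fileinfo extension instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('Content is not an allowed image type');
    }

    // Magic bytes alone are weak (any file can start with an image header),
    // so also require that the file decodes as an image. Note this still
    // passes a genuine image with code appended, which is why the storage
    // rules in store_image_upload() are the decisive control.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File does not decode as an image');
    }
    return ALLOWED_TYPES[$mime];
}

/**
 * Store a validated upload under a random, server-chosen name.
 * Returns the full path on disk.
 */
function store_image_upload(array $file): string
{
    $ext  = validate_image_upload($file);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;  // no user input in the name
    $dest = UPLOAD_DIR . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640);  // readable by the web server, never executable
    return $dest;
}

// Usage (assumes a form field named "photo"):
// try {
//     $path = store_image_upload($_FILES['photo']);
//     http_response_code(201);
// } catch (RuntimeException $e) {
//     http_response_code(400);
// }
```

Because the stored files live outside the document root, they must be served back through a small read-only script that sets the Content-Type from the same allowed-type table; the web server then has no path by which an uploaded file is interpreted as PHP, regardless of what extension or header tricks the uploader used. Re-encoding the image with GD before storage is an additional option that strips any trailing payload from an otherwise valid image.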

Privilege Escalation — User:

With the foothold established, I decided to upgrade the shell prior to completing any enumeration.

[Image: Upgraded Shell]
[Image: check_attack.php]
[Image: crontab.guly]
[Image: Payload Creation]
[Image: User Shell]
[Image: User Flag]

Privilege Escalation — Root:

Having an established user shell, I reviewed the contents of the sudo list to determine if the user could launch privileged commands.

[Image: Sudo List]
[Image: changeme.sh]
[Image: Escaped Script: Root]
[Image: Root Flag]

References:

https://xapax.gitbooks.io/security/content/bypass_image_upload.html

Disclaimer:

This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.
