- Target: 10.10.10.68
- Goal: Root access
Port Scanning
nmap -p- -A 10.10.10.68

- Port 80/tcp: Apache httpd 2.4.18
Enumeration
Directory scan using gobuster
gobuster -u http://10.10.10.68/ -w common.txt -s "200,204,301,302,307,401,403" -x "txt,html,php,jsp"

First I browse around the website and follow the links, but do not find anything of interest.

Then I check the folders found by gobuster and notice a couple of interesting files (phpbash.php & phpbash.min.php) in the /dev folder.

Clicking on phpbash.php brings up a web version of a bash shell.

Nice. This allows you to execute commands as user www-data. And with this capability, I quickly found that the /uploads directory is world writable.
Exploitation
I am going to upload a PHP reverse shell to the /uploads folder and then run it through the browser. So I make a copy of the reverse shell, update the IP address and port number, and then set up a web server to serve the file.

Now set up a Netcat listener
nc -lp 4000
Upload the shell file to the target system's /uploads folder

Browse to the reverse shell page at http://10.10.10.68/uploads/p.php

Obtain a limited shell as user www-data. Pretty straightforward.
Privilege Escalation
sudo -l reveals that I can run sudo commands as user scriptmanager

With this sudo ability, I can get a bash shell as user scriptmanager. But using that to search around the system does not turn up any additional useful information. After searching around the system without success for quite a while, I turn to see if there are any kernel exploits.
Checking the OS version shows that it's Linux 4.4.0-62 generic, 64-bit

searchsploit kernel 4.4
This brings up a few possible exploits. I tried a few of them; they either don't work or give a root shell but crash the system soon after. That is, until I try the exploit 44298.c

Since the target system is 64-bit, I use the -m64 flag to compile the file. Then I upload it to the system and try it:

This one worked great. I received a root shell.
Capture the Flag
Check out user arrexel's home directory for the user flag and root's home directory for the root flag.


That’s it.
Afterword
I usually read others' walkthroughs/writeups after I finish a box to learn things that I missed. I found that others obtain root access through the /scripts folder as user scriptmanager.
I actually did become scriptmanager using the sudo command and looked at the /scripts folder for a while. However, when I looked at the test.txt file, the timestamp showed it had been updated about 3 hours ago, so I thought there must be another member working on the system and poking around the script. I didn't realize it was a cron job running it and that the time difference was actually due to the time zone. lol
That /scripts folder definitely was suspicious. I should be more careful and pay more attention to out-of-place stuff. ;p
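
From the defender's side, the two file-permission weaknesses this box shows (a world-writable /uploads directory served by the web server, and a script folder that a cron job runs from while another account controls it) can be audited with a short script. This is an added example, not code from the original writeup. The function names, the extension list, the task.sh file name, the temporary sample layout and the idea that the job should belong to one trusted uid (root by default) are assumptions.

```python
import os
import stat
import tempfile

SCRIPT_EXTS = {".php", ".phtml", ".phar"}  # assumption: what the server executes

def audit_webroot(root):
    """Return (world-writable dirs, server-executable files inside them)."""
    writable, exposed = [], []
    for dirpath, _dirs, files in os.walk(root):
        if os.lstat(dirpath).st_mode & stat.S_IWOTH:
            rel = os.path.relpath(dirpath, root)
            writable.append(rel)
            exposed += [os.path.join(rel, f) for f in files
                        if os.path.splitext(f)[1].lower() in SCRIPT_EXTS]
    return sorted(writable), sorted(exposed)

def job_path_issues(script, trusted_uid=0):
    """List reasons a script run by a privileged scheduled job could be
    replaced by another account; checks the file and its parent directory."""
    issues = []
    for path in (script, os.path.dirname(os.path.abspath(script))):
        st = os.stat(path)
        if st.st_uid != trusted_uid:
            issues.append(f"{path}: owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            issues.append(f"{path}: group/world writable")
    return issues

def build_sample(base):
    """Constructed layout loosely mirroring the box: www/uploads and scripts."""
    web = os.path.join(base, "www")
    up = os.path.join(web, "uploads")
    sc = os.path.join(base, "scripts")
    os.makedirs(up)
    os.makedirs(sc)
    job = os.path.join(sc, "task.sh")  # hypothetical job script name
    for p in (os.path.join(up, "p.php"), os.path.join(up, "a.png"), job):
        open(p, "w").close()
    for path, mode in ((web, 0o755), (up, 0o777), (sc, 0o755), (job, 0o644)):
        os.chmod(path, mode)
    return web, job

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        webroot, job = build_sample(tmp)
        print(audit_webroot(webroot))
        print(job_path_issues(job, trusted_uid=os.getuid() + 1))
```

On a real host, point audit_webroot at the document root and job_path_issues at each script path referenced by a privileged crontab entry.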