Hi all, let’s pwn this box.
You can find the machine here: Katana
Let’s start, as always, with an nmap scan.
Lots of ports. I enumerated every port and found an interesting upload function on port 8088, so let’s run gobuster.
Let’s upload a shell.
When we upload a shell, it gives us this message:
Moved: /tmp/phpm2yZ8a ====> /opt/manager/html/katana_shell.php
If we try to execute this file, it says not found.
I wrote a bash script for that, to search for where the shell is.
And a one-liner:
And we have shell!
We can privesc to the katana user really easily; the password is in his directory.
Now for root privesc, there is a really interesting way: through capabilities!
Linux capabilities are something like SUID, but they can limit a user’s permissions and much more!
Let’s scan the file system for files with capabilities using getcap.
Bingo! python2.7 has cap_setuid, let’s exploit it!
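Seen from the defender's side, the same getcap finding can be turned into an audit check. The script below is an added example, not part of the original writeup: it parses `getcap -r` output in both the older (`path = caps+ep`) and newer (`path caps=ep`) styles and flags root-equivalent capabilities, with interpreters rated highest. The sample paths, the capability list, the interpreter list and the severity labels are assumptions made for illustration.

```python
import re

# Capabilities that let a process become root or bypass file permissions.
ROOT_EQUIVALENT = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_module",
                   "cap_sys_ptrace", "cap_dac_override", "cap_dac_read_search",
                   "cap_chown", "cap_fowner", "cap_setfcap"}
# Programs that run arbitrary user-supplied code (assumed name list).
INTERPRETERS = re.compile(r"^(python|perl|ruby|php|node|lua|bash|sh|gdb|vim?)[\d.]*$")
# One clause of libcap's text format: optional names, then operator/flag groups.
CLAUSE = re.compile(r"^([a-z0-9_,]*)((?:[=+-][eip]*)+)$")

def parse_getcap_line(line):
    """Return (path, set of capabilities raised in the effective/permitted sets)."""
    tokens, clauses = line.split(), []
    while tokens and CLAUSE.match(tokens[-1]):   # peel clauses off the right
        clauses.insert(0, tokens.pop())
    granted = set()
    for clause in clauses:
        names, flags = CLAUSE.match(clause).groups()
        if re.search(r"[=+][eip]*[ep]", flags):  # inheritable-only is ignored
            granted.update(names.split(",") if names else ["all"])
    return " ".join(tokens), granted

def audit(getcap_output):
    """Return [(severity, path, risky_caps)] for each risky getcap entry."""
    findings = []
    for line in filter(str.strip, getcap_output.splitlines()):
        path, caps = parse_getcap_line(line)
        risky = sorted(c for c in caps if c == "all" or c in ROOT_EQUIVALENT)
        if not risky:
            continue
        name = path.rsplit("/", 1)[-1]
        severity = "CRITICAL" if INTERPRETERS.match(name) else "HIGH"
        findings.append((severity, path, risky))
    return findings

# Constructed sample covering both getcap output styles (paths are assumptions).
SAMPLE = """\
/usr/bin/python2.7 = cap_setuid+ep
/usr/bin/ping cap_net_raw=ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/sbin/backup-agent cap_dac_read_search,cap_net_bind_service=eip
/opt/tools/helper cap_setuid=i
"""

if __name__ == "__main__":
    for severity, path, caps in audit(SAMPLE):
        print(f"{severity:8} {path}  {','.join(caps)}")
```

A flagged binary that does not need the capability can have it stripped with `setcap -r <path>`.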
Easy one, see you!