Task 4- Privilege Escalation To look for the files with SUID permission we can use the command:įind / -type f -user root -perm -4000 2>/dev/null #4.1 Search for files with SUID permission, which file is weird? The find command was quite useful and located the user.txt file pretty easily for us saving us time to manually search the flag’s location. The above commands will let you now autocomplete by TAB, clear screen, navigate around the shell easily. $ python -c ‘import pty pty.spawn(“/bin/bash”)’ How do we get a stable shell? Let me show the way. Now we have to gain shell by executing the uploaded script in the /uploads/ directory.Įxecute the script and check back to see your netcat listener. I am using 9001 port and I have already inserted the same port alongside the host IP of my machine in the script that we uploaded. Leading to our next step, we will start a listener on netcat. We have successfully uploaded the script. Mv php_reverse_shell.php php_reverse_shell.phtml To further understand File Name Bypass, see the exhibits below: We will rename the script using the command: Therefore we will try to bypass the upload by changing the file extension. Upload failed!! This is because php is not allowed to be uploaded. We will proceed furthur and upload the script. Open the script in editor and change the $ip and $port to your host machine’s IP and port you want to listen on.
Git Link to download the script or clone in terminal : Make your php-reverse-shell script executable by using the command :
I frequently use pentestmonkey php-reverse-shell.php script to try to gain a reverse shell using netcat. We can upload a file in the /panel/ directory.įor this task we will upload php reverse shell script.
Navigate to URL Its always good to check the source code of the page for any interesting information laid out that could be helpful in our enumeration process.Īs you can see nothing is interesting in the source code for us so we will start looking into the directories found in gobuster. Find directories on the web server using the GoBuster tool.