Upload
Task 1 - Deploy the machine
Install docker.io (if you do not already have it installed) -> sudo apt install docker.io
Download machine from DockerLabs website and setup lab:
unzip trust.zip
sudo bash auto_deploy.sh upload.tar
and we obtained IP machine -> 🎯 Target IP: 172.17.0.2
We can put the IP in the file to associate it with an easier to remember name:
Create a directory for machine on a dedicated folder and subdir containing: nmap,content,exploits,scripts
Task 2 - Reconnaissance and Exploitation
I prefer to start recon by pinging the target, this allows us to check connectivity and get OS info.
Sending these three ICMP packets, we see that the Time To Live (TTL) is ~64 secs. this indicates that the target is a *nix system, while Windows systems usually have a TTL of 128 secs.
2.1 Ports in listening and relative services
Of course, we start looking for information about our target by scanning the open ports with the nmap tool
There's only one open port (80), analyze it searching more info about service version and potential vulns:
command | result |
---|---|
sC | run default scripts |
sV | enumerate versions |
A | aggressive mode |
Pn | no ping |
oN | output to file with nmap formatting |
Focusing on port 80 we have a web server so by running the whatweb command we extract more information and then display the content via the browser
Let's display the default Apache page, try analysing the source page with CTRL+U
But we don't discover nothing of interisting.
2.2 Brute force hidden web directory
Now, we try to find potential hidden directory using gobuster:
We find a 301 status code (redirect), that contains file uploaded using form of index page.
2.3 Upload shell
Trying to upload php file I notice that there is no trace of sanitization, so we have a clear path and we can use a backdoor or a reverse shell in php. In my case I opt for a reverse shell, specifically I use the one present on Kali usually at the path: /usr/share/webshells/php/php-reverse-shell.php
I copy it, assign it execution permissions and modify it by inserting my local IP (kali) and port where we will listen with netcat
Well, now we have the exploit ready, we load it using the form in the index page
We listen with netcat on the set port '1234': nc -nvlp 1234
and click on the php-reverse-shell.php file to establish a connection on our machine
Task 3 - Privilege Escalation
Now that we are inside, since we are not root user we need to elevate our privileges, so let's check the current permissions using sudo -l
We see that mario user has root permissions for /usr/bin/env, then we can use gtfobins to find it.
using vim sudo command, we obtain a root permission sudo env /bin/sh
Last updated