sudo nmap 10.10.82.240
sudo nmap -A -p 10.10.82.240
Enumeration
SMB
SMB is likely to reveal more information because it is often misunderstood and poorly implemented.
We find a Unix user called Bill.
SSH
We can use this information to conduct a dictionary attack on Bill's password on the Linux machine.
It fails!
HTTP
The website at port 3128 is not accessible.
The website at port 3333 is accessible, so we can enumerate the pages under that URL.
The /internal page is an upload interface. We need to determine which file extensions are accepted, and Burp Intruder will assist us in identifying valid uploadable extensions.
Exploitation
The server accepts .phtml files, so we will create a reverse shell using this extension.
We upload this file and then access it after starting the netcat listener.
We can then get a stable shell using the following procedure.
Privilege Escalation
We can search for all files with the SUID bit set, and we find quite a few.
The systemctl command is listed. Since this command normally requires sudo privileges to execute and has the SUID bit set here, we can use GTFOBins to find a script that will allow us to elevate our privileges.
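The same SUID search, run from the defender's side as an audit that would have flagged systemctl before it was abused. This is an added example, not part of the original write-up; the `EXPECTED_SUID` baseline and the function names are constructed assumptions.

```python
import os
import stat

# Assumption: a constructed baseline of binaries that commonly ship SUID-root
# on Linux distributions. Replace it with the inventory of your own image.
EXPECTED_SUID = {"su", "sudo", "passwd", "mount", "umount", "chsh", "chfn",
                 "newgrp", "gpasswd", "ping"}


def find_suid(root):
    """Return (path, uid, mode) for every regular file under root with SUID set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # file vanished or is unreadable
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid, st.st_mode))
    return hits


def audit(entries, baseline=EXPECTED_SUID):
    """Split SUID entries into expected ones and ones that need review.

    Root-owned SUID files outside the baseline are the important findings:
    they run as root for any caller, which is the condition the write-up
    relies on for systemctl.
    """
    expected, review = [], []
    for path, uid, mode in entries:
        if os.path.basename(path) in baseline:
            expected.append(path)
        else:
            severity = "high" if uid == 0 else "low"
            review.append((severity, path, stat.filemode(mode)))
    return expected, sorted(review)


if __name__ == "__main__":
    _, findings = audit(find_suid("/usr"))
    for severity, path, mode in findings:
        print(f"{severity:5} {mode} {path}")
```

Matching on the file name alone is a simplification; a production baseline should pin full paths and file hashes.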