Katana:1 PGP Walkthrough

大师的学徒 · 2022-04-02 · 22 reads

After thinking about it for a long time, I decided to post the English report here for everyone's reference. After all, the OSCP certification requires an English report, and you simply cannot pass without practising English, so from now on most of my reports will be published in English. There will be no difficult words, only simple ones that anyone with a primary-school level of English can understand. If any fellow coders know English well, you are very welcome to point out my grammar mistakes.

Scanning

I used nmap to begin with a basic port scan of the target machine.

port    server
21      vsftpd 3.0.3
22      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80      Apache httpd 2.4.38 ((Debian))
8088    LiteSpeed httpd
8715    nginx 1.14.2

In addition, remember to use the -p- option to scan all ports of the machine, or you may miss something important.

Ports 80, 8088, 8715

When I used dirsearch to try to get something, there was only an index.html page with a picture of a katana on the web server.

However, there is an interesting upload form available on port 8088.

And our uploaded file is renamed to katana_shell and moved to another web service.

Port 22

I tried to log in as anonymous, FTP and USER but failed. So I think there may be nothing we can do here to exploit the machine.

Shell As WWW

As we found at port 8088, I uploaded a PHP webshell provided by Kali. Finally I found that file at port 8715 and executed it successfully.

Shell As root

Trying

Merely out of curiosity, I wanted to know which services were running on ports 80 and 8715, as I didn't believe those two ports were running nothing.

Surprisingly, I found a path, ebook, which proved exploitable and is running as root! So I used the way I used in FunboxEasy but failed. This site seems to disallow me from uploading a cover.

I used ps -ef and found that apache2 is running as www-data and the web upload path was created by root, so we don't have the privilege to save files to the /ebook path. Instead, if I upload a file successfully, when I execute that file I can only get a shell as www.

And then I moved to /opt/manager/html and found there is actually nothing there except the files I uploaded.

Privilege Escalation

I used getcap to look for binaries carrying a setuid file capability:

/usr/sbin/getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_setuid+ep

And I took advantage of the PoC served by python | GTFOBins:

python -c 'import os; os.setuid(0); os.system("/bin/bash")'
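From the defender's side, the escalation above works because an interpreter that any local user can run carries cap_setuid, which is equivalent to handing out root. The following script is an added example, not part of the original post or of the Katana machine: it parses `getcap -r / 2>/dev/null` output (both the older `path = caps+flags` layout shown in the post and the newer `path caps=flags` layout printed by recent libcap) and flags entries that grant root-equivalent capabilities, rating interpreters highest. The sample output embeds the two lines from the post plus constructed entries; the interpreter list and the set of high-risk capabilities are assumptions chosen for illustration.

```python
"""Audit file capabilities reported by `getcap -r /` for privilege-escalation risk.

Added example (not from the original post). Input lines marked "constructed"
below are invented for illustration; the ping and python2.7 lines are the ones
shown in the walkthrough.
"""
import re
from typing import FrozenSet, List, NamedTuple, Tuple

# Capabilities that are root-equivalent or let a process become root (assumed list).
HIGH_RISK_CAPS = frozenset({
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace",
    "cap_dac_override", "cap_dac_read_search", "cap_sys_module",
    "cap_chown", "cap_fowner", "cap_setfcap",
})

# Interpreters: a capability on one of these is usable by anyone who can run it.
INTERPRETER_RE = re.compile(r"/(python[0-9.]*|perl[0-9.]*|ruby[0-9.]*|php[0-9.]*|node|gdb)$")

# Handles "/usr/bin/ping = cap_net_raw+ep" (libcap 2.2x) and
# "/usr/bin/ping cap_net_raw=ep" (libcap 2.4x and later).
GETCAP_LINE_RE = re.compile(r"^(\S+)\s+(?:=\s+)?([a-z_0-9,]+)[+=]([a-z]*)$")


class CapEntry(NamedTuple):
    path: str
    caps: FrozenSet[str]  # capability names, e.g. {"cap_net_raw"}
    flags: str            # effective/permitted/inheritable letters, e.g. "ep"


def parse_getcap(output: str) -> List[CapEntry]:
    """Parse getcap output into CapEntry records; unparseable lines are skipped."""
    entries = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = GETCAP_LINE_RE.match(line)
        if not m:
            continue
        path, caps, flags = m.groups()
        entries.append(CapEntry(path, frozenset(caps.split(",")), flags))
    return entries


def assess(entries: List[CapEntry]) -> List[Tuple[str, str, str]]:
    """Return (path, severity, reason) for every entry that deserves attention."""
    findings = []
    for e in entries:
        risky = sorted(e.caps & HIGH_RISK_CAPS)
        is_interp = bool(INTERPRETER_RE.search(e.path))
        if risky and is_interp:
            findings.append((e.path, "critical",
                             "interpreter with %s: any local user can run code as root" % ",".join(risky)))
        elif risky:
            findings.append((e.path, "high",
                             "root-equivalent capability %s on a non-interpreter binary" % ",".join(risky)))
        elif is_interp:
            findings.append((e.path, "medium",
                             "interpreter carries file capabilities (%s)" % ",".join(sorted(e.caps))))
    return findings


# Constructed sample: first two lines are from the post, the rest are made up.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_setuid+ep
/usr/bin/tcpdump cap_net_admin,cap_net_raw=eip
/opt/constructed/backup cap_dac_read_search=ep
"""


if __name__ == "__main__":
    for path, severity, reason in assess(parse_getcap(SAMPLE_GETCAP)):
        print("%-8s %s: %s" % (severity.upper(), path, reason))
```

Run against a real host with `getcap -r / 2>/dev/null | python3 audit_caps.py` after swapping the sample for `sys.stdin.read()`; the remediation for a critical finding is `setcap -r` on the binary and a review of how the capability got there (package post-install scripts and CTF-style "helpful" fixes are the usual sources).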
