/dev, which could be interesting. Navigating to this page shows us a file, phpbash.php, which gives us a PHP terminal as the www-data user in our browser:

sudo -l for quick wins. This command shows us that we are able to run any command as the user scriptmanager:

tty session. We can do this with python like so:

reset, and before you export the TERM variable, simply enter xterm-256color and proceed as normal.

clear and tab completion:

scriptmanager using sudo:

scriptmanager user, let's take a look and see what we can do with this level of access. To start we'll check the root directory and list its contents. In here we see that we are able to read, write, and execute in a directory called scripts. Inside this directory lie two files, test.py and test.txt. What's interesting here is that scriptmanager owns test.py while root owns test.txt:

test.py:

test.txt in the current directory, writes testing 123! and closes the file. Knowing that the file test.txt is owned by root, we can assume that the root user is executing this script on some schedule. This makes this an easy task for us, because all we need to do is insert a reverse shell into this script and wait for it to be executed as the root user. To do this we will use the same logic as our first reverse shell, but because this will live in an actual python script we can clean up the syntax. After modification this is what test.py looks like:

4444

we only need to wait about a minute and our script is executed as the root user. This gives us the ability to read the root flag:
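The privilege escalation above works because a script that root runs on a schedule is owned by, and sits in a directory writable by, a lower-privileged user. The following Python script is an added example and is not part of the original write-up: it audits an /etc/crontab-style listing (the format with a user field, also used by files in /etc/cron.d) for commands that run as root and flags every referenced path that a non-root user could modify, either directly or by replacing it in its parent directory. The crontab text and file inventory are constructed to mirror the layout described above (the scripts directory, test.py, the scriptmanager user); the file modes and the backup.sh and tidy.sh entries are assumptions added for illustration, and inventory_from_disk is a helper for running the same check against a live system.

```python
import os
import shlex
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileInfo:
    owner: str  # user name of the file owner
    mode: int   # full st_mode value, e.g. 0o100644 for a regular file


# Shorthand schedules that replace the five time fields in a crontab line.
CRON_SPECIALS = ("@reboot", "@yearly", "@annually", "@monthly",
                 "@weekly", "@daily", "@midnight", "@hourly")


def parse_system_crontab(text):
    """Return (run_as_user, command) pairs from /etc/crontab-style text."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split(None, 1)[0]:  # environment assignment such as SHELL=/bin/sh
            continue
        fields = line.split(None, 6)
        if fields[0] in CRON_SPECIALS:  # "@hourly user command"
            if len(fields) < 3:
                continue
            user, command = fields[1], line.split(None, 2)[2]
        else:  # "m h dom mon dow user command"
            if len(fields) < 7:
                continue
            user, command = fields[5], fields[6]
        entries.append((user, command))
    return entries


def absolute_paths(command):
    """Absolute-path tokens in a cron command: the interpreter, script and any file arguments.
    Checking every path is deliberately conservative; a writable log file is a false positive."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        tokens = command.split()
    return [t for t in tokens if t.startswith("/")]


def path_risks(path, files):
    """Reasons why a file executed as root could be altered by a less privileged user."""
    reasons = []
    info = files.get(path)
    if info is None:
        return ["not present in the inventory (missing path, or a writable location root would create)"]
    if info.owner != "root":
        reasons.append(f"owned by {info.owner}, not root")
    if info.mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append(f"mode {oct(stat.S_IMODE(info.mode))} is group/world writable")
    parent = os.path.dirname(path) or "/"
    pinfo = files.get(parent)
    if pinfo is not None:
        if pinfo.owner != "root":
            reasons.append(f"parent {parent} owned by {pinfo.owner}, not root")
        # A sticky, world-writable directory (like /tmp) stops other users renaming the file away.
        if pinfo.mode & (stat.S_IWGRP | stat.S_IWOTH) and not pinfo.mode & stat.S_ISVTX:
            reasons.append(f"parent {parent} is group/world writable, so the file can be replaced")
    return reasons


def audit(crontab_text, files):
    """(path, reason) findings for root-scheduled commands a non-root user could tamper with."""
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue  # a script run as its own owner is not a privilege boundary
        for path in absolute_paths(command):
            for reason in path_risks(path, files):
                findings.append((path, reason))
    return findings


def inventory_from_disk(paths):
    """Build an inventory from the live filesystem (Unix only); unreadable paths are skipped."""
    import pwd  # imported lazily so the constructed demo also runs where pwd is absent
    files = {}
    for p in paths:
        try:
            st = os.stat(p)
        except OSError:
            continue
        files[p] = FileInfo(pwd.getpwuid(st.st_uid).pw_name, st.st_mode)
    return files


# Constructed sample data resembling the box described above (modes are assumptions).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
* * * * * root python /scripts/test.py
0 3 * * * root /usr/local/bin/backup.sh
@hourly   scriptmanager /home/scriptmanager/tidy.sh
"""

SAMPLE_FILES = {
    "/scripts": FileInfo("scriptmanager", 0o40755),
    "/scripts/test.py": FileInfo("scriptmanager", 0o100644),
    "/usr/local/bin": FileInfo("root", 0o40755),
    "/usr/local/bin/backup.sh": FileInfo("root", 0o100755),
    "/home/scriptmanager": FileInfo("scriptmanager", 0o40755),
    "/home/scriptmanager/tidy.sh": FileInfo("scriptmanager", 0o100755),
}

if __name__ == "__main__":
    for path, reason in audit(SAMPLE_CRONTAB, SAMPLE_FILES):
        print(f"{path}: {reason}")
```

Run against the sample data, only /scripts/test.py is reported, for two independent reasons: the script is owned by scriptmanager, and so is the directory holding it. Either alone is enough for the owner to change what root executes, which is the condition the write-up relies on; the fix is to have root own both the script and its directory and to remove write access for everyone else.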