This lab involves getting a simple shell and privilege escalation on a vulnerable machine.

Step 1

From here we are going to deploy the virtual machine. Machine IP is

Step 2 – Reconnaissance

From here we are asked how many open ports are on the machine. We are going to utilize Nmap

Here we have two open ports. The Apache version is 2.4.29. SSH is running on port 22.

The next step we want to check for is any hidden directories. To do this, we will use the gobuster tool. The wordlist I am going to use will be from the Tools folder

We found some interesting hidden directories. The ones we want to focus on are the /panel and /uploads. With port 80 open lets navigate to the website

Navigating to the /panel directory, it looks like we have a spot to upload a file

With this ability, we are going to utilize pentest monkey  and upload a php shell

Downloaded the file and edited the option for host machine.

Upon testing /panel, it appears it wont accept .php files. I updated to a .php5 file. and made it executable.

With the executable now ready to upload, we are going to submit and navigate to the /uploads directory

Before we click to execute the file we will want to setup a listener with netcat.

We have a shell!

Now that we have the shell we are going to escalate privileges.

Step 3 – Privilege escalation

First thing we are going to do is search for files with SUID permissions using the criteria below

find / -user root -perm /4000

The odd file that sticks out is /usr/bin/python

Next we will want to find a form where we can escalate privileges. To do this we are going to navigate to GTFO bins.

We are going to utilize the command from