Today we are working on Katana 1, a boot-to-root VM rated Intermediate difficulty by its creator, SunCSR Team. Let’s get started.
Initial Enumeration
We start with our nmap scans.
We have a number of ports open. I first tried ftp, ssh, and smb, but didn’t get anything useful, so I moved on to the various http ports that nmap discovered.
Port 80
A Dirbuster scan of the Apache web server at port 80 revealed folder /ebook, which is a bare-bones e-commerce site. I didn’t find anything immediately interesting, so I moved on.
Port 7080
I found nothing useful on the LiteSpeed webserver at port 7080.
Port 8088
A Dirbuster scan of the LiteSpeed server at port 8088 revealed an interesting file, /upload.html.
The page lets us upload a file, so why not try our favorite php reverse shell from pentestmonkey? We select our file, click “Submit Query”, and get a confirmation.
I then tried to access the uploaded file “katana_php-reverse-shell.php”, but didn’t have any luck. We’ll come back to this shortly.
Port 8715
I couldn’t find anything useful in multiple Dirbuster and Gobuster scans of the nginx webserver at port 8715. With nothing else apparent from http enumeration, I thought I would try to access the php reverse shell I had uploaded via port 8088 through one of the other web servers. I launched my netcat listener and tried port 8715.
We get a shell as user www-data!
My next step was to attempt to escalate to a higher-privilege user. Moving to /home, we see there is one user, katana. There is a really interesting world-readable file right in katana’s home directory.
Those creds don’t actually work for ssh, but there is another simple option.
We switch user to katana, improve our shell, and now we can attempt to get root.
Root escalation
One of the first things I checked for root privesc was /etc/passwd. Let’s just say something jumped out at me.
Yeah, that’s the root password hash for all to see in /etc/passwd. That said, I was not successful in cracking the hash using john and rockyou.txt. Maybe I need a better password list (and a faster computer).
Moving on, I ran linpeas.sh, my favorite privesc script. Linpeas noted that /usr/bin/python2.7 has capabilities set. The cap_setuid capability lets the binary change its own user id to any value, including 0, so anything run through /usr/bin/python2.7 can become root.
We exploit the capability with a simple python script that sets the uid to 0 (root) and launches a bash shell.
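Both root paths found here are misconfigurations an administrator can audit for directly: a real hash in the world-readable /etc/passwd instead of the `x` placeholder, and file capabilities such as cap_setuid on an interpreter. The script below is an added example, not from the original writeup; it parses constructed sample /etc/passwd content and `getcap -r /` output (both legacy `path = caps+ep` and newer `path caps=ep` formats) and reports the findings.

```python
import re

# Capabilities that let a process change identity or bypass permission
# checks; any file carrying one of these deserves review.
DANGEROUS_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_sys_admin"}

# Constructed sample input (the hash below is a placeholder, not a real hash).
SAMPLE_PASSWD = """root:$6$SAMPLE$notarealhash:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
katana:x:1000:1000:katana:/home/katana:/bin/bash
"""

# Constructed sample of `getcap -r / 2>/dev/null` output, legacy libcap format.
SAMPLE_GETCAP = """/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_setuid+ep
"""

def find_passwd_hashes(passwd_text):
    """Return (user, hash) for every passwd line whose password field holds
    a hash rather than the 'x' that defers to /etc/shadow or a lock marker."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # not a well-formed passwd entry
        user, pw = fields[0], fields[1]
        if pw not in ("x", "*", "!", "!!", ""):
            hits.append((user, pw))
    return hits

def find_dangerous_caps(getcap_output):
    """Return (path, [caps]) for every getcap line carrying a dangerous capability."""
    hits = []
    for line in getcap_output.splitlines():
        line = line.strip()
        if not line:
            continue
        if " = " in line:                     # libcap < 2.41: "path = caps+ep"
            path, caps = line.split(" = ", 1)
        else:                                 # libcap >= 2.41: "path caps=ep"
            path, caps = line.split(None, 1)
        names = {c.strip() for c in re.split(r"[,+=]", caps) if c.strip().startswith("cap_")}
        bad = sorted(names & DANGEROUS_CAPS)
        if bad:
            hits.append((path, bad))
    return hits

if __name__ == "__main__":
    print("hashes in /etc/passwd:", find_passwd_hashes(SAMPLE_PASSWD))
    print("dangerous capabilities:", find_dangerous_caps(SAMPLE_GETCAP))
```

On a live host, feed it the real `/etc/passwd` and the output of `getcap -r / 2>/dev/null` instead of the samples.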
We got our root shell! Thanks for reading!