Haircut - 10.10.10.24
Poorly configured php file located at exposed.php allows user to output files to uploads directory and call them via the web browser to gain a low privilege shell.
Privilege Escalation Vulnerability:
GNU Screen 4.5.0 - Local Privilege Escalation
Replicating the exploit:
Homepage of web application
Test.html found by nikto:
Searchsploit found nothing
Dirbuster found exposed.php
Looks like it uses curl to get the files so command injection may be possible to get a reverse shell.
Command injection did not work so tried to output my rev shell to a file in /uploads as dirbuster found.
Requesting the file gave me a low priv user as www-data.
User.txt : 0b0da2af50e9ab7c81a6ec2c562afeae
Now we need a stable shell
Navigate to /dev/shm
python3 -c 'import pty;pty.spawn("/bin/bash")’
stty raw -echo
Run privchecker scripts found nothing
Suid search gives version of screen
Review of the exploit
Best to compile manually and locally so create rootshell.c
Upload to /tmp on haircut.
Navigate to /etc
Run the following commands to get root
NC listener on 444 should give you a root shell.