Vulnhub – Easy Cloudantivirus Walkthrough

We start by scanning the host with nmap –A –T4 –p- 192.168.1.20 –vv

Opening the page http://192.168.1.20:8080

I’m going to use BurpSuite to brute force the code:

Then send the output to the intruder and use rockyou.txt as our password list:

And the code is ‘password’ we could’ve guessed it, but any way we got it and we login with it:

Time to upload a shell to the target with BurpSuite, i chose to scan the file python

Then send this to repeater and put the python shell:

While we put our listening port ready, we got a shell:

In home directory of user scanner there is a file update_cloudav.c

And after searching for a bit i found this LINK talking about how this line is vulnerable sprintf(command, “%s %s”, freshclam, argv[1]);

Now to run this script we can run it along a shell to our machine, i tried a lot of syntax and finally it worked:

./update_cloudav “hacker|./shell.sh” and then the listening port which is 3333 got a shell back as root

 That’s it now flag to catch as root.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s