Well, let's start the hacking...
Using Nmap to find our target machine... you will know the IP address of the target box when you see a strange IP there... In case you have forgotten your own interface IP, you may check it using 'ifconfig' in Linux...
Target's IP address found...
Next thing to do is proceed with our reconnaissance step...
Some ports are open and running services... here we have SSH, HTTP, RPC, HTTPS, IPP, and MySQL...
Let's try reconnaissance HARDER!
After we have had a deeper look into the box, let's see what is on the website...
By opening up the target's website with Iceweasel, we are brought to a login page...
The results of the reconnaissance stage earlier told us that this box is running a MySQL service, so we tried to log in using SQL injection and got ourselves in...
Now we have been brought to a page which claims to be a web console for the admin...
We try an expected input, which is an IP address, and see how it responds...
The page responded with the output of a ping command, which seems legit...
Hmmm.... what if we input some other command which is not intended? (:
Let's try to display all the content of /etc/passwd, /etc/groups and /etc/shadow...
Note: Put a semicolon ";" in front so that the command before the semicolon terminates and execution proceeds to the command after the semicolon...
We do not have permission to display the content of the shadow file, but we are able to display the content of the passwd and groups files...
At least we now know this input is not sanitized... :))
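The unsanitized ping field above is the classic command-injection pattern. As an added example (not code from the original post or from the challenge VM), here is how a defender would validate that field and build the ping command as an argv list with no shell, so a trailing `; ...` is rejected and classified instead of executed. The function names and the web-console behaviour they replace are assumptions.

```python
import ipaddress
import subprocess

# Characters that let a second command ride along with the IP address in a shell line.
SHELL_METACHARS = set(";|&`$<>(){}\n\r")


def classify_input(user_input: str) -> str:
    """Classify what a web-console 'ping' field received.

    Returns 'ok' for a syntactically valid IPv4/IPv6 address,
    'injection' when shell metacharacters are present (the ";" trick
    from the walkthrough), and 'invalid' for anything else.
    """
    if any(ch in SHELL_METACHARS for ch in user_input):
        return "injection"
    try:
        ipaddress.ip_address(user_input.strip())
    except ValueError:
        return "invalid"
    return "ok"


def safe_ping_argv(user_input: str, count: int = 3) -> list[str]:
    """Build the ping command as an argv list, never as a shell string.

    Even if validation were bypassed, an argv list run with shell=False
    makes the address a single argument to ping, not shell syntax.
    """
    if classify_input(user_input) != "ok":
        raise ValueError(f"rejected ping target: {user_input!r}")
    return ["ping", "-c", str(count), user_input.strip()]


def run_ping(user_input: str, timeout: float = 15.0) -> str:
    """Hardened replacement for the console's ping handler (hypothetical)."""
    result = subprocess.run(
        safe_ping_argv(user_input),
        shell=False,            # no shell, so ';' has no meaning here
        capture_output=True,
        text=True,
        timeout=timeout,
    )
    return result.stdout + result.stderr


if __name__ == "__main__":
    # Constructed sample submissions: one legitimate, one using the
    # walkthrough's semicolon trick, one garbage value.
    for sample in ("127.0.0.1", "127.0.0.1; cat /etc/passwd", "ping.example"):
        print(f"{sample!r:35} -> {classify_input(sample)}")
```

Logging every 'injection' classification from the web tier gives the SOC a clean detection signal for this console without having to parse the process tree.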
Next thing to do is to create a PHP reverse shell payload...
Kali Linux has several webshells stored in /usr/share/webshells, which are a very great resource...
To avoid messing up the real payload, we copy the payload into another folder so that the original payload remains unchanged...
Check out the content of the PHP payload, and we notice that we have to change the listening IP address and listening port...
In this case, the listening IP address will be our client box, and I use port 443 as my listening port since port 443 is unlikely to be blocked...
After making the changes in the PHP payload, I rename the payload to a shorter name for convenience...
Then we cat out the PHP payload content and pipe it out to our listening port at 443...
Then we may switch back to the webpage, grab the content from our client's listening IP address at listening port 443 and output it into a file stored inside the target box...
Now we have successfully landed our payload on our target machine...
Start listening on port 443 on our client using Netcat...
While listening on port 443 on our client machine, we now launch the PHP payload landed on our target box earlier to establish a reverse shell back to our client...
After we get a shell on the target box, we need to escalate our privilege from the Apache user to root... which is the ultimate goal of the challenge...
So, we start searching for a local exploit for Linux running kernel 2.6...
After we have found one suitable exploit (you may still try some other available exploits too...), copy the exploit code file onto our Apache server...
Next, we go back to our shell on the target box...
Grab the exploit code file, which is now hosted on our Apache web server, using the wget command and store the output in the /tmp folder on the target machine...
Compile the exploit and run it...
Now we have just got another shell, with root privilege... ;)