I started from discovering the host (used netdiscover -r range to do that):
After the scan I saw that we have 3 (TCP) ports open here:
80/tcp open http syn-ack Apache httpd 2.4.10 ((Debian))
111/tcp open rpcbind syn-ack 2-4 (RPC #100000)
777/tcp open ssh syn-ack OpenSSH 6.7p1 Debian 5 (protocol 2.0)
Ok, we will not try rpcbind and ssh for now. Let's try with HTTP:
Cool. Next thing was checking dirs (dirb) to looks for something interesting:
I saw that there is a /phpmyadmin/ directory so I started to think that maybe we should use some PMA vulnerability to get inside the host... Let's try the WWW:
So - I thought - maybe it's a new directory, hidden somewhere on the WWWroot...
Ok, good. Another form. I tried to put there some injection tests:
Of course. :) Let's find some config.php/install.php or other file where we can find some juicy info...
Ok, password for the root user! Great! Maybe we can use it now:
Not yet. :) Next - check what else is inside the DB. We can find more users there:
Great, let's check the password for phpmyadmin user:
Cool! When I saw this I new that there is a way to upload shell via phpmyadmin... but unfortunately I wasn't able to do that (via phpmyadmin user), so I decide to grab sqlmap again, and get more DB-data. And that's how I found that the root user has the same password as phpmyadmin user. Let's check if we can log in as root now:
Sure we can. :) Now I started to thing about raptor_udf exploits or maybe some webshell uploading... I started with some simple test:
Hm... Am I right? :)
Looks like we're in :)
Yes, you're right. It's time for reverse shell!
Quick review of the files located on the WWW:
Ok, cool. But let's switch to python's pty:
So now I was thinking about running raptor_udf sploit. You can find it on google:
Ok, seems like we've got euid = 0. To be sure for that: