General, Info Sec | 7-February-2017 | .NetRussell

Metasploitable2 (minus metasploit) – Mutillidae – CMD Injection – PRV Esc

So as some of my readers will know, I recently failed my first attempt at the OSCP certification. What many of you probably don’t know, however, is that I’m a competitor. Born from the flames of hell of Basic Training was my hunger for competition and challenge. So clearly, I will NOT take this loss sitting on my ass (figuratively – technically I will).

 

Back on the Horse:

In the spirit of not wasting time, let’s jump into this machine and my first path to root on it in this series.

I decided to start with a softball. So I started with the Mutillidae server. Under the OWASP Top 10 there is a Command Injection example that is pretty easy to get a limited shell on.

 

Once open, you’re presented with an input field that allows you to run DNS lookups on whatever IP you enter… how nice 🙂

 

I suspected that it was going to add slashes or sanitize the input somehow that you’d have to evade. However, if you just provide an input, and then provide a semicolon, you can run shell commands as the service’s user. When I run whoami I get the output of www-data for the logged in user.
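The semicolon behaviour described above is what you get when user input is concatenated into a shell command line. The following is an added example, not code from the original post or from Mutillidae (which is written in PHP); the function names and the choice of `nslookup` as the lookup tool are assumptions. It shows the injectable string next to a hardened handler that validates the target and passes it as an argument vector, so no shell ever parses it.

```python
import ipaddress
import re
import subprocess

# One RFC 1123 hostname label: letters, digits, hyphens, no leading/trailing hyphen.
# Rejecting a leading hyphen also stops the value being read as a command option.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def vulnerable_command(target: str) -> str:
    """What an injectable handler builds: user input pasted into a shell string."""
    return "nslookup " + target  # a ';' in target begins a second shell command


def validate_target(target: str) -> str:
    """Return a normalised IP address or hostname, or raise ValueError."""
    target = target.strip()
    try:
        return str(ipaddress.ip_address(target))  # accepts IPv4 and IPv6 literals
    except ValueError:
        pass
    labels = target.rstrip(".").split(".")
    if len(target) > 253 or not all(_LABEL.fullmatch(label) for label in labels):
        raise ValueError("target is not an IP address or hostname")
    return target


def safe_argv(target: str) -> list[str]:
    """Build an argument vector from validated input (allow-list, not escaping)."""
    return ["nslookup", validate_target(target)]


def lookup(target: str) -> str:
    """Run the lookup without a shell and with a timeout."""
    result = subprocess.run(
        safe_argv(target),
        capture_output=True,
        text=True,
        timeout=5,
        check=False,  # a failed lookup is reported in the output, not raised
    )
    return result.stdout
```

Validation is the primary control here; passing a list with the default `shell=False` is the second layer, since shell metacharacters in an argument are then just bytes handed to the program.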

Now this machine does have netcat installed. However, if the goal here is to learn, then using this to get a reverse shell isn’t very realistic. So instead I decided to run a Python script that I found on pentestmonkey’s reverse shell cheat sheet site: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

 

When I run the above command I do indeed get a reverse shell on port 443. I used port 443 in case there’s a firewall. I assume that it will let traffic in and out over the web ports.

Once I have a limited shell I decided to try a simple privilege escalation path. Nmap has a mode called interactive mode that runs as root. Sure enough it was enabled on this machine and I was able to access it. As you can see when I run whoami through the interactive prompt I get the output root.

Since we already have a working reverse shell script we just need to modify it to run on a different port. Once I changed the port to 80, I ran it and it sent my attacking machine a reverse root shell.

 

That’s it! Not a bad way to get back in the game. I look forward to the next one. Now that I’ve failed, I’m extra motivated so you can expect more of these articles to come, quick and fast.

-Anthony
