General, Info Sec 7-February-2017 .NetRussell One comment

Metasploitable2 (minus metasploit) – Mutillidae – CMD Injection – PRV Esc

So as some of my readers will know, I recently failed my first attempt at the OSCP certification. What many of you probably don’t know, however, is that I’m a competitor. Born from the flames of hell of Basic Training was my hunger for competition and challenge. So clearly, I will NOT take this loss sitting on my ass (figuratively – technically I will).


Back on the Horse:

In the spirit of not wasting time, let’s jump into this machine and my first path to root on it in this series.

I decided to start with a softball. So I started with the Mutillidae server. Under the OWASP Top 10 there is a Command Injection example that is pretty easy to get a limited shell from.


Once open, you’re presented with an input field that allows you to run DNS lookups on whatever IP you enter… how nice 🙂


I suspected that it was going to add slashes or sanitize the input somehow that you’d have to evade. However, if you just provide an input, and then provide a semicolon, you can run shell commands as the service’s user. When I run whoami I get the output of www-data for the logged-in user.
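The bug behind that DNS-lookup field is the usual one: the user's value is glued onto a shell command line, so a semicolon ends nslookup and starts whatever follows. The following is an added example, not code from the post or from Mutillidae, showing that vulnerable pattern next to a hardened handler; the function names, the allowed-target rules and the sample inputs are assumptions chosen for illustration.

```python
"""Vulnerable vs hardened handling of a "look up this host" form field.
Added example for this post; names, rules and sample inputs are constructed."""
import ipaddress
import re
import subprocess
from typing import List

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen, 1..63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_SHELL_META = set(";|&`$<>\n\r")


def build_lookup_command_vulnerable(user_input: str) -> str:
    """The Mutillidae-style pattern: raw concatenation into a shell string.
    Anything after a ';' becomes a second command when this is passed to a shell."""
    return "nslookup " + user_input


def validate_target(user_input: str) -> str:
    """Accept a literal IPv4/IPv6 address or a conservative hostname; reject all else.
    Positive validation means shell metacharacters can never reach a command line."""
    candidate = user_input.strip()
    try:
        return str(ipaddress.ip_address(candidate))   # normalises e.g. "010.0.0.1" away
    except ValueError:
        pass
    if 0 < len(candidate) <= 253 and all(_LABEL.match(label) for label in candidate.split(".")):
        return candidate
    raise ValueError(f"rejected lookup target: {candidate!r}")


def is_safe_target(user_input: str) -> bool:
    """Boolean wrapper around validate_target for callers that just want yes/no."""
    try:
        validate_target(user_input)
        return True
    except ValueError:
        return False


def build_lookup_command_hardened(user_input: str) -> List[str]:
    """Hardened form: validate first, then build an argv list. With a list (and no
    shell=True) the value is a single argument to nslookup, never shell syntax."""
    return ["nslookup", validate_target(user_input)]


def run_lookup(user_input: str) -> str:
    """Execute the hardened command without a shell; returns nslookup's stdout."""
    argv = build_lookup_command_hardened(user_input)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=5, check=False)
    return result.stdout


def contains_shell_metacharacters(user_input: str) -> bool:
    """Detection-side check for a WAF rule or request log review: does the submitted
    value carry characters that would be significant to a shell?"""
    return any(ch in _SHELL_META for ch in user_input)
```

Run `python3 -c 'import lookup; print(lookup.build_lookup_command_hardened("8.8.8.8"))'` against a copy saved as `lookup.py` to see the argv form; feeding it `"8.8.8.8; whoami"` raises ValueError instead of building a command. The two layers are deliberate: validation stops bad input at the edge, and the argv list keeps the handler safe even if the validator is later loosened to accept more hostname shapes.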

Now this machine does have netcat installed. However, if the goal here is to learn, then using this to get a reverse shell isn’t very realistic. So instead I decided to run a python script that I found on Pentest Monkey’s reverse shell cheat sheet site. http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet


When I run the above command I do indeed get a reverse shell on port 443. I used port 443 in case there’s a firewall. I assume that it will let traffic in and out over the web ports.

Once I have a limited shell I decided to try a simple privilege escalation path. Nmap has a mode called interactive mode that runs as root. Sure enough it was enabled on this machine and I was able to access it. As you can see when I run whoami through the interactive prompt I get the output root.

Since we already have a working reverse shell script we just need to modify it to run on a different port. Once I changed the port to 80, I ran it and it sent my attacking machine a reverse root shell.
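From the defender's chair, both halves of this path leave a very recognisable trail: the web server's account (www-data) suddenly spawning an interpreter or a network tool, and then a child process whose effective uid is root even though the account that launched the chain was not. The following is an added example, not from the post, of a small detector run over constructed process-execution records; the key=value record format, the field names, the sample lines and the account and program lists are all assumptions, not real Metasploitable or auditd output.

```python
"""Flag web-service accounts spawning interpreters/network tools, and
uid -> euid 0 transitions. Added example; records and field names are constructed."""
import shlex
from typing import Dict, List

WEB_SERVICE_ACCOUNTS = {"www-data", "apache", "nginx"}            # assumption
WATCHED_PROGRAMS = {"sh", "bash", "dash", "python", "python2", "python3",
                    "perl", "nc", "ncat", "nmap"}                    # assumption

# Constructed sample records (not real logs). pcomm = parent's program name.
SAMPLE_RECORDS = [
    'ts=1 user=www-data uid=33 euid=33 pcomm=apache2 comm=nslookup argv="nslookup 10.0.0.5"',
    'ts=2 user=www-data uid=33 euid=33 pcomm=sh comm=python argv="python -c <omitted>"',
    'ts=3 user=www-data uid=33 euid=0 pcomm=nmap comm=sh argv="sh -c whoami"',
    'ts=4 user=msfadmin uid=1000 euid=1000 pcomm=bash comm=ls argv="ls -la"',
]


def parse_record(line: str) -> Dict[str, str]:
    """Split one key=value record; shlex keeps quoted argv values intact."""
    fields: Dict[str, str] = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def evaluate(record: Dict[str, str]) -> List[str]:
    """Return the list of rule hits for one record (empty list means benign)."""
    reasons: List[str] = []
    user = record.get("user", "")
    comm = record.get("comm", "")
    # Rule 1: the account that serves web requests should not be launching shells,
    # scripting interpreters or scanners; that is the command-injection foothold.
    if user in WEB_SERVICE_ACCOUNTS and comm in WATCHED_PROGRAMS:
        reasons.append(f"web account {user} launched {comm}")
    # Rule 2: effective uid 0 under a non-root real uid is a privilege boundary
    # being crossed, here via a setuid parent (pcomm) handing out a root shell.
    uid, euid = record.get("uid"), record.get("euid")
    if uid is not None and euid == "0" and uid != "0":
        reasons.append(f"euid 0 while uid={uid} (parent {record.get('pcomm', '?')})")
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run every record through evaluate() and collect those with at least one hit."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_record(line)
        reasons = evaluate(rec)
        if reasons:
            alerts.append({"ts": rec.get("ts"), "user": rec.get("user"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)
```

On the constructed records the nslookup call at ts=1 is the form working as intended and stays quiet, the interpreter spawn at ts=2 fires rule 1, and the root shell at ts=3 fires both rules. The second rule is the one worth keeping in any real pipeline: it is independent of which setuid binary was abused, so it still fires when the parent is something other than nmap.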


That’s it! Not a bad way to get back in the game. I look forward to the next one. Now that I’ve failed, I’m extra motivated so you can expect more of these articles to come, quick and fast.

-Anthony
