Web Application and Local Privilege Escalation Exploit – The test image can be downloaded here: http://21ltr.com/scenes/
A port scan of the target reveals several open ports, including an HTTP port. Browsing to the target website and viewing the HTML source shows a commented-out line containing an account credential. Those credentials allowed a successful FTP login, and the file backup_log.php was downloaded over FTP.
Using DirBuster, the logs directory was discovered on the web server, and requesting backup_log.php inside it succeeds, so the log downloaded over FTP is also served as a page. The backup error log shows an event recurring every ten minutes. The attacker changes his IP address to one of the addresses appearing in the logs, waits for the ten-minute mark and runs the port scan again. That patience pays off: a new port, 10001, is revealed. Not knowing what service is listening, a netcat connection was opened to probe it. After several tries it appears that whatever is sent over the netcat connection is written into the page.
A line of PHP code was then sent to the port the same way. Because the file it lands in is served as backup_log.php, the web server executes it, which gives command execution on the target with the privileges of the web server account. A netcat listener was set up on the attacker's machine to catch the connection the target makes when the attacker triggers it, giving the attacker a reverse shell.
The attacker checks which Linux version the machine is running and looks for a suitable local privilege escalation exploit. A candidate was found in BackTrack's local copy of ExploitDB. The attacker also writes a small shell script which, when run on the target machine, forces a reverse shell connection back to the attacker's machine.
The exploit was compiled locally, and both the shell script and the compiled exploit were fetched onto the target with wget. When the exploit runs, it executes the shell script with root privileges, which in turn connects to the netcat listener on the attacker's machine, giving him a reverse shell with root privileges.