keith / March 13, 2017

This is my first so be gentle.

After boot up I ran Zenmap

Browsing around the website we see that the URL looks interesting:


I tried sqlmap, as port 3306 was open during the scan, but that did not work. I then tried to read files, since the URL showed the .php.

That resulted in some interesting info:


I tried the etc/shadow file but that did not show, as I am sure permissions were denied. Looking through the passwd file I noticed:

backup-user:x:1003:1003:Just to make backups easier,,,:/backups:/usr/local/scripts/

In viewing that script:


Interesting: /backups/backup.tar

A little: curl  index.php?page=../../../..//backups/backup.tar  > backup.tar

It errors out at the 6 gig mark (GULP) and the file is corrupt, but with some luck we can get something:

cpio -ivd -H tar <  backup.tar

This gave me some nice home directories. In the Paul home directory there is a folder called keys:


I started trying them all and hit pay-dirt with id_key4

ssh -i id_key4

What is this???

I started messing around and looking at files. Looking at the admin.php file resulted in that whole vector not really doing anything. It is just a way to waste time:

Now to try to get a reverse shell so I can get a console. Using this Pdmenu I tried creating files, as it uses VIM. Looks like Paul does not have write access to /var/www/html, but he does to /home/paul/.

Let's use this Pdmenu to create a test file in his home directory, then see if our site can view it. I created /home/paul/test.php that contained




Saved it and tried to reach it and:


After messing around and learning about Pdmenu I found the config file in /home/paul/.pdmenurc

Using the menu I was able to edit the file and add my own bash shell

Now exit VIM and Pdmenu and reconnect to SSH

and pick bash

After playing around a bit I could not find anything. So I ran

This gave a ton of info, but right at the top:

WARNING: /etc/cron.weekly/man-db is run by cron as root. /etc/cron.weekly/man-db contains the string /proc/self/status. The user paul can write to /proc/self/status


This sounds like something I have worked with before… A quick Google search for “proc self status linux exploit” and there it was: Dirty Cow.

download, compile, run…



This was fun. Thank you
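
For defenders: the file reads through the page parameter described above leave a clear trail in the web server's access log. The following is an added example, not part of the original post, that resolves each `page` value against an assumed document root and reports requests that land outside it; the log lines, client addresses and `home.php` are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

WEB_ROOT = "/var/www/html"  # assumption: document root, as named in the post
PARAM = "page"              # include parameter seen in the post's URLs
# Combined log format: client - - [time] "METHOD target PROTO" status bytes ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) (\d+|-)')

# Constructed sample lines (not from the post's target); home.php is hypothetical.
SAMPLE = [
    '198.51.100.7 - - [13/Mar/2017:10:00:01 +0000] "GET /index.php?page=home.php HTTP/1.1" 200 2310',
    '198.51.100.7 - - [13/Mar/2017:10:02:10 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1843',
    '198.51.100.7 - - [13/Mar/2017:10:05:44 +0000] "GET /index.php?page=../../../..//backups/backup.tar HTTP/1.1" 200 6442450944',
    '203.0.113.9 - - [13/Mar/2017:10:09:30 +0000] "GET /index.php?page=..%252f..%252f..%252fetc%252fshadow HTTP/1.1" 200 0',
]

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding, e.g. %252f -> %2f -> /."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal(lines):
    """Return (client, resolved_path, status, bytes_sent) for every request
    whose include parameter resolves outside WEB_ROOT."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        client, target, status, size = m.groups()
        for raw in parse_qs(urlsplit(target).query).get(PARAM, []):
            value = fully_decode(raw).replace("\\", "/").split("\x00")[0]
            # join() lets an absolute value replace the root; normpath folds ../
            resolved = posixpath.normpath(posixpath.join(WEB_ROOT, value))
            if resolved != WEB_ROOT and not resolved.startswith(WEB_ROOT + "/"):
                sent = 0 if size == "-" else int(size)
                hits.append((client, resolved, int(status), sent))
    return hits

if __name__ == "__main__":
    for client, path, status, sent in find_traversal(SAMPLE):
        print(f"{client} read {path} status={status} bytes={sent}")
```

The byte count is worth alerting on by itself: a multi-gigabyte response from a page include, like the backup.tar download here, is rarely legitimate.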


