Pentester Academy Command Injection ISO basilic 1.5.14 exploit


         Pentester academy has launched a Command Injection ISO virtual image of Ubuntu with lots of real world vulnerable application framework.

Refer the following link for download and information purpose:
https://www.vulnhub.com/entry/command-injection-iso-1,81/
http://www.pentesteracademy.com/course?id=12

Lab setup:
1) Kali linux (Bridged or NAT) . My Kali Linux Ip was 192.168.1.102
2) Command Injection ISO (Bridged or NAT). My target IP was 192.168.1.103

Login into command injection ISO with user name securitytube and password 123321 to check for the DHCP ip address allocated or simply do a ping scan (nmap -sn)

Checking out for port 80 on Command Injection ISO (192.168.1.103)



As seen above there are many framework installed for exploitation. I will be working with Basilic 1.5.14 in this blog.

Click on the basilic folder and you can see the following.



     Searching for exploit in exploit-db with searchsploit tool in Kali gave me a ruby exploit.



If the language is ruby then I guess it will be present in metasploit.
Searching for exploit in msf framework.


Configure metasploit as shown below:


Finally Exploit:


We have successfully exploited command injection vulnerability in basilic and got www-data privilege on the target.

Now lets us exploit it without metasploit.

Searching for exploit on internet I found the following URl http://www.securityfocus.com/bid/54234/exploit
 



http://www.example.com/basilic/Config/diff.php?file=%26cat%20/etc/passwd&new=1&old=2

Due to output encoding of SecurityFocus  it seems to be obfuscated. Actual exploit is as follows.

http://www.example.com/basilic/Config/diff.php?file=|cat /etc/passwd&new=1&old=2
  Using the above mentioned exploit for command execution.


We are able to execute system command using file parameter.
Let's get a reverse shell.


Got the Shell.





Comments

Popular posts from this blog

MY OSCP REVIEW

Minishare 1.4.1 Bufferoverflow

Port forwarding and pivoting