I tried to see if there are any interesting processes, files, cron jobs and if there are any exploitable SUID binaries, but of course this wasn’t the case since it’s mostly a clean install. However, this shell is really limited as it runs as the “apache” user, and with SELinux enabled, it’s crippled.

uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0

Now I start my listener and access the PHP script from the browser and I get this:

nc -lvp 80

Didn’t work at first until I realized I have to change the listener on my host to port 80 or 443 because the firewall on the virtual machine prevented outbound traffic on most of the other ports. So I just uploaded a reverse PHP shell script (I used ).

So my imagined scenario is this: would it be possible to gain root privileges starting from a vulnerable web application? Let’s assume an attacker already managed to upload a script to the server. The services that I got running are the following (with MySQL only accessible from localhost):

22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
80/tcp open http Apache httpd 2.2.3 ((CentOS))

I’ve chosen CentOS-5.0 and downloaded the image from this location:

$ uname -r

I’ve looked into Metasploitable and Damn Vulnerable Linux (but those were a bit artificial), so I’ve chosen an old Linux image (CentOS) version with the hopes that it will be easy to exploit and a good playground for exercising my skills.
I’ve been working on this project for the past month, trying to hack into a Linux box I’ve installed in a VMware machine. I have always been interested in infosec, but lately I’ve been reading a lot about topics like network security, penetration testing and reverse engineering, with the objective that I’ll change careers to something more security-focused.
Local privilege escalation from a limited shell with SELinux enabled on an old Linux box