search

Priv Escalation

There seems to be a mysql service running on local host

══════════╣ Active Ports
β•š https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::8295                 :::*                    LISTEN      -                   
tcp6       0      0 :::8080                 :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 :::5432                 :::*                    LISTEN      -                   
tcp6       0      0 :::25                   :::*                    LISTEN      -

Other interesting files 

www-data@banzai:/var/www$ cat config.php
cat config.php
<?php
define('DBHOST', '127.0.0.1');
define('DBUSER', 'root');
define('DBPASS', 'EscalateRaftHubris123');
define('DBNAME', 'main');
?>
www-data@banzai:/var/www$

Once we have credentials for an internal database we can start enumerating whether it is vulnerable to UDF Privilege Escalation method.

The exploit basically creates a function that executes commands as root.

Logometasploit-framework/data/exploits/mysql at master Β· rapid7/metasploit-frameworkGitHubchevron-right

Depending on the system we download the 32 or 64 bit .so file.

And we have root.

PreviousExploitation

Last updated