RE: Any suggests about a possible LRE (local root escalation)

From: Paul Melson (pmelson@gmail.com)
Date: Thu Feb 22 2007 - 11:26:42 EST


> We are pen-testing a couple of a company webserver that hosts something
> like many thousand websites. We got a shell working through a remote file
> inclusion vulnerability we found. We are in but there seems to be no apps
> we could "use" to gain a root escalation from the local low-privileges
> shell. OS is centOS 4.4 and kernel is 2.6.9-42.0.3.ELsmp. Do you have any
> ideas to gain a root escalation over this OS/kernel configuration?

An easy thing to do would be to configure Nessus local scans (they have a
CentOS category I believe) with your shell configuration and have Nessus ssh
into the box and check for unpatched vulns. That should take all of 10
minutes and might yield an unpatched local root.

Next step might be 'find / -type f -perm -4000' and start overflowing
command line arguments until something segfaults.

There are usually lots of ways to get root from a local shell, especially if
the box hasn't been hardened from its default configuration. Try and figure
out what cron jobs run, what files they touch, look at /tmp, etc.

PaulM
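The reply's checklist (setuid binaries, cron jobs and the files they touch, /tmp) is exactly what a hardening audit of a shared webserver should walk through before someone else does. Below is an added example, not part of the original post or of any tool it mentions: a small POSIX sh audit that lists setuid/setgid files, compares them against a baseline the administrator keeps, and flags cron-run scripts that are writable by anyone other than their owner. The `make_sample_tree` helper builds a constructed directory tree so the checks can be run offline; the baseline path and the tree layout are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original list post): hardening audit for the
# three items in the reply, setuid binaries, cron scripts and their permissions.

# list_setuid DIR: every regular file under DIR with the setuid or setgid bit,
# sorted so the result can be diffed or fed to comm(1).
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# new_setuid DIR BASELINE: setuid/setgid files present now but absent from the
# (sorted, one path per line) BASELINE file the admin recorded at build time.
new_setuid() {
    list_setuid "$1" | comm -13 "$2" -
}

# writable_cron CRONDIR: cron scripts that are group- or world-writable; any
# of these lets a low-privilege user change what root runs on a schedule.
writable_cron() {
    find "$1" -type f \( -perm -0020 -o -perm -0002 \) 2>/dev/null | sort
}

# run_audit ROOT BASELINE: print the findings an operator would act on.
run_audit() {
    echo "== setuid/setgid files not in baseline $2 =="
    new_setuid "$1" "$2"
    for d in "$1/etc/cron.d" "$1/etc/cron.hourly" "$1/etc/cron.daily" \
             "$1/etc/cron.weekly" "$1/etc/cron.monthly"; do
        [ -d "$d" ] || continue
        echo "== group/world-writable files in $d =="
        writable_cron "$d"
    done
}

# make_sample_tree DIR: constructed test data (assumption, not a real host):
# two setuid files (only "ok" is in the baseline), one plain binary, and two
# cron scripts, one of which is world-writable.
make_sample_tree() {
    dir="$1"
    mkdir -p "$dir/usr/bin" "$dir/etc/cron.daily"
    for f in ok odd plain; do printf '#!/bin/sh\n' > "$dir/usr/bin/$f"; done
    chmod 4755 "$dir/usr/bin/ok" "$dir/usr/bin/odd"
    chmod 0755 "$dir/usr/bin/plain"
    for f in backup rotate; do printf '#!/bin/sh\n' > "$dir/etc/cron.daily/$f"; done
    chmod 0777 "$dir/etc/cron.daily/backup"
    chmod 0755 "$dir/etc/cron.daily/rotate"
    # Baseline recorded "at install time": only "ok" is expected to be setuid.
    printf '%s\n' "$dir/usr/bin/ok" > "$dir/baseline.txt"
}
```

Usage on a real host would be `run_audit / /var/lib/setuid.baseline` from a root cron job, with the baseline regenerated by `list_setuid / > /var/lib/setuid.baseline` after each package update; anything `new_setuid` reports is either a package you just installed or something that should not be there, and anything `writable_cron` reports is a chmod away from being a root job someone else controls.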

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:36 EDT