rConfig 3.9.6 exploit metasploit github
If this exploit did not show up in the MSF search, we can copy the code from this repo onto our local attack box and save it in the directory that our local install of MSF is referencing. To do this, we can issue this command on our attack box:
locate exploits
We want to look for the directories in the output associated with Metasploit Framework.
/usr/share/metasploit-framework/modules/exploits
We can copy the code into a file and save it in /usr/share/metasploit-framework/modules/exploits/linux/http, similar to where the code is stored in the GitHub repo.
If we copy it into a file on our local system, make sure the file has .rb as the extension. All modules in MSF are written in Ruby.
Select an Exploit
use exploit/linux/http/rconfig_vendors_auth_file_upload_rce
When we drop into the system shell, we notice that no prompt is present, yet we can still issue some system commands. This is a shell typically referred to as a non-tty shell.
These shells have limited functionality and can often prevent our use of essential commands like su (switch user) and sudo (super user do), which we will likely need if we seek to escalate privileges.
This happened because the payload was executed on the target by the apache user. Our session is established as the apache user. Normally, admins are not accessing the system as the apache user, so there is no need for a shell interpreter language to be defined in the environment variables associated with apache.
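The same property is useful from the defender's side: a shell process owned by the web-server account with no controlling terminal is unusual on a healthy host. The following is an added example, not part of the original notes or of Metasploit; it assumes input in the format of `ps -eo user,pid,ppid,tty,comm`, and the account list, shell list and sample process table are constructed for illustration.

```shell
# Flag shells owned by web-service accounts that have no controlling
# terminal (TTY column "?"), the non-tty state described above.

# Constructed sample process table, not captured from a real host.
sample_ps() {
cat <<'EOF'
USER       PID  PPID TT       COMMAND
root       812     1 ?        httpd
apache     901   812 ?        httpd
apache    4410   901 ?        sh
apache    4415  4410 ?        bash
alice     2200  2100 pts/0    bash
root      3001     1 ?        crond
root      3050  3001 ?        sh
EOF
}

# Accounts and shell names to watch (assumed lists; tune per host).
SERVICE_USERS="apache www-data nginx"
SHELLS="sh bash dash ash zsh ksh"

# Reads ps output on stdin; prints "pid user shell parent_comm" per finding.
find_service_shells() {
  awk -v users="$SERVICE_USERS" -v shells="$SHELLS" '
    BEGIN {
      n = split(users, u, " ");  for (i = 1; i <= n; i++) watch_user[u[i]] = 1
      n = split(shells, s, " "); for (i = 1; i <= n; i++) is_shell[s[i]] = 1
    }
    NR == 1 { next }                 # skip the ps header line
    {
      comm[$2] = $5                  # remember every process name by PID
      if (($1 in watch_user) && ($5 in is_shell) && $4 == "?") {
        hits[++count] = $2; owner[$2] = $1; parent[$2] = $3
      }
    }
    END {
      for (i = 1; i <= count; i++) {
        p = hits[i]
        pc = (parent[p] in comm) ? comm[parent[p]] : "unknown"
        printf "%s %s %s %s\n", p, owner[p], comm[p], pc
      }
    }'
}

# Live use: ps -eo user,pid,ppid,tty,comm | find_service_shells
sample_ps | find_service_shells
```

In the sample, the two apache-owned shells are reported along with the parent process name, while the cron-spawned root shell and the user's terminal session are not.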