I am posting this question here due to this "Questions about approaches to penetration testing with Back Track are welcome." from the sticky. I must apologize slightly as I am still not an expert in this field but I have learned a lot. Also, I am doing this post from memory as the IT building is closed for the night and I can't look to see what was open etc...
I am a college student majoring in network security. On our lab report is a bonus which is to own a "mystery machine" and read a file that wouldn't normally be accessible remotely.
The mystery machine is one router away and is on the same subnet and DHCP client.
After hours of scanning and probing we have found:
OS: BackTrack 2
about 8 ports open.
The vulnerability is PHP based as he is running beef (not set up, v.02 I think) and phpmyadmin (2.10.1)
It has apache running v 126.96.36.199
PHP v 4.4.4
tightvnc (could not find exploits for the version he is running and this has a java front end on port 641?)
We have used metasploit v3.2 and 3.3 for over 20 hours in an attempt to get a shell but the exploits have not worked.
Version 3.3 has a bug in it that prevents us from using the php cookie exploit involving zval? (do search -t exploit cookie to find it)
deserialize() is what should be exploitable. I know the config file uses this. Can anyone point me towards an exploit that is sure to work as long as I put in the right stuff? It doesn't have to be metasploit; bash and perl work. PHP scripts, however, I am not sure how to do yet and that may require a brief explanation as to how to launch.
I thank you ahead of time for any help. This is due by Monday and I have tomorrow to work on it before I have to just type up what we have thus far and hope for pity points.