Serv-U


It has been identified that a Serv-U instance is present on the election host.

Serv-U by SolarWinds is a secure file transfer server software designed for businesses to share files internally and externally. It supports FTP, FTPS, and SFTP protocols, enabling secure and compliant data transfers. Serv-U includes features like web-based file access, automation, and user permissions management. It’s commonly used by IT teams to maintain control over file transfers without relying on third-party cloud services.

Serv-U.service Service


www-data@election:/$ systemctl status Serv-U.service
systemctl status Serv-U.service
* Serv-U.service - LSB: Serv-U
   Loaded: loaded (/etc/init.d/Serv-U; generated)
   Active: active (running) since Sat 2024-08-03 05:42:02 IST; 10 months 28 days
     Docs: man:systemd-sysv-generator(8)
    Tasks: 6 (limit: 1115)
   CGroup: /system.slice/Serv-U.service
           `-1803 ./Serv-U -startservice
 
Aug 03 05:42:01 election Serv-U[1763]: Serv-U is starting...
Aug 03 05:42:01 election Serv-U[1801]: pid 001801, uid 0000 : Started (-startser
Aug 03 05:42:01 election Serv-U[1801]: pid 001801, uid 0000 : Terminated
Aug 03 05:42:01 election Serv-U[1803]: pid 001803, uid 0000 : Daemon Started
Aug 03 05:42:01 election Serv-U[1803]: Version Check. Running: 15.1.6.25, Availa
Aug 03 05:42:02 election Serv-U[1817]: pid 001817, uid 0000 : Started (-isrunnin
Aug 03 05:42:02 election Serv-U[1817]: pid 001817, uid 0000 : Stopped
Aug 03 05:42:02 election Serv-U[1763]: Serv-U is running
Aug 03 05:42:02 election systemd[1]: Started LSB: Serv-U.
Jul 01 23:37:34 election Serv-U[1803]: Version Check. Running: 15.1.6.25, Availa

Checking Serv-U.service shows that it is an LSB unit generated from /etc/init.d/Serv-U, that its only process is ./Serv-U -startservice (PID 1803), and that the journal records uid 0000 for every Serv-U process, so the daemon runs as root. The version check line also gives the running build, 15.1.6.25, and the unit has been up since August 2024.

www-data@election:/$ cat /etc/init.d/Serv-U
#!/bin/sh
 
# Serv-U
# Purpose : This shell script takes care of starting and stopping the Serv-U File Server
# Author  : SolarWinds Worldwide LLC
# Contact : http://www.RhinoSoft.com/support
 
# RedHat, et.al. configuration:
#  (runlevels 3 and 5)
# chkconfig: 35 80 30
# description: Serv-U File Server
 
# Debian, et.al. configuration:
#  (runlevels 2, 3 and 5)
### BEGIN INIT INFO
# Provides:		Serv-U
# Required-Start:	$network
# Required-Stop:	$network
# Default-Start:	2 3 5
# Default-Stop:		0 1 4 6
# Short-Description:	Serv-U
# Description:		Serv-U File Server
### END INIT INFO
 
RETVAL=0
SERVERPATH="/usr/local/Serv-U"
SERVERNAME="Serv-U"
 
checkaccess() {
# exit if we are not root user
if [ "`id -u`" -ne 0 ];
  then
    echo "That action requires root level access"
    exit 4
fi
}
 
case "$1" in
  start)
	checkaccess
	cd "$SERVERPATH"
	"./$SERVERNAME" -isrunning
	if [ $? -eq 1 ];
	  then
	    echo "Serv-U is already running"
	  else
	    echo "Serv-U is starting..."
	    "./$SERVERNAME" -startservice
	    sleep 1
	    "$0" status
	fi
	;;
  stop)
	checkaccess
	cd "$SERVERPATH"
	"./$SERVERNAME" -isrunning
	if [ $? -ne 1 ];
	  then
	    echo "Serv-U is already stopped"
	  else
	    echo "Serv-U is stopping..."
	    "./$SERVERNAME" -stopservice
	    "$0" status
	fi
	;;
  status)
	cd "$SERVERPATH"
	"./$SERVERNAME" -isrunning
	if [ $? -eq 1 ];
	  then
	    echo "Serv-U is running"
	  else
	    echo "Serv-U is stopped"
	fi
	;;
  restart)
	checkaccess
	"$0" stop
	"$0" start
	;;
  *)
	echo $"Serv-U Usage: Serv-U {start|stop|restart|status}" >&2
	RETVAL=5
	;;
esac
 
exit $RETVAL

The init script is a thin wrapper: it sets SERVERPATH to /usr/local/Serv-U, cd's into it and calls ./Serv-U with -isrunning, -startservice or -stopservice, so the binary and its data live in that directory. Two details worth noting: start, stop and restart call checkaccess and refuse to run unless the caller is root, so the script itself is not a privilege-escalation path (the interesting target is the binary it wraps), and -isrunning uses exit status 1 to mean "running", the opposite of the usual convention.

/usr/local/Serv-U Directory (SERVERPATH)


Checking the Serv-U directory

Log


www-data@election:/usr/local/Serv-U$ cat Serv-U-StartupLog.txt
[01] Sat 03Aug24 05:42:01 - Serv-U File Server (64-bit) - Version 15.1 (15.1.6.25) - (C) 2017 SolarWinds Worldwide, LLC.  All rights reserved.
[01] Sat 03Aug24 05:42:01 - Build Date: Wednesday, November, 29, 2017 11:28 AM
[01] Sat 03Aug24 05:42:01 - Operating System: Linux 64-bit; Version: 5.4.0-120-generic
[01] Sat 03Aug24 05:42:01 - Loaded graphics library.
[01] Sat 03Aug24 05:42:01 - Unable to load ODBC database libraries.  Install package "unixODBC" to use a database within Serv-U.
[01] Sat 03Aug24 05:42:01 - Loaded SSL/TLS libraries.
[01] Sat 03Aug24 05:42:01 - Loaded SQLite library.
[01] Sat 03Aug24 05:42:01 - FIPS 140-2 mode is OFF.
[01] Sat 03Aug24 05:42:01 - LICENSE: Running beyond trial period.  Serv-U will no longer accept connections.
[01] Sat 03Aug24 05:42:01 - Socket subsystem initialized.
[01] Sat 03Aug24 05:42:01 - HTTP server listening on port number 43958, IP 127.0.0.1
[01] Sat 03Aug24 05:42:01 - HTTP server listening on port number 43958, IP ::1

The startup log confirms the version (15.1.6.25, build dated November 2017) and shows the HTTP server listening on port 43958, which PEAS had also flagged. Two details matter for scoping: the listener is bound only to 127.0.0.1 and ::1, so it is not reachable from outside the host, and the license has expired ("Running beyond trial period. Serv-U will no longer accept connections"), so the FTP/SFTP side is not a live remote attack surface. Anything exploitable here will be local.

Vulnerabilities

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ searchsploit Serv-U 15.1.6.25                                                       130
------------------------------------------------------------ ---------------------------------
 Exploit Title                                              |  Path
------------------------------------------------------------ ---------------------------------
Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (1) | linux/local/47009.c
Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (2) | multiple/local/47173.sh
------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results

Both searchsploit hits are local privilege escalation exploits for Serv-U versions below 15.1.7, which covers 15.1.6.25. This is CVE-2019-12181, a local privilege escalation in Serv-U before 15.1.7, not remote code execution, which is consistent with the loopback-only listener seen in the log. Since the daemon runs as root, a successful local exploit yields a root shell. Moving on to the Privilege Escalation phase.
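A small triage helper that pulls the same facts out of the startup log and the binary, added here as an example; it is not part of the original write-up and not Serv-U's own code. The directory, the log contents and the placeholder binary are constructed to mirror the output above, and the 15.1.7 threshold comes from the searchsploit titles. On a real host, point servu_triage at /usr/local/Serv-U.

```shell
#!/bin/sh
# Added example (not from the original write-up): triage a Serv-U install
# from its startup log and binary.  The log below is constructed to mirror
# Serv-U-StartupLog.txt as shown above; on a real host use /usr/local/Serv-U.

# Version string from the banner line: "... Version 15.1 (15.1.6.25) ..."
servu_version() {
    sed -n 's/.*Version [0-9.]* (\([0-9.]*\)).*/\1/p' "$1" | head -n 1
}

# HTTP listeners as IP:PORT, one per line.
servu_listeners() {
    sed -n 's/.*listening on port number \([0-9]*\), IP \(.*\)$/\2:\1/p' "$1"
}

# 0 when at least one listener exists and every listener is loopback-bound.
servu_loopback_only() {
    listeners=$(servu_listeners "$1")
    [ -n "$listeners" ] || return 1
    printf '%s\n' "$listeners" | grep -E -v '^(127\.[0-9.]+|::1):' >/dev/null && return 1
    return 0
}

# Dotted numeric version compare: 0 when $1 < $2 (e.g. 15.1.6.25 < 15.1.7).
# Missing components count as 0, so 15.1.7 is not below 15.1.7.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*} bi=${b%%.*}
        if [ "$a" = "$ai" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$bi" ]; then b=; else b=${b#*.}; fi
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
    done
    return 1
}

# Print a short report for one install directory.
servu_triage() {
    log=$1/Serv-U-StartupLog.txt bin=$1/Serv-U
    ver=$(servu_version "$log")
    echo "version:       ${ver:-unknown}"
    if [ -n "$ver" ] && version_lt "$ver" 15.1.7; then
        echo "fix status:    below 15.1.7 (the searchsploit LPE entries target this range)"
    else
        echo "fix status:    15.1.7 or later, or unknown"
    fi
    echo "listeners:     $(servu_listeners "$log" | tr '\n' ' ')"
    if servu_loopback_only "$log"; then
        echo "exposure:      loopback only (no remote attack surface from this log)"
    else
        echo "exposure:      non-loopback listener or none found"
    fi
    if [ -u "$bin" ]; then
        echo "setuid binary: yes (owner $(ls -l "$bin" | awk '{print $3}'))"
    else
        echo "setuid binary: no"
    fi
}

# Constructed sample directory mirroring the real log above (not captured output).
SERVU_DIR=$(mktemp -d)
trap 'rm -rf "$SERVU_DIR"' EXIT
cat > "$SERVU_DIR/Serv-U-StartupLog.txt" <<'EOF'
[01] Sat 03Aug24 05:42:01 - Serv-U File Server (64-bit) - Version 15.1 (15.1.6.25) - (C) 2017 SolarWinds Worldwide, LLC.  All rights reserved.
[01] Sat 03Aug24 05:42:01 - LICENSE: Running beyond trial period.  Serv-U will no longer accept connections.
[01] Sat 03Aug24 05:42:01 - HTTP server listening on port number 43958, IP 127.0.0.1
[01] Sat 03Aug24 05:42:01 - HTTP server listening on port number 43958, IP ::1
EOF
: > "$SERVU_DIR/Serv-U"   # placeholder for the binary; deliberately not setuid

servu_triage "$SERVU_DIR"
```

The version comparison is done component by component rather than with sort -V so it works in a plain POSIX sh on a minimal target; the setuid check is included because the init script only ever runs the binary as root, so how the binary itself is installed is the next thing to look at.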