Katana VM is made by the SunCSR Team. This VM is a purposely built vulnerable lab intended to give experience in the world of penetration testing. It is of intermediate level and is very handy for brushing up your skills as a penetration tester. The ultimate goal of this challenge is to get root and read the root flag.
Since these labs are available on the Vulnhub website, we will be downloading the lab file from this link.
Penetration Methodologies
Network Scanning
· Netdiscover
· Nmap
Enumeration
· Browsing HTTP Service
· Directory Scanning (Dirb)
Exploiting
· Uploading PHP Reverse Shell
Privilege Escalation
· Capability
Walkthrough
Network Scanning
Let's start by scanning the network for targets using Netdiscover.
netdiscover
We found the target IP address 192.168.1.119. Let's begin with basic port scanning with Nmap.
nmap -p- -A 192.168.1.119
Enumeration
Since port 80 is open, we navigate to a web browser to explore the HTTP service. It clearly does not give us enough of a clue to proceed.
So far we have not found any hint that would let us establish a foothold, so we chose DIRB for a directory brute-force attack on port 8088. After a few tries we found the URL of an HTML upload page. Let's browse to it and see what the service does.
dirb http://192.168.1.119:8088/ -X .html
Exploiting
On browsing the page we saw that it contains a file upload option, but why does it have two upload options? This is interesting. We went for the second upload option and uploaded pentestmonkey's PHP reverse shell. Let's see if we can shell this machine.
After successfully uploading our file, it asked us to wait for 1 minute. The message that made us curious said that the uploaded shell was internally redirected to another directory after being uploaded. The only thing left is to execute our shell.
After a few tries, we changed the port from 8088 to 8715, because the previous hint gave a clue that the file had been internally redirected. Changing the port and executing the file got us the shell.
Privilege Escalation
Thus we explored further and looked for weak service configuration such as SUDO and SUID permissions, but found nothing related to them. After spending some more time, we saw that a capability with the +ep flags is set on python2.7. We used the following command to enumerate file capabilities.
getcap -r / 2>/dev/null
There we got our shell. The only thing left is to get root access. We looked for file capabilities and found that the cap_setuid capability with the ep (effective and permitted) flags is granted to python2.7, so www-data can set the process uid through that program; therefore, taking advantage of this permission, we can escalate from a low-privilege shell to a high-privilege one using the command below.
/usr/bin/python2.7 -c 'import os; os.setuid(0); os.system("/bin/bash")'
*NOTE: For privilege escalation through capabilities, please refer to the link below.
https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/
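As an added defender-side check that is not part of the original walkthrough: the script below reads a getcap listing (the sample lines are constructed, and both libcap output formats are handled) and flags entries whose capability set lets a process change its uid/gid, bypass file permissions, or act as root, noting when the binary is a scripting interpreter such as python, which is exactly the combination abused above. The function names flag_dangerous_caps and audit_sample and the list of capabilities treated as risky are my own choices.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): audit a getcap listing
# for file capabilities that amount to a privilege-escalation path.
# Accepts both libcap output formats:
#   /usr/bin/python2.7 = cap_setuid+ep      (libcap < 2.41)
#   /usr/bin/python2.7 cap_setuid=ep        (libcap >= 2.41)
# Prints one line per risky entry: "<path> <capset> <reason>".

flag_dangerous_caps() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line%% *}            # first field is the binary path
        caps=${line#"$path"}        # remainder is the capability text
        caps=${caps#" "}            # strip the separating space
        caps=${caps#"= "}           # strip the old-format "= " prefix
        reason=""
        case "$caps" in
            *cap_setuid*|*cap_setgid*)       reason="can change uid/gid" ;;
            *cap_dac_override*|*cap_dac_read_search*)
                                            reason="bypasses file permissions" ;;
            *cap_sys_admin*|*cap_sys_ptrace*|*cap_sys_module*)
                                            reason="root-equivalent capability" ;;
            =ep|=eip|all=*|all+*)           reason="full capability set" ;;
        esac
        if [ -n "$reason" ]; then
            # A scripting interpreter turns any of these into an instant root
            # shell, as the python2.7 finding in this walkthrough shows.
            case "$path" in
                *python*|*perl*|*ruby*|*node*|*php*|*lua*)
                    reason="$reason on an interpreter" ;;
            esac
            printf '%s %s %s\n' "$path" "$caps" "$reason"
        fi
    done
}

# Constructed sample listing, in the older format that the walkthrough's
# getcap -r / 2>/dev/null output uses. Only the python2.7 line is risky.
SAMPLE_CAPS='/usr/bin/python2.7 = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep'

# Audit the constructed sample (used when no live scan is requested).
audit_sample() {
    printf '%s\n' "$SAMPLE_CAPS" | flag_dangerous_caps
}

# With --scan, audit the live system instead (requires getcap to be present).
if [ "${1:-}" = "--scan" ] && command -v getcap >/dev/null 2>&1; then
    getcap -r / 2>/dev/null | flag_dangerous_caps
else
    audit_sample
fi
```

Run the script with --scan on a host to feed a live getcap listing into the function. For a finding like the python2.7 one, the remediation is to drop the capability with `setcap -r /usr/bin/python2.7` once nothing legitimate is confirmed to depend on it; an interpreter should never carry cap_setuid.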