SAR1 VULHUB WALKTHROUGH
SAR1 (Walkthrough)
This box is from VulnHub; you can download it from the link. It is an OSCP-like box, I believe. I pwned it using an LFI that leads to RCE.
Breaching Process
Finding IP
- Netdiscover
Enumeration
- Browsing HTTP service
- Nmap scan
- Enumerating directory using nikto and dirb
- Found robots.txt and other useful directory
- Enumerating the sar2HTML application
Exploitation
- Using searchsploit, found an RCE for the sar2HTML version in use
- Injected PHP code onto the target using wget
- Got a reverse shell using nc
Privilege Escalation
- Found a crontab entry that executes a shell script every 5 minutes
- Added sudoers permission for www-data
- Got root permission
Let's Breach
Using netdiscover I found the box's IP address. The IP address was 192.168.248.136.
Then I scanned the IP using nmap. The command is:
nmap -sSVC -A 192.168.248.136 | tee nmap.txt
The scan shows only port 80, which served the default Apache page.
There was nothing to see, so I needed to dig deeper; that is why I scanned with nikto and dirb.
Using dirb I found a robots.txt file,
which pointed to a directory.
I went to the sar2HTML directory and found that it was some kind of service (I didn't know which).
A version number was displayed, so I quickly went to searchsploit and found that this exact version was vulnerable to LFI leading to RCE.
I quickly copied the file from searchsploit and read it. It was not hard:
there is just an LFI exploit first.
Using this technique I got the ls command to run through the web app.
So the LFI works, and now the exploit needs to be turned into RCE.
I tried a few things; the wget command works: I ran a simple HTTP server from Python and pulled the PHP reverse shell onto the server.
That worked like a charm.
Now it's time to get the reverse shell back to my PC.
Got the reverse shell.
Pretty easy, hmmm.
Now enumeration is the key. However, that was not hard either:
I saw that finally.sh runs as root and that it runs write.sh,
and that finally.sh runs every 5 minutes,
while anyone can write to the write.sh file.
So I edited write.sh and
made
www-data able to run sudo commands without a password.
After waiting 5 minutes, sudo -l shows:
Now www-data can run sudo without a password,
and the command
sudo -u root sudo su
can be used to get root.
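The privilege escalation above works because a script that cron runs as root is writable by any user. The audit script below is an added example, not code from the original post: it reads a crontab in the system (/etc/crontab) format and reports every file referenced by a cron command whose mode grants write to group or others. The names write.sh and finally.sh come from the post; the script contents and the crontab lines are constructed sample data, and the system-format assumption (a user field before the command) is mine.

```shell
#!/bin/sh
# Added defensive example, not code from the original post: audit a system
# crontab for scripts that run as root but are writable by other users.
# Assumptions: the crontab uses the system format (minute hour dom mon dow user
# command); script names write.sh and finally.sh come from the post, their
# contents and the crontab lines below are constructed sample data.

# Print "user path" for every file referenced by a cron command whose mode
# grants write permission to group or others (the flaw behind the privesc).
find_writable_cron_scripts() {
    crontab_file="$1"
    grep -Ev '^[[:space:]]*(#|$)' "$crontab_file" |
    while read -r _min _hour _dom _mon _dow user cmd; do
        (
            set -f   # no glob expansion of cron's "*" tokens inside the command
            # Check every token that names an existing file, so that
            # "/bin/sh /path/write.sh" flags write.sh and not only /bin/sh.
            for tok in $cmd; do
                [ -f "$tok" ] || continue
                perms=$(ls -ldL "$tok" | cut -c1-10)   # e.g. -rwxrwxrwx
                case "$perms" in
                    ?????w????|????????w?) printf '%s %s\n' "$user" "$tok" ;;
                esac
            done
        )
    done
}

# Build constructed sample data in a temp dir: one world-writable script and
# one root-only-writable script, both launched as root by the crontab.
make_sample() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho hi\n' > "$dir/write.sh"
    printf '#!/bin/sh\necho hi\n' > "$dir/finally.sh"
    chmod 777 "$dir/write.sh"
    chmod 755 "$dir/finally.sh"
    cat > "$dir/crontab" <<EOF
# constructed crontab in /etc/crontab format
*/5 * * * * root $dir/finally.sh
*/5 * * * * root /bin/sh $dir/write.sh
EOF
    printf '%s\n' "$dir"
}

dir=$(make_sample)
echo "Cron jobs whose scripts are writable by non-owners:"
find_writable_cron_scripts "$dir/crontab"
rm -rf "$dir"
```

On the sample data only write.sh is reported; finally.sh is mode 755 and passes. Run against a real /etc/crontab and the files in /etc/cron.d, any line printed is a script that should be owned by root with mode 755 or tighter.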