SAR1 VULHUB WALKTHROUGH

SAR1 (Walkthrough)

This box is from Vulhub; you can download it from the link. This box is like an OSCP box, which I believe is . I pwned this box using an LFI that leads to RCE.


Breaching Process 

Finding IP

  • Netdiscover

Enumeration

  • Browsing HTTP service
  • Nmap scan
  • Enumerating directory using nikto and dirb
  • Found robots.txt and other useful directory
  • Enumerating sar2HTML

Exploitation

  • Using searchsploit for sar2HTML, found RCE
  • Injecting PHP code using (wget)
  • Got reverse shell using NC

Privilege Escalation

  • Found that crontab executes a shell script every 5 min.
  • Added the sudoers permission for www-data.
  • Got root permission



Let's Breach 

Using netdiscover, I found the box's IP address. The IP address was 192.168.248.136.




Then I scanned the IP using nmap.
The command is:

nmap -sSVC -A 192.168.248.136 | tee nmap.txt




Here the scan shows only port 80, which was the default Apache page.


There was nothing to see, so I needed to dig deeper; that's why I scanned using nikto and dirb.

Using dirb, I found the robots.txt file, which indicates some directory.


I went to the sar2HTML directory and found that it was some kind of service (I don't know).


There was a version, so I quickly went to searchsploit and found that the same version was vulnerable to LFI to RCE.


I quickly copied the file from searchsploit and read it. However, that was not hard;
there was just an LFI exploit first.

Using this technique, I got the ls command running in the web app.


So, here the LFI works, and now I need to get the exploit to work for RCE.

So I tried it, and the wget command seems to work, i.e. I ran a simple HTTP server from Python and loaded the PHP reverse shell onto the server.


Seems that works like a charm.
Now it's time to get the reverse shell onto my PC.




Got the reverse shell.
Pretty easy, hmmmm.



Now enumeration is the key. However, that was not hard:
I see that finally.sh runs as root and that it runs write.sh,
and finally.sh runs every 5 minutes,
while anyone can write to the write.sh file.
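A defender's check for the misconfiguration just described, as an added example that is not part of the original post: it reads root's /etc/crontab-style entries, follows the scripts they call, and reports any world-writable file in the chain. The function names are hypothetical, and the crontab line and script bodies in demo() are constructed; only the names finally.sh and write.sh and the 5-minute schedule come from the walkthrough.

```python
import os, stat, tempfile

def cron_jobs(crontab_text, user="root"):
    """Commands from /etc/crontab-style lines: 5 time fields, user, command."""
    rows = (line.split(None, 6) for line in crontab_text.splitlines())
    return [f[6] for f in rows if len(f) == 7 and f[0][0] != "#" and f[5] == user]

def referenced_files(text, base_dir):
    """Existing files named by any token in text, resolved against base_dir."""
    found = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):  # comments and the shebang line
            continue
        for tok in line.split():
            path = os.path.normpath(os.path.join(base_dir, tok.strip("\"';")))
            if os.path.isfile(path) and path not in found:
                found.append(path)
    return found

def audit(crontab_text):
    """Call chains from root cron jobs that end in a world-writable file."""
    findings, seen = [], set()
    queue = [[p] for cmd in cron_jobs(crontab_text) for p in referenced_files(cmd, "/")]
    while queue:
        chain = queue.pop(0)
        path = chain[-1]
        if path in seen:
            continue
        seen.add(path)
        if os.stat(path).st_mode & stat.S_IWOTH:
            findings.append(" -> ".join(chain))
        with open(path, errors="replace") as fh:
            body = fh.read()
        if body.startswith("#!"):  # follow only what a script itself calls
            queue += [chain + [c] for c in referenced_files(body, os.path.dirname(path))]
    return findings

def demo():
    """Constructed layout like the box's: root cron -> finally.sh -> write.sh."""
    with tempfile.TemporaryDirectory() as d:
        for name, body, mode in (("finally.sh", "#!/bin/sh\n./write.sh\n", 0o755),
                                 ("write.sh", "#!/bin/sh\necho ok\n", 0o777)):
            with open(os.path.join(d, name), "w") as fh:
                fh.write(body)
            os.chmod(os.path.join(d, name), mode)
        tab = "# constructed sample\n*/5 * * * * root %s/finally.sh\n" % d
        return audit(tab)

if __name__ == "__main__":
    print(demo())
```

On a real host, pass the contents of /etc/crontab to audit(); the fix for a finding is to make the file writable by root only (for example mode 755, owner root).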


So, I edited write.sh and made it so that www-data can run sudo commands without a password.


The wait is over after 5 min.

sudo -l shows:


Now, www-data can run sudo without a password,

and the command 
sudo -u root sudo su
can be used to get root.



HAPPY HACKING :)

