Vulnhub Katana: 1 Walkthrough

    This box is described as "Intermediate" and the description states:  "Get the root shell i.e.(root@localhost:~#) and then obtain flag under /root)."

    I'll admit, I'm getting a little worn out on the multiple web serving troll ports.  It's basically the same box recycled with a different twist.  That being said, the privilege escalation was excellent.  There are multiple entrances for a low privilege shell and I cover two. 

    We kick off with Nmap:


    Lots of open ports like the previous boxes from this author.  When we search port 80 with Nikto, we find:


    When we access it from the web browser, we find:


    Scrolling down, we find:


    Moving over to the admin page, we try admin / admin:


    We're in!  I attempt to upload a shell:


    But that errors out.  When I look in the address, I see what could be SQL Injection:


    Mind you, this is a deviation and it goes nowhere, but if you want to play around with it, this is how it starts:


    We capture the post in Burp and we insert it into a file.  We fire up SQLMap:


    We find a database:


    Let's enumerate the database:


    We find a table and we get the column info:


    Let's dump the table:


    And when we crack the hash, we find what we already know: the username is admin and the password is admin.


    Circling back -- looking at the format of the pages, I guess that maybe admin_edit.php exists:


    I attempt to upload a shell:


    When I try to add it:


    We get an error. 

    Meanwhile, I'm brute forcing SSH and I find:


    That's our first in; I'm not sure that was intended.  We SSH over to the box:


    As I'm hunting around the various web servers, I find:


    I think this was probably the intended entry:


    We upload our shell:


    Note the location of the file but recognize that it's NOT on this web server, it's the server running on port 8715:


    With our handler setup:


    Getting in as www-data buys us nothing.  Back to katana, I search for files with capabilities and I uncover:


    Which leads us to:


    With Python2.7, we can execute a shell for root.  We get the flag and it's game over!  I really like the privilege escalation, that was solid.  Took me a bit to figure that out because it doesn't show up on privilege escalation scripts -- or at least those I ran.
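
    The capability search above is also the audit a defender should run, since a privileged capability on an interpreter is easy to miss. The following is an added example, not from the original post: a Python parser for `getcap -r` output that flags privilege-granting capabilities, rating interpreters highest. The capability list, interpreter list and sample lines are constructed assumptions, not output from this box.

```python
import re

# Capabilities that let a process change identity or bypass permission checks
# (assumed shortlist; "all" stands for a bare "=ep" clause).
HIGH_RISK = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
             "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
             "cap_fowner", "all"}
# Binaries that run arbitrary user-supplied code (illustrative list, extend as needed).
INTERPRETER = re.compile(r"/(python|perl|ruby|php|node|lua|tclsh|gdb)[\d.]*$")
# "/path = cap_x+ep" (older libcap) or "/path cap_x=ep" (newer libcap).
LINE = re.compile(r"^(.*?)(?: =)? ((?:cap_|=)\S.*)$")
CLAUSE = re.compile(r"^([a-z0-9_,]*)[+=]([eip]+)$")

def parse_getcap_line(line):
    """Return (path, [capabilities in the permitted or effective set]) or None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    path, spec = m.groups()
    caps = []
    for clause in spec.split():
        c = CLAUSE.match(clause)
        # Inheritable-only ("i") clauses grant nothing by themselves; skip them.
        if c and set(c.group(2)) & {"e", "p"}:
            caps += c.group(1).split(",") if c.group(1) else ["all"]
    return path, caps

def audit(getcap_output):
    """Return [(severity, path, risky_caps)] for every file worth a look."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, caps = parsed
        risky = sorted(set(caps) & HIGH_RISK)
        if risky:
            severity = "critical" if INTERPRETER.search(path) else "review"
            findings.append((severity, path, risky))
    return findings

# Constructed sample in both getcap output formats; not taken from the box.
SAMPLE = """/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_setuid+ep
/usr/bin/mtr-packet cap_net_raw=ep
/opt/tools/backup cap_dac_read_search=ep"""

if __name__ == "__main__":
    for severity, path, caps in audit(SAMPLE):
        print(f"{severity:8} {path} {','.join(caps)}")
```

    On a live host, pass it the output of `getcap -r / 2>/dev/null`; clearing an unneeded capability is done with `setcap -r <file>`.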


    © 2020 sevenlayers.com