Vulnhub Toppo: 1 Walkthrough

Let me start off by saying that I broke from my plan of rooting the must-do boxes because I was up on Vulnhub and noticed new boxes.  I downloaded a few of them and there was one that I really wanted to do because it sounded interesting.  Technically, it's two boxes, one sitting off the second NIC of another.  I couldn't get the public facing box to grab an address and with limited time, I decided to go after a self-described "beginner" box.  Honestly, I wouldn't have written it up except that I learned a couple of things along the way -- things not to do and why.


Start off with an Nmap scan:





Let's hit the web port:




Scanning it with Nikto:




Let's check out /admin:





Checking out the note:




I know this is a beginner box and I'm certain that's my way in but I continue poking around anyway:





Let's see what this page does:





I know this is the second half.  If you google the page name, you can find the source.  I desperately try to inject using PHP but at best, I can get it to NOT give me the error.  I find another version of the same page and they are removing special characters from the post.  With limited time to wrap this up, I decide to take the easy route in because it's either not vulnerable or my PHP game is weak.  

Assuming our user's account is "ted", I attempt to SSH:





I'm in!  Let's hunt for setuid binaries:





Score!

I so desperately wanted an elegant way of rooting this box.  Using python, I know I can execute commands on behalf of root.  For example:

python -c 'import subprocess;subprocess.call(["cat", "/etc/shadow"])'

As Ted, we are unable to read shadow but with our setuid python, we can do this easily.  So I'm thinking, what sort of cool way can I go about doing this?  I try a few things, no go.  Then I think, how about using usermod to change ted's ID from 1000 to 0.  Despite being able to open passwd in an editor and do just that, usermod recognizes there are two ID 0's at the point of execution and won't allow it?  Ok, so how about changing /bin/bash to a setuid binary?  That is something you could do in the past but newer versions of bash recognize the setuid and automatically downgrade themselves.  I know I can toss a shell and I'm automatically root but now I want to do this with subprocess.call.

After a while, I decided on the less elegant path:
 




Reading /etc/passwd, we see ted with ID 1000.  I copy passwd to /tmp and change his ID to 0 -- this I know works:




Now using our setuid python, I'm going to overwrite /etc/passwd with my modified version:




I know this won't work but I wanted to show it anyway:





However, SSH seems to care less and we're going in that way:
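
As an added defensive example (not part of the original walkthrough), here is a small Python audit for the two conditions this box turned on: a setuid-root copy of an interpreter or shell, and an /etc/passwd entry other than root carrying uid 0.  The RISKY_NAMES list is an assumed baseline and SAMPLE_PASSWD is constructed to mirror the state the box is left in.

```python
import os
import re
import stat
from typing import Iterable, List

# Interpreters and shells that should never be setuid-root: a setuid copy of any of
# them lets a local user run commands as root (assumed baseline list for this example).
RISKY_NAMES = {"python", "perl", "ruby", "bash", "sh", "dash", "zsh"}

def is_setuid(mode: int) -> bool:
    """True if the setuid bit is set in an st_mode value such as 0o4755."""
    return bool(mode & stat.S_ISUID)

def is_risky_name(filename: str) -> bool:
    """Strip a trailing version (python2.7, python3) before checking the list."""
    return re.sub(r"[\d.]+$", "", filename) in RISKY_NAMES

def find_setuid_interpreters(roots: Iterable[str]) -> List[str]:
    """Walk the directories and return setuid, root-owned interpreters or shells."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if not is_risky_name(name):
                    continue
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: a symlink to python is not the finding
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and is_setuid(st.st_mode) and st.st_uid == 0:
                    hits.append(path)
    return hits

def uid_zero_accounts(passwd_text: str) -> List[str]:
    """Return every account in passwd-format text whose uid field (3rd) is 0."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2] == "0":
            names.append(fields[0])
    return names

# Constructed sample: the state this walkthrough leaves the box in (ted given uid 0).
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "ted:x:0:1000:ted,,,:/home/ted:/bin/bash\n"
)
```

Run find_setuid_interpreters(["/usr/bin", "/bin", "/usr/local/bin"]) on a host and feed it the real /etc/passwd; any name other than root returned by uid_zero_accounts is a finding.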





Like I said, the lessons here for me are more about what I was unable to do and why.  A good box for learning!