SAR-1
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine SAR-1 from the VulnHub pentesting platform.
- SAR-1 can be downloaded from here:
https://www.vulnhub.com/entry/sar-1,425/
- Once SAR-1 is downloaded and imported into VirtualBox:
2 - ENUMERATION
- The IP address of SAR-1 is 192.168.1.16:
- Scanning with Nmap, we discover that port 80 is open:
- Browsing the web server:
- Directory brute-forcing (dirbusting) reveals robots.txt:
- robots.txt contains the hint sar2HTML:
- Checking the sar2HTML web page:
3 - EXPLOITATION
- sar2html is a plotting tool for system statistics (sar data); a Remote Command Execution exploit exists for version 3.2.1:
- Using the exploit, we can execute some commands, for instance "id" and "cat /etc/passwd":
- We can also explore directory contents with "pwd" and "ls", discovering sarDATA, sarFILE and uPLOAD:
- Now, using Msfvenom, let's create a PHP reverse shell payload called sar1.php:
- Starting the corresponding Meterpreter listening session:
- Uploading sar1.php to the website:
- The upload is successful and sar1.php is now in the /uPLOAD folder:
- Running the payload (just by clicking sar1.php), a Meterpreter session is opened:
- Getting a shell:
- Looking for content:
4 - CAPTURING THE 1st FLAG
- Reading user.txt:
5 - PRIVILEGE ESCALATION
- As expected, access to the root folder is not allowed, so we need privilege escalation:
- Looking for cron jobs, we find that the script finally.sh is run every 5 minutes:
- finally.sh executes write.sh:
- The script finally.sh is run with root privileges:
- The strategy for privilege escalation will be to remove the current write.sh and create a new one that opens a reverse shell connection.
- Removing write.sh:
- Writing a new script write.sh:
- Transferring the new script from Kali to SAR-1:
- Opening a listener on Kali port 4444:
- Because write.sh is run by the cron job finally.sh, after a few minutes a reverse root shell is obtained:
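As an added example that is not part of the original write-up, the following POSIX shell script audits a system crontab for the misconfiguration exploited above: a job run as root whose script, or a script it calls, is writable by non-root users. The crontab, the scripts (finally.sh calling a world-writable write.sh) and the scratch directory are constructed inline for the demonstration; the paths are hypothetical and nothing here touches the real /etc/crontab.

```shell
#!/bin/sh
# Added example (not from the original write-up): find root cron jobs that
# end up executing a file other users can modify, the finally.sh -> write.sh
# pattern described above. Everything it inspects is built in a scratch
# directory below, so it runs offline.

# True when the file (symlinks followed) carries the "other write" bit.
other_writable() {
    [ "$(ls -ldL "$1" | cut -c9)" = "w" ]
}

# Report $1 if it is world-writable, then check every absolute path named
# inside it (one hop, which is enough to see finally.sh hand off to write.sh).
check_chain() {
    entry=$1
    [ -f "$entry" ] || return 0
    if other_writable "$entry"; then
        echo "world-writable: $entry (launched by cron)"
    fi
    for p in $(grep -oE '/[A-Za-z0-9_./-]+' "$entry"); do
        if [ "$p" != "$entry" ] && [ -f "$p" ] && other_writable "$p"; then
            echo "world-writable: $p (called from $entry)"
        fi
    done
    return 0
}

# Walk a system crontab (fields: min hour dom mon dow user command) and check
# every command run as root. Comments, blank lines and VAR=value lines are
# skipped. Per-user crontabs have no user field and would need a tweak here.
audit_crontab() {
    grep -Ev '^[[:space:]]*#|^[[:space:]]*[A-Za-z_]+=|^[[:space:]]*$' "$1" |
    while read -r _ _ _ _ _ user cmd; do
        [ "$user" = "root" ] || continue
        check_chain "${cmd%% *}"   # first word is the program cron launches
    done
    return 0
}

# Constructed scenario shaped like the write-up: a root cron job runs
# finally.sh every five minutes, and finally.sh calls a world-writable write.sh.
setup_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/opt"
    printf '#!/bin/sh\n%s/opt/write.sh\n' "$d" > "$d/opt/finally.sh"
    printf '#!/bin/sh\necho writing\n' > "$d/opt/write.sh"
    printf '#!/bin/sh\necho fine\n' > "$d/opt/safe.sh"
    chmod 755 "$d/opt/finally.sh" "$d/opt/safe.sh"
    chmod 777 "$d/opt/write.sh"     # the flaw: anyone can replace what root runs
    printf '# constructed crontab\nPATH=/usr/bin:/bin\n*/5 * * * * root %s/opt/finally.sh\n0 3 * * * root %s/opt/safe.sh\n' \
        "$d" "$d" > "$d/etc/crontab"
    echo "$d"
}

demo=$(setup_demo)
audit_crontab "$demo/etc/crontab"   # reports only the write.sh finding
rm -rf "$demo"
```

The fix the audit points at is the usual one: scripts run by root cron jobs, and everything they invoke, should be owned by root and not group- or world-writable (chmod 755 or stricter), and the directories holding them should not be writable by unprivileged users either.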
6 - CAPTURING THE 2nd FLAG
- Reading root.txt: