AdSense

Sunday, November 7, 2021

SAR-1

 SAR-1

- Layout for this exercise:









1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine SAR-1 from the VulnHub pentesting platform.

- SAR-1 can be downloaded from here:

https://www.vulnhub.com/entry/sar-1,425/

- Once downloaded SAR-1 and extracted with VirtualBox:




2 - ENUMERATION

- IP for SAR-1 is 192.168.1.16:








- Scanning with Nmap we discover that port 80 is open:




- Browsing the web server:




- Dirbusting we find robots.txt:




- robots.txt contains hint sar2HTML:



- Checking web page sar2HTML:





3 - EXPLOITATION

- sar2html is a plotting tool for system statistics (sar data), actually there is a Remote Command Execution exploit for version 3.2.1:






- Using the exploit we can execute some commands, for instance "id" and "cat /etc/passwd":

































- Also, we can explore directories content with "pwd" and "ls", discovering sarDATA, sarFILE and uPLOAD:














- Now, using Msfvenom let's create a PHP reverse exploit called sar1.php:





- Starting the corresponding Meterpreter listening session:




- Uploading sar1.php to the website:
















- The upload is successful and the exploit sar1.php is now at folder /uPLOAD:
















- Running the exploit (just clicking sar1.php) a Meterpreter session is opened:







- Getting a shell:






- Looking for content:




4 - CAPTURING THE 1st FLAG

- Reading user.txt:





5 - PRIVILEGE ESCALATION

- As expected, access to root folder is not allowed, so we need Privilege Escalation:




- Looking for cron jobs, we find that the script finally.sh is run every 5 minutes:





- finally.sh executes write.sh:



- Script finally.sh is run with root privileges:





- The strategy for Privilege Escalation will be to remove current write.sh and create a new one that will open a reverse shell connection.

- Removing write.sh:



- Writing a new script write.sh:




- Transferring the new script from Kali to SAR1:






- Opening a listening session at Kali port 4444:


- As a consequence of write.sh being run as part of the cron job finally.sh, after some minutes a reverse root shell is achieved:






6 - CAPTURING THE 2nd FLAG

- Reading root.txt: