Sorry for the delay, I hope you pardon me.
Without wasting any time, let’s start. I think everybody knows about VulnHub (if anybody doesn’t, try to explore this blog: https://medium.com/@gavinloughridge/a-beginners-guide-to-vulnhub-part-1-52b06466635d).
The machine was released on 15 Feb 2020. (Here is the link: https://www.vulnhub.com/entry/me-and-my-girlfriend-1,409/)
Difficulty Level: Beginner
Notes: There are 2 flag files
Learning: Web Application | Abuse cronjob
This is a boot to root challenge.
Description
Sar is an OSCP-Like VM with the intent of gaining experience in the world of penetration testing.
Let us start hacking!
I open Sar and my Kali machine in VMware (make sure both machines are on the same network).
To find the machine's IP, I just type “arp-scan -l”.
TTL=64 means this machine is a Linux machine.
Now it’s time to find open ports; for that I use nmap.
There is only one port open, so let’s explore it 😎.
It looks like the default Apache page (let’s try some enumeration).
Always look for the robots.txt file; 90% of websites have that file. (I tried some directory enumeration but I haven’t found any result. But make sure you at least try that; who knows, sometimes you find something that nobody else found.)
Here you can see that the page gives me a clue… let’s use that thing.
Boo, it looks like some juicy thing (notice that the website gives you another hint, “sar2html”). I quickly open Google, search for sar2html, and find an RCE (https://www.exploit-db.com/exploits/47204).
Then it’s time to find the parameter where you put your malicious code.
Boohoo… I successfully found that endpoint… now it’s time to put in our code.
I want to know whether python is installed on that machine (for that I type this simple command: “which python3”).
Boo, python3 was there, so now it’s time to get a reverse shell (for that I use the pentestmonkey reverse shell cheat sheet (python)). That was reverse shell code for python3 (you can use that code for python, you just need to change the python version).
After that, I open Netcat on my system to connect that reverse shell to my computer.
Boo, I successfully connected to that machine. Now it’s time to read user.txt (our 1st flag).
After that, it’s time to upgrade our privilege (privilege escalation)
I tried many things but didn’t get anything. But when I explored crontab, I learned that there is a Bash script which runs every 5 minutes as root, and interestingly, a low-level user has permission to edit that thing.
Now it’s time to open that file to see what it does; for that I first need to change my directory.
Here I saw that the script runs another script (so let’s explore that script also).
Pardon me, because I changed that value; when you cat that file, you will see different things. It’s time to change that thing and put our reverse shell code in that file (for that I use the pentestmonkey Netcat cheat sheet).
Editing that file is complete. (It’s time to open Netcat on our system and wait for 5 minutes.)
BOOMM, I got the root shell (5 minutes after editing that file).
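From the defender's side, the weakness used above is a root cron job that runs a script a low-privileged user can edit. The following is an added example, not part of the original write-up: a small audit that reads `/etc/crontab`-style lines, follows the scripts a root job calls, and flags any that are group/world-writable or not owned by a trusted uid. The function names and the sample layout built in `demo()` are constructed for illustration.

```python
import os, re, stat, tempfile

def weak_perms(path, trusted_uids):  # why an untrusted user could edit path, or None
    st = os.stat(path)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group/world-writable"
    return None if st.st_uid in trusted_uids else f"owned by uid {st.st_uid}"

def referenced_files(command, cwd):
    """Yield (file, cwd) for existing files named in a shell line, honouring `cd`."""
    for part in re.split(r"&&|\|\||;", command):
        words = part.split("#")[0].split()  # naive tokenizer: no quoting support
        if len(words) >= 2 and words[0] == "cd":
            cwd = os.path.join(cwd, words[1])
        for w in words:
            p = os.path.normpath(os.path.join(cwd, w))
            if os.path.isfile(p):
                yield p, cwd

def audit_root_cron(crontab_text, trusted_uids=frozenset({0})):
    """Map each file run by a root cron job (or by a script it calls) to its weakness."""
    checked = {}
    for line in crontab_text.splitlines():
        f = line.split(None, 6)  # /etc/crontab: m h dom mon dow user command
        if line.lstrip().startswith("#") or len(f) < 7 or f[5] != "root":
            continue
        queue = list(referenced_files(f[6], "/"))
        while queue:
            path, cwd = queue.pop(0)
            if path in checked:
                continue
            checked[path] = weak_perms(path, trusted_uids)
            try:  # follow scripts that this script runs in turn
                with open(path, encoding="utf-8") as fh:
                    for script_line in fh:
                        queue.extend(referenced_files(script_line, cwd))
            except (OSError, UnicodeDecodeError):
                pass  # binary or unreadable: nothing to follow
    return {p: reason for p, reason in checked.items() if reason}

def demo():  # constructed sample: a 0755 wrapper script that calls a 0777 helper
    d = tempfile.mkdtemp()
    for name, body, mode in (("job.sh", "./helper.sh\n", 0o755), ("helper.sh", "echo ok\n", 0o777)):
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
        os.chmod(os.path.join(d, name), mode)
    return d, audit_root_cron(f"*/5 * * * * root cd {d} && ./job.sh\n", {0, os.getuid()})
```

`demo()` returns the temporary directory and the findings, which contain only the writable helper. On a real host, pass the contents of `/etc/crontab` to `audit_root_cron` and fix anything it reports with root ownership and mode 0755 or tighter.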
I hope you enjoyed this and also learned new things from that machine.
And if you think these writeups help you, then share them with other security researchers.
KEEP HACKING, KEEP LEARNING 😎😎😎