Sar is an OSCP-Like VM with the intent of gaining experience in the world of penetration testing.
HTTP on port 80 only. This already makes things easy because you know that you’ll be getting a webshell and not (for example) hunting for SSH creds.
robots.txt has one entry: sar2HTML, so naturally we go straight there. It’s running sar2html Ver 3.2.1, which has an unauthenticated RCE vulnerability which I’ve seen before in the THM Boiler room, so I know what to do already.
In the web application you will see an index.php?plot URL extension.
/index.php?plot=; will execute the command you entered. After the command injection, press "select # host" and your command's output will appear at the bottom of the scroll screen.
My preferred method with this is using Burp Suite:
The box has been set up with a cron job to exploit for root. Every 5 minutes, root runs a script called finally.sh (which we can’t edit), which in turn calls write.sh (which we can edit). I found this via basic manual enumeration and saw what I had to do almost immediately, but somehow still struggled to get it to execute.
I made several mistakes, including trying to connect to a closed port on my Kali machine (I’ve recently installed ufw and not opened the second port I like to use for a listener), and mixing bash with sh commands. Anyway my final payload for write.sh was:
And that worked fine and I was root and all was right with the world.
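The weakness in the cron chain above is that a root-run script calls a helper that a low-privileged user can edit. As an added example (not from the original write-up), this Python audit walks the scripts a root job reaches and reports any that a non-root user could modify. The regex-based path discovery, resolving relative paths against the calling script's directory, and the temp-dir layout in `demo()` are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

SCRIPT_REF = re.compile(r"[\w./-]+\.sh\b")  # assumption: helpers end in .sh

def weak_reasons(path, trusted_uid=0):
    """Why a user other than trusted_uid could alter path (empty list if none)."""
    st = os.stat(path)
    reasons = [] if st.st_uid == trusted_uid else [f"owned by uid {st.st_uid}"]
    for bit, label in ((stat.S_IWGRP, "group-writable"), (stat.S_IWOTH, "world-writable")):
        if st.st_mode & bit:
            reasons.append(label)
    return reasons

def audit_chain(entry, trusted_uid=0, seen=None):
    """Follow script references from entry; return {path: reasons} for weak links."""
    seen = set() if seen is None else seen
    entry = os.path.realpath(entry)
    findings = {}
    if entry in seen or not os.path.isfile(entry):
        return findings
    seen.add(entry)
    # A writable parent directory lets the file be replaced, so check both.
    for target in (entry, os.path.dirname(entry)):
        reasons = weak_reasons(target, trusted_uid)
        if reasons:
            findings[target] = reasons
    with open(entry, errors="replace") as fh:
        lines = [ln for ln in fh if not ln.lstrip().startswith("#")]
    for ref in SCRIPT_REF.findall("".join(lines)):
        # Assumption: relative paths resolve against the calling script's directory.
        child = os.path.join(os.path.dirname(entry), ref)
        findings.update(audit_chain(child, trusted_uid, seen))
    return findings

def demo():
    """Constructed layout mirroring the write-up; current uid stands in for root."""
    d = os.path.realpath(tempfile.mkdtemp())
    top, helper = os.path.join(d, "finally.sh"), os.path.join(d, "write.sh")
    for path, body, mode in ((top, "#!/bin/sh\n./write.sh\n", 0o755),
                             (helper, "#!/bin/sh\necho ok\n", 0o777)):
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return helper, audit_chain(top, trusted_uid=os.getuid())

if __name__ == "__main__":
    print(demo())
```

On a real host, call `audit_chain` on each script listed in root's crontab with the default `trusted_uid=0`; any non-empty result is a link in the chain that should be owned by root and not group- or world-writable.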