Vulnhub - SAR: 1
Introduction
Sar is an OSCP-Like VM with the intent of gaining experience in the world of penetration testing.
This box is on the NetSecFocus Admin list of OSCP-like machines. It’s SAR: 1 from vulnhub.
Ports
HTTP on port 80 only. This already makes things easy because you know that you’ll be getting a webshell and not (for example) hunting for SSH creds.
HTTP
robots.txt has one entry: sar2HTML, so naturally we go straight there. It’s running sar2html Ver 3.2.1, which has an unauthenticated RCE vulnerability which I’ve seen before in the THM Boiler room, so I know what to do already.
sar2HTML
In web application you will see index.php?plot url extension.
http:///index.php?plot=; will execute the command you entered. After command injection press "select # host" then your command's output will appear bottom side of the scroll screen.
My preferred method with this is using Burp Suite:
Privsec
The box has been set up with a cron job to exploit for root. Every 5 minutes, root runs a script called finally.sh (which we can’t edit), which in turn calls write.sh (which we can edit). I found this via basic manual enumeration and saw what I had to do almost immediately, but somehow still struggled to get it to execute.
I made several mistakes, including trying to connect to a closed port on my Kali machine (I’ve recently installed ufw and not opened the second port I like to use for a listener), and mixing bash with sh commands. Anyway my final payload for write.sh was:
And that worked fine and I was root and all was right with the world.