Vulnhub: INCLUSIVENESS: 1
Sustah
Inclusiveness is an intermediate boot to root VM to practice your hacking skills. Can you get in?
This is INCLUSIVENESS: 1 from Vulnhub. The creator described it as intermediate. Let’s go.
Ports
FTP, SSH and HTTP.
FTP
Anonymous login with upload enabled, what’s not to love? Doesn’t help yet … but it will (ooooh, foreshadowing).
HTTP
The frontpage is just the Apache2 default page. Nothing much shows up, even with a big wordlist using dirsearch. We do get one interesting message though when trying to access robots.txt:
You are not a search engine! You can’t read my robots.txt!
User-Agent
So I’m not a search engine eh? What if I was?
User-Agent: Googlebot/2.1
Now I get this:
User-agent: *
Disallow: /secret_information/
Cool. What’s that? Some text about DNS zone transfers. But we don’t have a DNS port open, so it’s not what we want. We do have two language options:
http://192.168.1.179/secret_information/?lang=en.php
How’s about LFI?
GET /secret_information/?lang=../../../../../../../../etc/passwd HTTP/1.1
Ding ding ding, we have a winner!
Shell
So we’ve got the ability to upload files, and a way to include them. Can you say shell?
root@kali:/run/user/0/gvfs/ftp:host=inclusiveness/pub# cp /opt/vulnhub/inclusiveness/shell.php shell.php
and then
http://192.168.1.179/secret_information/?lang=../../../../../../../../var/ftp/pub/shell.php
Bingo. I did also check:
GET /secret_information/?lang=../../../../../../../../etc/vsftpd.conf HTTP/1.1
to see where the upload directory was. I checked for SSH keys and log poisoning before I uploaded the shell.
Privesc
We’ve got one user, tom. He has a rootshell SUID binary, with the source code:
Linpeas is having none of this:
Savage. Let’s give it a go:
And that was that.