Let's crack one of the VulnHub boxes named HACKSUDO: 1, created by Vishal Waghmare. It is a boot2root box with difficulty marked as beginner. So let's get started.
## STEP - 1 (Host discovery)
So we will start with the netdiscover command to find our target machine on our network.
We discovered the target IP address to be 192.168.1.23.
## STEP - 2 (Scanning)
Next, we gonna use nmap to find open ports and the services running on them.
Here I am using -sV for service version detection, -oN for saving my output to a file, --script=vuln for vulnerability scanning on the open ports, and -vv for verbosity.
```
nmap -sV -oN nmap/initial_scan 192.168.1.23 --script=vuln -vv
```
As for the initial results, we can deduce that 3 ports are open on this machine.
80 [http] | 2222 [ssh] | 8080 [http]
For further results, we can see:-
--> Port 80 : HTTP [Apache httpd 2.4.46]
--> Port 2222 : SSH [OpenSSH 8.3p1]
--> Port 8080 : HTTP [Apache Tomcat 9.0.24]
Also, we got an interesting file through our Nmap scanning results under the http_enum section:
## STEP - 3 (Further Enumeration)
Let's grab the file users.sql. It may contain some valuable data.
Running the file command, we can deduce that it's a simple text file.
We can open this file in any text editor. I'm gonna use sublime text editor for this.
Gotcha, we found some credentials in this file.
## STEP - 4 (Cracking the hash)
The passwords we found for both users are in hash form, so we need to crack them. You can use hashcat or John the Ripper with a suitable wordlist, but I am simply going to look up the plaintext password for this hash on crackstation.net.
## STEP - 5 (Enumerating Tomcat)
After unsuccessful attempts on SSH using the above creds, we have to enumerate further to widen our attack surface.
Using gobuster to enumerate directories on port 8080:
```
gobuster dir -u http://192.168.1.23:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
```
Found some interesting directories:
Let's open up the manager directory.
And we got a prompt to enter a username and password to access the manager directory. Let's try the creds found above and VOILA! We got access to the directory.
## STEP - 6 (Gaining Access)
Let's use Metasploit for gaining access to the system.
We can search for a Tomcat upload file exploit. If we have the credentials for the Tomcat manager, we can upload a file and get remote code execution on the target machine.
In Metasploit, we will use exploit/multi/http/tomcat_mgr_upload.
Now we have to set the required options to make this exploit work.
```
set HttpPassword admin
set HttpUsername admin
set RHOSTS 192.168.1.23
set RPORT 8080
exploit
```
And we have a meterpreter shell :D.
## STEP - 7 (Privilege Escalation)
Let's pop a shell using the shell command in meterpreter.
Running the id command shows that we are a low-privileged user that cannot access the user and root flags. So we need to enumerate further to exploit our way to a privileged user.
First, let's stabilize our shell a little so that we get a more interactive session.
We need to find out whether this system has python installed.
```
which python3
/usr/bin/python3
```
And we have python3 on our target machine. So now we can use the pty module from python3 to spawn a proper bash shell inside this session.
```
python3 -c 'import pty;pty.spawn("/bin/bash")'
```
We also set the TERM variable to xterm so that we can clear the screen whenever we want.
Now that our shell is a little more stable, we can enumerate our target machine further for SUID files using the find command.
SUID (Set owner User ID) files are binaries that run with the privileges of their owner rather than of the user executing them; when the owner is root, a misconfigured one can be exploited to gain superuser access on the machine.
```
find / -perm -4000 2>/dev/null
```
Running this command will give us the following results and we can see one peculiar file:
We can search on Google for a privilege escalation method for this SUID file, or use gtfobins.github.io, a website that lists privilege escalation methods for these types of binaries.
We can simply run this command, without sudo.
```
/usr/bin/time /bin/sh -p
```
And we are ROOT!
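The same find command is the check a defender should be running. Below is an added example (not from the original walkthrough) of a small POSIX shell audit that compares the SUID binaries on a host against an expected allowlist and flags anything unusual, such as a SUID bit on /usr/bin/time; the allowlist is a constructed baseline and must be tuned per distribution.

```shell
#!/bin/sh
# SUID audit: report setuid binaries that are not on an expected baseline.
# The baseline below is a constructed example; adjust it for your distro/host.
ALLOWED_SUID="/usr/bin/sudo
/usr/bin/passwd
/usr/bin/su
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/umount"

# collect_suid: list regular files with the setuid bit on local filesystems
# (same idea as the find command in the walkthrough, restricted to -xdev).
collect_suid() {
  find / -xdev -type f -perm -4000 2>/dev/null
}

# audit_suid: read SUID paths from stdin, print each one missing from the
# baseline, and return 1 if any unexpected entry was seen (0 otherwise).
audit_suid() {
  unexpected=0
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    if ! printf '%s\n' "$ALLOWED_SUID" | grep -qxF -- "$path"; then
      echo "UNEXPECTED SUID: $path"
      unexpected=1
    fi
  done
  return $unexpected
}

# Typical use on a live host (run as root so find can see every file):
#   collect_suid | audit_suid
```

A non-zero exit from the pipeline is what you would wire into a cron job or configuration-management check so that a newly set SUID bit is noticed before it is found by an attacker.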
Now we can get both the user and root flags.
Also, there are other flags you can search for using the find command:
```
find / -name flag\*.txt 2>/dev/null
```