top of page

Assertion Vulnhub Walkthrough

I am back with another interesting article , today we are going to solve another VM Assertion from vulnhub , This is an intermediate level challenge . This is my honest walkthrough of this VM.


IP of the target :

As usual I started with nmap scan to find open ports and services running in the system using the command

sudo nmap -sC -sV -Pn -p-

On port 80 I found a web application with some different options in navigation bar and after clicking on one of the page I am redirected to that page but I checked the URL and found a GET parameter including the page I clicked on , means this webapp is vulnerable to LFI attack .

I tried to include /etc/passwd file but using ../etc/passwd displayed a message .

I have faced this type of thing in different challenges where "../" is blocked or ".." is blocked and to bypass this I used encoding "../" as well as double encoding "../" but in this VM nothing worked , then I start enumerating again by thinking that this can be a rabbit hole , so next I tried directory bruteforce using the command

wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 80 --hc 404

after enumerating each directory I found pages to be interesting .

after opening these pages I found that they are quite similar to those web pages I found in the root directory , and if we focus on the GET parameter then it was something like : /index.php?page=gallery , so I tried including the index.php itself and got this error "File does not exist" , something strange happened here , next I tried to include webpages I just foud in /pages/ and yes it worked , but without extension php , means , next I tried bypassing this method using "?" and "&" and I also go through a hackerone report but it didn't worked too , after loosing all the hopes I messaged the author of this VM for some hint and he told me "Name of the VM is the hint" , then a php function came in my mind and I started searching about it and hopefully I found something really interesting to get LFI .

', '..') === false and $myfile = **************************************************

umm this looks interesting , next I tried searching for some useful files , may be I can find SSH creds but got nothing , next I started to write some reverse shell script in /tmp/ directory , but till now I haven't get RCE to execute those scripts and after playing sometime with the malicious input I found a way to get RCE .

and that's it , now I can pop a shell :)

its time for some enumeration :) and after searching in some useful directories I found id_rsa keys and after cracking the passphrase with jonh I found the password , and can gain access to user soz shell using these keys and passphrase.

I tried priv. esc. using lxd method but it didn't worked , but when I checked for user privileges I found something interesting

I know that emacs is some kind of file editing tool and we can run this as user fnx means I can create a file inside /home/fnx/.s**/auth******_ke** and can gain access to shell of user fnx.

sudo -u fnx /usr/bin/emacs /home/fnx/.s**/auth*******

and now I pasted my local system's keys here and after that using the command ssh -i id_rsa fnx@ , I gained access to shell of fnx user.

now I checked for the user privileges but found nothing , next I started to search for SUID binaries and find one as /usr/bin/aria2c.