Here is my write-up for the CengBox: 2 vulnerable machine, an intermediate-level machine that can be downloaded from VulnHub.
There are two methods for privilege escalation; we will cover the first and easier one, because I really don't like msfconsole sometimes.
IP of the target: 192.168.43.175
As usual, we start with nmap to find open ports and running services using the command
sudo nmap -sC -sV -Pn -p- 192.168.43.175
The nmap result looks interesting; let's try anonymous login on FTP :)
We found a note.txt file. We downloaded it to our local system using the get command, and now let's read the contents of the file.
We have gained some useful information from this message:
Users: Kevin and Aaron
Password: default password (we can try some common passwords)
Domain name: ceng-company.vm
So we edit the /etc/hosts file, adding the line 192.168.43.175 ceng-company.vm
This is what we have on port 80, nothing useful :( . Now we can think of directory brute-forcing using the command
wfuzz -c -z file,/usr/share/wordlists/dirb/big.txt -t 25 --hc 404 http://ceng-company.vm/FUZZ
But unfortunately we have nothing here either.
If we remember the message from the note.txt file, we know that ceng-company.vm is a domain. What if there is a subdomain? To find out, we are going to use gobuster:
gobuster vhost -u ceng-company.vm -w /usr/share/wordlists/dirb/big.txt
Most of them returned code 400, but two subdomains returned code 403. We again edit the /etc/hosts file, adding 192.168.43.175 admin.ceng-company.vm
Okay, now it's time for directory brute-forcing again :)
Okay, let's open this directory.
This looks like a CMS. Without wasting time, we start looking for some common login pages like /admin or /login, and we found both.
You can find these login pages using directory brute-forcing too, but trying some common names revealed the login page, so I didn't go for the brute-force :)
Here a little bit of guesswork gets us the correct email and password:
Username: Kevin@ceng-company.vm
Password: ***** (#Try_Harder)
Using these credentials we are in as user Kevin. With some manual searching we found that we can edit some PHP files:
Content -> File Manager -> index.php
We edit this file with the pentestmonkey PHP reverse shell and start a listener on the specified port; after refreshing the page we get the reverse shell.
Okay, now let's refresh the page, and done, we are in as user www-data :)
Now we check for user privileges using the command sudo -l.
Okay, let's run this bash script as user swartz:
sudo -u swartz /home/swartz/runphp.sh
This means we can execute any PHP command as user swartz. Now we take the shell of user swartz; here I have used the PHP function pcntl_exec(), you can read more about this function online.
We are in as user swartz. Now we change our directory to /home and find one more user there, mitnick. We can access the home directory of this user, and we found an interesting file there.
We copied the id_rsa key to our local system and tried to connect as user mitnick using this key:
ssh -i id_rsa mitnick@ceng-company.vm
It is asking for the id_rsa passphrase. We can crack it using john and found the password to be leg*****
We again try to connect as user mitnick using the same ssh command, and this time we are in.
Now we transfer the pspy64 binary into /tmp, and after setting the correct permissions, let's run it.
Okay, this one looks interesting. We change our directory to /etc/update-motd.d/
This means we can write to these files, so we created a file inside the home directory of user mitnick with the content
Now we edit the file /etc/update-motd.d/00-header as
Now the question is, why are we doing this? 00-header and the other files inside that directory are not run as a cron job by the root user, so how will we get the shell of the root user? The thing is that the MOTD runs on every SSH login, and the files inside /etc/update-motd.d/ are executed by root. So we exit from the current session, start a listener on the specified port, and again connect over SSH as user mitnick, and this gives us the shell of user root.
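The root step works because pam_motd runs every script in /etc/update-motd.d/ as root at each SSH login, so any script a low-privileged user can modify is a root-level weakness. As an added example (not from the original write-up), the Python below audits such a directory for scripts that are group- or world-writable, not owned by root, or symlinks, and strips the stray write bits; it builds a constructed sample directory so it runs anywhere, and the only assumption is the /etc/update-motd.d path.

```python
import os
import stat
import tempfile

MOTD_DIR = "/etc/update-motd.d"  # pam_motd runs every script here as root at each SSH login

def audit_motd_dir(path):
    """Return (name, problem) pairs for entries a non-root user could alter;
    each one is root code execution at the next login, the weakness used above."""
    findings = []
    if os.lstat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((".", "directory is group/world-writable"))
    for name in sorted(os.listdir(path)):
        st = os.lstat(os.path.join(path, name))
        if stat.S_ISLNK(st.st_mode):
            findings.append((name, "symlink, target may be user-controlled"))
            continue
        if st.st_uid != 0:
            findings.append((name, "owned by uid %d, not root" % st.st_uid))
        if st.st_mode & stat.S_IWGRP:
            findings.append((name, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((name, "world-writable"))
    return findings

def strip_write_bits(path):
    """Remove group/other write bits from each script (chown to root is left to
    the admin because it needs root itself). Returns the names that changed."""
    fixed = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        st = os.lstat(full)
        if stat.S_ISLNK(st.st_mode):
            continue
        new_mode = st.st_mode & ~(stat.S_IWGRP | stat.S_IWOTH)
        if new_mode != st.st_mode:
            os.chmod(full, stat.S_IMODE(new_mode))
            fixed.append(name)
    return fixed

def build_sample_dir():
    """Constructed throwaway layout: 00-header left world-writable (the box's
    misconfiguration), 10-help-text correctly locked down to 0755."""
    d = tempfile.mkdtemp(prefix="motd-audit-")
    for name, mode in (("00-header", 0o777), ("10-help-text", 0o755)):
        full = os.path.join(d, name)
        with open(full, "w") as f:
            f.write("#!/bin/sh\nprintf 'Welcome\\n'\n")
        os.chmod(full, mode)
    return d
```

On a real host call audit_motd_dir(MOTD_DIR); an empty list means no login-time script is exposed, and ownership notes on a test directory only reflect who created it.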
Let's check whether we got the shell of user root or not.
Okay, we are root now, and this completes our challenge. Hope you like the walkthrough, and don't forget to try the Donate option so that we can keep our website advertisement-free :)