Infovore Vulnhub Walkthrough

In this article we are going to solve another boot2root challenge, Infovore from Vulnhub. The initial foothold was a little challenging because we need to edit a pre-built script to get the initial shell.


Walkthrough



IP of the target : 192.168.1.194

As usual I started with an nmap scan to find the open ports and the services running on the system, using the command


sudo nmap -sC -sV -Pn -p- 192.168.1.194

I was shocked by the result because I am usually in the habit of seeing port 22 open!! Okay, I started my enumeration from port 80. I found a really good-looking UI-based website, but it didn't reveal anything useful, so it was time for directory bruteforcing.


wfuzz -c -z file,/usr/share/wordlists/dirb/big.txt --hc 404 -t 64 http://192.168.1.194/FUZZ

I found 3 directories with response code 301, but before exploring them further I decided to run the directory bruteforce again with the extension .php


wfuzz -c -z file,/usr/share/wordlists/dirb/big.txt --hc 404 -t 64 http://192.168.1.194/FUZZ.php

I found phpinfo on info.php, and on index.php I found the same website. After a lot of enumeration I failed to find anything, and at last I decided to use the nikto tool.

Now I was even more confused: according to the nikto result, /info.php has RFI, and I tried many methods to check for RFI but failed to achieve it. So it was a complete dead end for me, and it was getting really frustrating, until I checked the title of the page, which was Include me...

This proved to be a big hint for me. It clearly indicates that we are going to deal with LFI in the index.php page, because info.php is just using the phpinfo() function. To check for the LFI I tried parameter fuzzing with the wfuzz tool, using the command


wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404 -t 46 http://192.168.1.194/index.php?FUZZ=/etc/passwd

That was a very strange response, and again I was confused by this LFI. The next thing I noticed is that every page returned the same number of lines (136), so I changed the command to hide results with 136 lines:


wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hl 136 -t 46 http://192.168.1.194/index.php?FUZZ=/etc/passwd

And yes, this command worked perfectly, and after opening the webpage http://192.168.1.194/index.php?filename=/etc/passwd I could see the contents of the /etc/passwd file.
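A defender's view of the two wfuzz runs above, as an added example that is not part of the original post: a small Python detector run over constructed Apache-style access-log lines that flags include-style parameter values such as filename=/etc/passwd and the burst of distinct parameter names that parameter fuzzing leaves behind. The log lines, IP addresses and the threshold are constructed assumptions, not data from the target box.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache combined format (not from the target machine).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /index.php?view=/etc/passwd HTTP/1.1" 200 5120 "-" "Wfuzz/2.4"
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /index.php?page=/etc/passwd HTTP/1.1" 200 5120 "-" "Wfuzz/2.4"
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /index.php?file=/etc/passwd HTTP/1.1" 200 5120 "-" "Wfuzz/2.4"
10.0.0.5 - - [01/Jan/2020:10:00:02 +0000] "GET /index.php?filename=/etc/passwd HTTP/1.1" 200 6300 "-" "Wfuzz/2.4"
10.0.0.9 - - [01/Jan/2020:10:05:00 +0000] "GET /index.php?filename=home.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2020:10:05:03 +0000] "GET /index.php?filename=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 6300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Values that should never reach an include parameter: traversal, absolute system paths, PHP wrappers.
LFI_VALUE_RE = re.compile(r'(\.\./|^/etc/|^/proc/|^/var/log/|php://)', re.IGNORECASE)

def parse_line(line):
    """Split one access-log line into ip, path, status and the decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    params = parse_qsl(url.query, keep_blank_values=True)
    return {"ip": m.group("ip"), "path": url.path, "status": int(m.group("status")), "params": params}

def find_lfi_attempts(log_text):
    """Return (ip, path, param, value) for every request whose parameter value looks like a file include."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for name, value in rec["params"]:
            decoded = unquote(value)  # second decode catches double-encoded payloads like %252F
            if LFI_VALUE_RE.search(decoded):
                hits.append((rec["ip"], rec["path"], name, decoded))
    return hits

def find_param_fuzzing(log_text, threshold=3):
    """Flag (ip, path) pairs that used at least `threshold` distinct parameter names: the wfuzz FUZZ= pattern."""
    names = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            for name, _ in rec["params"]:
                names[(rec["ip"], rec["path"])].add(name)
    return {key: sorted(v) for key, v in names.items() if len(v) >= threshold}
```

The threshold of three distinct parameter names per client and path is an assumption; on a real site it should be tuned against normal traffic, but a wordlist-driven run produces hundreds, so it separates cleanly.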

After checking for the LFI vulnerability, the next thing that came to mind was a log poisoning attack. I tried to include some files that could lead to log poisoning, but I was not able to include them. After a lot of thinking I started to search for phpinfo LFI to RCE and found a script to perform this task, but after running the script I got an error, because we have to change some information in it regarding the page where we found the LFI.

But this was not the only change needed in the script for it to work properly. After spending some time with the code I found one more thing that needed to be changed: the page where we found phpinfo, that is info.php, and if we remember the nikto result, that page has RFI with the parameter info.php?file. So what I did is I changed the script again with

After listening on the specified port (in my case 1234) I got the reverse shell.

Now it's time for privilege escalation. First of all I checked for users in the home directory, but there are no users.

Now I checked other directories too but couldn't find anything useful, so I ran the command cat /proc/1/cgroup to check whether we are inside a container/docker or not.

Umm, this confirms that we are inside docker. To get out of docker we need to enumerate more carefully, and after checking the "/" directory I found two hidden files.

Now I decided to transfer these files to my local system, but how are we going to do this? This system has no python to start a server, and I also tried scp but there was an error. I found that this system has curl installed, so what I did is start a python server on my local system and, with the help of curl, transfer nc to the tmp directory. Now with the help of nc I can transfer those two hidden files :)

After cracking the passphrase of the private key (root) I found the password.

I used this password to get root on docker .

Ummm, I found no pty here, and to spawn a pty we can use two methods; I used su root -P

I got root on the docker container, but I need root on the host machine to complete this challenge. After some manual enumeration I found the public and private keys of one user of the host system.

Now I tried to gain access as admin using the id_rsa (private key). It prompted for a password, I used the same password I cracked earlier, and yes, finally I was in as user admin.

All I can say is just use gtfobins:)

We are root now and this completed the challenge. The task was also to find all 4 flags, but I am actually not interested in finding flags hidden somewhere, so sorry for the flags, because I am more interested in gaining root :)


© 2020 by HacLabs.