Pwned vulnhub downside is an easy boot2root gadget. Some of the crucial key remove from this system is how you are able to escalate your privileges the usage of Dockers. This weblog post is ready how I exploited this system and what are the other gear I used to make that occur.
Beneath are the must haves:
- You are able to get the digital gadget from correct proper right here : https://www.vulnhub.com/get right of entry to/pwned-1,507/
- I used Kali as a penetration testing gadget correct proper right here, you are able to use your individual atmosphere.
Let’s dive in:
- Studying the objective IP handle:
I used netdiscover tool to make a decision the IP of the objective gadget. In my case, the IP handle is 192.168.40.40
- Collecting knowledge and Scanning:
After you have the IP handle, it’s time to transfer taking a look all the way through the serve as and discovering what will also be the assault vectors correct proper right here. I did a at hand knowledge a rough nmap scan with beneath command:
#nmap -sV -O 192.168.40.40 -p-
Ports 21,22 and 80 are open.
Checking the internet website at the browser and viewing the provision gave some trace nevertheless it without a doubt needless to say wasn’t sufficient to make a decision on your next step of the assault.
So, I did a listing fuzzing to peer if there’s something helpful. I used gobuster command line tool to do it.
There are 2 directories that have been given proper right here up on Fuzzing:
not the remaining/
I’ve checked not the remaining nevertheless it without a doubt needless to say if truth be told comprises not the remaining so we got rid of that risk instantly.
Underneath hidden_text file, there’s a dictionary record known as secret.dic. I downloaded this and that is the reason what the information seems like:
From the appearance of it, the above information regarded further of file listings not passwords or one thing.
So, all over again a at hand knowledge a rough file seek have out that ,there may be pwned.vuln which in truth exist underneath the foundation.
For those who open http://192.168.40.40/pwned.vuln to your browser, you are able to discover a shape and whilst you happen to seem into the provision code of the web internet web page, you are able to see login creds to FTP.
- Everywhere the gadget:
When you are able to login into FTP with those creds, you are able to discover a /percentage folder which comprises two knowledge id_rsa (non-public ssh key) and have in mind.txt.
I downloaded each probably the most ones knowledge in my native gadget the usage of ftp’s get command.Now, since we have now got the non-public keys we can SSH login by means of that into the gadget.
#ssh -i id_rsa 192.168.40.40
We discovered the main Flag on Ariana’s gadget.
- We nonetheless do not have root, so we’re all over again yet again to discovering our assault vectors.
Whilst I used to be on the lookout for further clues, I discovered “messenger.sh” underneath the /house/
For those who take a look at it, this can be a easy shell script which echo’s out the “given” price by way of the person. Now I’ve attempted working and exploiting the record a couple of occasions alternatively I at all times ended up getting Ariana’s bash alternatively not root and even selena’s.
Here’s what I used to be doing mistaken, I went yet again to sq. one and did “sudo -l” command which can record the ways that experience SUID bit set and “messenger.sh” confirmed up all the way through the record as beneath:
Now, For those who learn the above knowledge appropriately, you are able to know that the record will also be Ran by way of particular person “Selena” with out no password and we need to make a decision a solution to run it as that specific, so after googling I discovered a sudo command with the flag “-u”, the flag explanation why you to run the required command as a person fairly then root.
So beneath command will run the messenger.sh as selena:
#sudo -u selena messenger.sh
after which in input the messenger you set /bin/bash, you are able to get shell for selena!
- Now, your next step was once once to get the foundation get entry to, it took me some time to return to docker procedure, It was once once proper there all the way through the id command output alternatively I used to be bearing in mind that there it will likely be every other shell script that may get me root. In spite of everything, now that I’ve were given to grab in regards to the docker procedure which is operating for particular person selena, I googled on find out how to escalate privileges with docker : https://gtfobins.github.io/gtfobins/docker/
so working this were given me the foundation get entry to and the remaining flag:
#docker run -v /:/mnt –rm -it alphine chroot /mnt sh