The digitalworld.local Fall is an easy machine from Vulnhub by Donavan. Although there is a lot of information in the machine, the machine is too easy to root. I have tested this on VMWare Workstation Player. In this machine, we have to enumerate the server first and then only proceed. Otherwise, there is a high chance you fall inside a rabbit hole. “Writeup of Fall from Vulnhub – Walkthrough”
Link to the machine: https://www.vulnhub.com/entry/digitalworldlocal-fall,726/
Identify the target
Firstly, we have to identify the IP address of the target machine.
sudo netdiscover -r 192.168.19.0/24
Scan open ports
Next, we have to scan the open ports on the target. This gives us information about the exposed services.
nmap -v -T4 -sC -sV -p- -oN nmap.log 192.168.19.139
As we can see, we have got a lot of ports. Here, port 3306 is one of the entries to the rabbit holes. Let’s just enumerate port 80.
Enumerate the webserver
We see a CMS Made Simple CMS on the webserver. However, the CMS isn’t the point of interest here. While checking the posts on the web, we see one post that is interesting.
As it said, when we visit /test.php in the webroot, we get an alert as follows.
It says a GET parameter is missing. Thus, we have to do fuzzing.
ffuf -r -c -ic -w /usr/share/seclists/Discovery/Web-Content/common.txt -u 'http://192.168.19.139/test.php?FUZZ=/etc/passwd' -fs 80
Here, we got the parameter “file” that has Local File Inclusions (LFI).
From the /etc/passwd file, we got a user ‘qiu’. Furthermore, we can also see this on the website. Since we have LFI, we can check for the private key of the user.
Luckily, we got the SSH private key of the user. So, let’s download this and try logging into the server using the key.
wget http://192.168.19.139/test.php?file=/home/qiu/.ssh/id_rsa -O id_rsa chmod 600 id_rsa ssh firstname.lastname@example.org -i id_rsa
Finally, we get the shell of the user qiu.
Root privilege escalation
Now that we have the user’s shell, we have to escalate to the root. When we check the bash_history, we get the password of the user.
Next, let’s check the sudo permissions of the user.
The user has permission to execute as any user on anything. Thus, we can switch to root.
sudo su -l
In this way, we can reach the root of the machine.