Vulnhub Walkthrough : hacksudo_search
Hello, today I am going to solve another Vulnhub machine called hacksudo:search. It is an easy box; you can download it from here. The credit for the box goes to Vishal Waghmare. Let's crack it.
To attack any machine, first find its IP address, command:
sudo netdiscover
Now that you have the IP address of the machine, you need to enumerate its open ports. I scanned the machine with autorecon to see which ports are open, but I would suggest that newbies not use autorecon until they know how to use nmap. Learn nmap first, then go for the autorecon tool, command:
sudo autorecon -t target.txt
Here, target.txt contains the machine's IP address.
As you can see, there are only 2 open ports: HTTP (80) and SSH (22). Open the IP address in the browser and you will see a page like this:
It gives us a page with the title Hacksudo Search. There is a search engine, but it is not that important to us. I looked into the source code of the page but had no luck there.
I then used nikto to scan the website, command:
nikto -h http://192.168.56.102/
nikto's result tells us that there is one interesting file, /.env, which may contain credentials. I opened the file and found credentials for the MySQL database.
The APP_key variable contains some base64-encoded text, so I copied it and decoded the base64 text in the terminal, command:
echo aGFja3N1ZG8gaGVscCB5b3UgdG8gbGVhcm4gQ1RGICwgY29udGFjdCB1cyB3d3cuaGFja3N1ZG8uY29tL2NvbnRhY3QK | base64 -d
The decoded text points us to www.hacksudo.com/contact, so I added the IP address of the machine to the /etc/hosts file and gave it the name hacksudo.com, command:
sudo nano /etc/hosts
I used gobuster to scan for directories, command:
gobuster dir -u http://192.168.56.102 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html
I looked into every directory, but only search1.php was interesting.
As you can see, there are 3 sections: Home, About and Contact. I clicked on the Contact section, since the earlier hint pointed us to the contact page. Looking at the URL, it is clear that it is vulnerable to a local file inclusion (LFI) or remote file inclusion (RFI) vulnerability. I checked its source code and found one hint.
The hint tells us to do fuzzing, so I used wfuzz to fuzz and find the PHP GET parameter in the URL http://hacksudo.com/search1.php?FUZZ=contact.php, command:
wfuzz -w /usr/share/wordlists/dirb/big.txt -u http://hacksudo.com/search1.php?FUZZ=contact.php --hw 288
As we can see, "me" is the parameter to exploit the LFI vulnerability. Like any other person, I read the contents of the /etc/passwd file and found 4 usernames in it. The usernames are: monali, john, hacksudo, search.
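For the defender's side of this finding, here is an added Python example (it is not code from the walkthrough or from the box) showing the unvalidated include pattern that makes a page parameter like `me=` exploitable, next to a hardened resolver that only serves names from an allowlist and verifies the resolved path stays inside the web root. The web root, page names and the out-of-root `passwd` file are all constructed in a temporary directory for the demo.

```python
import os
import tempfile

# Constructed mini web root with the three pages the site's navigation mentions.
ALLOWED_PAGES = {"home.php", "about.php", "contact.php"}


def make_demo_root():
    """Create a throw-away web root plus a secret file one level above it (constructed data)."""
    base = tempfile.mkdtemp(prefix="lfi-demo-")
    webroot = os.path.join(base, "www")
    os.makedirs(webroot)
    for name in ALLOWED_PAGES:
        with open(os.path.join(webroot, name), "w") as fh:
            fh.write(f"<h1>{name}</h1>")
    with open(os.path.join(base, "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")
    return webroot


def include_vulnerable(webroot, me):
    """Mirrors include($_GET['me']) with no validation: '../' segments walk out of webroot."""
    path = os.path.join(webroot, me)
    with open(path) as fh:
        return fh.read()


def include_hardened(webroot, me):
    """Allowlist the page name, then confirm the resolved path is still under webroot."""
    if me not in ALLOWED_PAGES:
        raise ValueError(f"page not allowed: {me!r}")
    real_root = os.path.realpath(webroot)
    real_path = os.path.realpath(os.path.join(real_root, me))
    # Defence in depth: even an allowlisted name must not resolve outside the root
    # (a symlinked page, for example).
    if os.path.commonpath([real_root, real_path]) != real_root:
        raise ValueError("path escapes web root")
    with open(real_path) as fh:
        return fh.read()


def demo():
    """Run both resolvers against a normal page and a traversal attempt."""
    webroot = make_demo_root()
    results = {}
    results["vuln_contact"] = include_vulnerable(webroot, "contact.php")
    results["vuln_traversal"] = include_vulnerable(webroot, "../passwd")
    results["hard_contact"] = include_hardened(webroot, "contact.php")
    try:
        include_hardened(webroot, "../passwd")
        results["hard_traversal"] = "served"
    except ValueError as exc:
        results["hard_traversal"] = f"blocked: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value.strip()[:40]}")
```

The allowlist is the real fix; the `realpath`/`commonpath` check is a second layer so that a later mistake in the allowlist (or a symlink dropped into the web root) still cannot hand out files from elsewhere on the disk.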
I created a usernames.txt file and pasted the usernames into it. Now that we have a username list and one password, it is time to brute-force the SSH service using hydra, command:
hydra -L usernames.txt -p MyD4dSuperH3ro! ssh://192.168.56.102:22 -vv
I found the credentials for SSH login, hacksudo : MyD4dSuperH3r0! . I logged in using these credentials, command:
ssh hacksudo@192.168.56.102
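The hydra step above leaves a very recognisable trace in sshd's log: one source address, several usernames, one password each, then an accepted login. As an added example (not part of the walkthrough), here is a small Python detector that parses syslog-style sshd lines, flags a source that accumulates failures inside a short window, and notes whether the same source then logged in successfully. The log lines are constructed for the demo and the hostname, PIDs and the second source address are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in syslog format (not taken from the box). Syslog
# timestamps carry no year, so the parser pins one.
SAMPLE_AUTH_LOG = """\
Mar  1 10:00:01 search sshd[1201]: Failed password for invalid user monali from 192.168.56.1 port 40210 ssh2
Mar  1 10:00:01 search sshd[1203]: Failed password for john from 192.168.56.1 port 40212 ssh2
Mar  1 10:00:02 search sshd[1205]: Failed password for invalid user search from 192.168.56.1 port 40214 ssh2
Mar  1 10:00:02 search sshd[1207]: Accepted password for hacksudo from 192.168.56.1 port 40216 ssh2
Mar  1 10:05:30 search sshd[1300]: Failed password for hacksudo from 192.168.56.50 port 50000 ssh2
Mar  1 10:06:00 search sshd[1302]: Accepted publickey for hacksudo from 192.168.56.50 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_auth_log(text, year=2021):
    """Turn matching sshd lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events, threshold=3, window_seconds=60):
    """Alert on a source with >= threshold failures inside the window, and record a
    successful login from that source shortly after the burst (likely guessed creds)."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        for i, first in enumerate(failures):
            burst = [f for f in failures[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) < threshold:
                continue
            last_fail = burst[-1]["ts"]
            success = next(
                (e for e in evs
                 if e["result"] == "Accepted" and last_fail <= e["ts"] <= last_fail + window),
                None,
            )
            alerts.append({
                "ip": ip,
                "failures": len(burst),
                "users_tried": sorted({f["user"] for f in burst}),
                "success_user": success["user"] if success else None,
            })
            break  # one alert per source is enough here
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(alert)
```

Several distinct usernames failing from one address in a couple of seconds is the signature of a username list with a single password (exactly the `-L ... -p ...` run above), which is why the alert lists the users tried rather than just counting failures; the lone failure from the second address stays below the threshold and is not reported.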
PRIVILEGE ESCALATION
Now we are the user hacksudo. I found user.txt as soon as I logged in. Given the name of the box, "hacksudo", we know we have to escalate privileges by exploiting SUID binaries.
I then moved to the /home/hacksudo/search/tools/ directory, where we have a SUID binary and its source code.
Because the binary looks up install through $PATH instead of an absolute path, a script with the same name placed earlier in $PATH gets run instead. So I created a bash script named 'install', gave it executable permission and modified the $PATH variable, commands:
echo "/bin/bash" > install
chmod +x install
export PATH=/home/hacksudo/search/tools:$PATH
Run the SUID binary and HURRAAYYY!!! we got a root shell :) . Type the "id" command to check.
Navigate to the /root folder and we have our root.txt file; type cat root.txt to read its contents.
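The lesson for anyone writing or reviewing a privileged helper is that a relative command name is resolved through the caller's $PATH, which the caller controls. As an added example (not the box's binary or its source), here is a Python auditor that resolves a command name the way execvp() does and reports when the first match lives outside a set of trusted directories, i.e. exactly the shadowing the steps above rely on. The "system" and "tools" directories and the stub `install` scripts are constructed in a temporary directory; the trusted set is an assumption you would replace with the real system directories.

```python
import os
import tempfile


def resolve_like_execvp(name, path_value):
    """Walk PATH left to right and return the first executable match, as execvp() does.
    A name containing a slash is used verbatim and never searched."""
    if "/" in name:
        return name if os.access(name, os.X_OK) else None
    for directory in path_value.split(":"):
        candidate = os.path.join(directory or ".", name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def audit_command(name, path_value, trusted_dirs):
    """Report where `name` resolves and whether that location is outside the trusted set."""
    resolved = resolve_like_execvp(name, path_value)
    if resolved is None:
        return {"name": name, "resolved": None, "shadowed": False}
    location = os.path.realpath(os.path.dirname(resolved))
    trusted = {os.path.realpath(d) for d in trusted_dirs}
    return {"name": name, "resolved": resolved, "shadowed": location not in trusted}


def demo():
    """Constructed layout: a fake system dir holding the real `install` and a user-writable
    tools dir holding a script of the same name (both are harmless stubs)."""
    base = tempfile.mkdtemp(prefix="path-audit-")
    system_dir = os.path.join(base, "usr", "bin")
    user_dir = os.path.join(base, "home", "hacksudo", "search", "tools")
    os.makedirs(system_dir)
    os.makedirs(user_dir)
    for directory in (system_dir, user_dir):
        stub = os.path.join(directory, "install")
        with open(stub, "w") as fh:
            fh.write("#!/bin/sh\necho stub\n")
        os.chmod(stub, 0o755)

    safe_path = system_dir                        # PATH a hardened helper would set itself
    hijacked_path = f"{user_dir}:{system_dir}"    # PATH as modified by the caller
    return {
        # relative name, PATH under the helper's control: resolves to the system copy
        "safe": audit_command("install", safe_path, [system_dir]),
        # relative name, caller-controlled PATH: the tools copy wins and is flagged
        "hijacked": audit_command("install", hijacked_path, [system_dir]),
        # absolute path: PATH is irrelevant, so the shadow copy is never considered
        "absolute": audit_command(os.path.join(system_dir, "install"), hijacked_path, [system_dir]),
    }


if __name__ == "__main__":
    for label, report in demo().items():
        print(f"{label:9} shadowed={report['shadowed']} -> {report['resolved']}")
```

Both fixes the audit points at are cheap: call helpers by absolute path, or have the privileged program overwrite $PATH with a fixed system-only value before any exec. The second is what the "safe" case models.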
Thanks for reading this article , keep hacking keep learning :)