7MS #191: Vulnhub Walkthrough - Kevgir
I'm intentionally not posting a full walkthrough with all the juicy details for a few reasons:
Full (and better) walkthroughs already exist online.
By not posting the full details, it allows you the chance to get just a little push in the right direction without ruining the entire challenge.
I like to show my full thought, process as I do a whole lot of stuff wrong before I start making good progress. We can both likely learn something from that :-)
Enumeration of this box reveals lots of fun stuff - Web/FTP/Samba shares, etc. There seem to be many things that are almost a perfect fit for packaged Metasploit payloads. However, the one I went after was the Tomcat/Coyote service.
From there, I found a form that allowed uploading of files, so I used msvenom to upload a payload to the "manager" area. The upload action triggered the shell, but from there I had to "power up" my shell with:
python -c 'import pty; pty.spawn("/bin/bash");'
Not sure if it was just me, but sometimes when I typed in the terminal all leter was ddoouubblleedd uupp lliikkee tthhiiss.. But, I continued typing carefully and when I hit Enter, the commands were processed successfully.
From here I was able to find additional services, such as Mysql, running on the machine. The service had weak credentials, and I was able to enumerate the Mysql service and pull out the admin user hash and crack it relatively easily. However, it didn't help in getting a higher foothold on the box.
At this point, I did further research, checking things like /cat/etc/password to target who your actual admin users are. Also, using privesc checkers such as unix-privesc-check, LinuxPrivChecker.py or Basic Linux Privesc Cheatsheet is a good idea. Pro tip: if need be, you can setup a SimpleHTTPServer on a specific port by doing:
python -m SimpleHTTPServer 80 (or 443 or whatevs)
A combination of the above enumeration and tool use led me to a kernel exploit that resulted in root happiness.