Tomato Vulnhub Walkthrough

In this article we share another Vulnhub machine walkthrough: Tomato. The VM was created by the sunCSR Team, its difficulty is Medium to Hard, and it is hosted on the Vulnhub server, where you can download it.

Network Scanning

To begin, we find the IP address of our target machine using the following command.


We found the target's IP address, 192.168.43.144. The next step is to scan the target machine's ports with the Nmap tool.

The scan showed ports 21/FTP, 80/HTTP, 2211/SSH, and 8888/HTTP running the Nginx HTTP server. Let's move on to the enumeration step.

Enumeration

We started with port 80/HTTP and opened the target machine's web page in our browser by navigating to the IP address.


For further enumeration, we ran gobuster to brute-force the web directories and enumerate all files and directories.

We discovered a useful directory, antibot_image. Browsing it shows many files and directories; let's open info.php.


Reading the page source code, we found a comment. The page is likely vulnerable to LFI (Local File Inclusion), so, without wasting time, we can try to access /etc/passwd.


Here we try Apache log poisoning through SSH, creating a GET system backdoor.

After running the log poisoning command, we create a PHP reverse shell and upload it to the target machine using netcat. Let's run the commands. Remember to start your netcat listener first.

This time we have the target machine download our payload, and we append the extra command |php so that the shell executes automatically once it is uploaded.
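
From the defender's side, both stages above leave traces in logs: a PHP open tag in the SSH username field of the auth log, and web requests whose parameter values point at local files. The following Python script is an added example, not part of the original walkthrough; the log lines are constructed, and the parameter name file, the /info.php path and the /var/log/auth.log location are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# A PHP open tag never belongs in an SSH username field.
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)
# File targets this walkthrough mentions (/etc/passwd, log files) plus path traversal.
LFI_TARGET = re.compile(r"\.\./|/etc/passwd|/var/log/")
SSHD_USER = re.compile(r"sshd\[\d+\]: (?:Invalid user|Failed password for(?: invalid user)?) (.*) from \S+")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def poisoned_auth_lines(lines):
    """Auth-log lines whose SSH username carries a PHP open tag."""
    hits = []
    for line in lines:
        m = SSHD_USER.search(line)
        if m and PHP_TAG.search(m.group(1)):
            hits.append(line)
    return hits

def lfi_requests(lines):
    """(path, parameter, decoded value) for requests whose query points at a local file."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if LFI_TARGET.search(value):
                hits.append((url.path, name, value))
    return hits

# Constructed sample lines; the parameter name "file" is hypothetical.
AUTH_LOG = [
    "Sep  7 10:01:58 ubuntu sshd[2207]: Failed password for root from 192.168.43.10 port 50112 ssh2",
    "Sep  7 10:02:11 ubuntu sshd[2210]: Invalid user <?php echo 1; ?> from 192.168.43.10",
    "Sep  7 10:03:40 ubuntu sshd[2215]: Invalid user backup from 192.168.43.10",
]
ACCESS_LOG = [
    '192.168.43.10 - - [07/Sep/2020:10:00:12 +0000] "GET /info.php HTTP/1.1" 200 1024',
    '192.168.43.10 - - [07/Sep/2020:10:00:40 +0000] "GET /info.php?file=%2Fetc%2Fpasswd HTTP/1.1" 200 2048',
    '192.168.43.10 - - [07/Sep/2020:10:04:02 +0000] "GET /info.php?file=/var/log/auth.log&x=1 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for line in poisoned_auth_lines(AUTH_LOG):
        print("poisoned auth entry:", line)
    for hit in lfi_requests(ACCESS_LOG):
        print("LFI-style request:", hit)
```

A poisoned auth entry followed by a request that includes a log file from the same source address is the pairing worth alerting on.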


Privilege Escalation

We now have a reverse connection from the target machine. The next step is to escalate privileges on it. Let's check the target machine's kernel version using the command.

We searched for an exploit for 4.4.0-21-generic and found a local root privilege escalation exploit on exploit-db. The target system has no GCC compiler, so we open another terminal on our local machine and compile the exploit there.

After compiling the exploit, we started a local Python server on port 80, downloaded the exploit to the target machine's /tmp directory, added execute permission, and ran it.

After executing the exploit we get a blank root shell. Let's move to the root directory and read our final flag, proof.txt.
