7MS #191: Vulnhub Walkthrough - Kevgir

Intro

The following is a semi-spoilerish walkthrough of the Kevgir VM from Vulnhub by canyoupwn.me.

Disclaimer

I'm intentionally not posting a full walkthrough with all the juicy details for a few reasons:

  1. Full (and better) walkthroughs already exist online.

  2. By not posting the full details, it allows you the chance to get just a little push in the right direction without ruining the entire challenge.

  3. I like to show my full thought process, as I do a whole lot of stuff wrong before I start making good progress. We can both likely learn something from that :-)

Write-up

Enumeration of this box reveals lots of fun stuff - Web/FTP/Samba shares, etc. There seem to be many things that are almost a perfect fit for packaged Metasploit payloads. However, the one I went after was the Tomcat/Coyote service.

From there, I found a form that allowed uploading of files, so I used msfvenom to upload a payload to the "manager" area. The upload action triggered the shell, but from there I had to "power up" my shell with:

python -c 'import pty; pty.spawn("/bin/bash");'

Not sure if it was just me, but sometimes when I typed in the terminal every letter was ddoouubblleedd uupp lliikkee tthhiiss.. But I continued typing carefully, and when I hit Enter, the commands were processed successfully.

From here I was able to find additional services, such as MySQL, running on the machine. The service had weak credentials, and I was able to enumerate the MySQL service and pull out the admin user hash and crack it relatively easily. However, it didn't help in getting a higher foothold on the box.

At this point, I did further research, checking things like cat /etc/passwd to target who your actual admin users are. Also, using privesc checkers such as unix-privesc-check, LinuxPrivChecker.py or Basic Linux Privesc Cheatsheet is a good idea. Pro tip: if need be, you can set up a SimpleHTTPServer on a specific port by doing:

python -m SimpleHTTPServer 80 (or 443 or whatevs)

A combination of the above enumeration and tool use led me to a kernel exploit that resulted in root happiness.