Durian Vulnhub

Walkthrough of Durian Vulnhub.

In this post I’ll show you how I solved the Durian Vulnhub box; basically, this is a walkthrough of Durian.

Machine IP: 192.168.43.184

Running nmap, I found a website on port 80; otherwise I didn’t find anything vulnerable or suspicious.

Note: a WordPress site is also running under the /blog path.

After brute-forcing the web directories, I found the cgi-data page, which redirects to a page vulnerable to LFI.

Checking for the /etc/passwd file confirmed that it’s vulnerable to LFI.

After spending some time on research, I found that there is a log named durian.log which is vulnerable to log poisoning, and access.log is the file where the web logs are stored.

Log path: /var/log/durian.log/access.log

After that, using Burp Suite, I tried to execute a command through PHP, and it worked.

Note: it may take 2-8 attempts to execute the command.
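As an added example (not from the original post), here is a small detector a defender could run over the web server’s access log to spot both halves of this technique: a PHP open tag planted in a logged field (log poisoning) and traversal or a log path in the request (LFI). The sample log lines are constructed, and the `file` parameter name is an assumption; the post does not name the parameter.

```python
import re
from urllib.parse import unquote

# Combined log format: ip ident user [time] "request" status size "referer" "agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# A PHP open tag landing in any logged field means the log is being poisoned;
# traversal or a log path in the request means something is trying to include it.
PHP_TAG = re.compile(r'<\?(php\b|=)', re.IGNORECASE)
LFI_HINT = re.compile(r'(\.\./|/etc/passwd|/var/log/)', re.IGNORECASE)

def analyze_line(line: str) -> dict:
    """Parse one access-log line and return its fields plus a list of findings."""
    m = LOG_RE.match(line)
    if not m:
        return {"parsed": False, "raw": line, "findings": ["unparseable line"]}
    entry = m.groupdict()
    entry["parsed"] = True
    findings = []
    for field in ("request", "referer", "agent"):
        # URL-decode so an encoded tag in the request line is caught as well.
        if PHP_TAG.search(unquote(entry[field])):
            findings.append(f"php tag in {field}")
    if LFI_HINT.search(unquote(entry["request"])):
        findings.append("traversal or log path in request")
    entry["findings"] = findings
    return entry

def flagged(lines):
    """Return only the entries that carry at least one finding."""
    return [e for e in (analyze_line(l) for l in lines) if e["findings"]]

# Constructed sample lines; the 'file' parameter name is an assumption.
SAMPLE_LOG = [
    '192.168.43.1 - - [10/Oct/2020:12:00:01 +0000] "GET /blog/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '192.168.43.1 - - [10/Oct/2020:12:00:05 +0000] "GET /cgi-data/?file=../../../../etc/passwd HTTP/1.1" 200 1712 "-" "Mozilla/5.0"',
    '192.168.43.1 - - [10/Oct/2020:12:00:09 +0000] "GET / HTTP/1.1" 200 300 "-" "<?php echo \'poisoned\'; ?>"',
    '192.168.43.1 - - [10/Oct/2020:12:00:12 +0000] "GET /cgi-data/?file=/var/log/durian.log/access.log HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(e["time"], e["ip"], e["findings"])
```

A single flagged line is noise; the pairing of a poisoned User-Agent followed by a request that includes the log path is the pattern worth alerting on.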

[Screenshot: Sending Request]
[Screenshot: Response Received]

So we can see that it is sending the response. After that I tried to upload php-reverse-shell to /var/www/html/, but it did not work; after many tries, I tried uploading the shell to the /var/www/html/blog/ path, and there it got uploaded.

After that, start a Netcat listener and execute the shell.php file by visiting the /blog path on the website: 192.168.43.184/blog/shell.php.

Now we have a shell as the www-data user, which is the web user. After that I tried to find some suspicious configurations, but didn’t find anything.

But checking for capabilities, I found that two binaries have capabilities set.

By searching “/usr/bin/gdb = cap_setuid+ep” on Google, I found that it can be used for privilege escalation by simply setting the uid value to 0; more detailed information about Linux privilege escalation using capabilities can be found here.

$ /usr/bin/gdb -nx -ex 'python import os;os.setuid(0)' -ex '!sh' -ex quit

See, we got root. The tricky part of the box is finding the log file.

If you face any problem, let me know in the comment section.
