Acid: From Vulnhub
Reference from Vulnhub walkthrough
By: Pan Chao (email@example.com)
The name of the virtual machine is "acid server"
First step, network scanning, like nmap, and netdiscover
Then go port scan…
Find that port 33447 is open
Nmap results are showing that there is only one port open i.e 33447 with the services of HTTP. There are only a heading and a quote on the page; nothing else but if you look at the tab on the browser, it says ' /challenge/' . This can be a directory, let's open it.
Upon opening / challenge, a login portal will open. Let's learn more about / challenge by using Dirbuster.
Upon opeing / Challenge, a login portal will open. Let's learn more about /challenge by using Dirbuster. Copy the link from the browser in Target URL box and then select medium word list in Files with list of files box by clicking on the browse button. And then click on start.
I went through every directory but the only cake.php was useful. Open it in the browser. When you open cake.php, the page says " ah, haan, there is long go ..dude.
We find that /magic_box is written on the tab. Let's open it in the URL just like before.
When you open the /magic_box It says that access to the page is forbidden. OK! There is no problem with that.
Let's use Dirbuster again on it. Give that URL http://192.168.1.103:33447/Challenges/Magic/Box and 2.3 medium wordlists just as before and then click on start button.
In the result, it will show the name of the directories.
Out of all those Command.php is the only one that has proved to be useful. Open it in the URL. Here you will find a ping portal that means you can ping any IP address from here. Let's try and ping an IP. (You can ping any IP but I am going to ping the default IP i.e 127.0.0.1)
Once the IP has been pinged, go to the page source. On the page source, you can contemplate that results of ping are showing.
Hence there are possibilities for OS command injection and to ensure let's run any arbitrary command such as ; ls as shown above. On the page source, you can contemplate that results of ls command.
Since the page is showing the desired result that means we can use this portal to inject our virus using the web_delivery exploit. And to do so, go to the terminal of Kali an open Metasploit by typing msfconsole and then further type:
We return back to msfconsole and use web_delivery, and this exploit is a multi-exploit that means it can be used on multiple programs. Therefore, I have set the target as one because 1 refers to php and as we are using php payload we have to set the target as 1.
Now performing this exploit will give me a code. Copy this code and paste it on the ping portal after the IP that you are using to ping. And to add this code use semi-colon
And we get Meterpreter session in Metasploit. Further type the following command to see the list of directories.
And then we do privilege escalation.
We get the meterpreter session
In the list ,we find that a directory called s.bin. Let's go into the folder and see its list of files and for that type.
We go to former directory
In the list of files, we could see a file named raw_vs_isi. Let's check it out.
It contains only one file, called hint.pcapng. Let's download it on our desktop with help of following command.
Now the file is downloaded on my desktop.
We opened this pcapng file with wireshark.
Choose tcp stream, we find that in 90 th package English words occur.
We use TCP follow and find that whole conversation
In the conversation, one of them says " Saman and nowadays he's known by the alias of 1337hax0r" that means saman is the usename and 1337hax0r can be the password.
Let's try it. Then to access proper TTY shell we had import python one line script and type command to reach the terminal and here log in with the username we just found:
And we have entered the root. We get the flag.