KB-VULN: 3 ~ VulnHub – Walk through

Name: KB-VULN: 3
URL: https://www.vulnhub.com/entry/kb-vuln-3,579/
Release Date: 03 Oct 2020
Difficulty Stated: N/A
Difficulty I found: Beginner
OS used: Kali Linux 2020.3
Things you can learn from this VM: Enumeration, Directory finding, SMB anonymous login, Zip cracking, SiteMagic CMS vulnerability, EDB-ID:48788, PHP shell upload, Privilege Escalation, Reverse shell

As always, we will start with Nmap.

Successfully logged in as anonymous user on SMB.

Downloaded the website.zip archive. Since it was password protected, we used fcrackzip to guess the password.

Extracted all the files using password = porchman

Got user credentials, tried these credentials for SSH but failed. Ran gobuster to find any meaningful directory, but still no success.

Next, I started reviewing the files extracted from the website.zip archive. Inside the install.php file I found a GitHub link, which pointed to some kind of CMS called SiteMagicCMS.

Tried adding “sitemagic” to the IP of this machine which is and successfully got a webpage.

Found a vulnerability EDB-ID:48788 of SiteMagicCMS as shown below.

Logged into the admin panel with the above-mentioned credentials and uploaded my php-reverse-shell to the web server.

Got access as a low-privileged user and read the user flag.

Next, I downloaded & ran this script for finding any SUID binary (great script, works wonderfully with Python)

I found /bin/systemctl as SUID binary
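From the defender's side, the finding above is a set-uid root bit on a binary that runs caller-supplied units. The audit below is an added example, not the script used in this walkthrough; the `NEVER_SUID` list and all function names are assumptions made for illustration.

```python
import os
import stat
import sys

# Assumption: a short hand-picked denylist. /bin/systemctl is the binary found in
# this walkthrough; the other names are shells and interpreters added as examples.
NEVER_SUID = {"systemctl", "bash", "sh", "python3", "perl"}

def classify(path, mode, uid):
    """Return 'critical', 'review' or None for one (path, st_mode, st_uid) record."""
    if not (stat.S_ISREG(mode) and mode & stat.S_ISUID):
        return None                      # not a regular set-uid file
    if uid != 0:
        return "review"                  # set-uid to a non-root account
    return "critical" if os.path.basename(path) in NEVER_SUID else "review"

def audit(records):
    """Group records into {'critical': [...], 'review': [...]} with sorted paths."""
    report = {"critical": [], "review": []}
    for path, mode, uid in records:
        level = classify(path, mode, uid)
        if level:
            report[level].append(path)
    return {level: sorted(paths) for level, paths in report.items()}

def _lstat(path):
    try:
        return os.lstat(path)            # lstat: never follow symlinks
    except OSError:
        return None                      # vanished or unreadable entry

def scan(root="/"):
    """Yield (path, st_mode, st_uid) for files under root, staying on one filesystem."""
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune directories on other filesystems (/proc, /sys, network mounts).
        dirnames[:] = [d for d in dirnames if getattr(
            _lstat(os.path.join(dirpath, d)), "st_dev", None) == root_dev]
        for name in filenames:
            st = _lstat(os.path.join(dirpath, name))
            if st:
                yield os.path.join(dirpath, name), st.st_mode, st.st_uid

if __name__ == "__main__":
    for level, paths in audit(scan(sys.argv[1] if sys.argv[1:] else "/")).items():
        print(level, *paths, sep="\n  ")
```

Entries reported as `review` are meant to be compared against the distribution's expected set-uid baseline; entries reported as `critical` should have the bit removed.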

The method posted on GTFO didn't work for me, so I created a new file, myshell.service, in the /dev/shm directory with the following contents. Please replace the IP and PORT details with your own.

Next, I ran the following commands (make sure you use the absolute path):

Got reverse shell as root user.
