HackMyVM: Blog writeup

RECON

Start by scanning the target with nmap.

sudo nmap -sC -sV -A -O $IP

nmap scan result

There are only two ports open: port 22 (SSH) and port 80 (HTTP). Let's enumerate port 80. You can check whether the Apache version is vulnerable to any known attacks by googling it.

port 80

There is ping command output but no button or anything else. There is also a domain name, blog.hmv, so we can add it to the /etc/hosts file.

We can run gobuster to find directories.

gobuster dir -u http://blog.hmv -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x .bit,.php,.js,.xml,.txt

gobuster output

There is a /my_weblog directory, and it is the real homepage of the website.

blog.hmv webpage

Clicking on every hyperlink, I found out that this site runs the Nibbleblog CMS. I googled it: there is a file upload exploit, but it is an authenticated one. So we need to find credentials to use the exploit.

Continue brute forcing directories under /my_weblog.

gobuster dir -u http://blog.hmv/my_weblog -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x .bit,.php,.js,.xml,.txt

There is an admin login page at /my_weblog/admin.php.

admin portal login page

We can try default credentials like admin:admin, admin:password or admin:nibbles. None of them work. So I continued with directory brute forcing to find any log files or secret files containing credentials.

I found endpoints containing the potential username 'admin': /my_weblog/content/private/config.xml and /my_weblog/content/private/users.xml. The next thing we need is the password, so I tried brute forcing it with hydra.

hydra -l admin -P /usr/share/wordlists/rockyou.txt 'http-post-form://blog.hmv/my_weblog/admin.php:username=^USER^&password=^PASS^:Incorrect'

With the password, we can log in as the admin user.

admin panel

FOOTHOLD

Now that I have the credentials, I can use the file upload exploit. I will create a PHP reverse shell and use it with the exploit script.

php reverse shell
setting up netcat listener in new terminal
running the exploit
got shell as www-data user

PRIVILEGE ESCALATION (USER)

As user www-data, we can check sudo permissions using sudo -l, and it seems we can run the git command as user admin. Searching GTFOBins for git gives us a command for privilege escalation.

GTFObins for privilege escalation tips

So we can run the command sudo -u admin git branch --help config and then type !/bin/bash to spawn a shell.

shell as admin user

PRIVILEGE ESCALATION (ROOT)

Same as before, checking sudo -l shows we have permission to run mcedit as root. Playing around with mcedit, it seems we can edit any file. So I will edit /etc/sudoers to give the admin user permission to run /bin/bash as root.

sudo mcedit -e /etc/sudoers

And add 'admin ALL=(root) NOPASSWD: /bin/bash' on a new line as below, then save it.

adding new permission

The next step is to run bash via sudo: sudo /bin/bash. And now we have a shell as root!

root shell!
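As an added defender-side example (not part of the original writeup), the Python script below audits sudoers-style rules for the kind of grants this whole escalation chain depends on: commands such as git, mcedit and bash that hand the caller a shell as the run-as user. The sample rules are constructed for the example, and the regex is a deliberately simplified parser, not visudo's grammar (aliases and line continuations are not handled).

```python
import re
from collections import namedtuple

# Constructed sample (not the VM's real file) holding the rules this writeup
# turns on: git as admin, mcedit as root, and the bash line added at the end.
SAMPLE_SUDOERS = """\
Defaults env_reset
root     ALL=(ALL:ALL) ALL
www-data ALL=(admin) NOPASSWD: /usr/bin/git
admin    ALL=(root) NOPASSWD: /usr/bin/mcedit
admin ALL=(root) NOPASSWD: /bin/bash
"""

# Commands from this writeup's chain: a shell, an interactive editor that can
# open any file, and a tool whose --help pager lets the caller run a shell.
SHELL_ESCAPE_COMMANDS = {"bash", "sh", "mcedit", "git"}

Rule = namedtuple("Rule", "user hosts runas nopasswd commands")

# user host=(runas) [TAG: ...] cmd[, cmd]  (simplified; no aliases/continuations)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)

def parse_sudoers(text):
    """Parse user specification lines; Defaults, comments and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE_RE.match(line)
        if m:
            tags = m.group("tags").replace(" ", "").split(":")
            cmds = [c.strip() for c in m.group("cmds").split(",")]
            rules.append(Rule(m.group("user"), m.group("hosts"),
                              m.group("runas") or "root", "NOPASSWD" in tags, cmds))
    return rules

def risky_rules(text):
    """Return (rule, reason) for every rule that hands the user a shell as runas."""
    findings = []
    for rule in parse_sudoers(text):
        for cmd in rule.commands:
            name = cmd.split()[0].rsplit("/", 1)[-1]   # basename, arguments dropped
            if name in SHELL_ESCAPE_COMMANDS:
                findings.append((rule, f"{name} gives {rule.user} a shell as {rule.runas}"))
    return findings
```

Run `risky_rules` over the real /etc/sudoers (and /etc/sudoers.d/*) as root to list every rule that turns a limited sudo grant into a full shell.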
