HackMyVM: Blog writeup
RECON
Start by scanning the target with nmap.
sudo nmap -sC -sV -A -O $IP

There are only 2 ports open: port 22 (ssh) and port 80 (http). Let's enumerate port 80. You can check whether the reported Apache version is vulnerable to any known attacks by googling it.

The page shows the output of a ping command but no button or form. It also reveals the domain name blog.hmv, so we add it to the /etc/hosts file.
We can run gobuster to find directories.
gobuster dir -u http://blog.hmv -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x .bit,.php,.js,.xml,.txt

There is a /my_weblog directory, and it is the real homepage of the website.

Clicking on every hyperlink, I found out that this website runs the Nibbleblog CMS. Googling it, there is a file upload exploit, but it is an authenticated exploit, so we need to find credentials before we can use it.
Continue brute-forcing directories below /my_weblog.
gobuster dir -u http://blog.hmv/my_weblog -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x .bit,.php,.js,.xml,.txt

There is an admin login page at /my_weblog/admin.php.

We can try default credentials like admin:admin, admin:password or admin:nibbles. None of them work, so I continued with directory brute force to find any log files or secret files containing credentials.
I found endpoints containing a potential username, 'admin': /my_weblog/content/private/config.xml and /my_weblog/content/private/users.xml. The next thing we need is the password, so I tried brute-forcing it with hydra.
hydra -l admin -P /usr/share/wordlists/rockyou.txt 'http-post-form://blog.hmv/my_weblog/admin.php:username=^USER^&password=^PASS^:Incorrect'
Got the password; we can log in as the admin user.

FOOTHOLD
Now that I have the credentials, I can use the file upload exploit. I will create a PHP reverse shell and use it with the exploit script.

PRIVILEGE ESCALATION (USER)
As user www-data, we can check sudo permissions using sudo -l, and it seems we can run the git command as user admin. Looking up git on GTFOBins gives us a command for privilege escalation.

So we can run the command sudo -u admin git branch --help config
and then type !/bin/bash
to spawn a shell.

PRIVILEGE ESCALATION (ROOT)
Same as before, checking sudo -l
says we have permission to run mcedit as root. Playing around with mcedit, it seems we can edit any file, so I will edit /etc/sudoers to give the admin user permission to run /bin/bash as root.
sudo mcedit -e /etc/sudoers
Add 'admin ALL=(root) NOPASSWD: /bin/bash' on a new line as below and save it.

Next step is to run bash with sudo: sudo /bin/bash
And now we got a shell as root!
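Both privilege escalation steps come down to sudo rules that hand out a binary with a known shell escape (git, mcedit) and, after the sudoers edit, a shell itself. The following is an added example, not part of the original writeup, of a small sudoers auditor that a defender can run to flag such rules before a box like this is built. The sudoers text is constructed for the example and mirrors the rules seen in the writeup's sudo -l output plus the line added to /etc/sudoers; the list of shell-escape binaries is an illustrative assumption, not an exhaustive one.

```python
# Added example (not from the original writeup): parse user-specification lines
# of a sudoers file and flag rules that lead to a shell.
import os
import re

# Binaries known to offer an interactive shell escape (assumption: short
# illustrative list in the spirit of GTFOBins, not exhaustive).
SHELL_ESCAPE_BINS = {"git", "mcedit", "vi", "vim", "nano", "less", "more", "find", "awk"}
SHELLS = {"bash", "sh", "dash", "zsh"}

# user  host = (runas) [TAG:] cmd, cmd ...
RULE_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<spec>.+)$'
)
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

def parse_sudoers(text):
    """Return a list of {user, runas, nopasswd, commands} for each user spec line.
    Comments, Defaults and alias definitions are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        spec = m.group("spec")
        tags = set()
        # peel off leading tags such as NOPASSWD: or SETENV:
        while (t := re.match(r"([A-Z_]+):\s*", spec)):
            tags.add(t.group(1))
            spec = spec[t.end():]
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        rules.append({
            "user": m.group("user"),
            "runas": runas,
            "nopasswd": "NOPASSWD" in tags,
            "commands": [c.strip() for c in spec.split(",") if c.strip()],
        })
    return rules

def audit(rules):
    """Return findings for rules that grant a shell directly or via an escape."""
    findings = []
    for r in rules:
        if r["user"] == "root":
            continue
        for cmd in r["commands"]:
            base = "ALL" if cmd == "ALL" else os.path.basename(cmd.split()[0])
            if base in SHELLS:
                reason = "direct shell"
            elif base in SHELL_ESCAPE_BINS:
                reason = "shell escape"
            elif base == "ALL":
                reason = "unrestricted"
            else:
                continue
            findings.append({"user": r["user"], "runas": r["runas"],
                             "command": cmd, "nopasswd": r["nopasswd"], "reason": reason})
    return findings

# Constructed sudoers content modelled on the rules seen during the writeup.
SAMPLE_SUDOERS = """
Defaults env_reset
root     ALL=(ALL:ALL) ALL
www-data ALL=(admin) NOPASSWD: /usr/bin/git
admin    ALL=(root) NOPASSWD: /usr/bin/mcedit
admin    ALL=(root) NOPASSWD: /bin/bash   # the line added during the root step
"""

if __name__ == "__main__":
    for f in audit(parse_sudoers(SAMPLE_SUDOERS)):
        pw = "NOPASSWD" if f["nopasswd"] else "password"
        print(f"{f['user']} -> {f['runas']}: {f['command']} ({f['reason']}, {pw})")
```

On the sample it reports the git rule (www-data to admin), the mcedit rule (admin to root) and the bash rule (admin to root). The fix on the defending side is to avoid granting editors, pagers or VCS tools through sudo at all, or to confine them with a wrapper that cannot reach a shell, and to watch /etc/sudoers and /etc/sudoers.d for unexpected writes.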
