HackMyVm : DejaVu Writeup
OS: Ubuntu
Web-Technology:
IP: 192.168.1.42
USERS:
⇒ robert
CREDENTIALS (ANY):
⇒ robert : 9737bo0hFx4
Flags:
⇒ user.txt : HMV{REDUCTED}
⇒ root.txt : HMV{REDUCTED}
=========================================================================
NMAP RESULTS:
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:8f:5b:43:62:a1:5b:41:6d:7b:6e:55:27:bd:e1:67 (RSA)
| 256 10:17:d6:76:95:d0:9c:cc:ad:6f:20:7d:33:4a:27:4c (ECDSA)
|_ 256 12:72:23:de:ef:28:28:9e:e0:12:ae:5f:37:2e:ee:25 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
=========================================================================
Web Services Enumeration:
→ Viewed the source code of http://192.168.1.42/info.php
⇒
⇒ Found the directory "S3cR3t"
⇒ Index of /S3cR3t
⇒
⇒ Visited http://192.168.1.42/S3cR3t/upload.php
⇒
⇒ During enumeration I found that the site does not accept .php files.
⇒ Need to bypass the site's disable_functions.
⇒
⇒ Using the chankro tool, I created the reverse-shell file exploit.phtml.
⇒ Got reverse connection
⇒
=========================================================================
Enumeration: www-data
⇒ sudo -l
⇒ I can use tcpdump as robert
⇒ So let's watch the cron jobs with pspy64 and intercept their traffic with tcpdump as robert.
⇒
⇒ As a result, I found robert's password.
⇒
⇒ robert : 9737bo0hFx4
=========================================================================
SSH: robert
→ Logged in as robert using the credentials
⇒ Read user.txt
⇒
=========================================================================
PRIV-ESC:
→ sudo -l
⇒
⇒ I can run /usr/local/bin/exiftool as root.
⇒ Check the version of exiftool
⇒
⇒ Used exploit https://www.exploit-db.com/exploits/50911
⇒ By using the exploit, I created an image for changing the root password.
⇒
⇒ Now, by using that image I can change the root password
⇒
⇒ Now simply switch to root.
⇒
⇒ Reading root.txt
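Both footholds on this box come from sudo grants (tcpdump as robert, exiftool as root). The script below is an added defender-side example, not part of the writeup: it parses sudoers-style rules and flags grants of watchlisted binaries or ALL. The sudoers fragment and the watchlist are constructed for the example; the writeup never shows the box's real /etc/sudoers.

```python
import re
# Constructed watchlist: the binaries this box hands out via sudo and why each is risky.
RISKY_BINARIES = {
    "tcpdump": "captures other users' traffic, e.g. cleartext credentials from cron jobs",
    "exiftool": "file parser with a history of code-execution bugs; fatal when run as root",
}

# Minimal sudoers rule grammar: user host=(runas) [TAG: ...] cmd[, cmd ...]
SUDO_RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

def parse_sudoers_line(line):
    """Parse one sudoers rule; comments, blanks and Defaults lines give None."""
    line = line.strip()
    if not line or line.startswith(("#", "Defaults")):
        return None
    m = SUDO_RULE.match(line)
    if m is None:
        return None
    # "(robert)" or "(root:root)"; an absent runas clause means root.
    runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
    tags = set(re.findall(r"(\w+):", m.group("tags")))
    cmds = [c.strip() for c in m.group("cmds").split(",")]
    return {"user": m.group("user"), "runas": runas,
            "nopasswd": "NOPASSWD" in tags, "cmds": cmds}

def audit_sudoers(text):
    """Return (user, runas, binary, nopasswd, reason) for every risky grant."""
    findings = []
    for line in text.splitlines():
        rule = parse_sudoers_line(line)
        if rule is None:
            continue
        for cmd in rule["cmds"]:
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            reason = ("unrestricted command set" if cmd == "ALL"
                      else RISKY_BINARIES.get(binary))
            if reason:
                findings.append((rule["user"], rule["runas"], binary,
                                 rule["nopasswd"], reason))
    return findings

# Constructed sudoers fragment reproducing the writeup's two grants (real file not shown).
SAMPLE_SUDOERS = """\
Defaults env_reset
www-data ALL=(robert) NOPASSWD: /usr/sbin/tcpdump
robert   ALL=(root) NOPASSWD: /usr/local/bin/exiftool
backup   ALL=(root) /usr/bin/whoami
"""
```

Run `audit_sudoers(SAMPLE_SUDOERS)` to get the two findings; the benign whoami grant is not reported.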