HackMyVm : Hostname
OS: Debian
Web-Technology:
IP: 192.168.1.154
USERS:
→ po
CREDENTIALS (ANY):
→ po : !ts-bl4nk
Flags:
→ user.txt : REDACTED
→ root.txt : REDACTED
=========================================================================
NMAP RESULTS:
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 27:71:24:58:d3:7c:b3:8a:7b:32:49:d1:c8:0b:4c:ba (RSA)
| 256 e2:30:67:38:7b:db:9a:86:21:01:3e:bf:0e:e7:4f:26 (ECDSA)
|_ 256 5d:78:c5:37:a8:58:dd:c4:b6:bd:ce:b5:ba:bf:53:dc (ED25519)
80/tcp open http nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Panda
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
=========================================================================
Web Services Enumeration:
→ Visited http://192.168.1.154/
⇒
→ In the source code of http://192.168.1.154
⇒
⇒ "po" possible username.
⇒ S3VuZ19GdV9QNG5kYQ== : Kung_Fu_P4nda
⇒ Kung_Fu_P4nda put this as a secret word
⇒
⇒ removed that disabled="po" then hit on read.
⇒
⇒ "!ts-bl4nk" can be a password
⇒ po : !ts-bl4nk
SSH: po
→ Tried the creds
→ Logged in as po using “po : !ts-bl4nk” creds.
⇒
Enumeration: po
→ Transferred linpeas.sh to target machine.
→ Got something interesting
⇒
→ Let's go for user oogway
⇒ Let's paste this "po HackMyVM = (oogway) NOPASSWD: /bin/bash" in the sudoers file.
⇒ echo "po HackMyVM = (oogway) NOPASSWD: /bin/bash" > sudoers
⇒
⇒ After that, just run /bin/bash as oogway
⇒
⇒ Boom got the user oogway.
⇒ Reading user.txt
⇒
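A defender-side check, added here as an example and not part of the writeup: a small Python parser for sudoers user specifications like the line above, which flags any entry that grants a shell (or ALL), and reports whether it is passwordless. The sudoers.d fragment it scans is constructed for the example.

```python
import re

# Subset of the sudoers grammar covering user specifications such as
#   po HackMyVM = (oogway) NOPASSWD: /bin/bash
USER_SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"      # who, on which host
    r"(?:\((?P<runas>[^)]*)\)\s*)?"               # optional (runas_user:group)
    r"(?P<tags>(?:[A-Z]+:\s*)*)"                  # NOPASSWD:, SETENV:, ...
    r"(?P<cmds>.+)$"                              # comma-separated commands
)
SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/bin/zsh", "ALL"}
SKIP = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")

def parse_user_spec(line):
    """Parse one sudoers line; return None for comments, Defaults and aliases."""
    line = line.strip()
    if not line or line.startswith("#") or line.split()[0] in SKIP:
        return None
    m = USER_SPEC.match(line)
    if not m:
        return None
    # No (runas) clause, or only a group given, means the command runs as root.
    runas = (m.group("runas") or "").split(":")[0].strip() or "root"
    tags = set(re.findall(r"[A-Z]+(?=:)", m.group("tags")))
    cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
    return {"user": m.group("user"), "host": m.group("host"), "runas": runas,
            "nopasswd": "NOPASSWD" in tags, "cmds": cmds}

def risky_entries(text):
    """Return (reason, entry) for each entry that hands out a shell or ALL."""
    findings = []
    for line in text.splitlines():
        entry = parse_user_spec(line)
        if entry and any(c.split()[0] in SHELLS for c in entry["cmds"]):
            how = "passwordless shell" if entry["nopasswd"] else "shell"
            findings.append((f"{how} as {entry['runas']}", entry))
    return findings

# Constructed sample sudoers.d fragment (not taken from the target machine).
SAMPLE = """\
# hypothetical /etc/sudoers.d/po
Defaults env_reset
po HackMyVM = (oogway) NOPASSWD: /bin/bash
%admin ALL=(ALL) ALL
backup ALL = (root) NOPASSWD: /usr/bin/rsync
"""

if __name__ == "__main__":
    for reason, entry in risky_entries(SAMPLE):
        print(f"{entry['user']}@{entry['host']}: {reason} via {entry['cmds']}")
```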
=========================================================================
PRIV-ESC:
→ Transferred pspy64 to the target machine to monitor Linux processes.
⇒
⇒ There's also one crontab running every minute...
⇒
⇒ So after that, I ran pspy64 for monitoring...
⇒ Now I created a rev.sh and also created a checkpoint to execute that rev.sh, watching it in pspy64.
⇒ When rev.sh gets called (as seen in pspy64), we'll receive a connection on the netcat listener.
⇒
⇒ Got the root
⇒ Reading root.txt
⇒