Whenever I choose a machine to practice I always try to choose one having some writeups so that I can help myself whenever I get stuck in between as I am still a beginner. But this time I chose hacksudo: aliens by Vishal Waghmare which did not have any writeup at the time when I solved this machine. I think it is a very good machine to practice your skills specially for beginners. So lets start with our first step which is nmap scanning.
As you can see the vulnerable machine has three open ports:
- 22/TCP — running ssh service
- 80/TCP — running apache http service
- 9000/TCP — running apache http service
So I started with enumeration of website hosted on port 80. This website had a search bar and a long table showing large number of records.
Then I did directory busting using gobuster and found an interesting directory /backup
The /backup directory has a file mysql.bak revealing some sensitive stuff including database username and password.
After getting the database credentials I knew this has something to do with website hosted on port 9000 because nmap gave information about phpMyAdmin running on it. I tried these creds and got access of phpMyAdmin panel. But now I didn’t have any idea what to do. So I did some research but I didn’t find anything useful (actually something useful was in front of my eyes but ignored it, I’ll tell you about it below keep reading). Then I did directory busting
Some directories (/setup, /sql, /tmp) looked interesting to me but all of them were useless hitting dead ends and I wasted lot of time on it.
Then again I took help our friend google and found that I can upload a reverse shell on target machine by executing a query given below (method which I ignored before due to my carelessness).
SELECT “<?php system($_GET[‘cmd’]); ?>” INTO OUTFILE “PATH”
To get reverse shell we need to upload the php reverse shell file on the server and then need to execute it by locating through our browser.
But the problem with this query was I didn’t know what should be the path to write the file and to locate the file using browser. From nmap scan we know that the operating system running on vulnerable machine is linux, so we need to hit and try different linux paths to find valid one. So I tried uploading a test file in /var/www to check if we had write permission in this directory.
We are not allowed to write any file in /var/www, so after this I tried uploading file in /var/www/html.
NOTE : Keep in mind that if you are trying this method on another machine then path may be different if XAMPP or Windows OS is used on target machine but in this case XAMPP was not used and linux web server is used.
Now our next challenge is to locate this test file using browser, so I tried locating it on website running on port 9000 but it showed “Not Found”.
Then I tried locating it on website running on port 80 and got success.
This means that we can now upload our malicious php code using SQL query.
Now we can execute any arbitrary command on the server but we need an interactive shell, so we need to upload a reverse shell. To upload the famous pentest-monkey reverse shell on the server I first hosted python http server on my attacking machine and run wget command using our uploaded malicious php file to fetch the reverse shell file from our attacking machine.
Now first we need to run nc listener on our attacking machine and execute php reverse shell file on web server using URL http://<IP>/php-reverse-shell.php.
Now we need to elevate our privileges, I checked SUID bit enabled files and some files looked suspicious to me, first one is /usr/bin/bwrap and other is /usr/bin/date. So quickly I went to GTFObins to check how I can misuse this date utility.
This shows that we can read any file on the system in spite of having root ownership. So I read /etc/shadow file and brute-forced it using john-the-ripper to get password for a user with higher privilege on the target machine. Now I used ssh to get CLI on target machine to read the user.txt having flag string.
Now we need to gain root privileges so I started enumerating again and found another SUID bit enabled file was available which might be useful. Then I checked .bash_history file having some interesting information which showed that SUID bit enabled file can be used to get root access on the system which I leave on you to find.
I really liked this machine that why I solved this machine two times. Hope this writeup helped you to learn something and in solving the machine. Thanks for reading 😊😊and thanks to vishal waghmare for such a easy and good machine😊😊😊😊