HackMyVM: BlackHat
Diving right in, we start with an Nmap scan, which shows the following:
From here we run feroxbuster against port 80:
Port 80 serves the following page, and the phpinfo page is shown below:
mod_backdoor looks very strange. We looked here because we saw that the site had already been defaced, so someone had most likely loaded a module. The manual way is not very difficult, but instead of reinventing the wheel we used a Python script that was already on GitHub, found here:
After running the exploit with the proper arguments we get a reverse shell:
From here the shell was not very good, and getting a full shell with Python did not work. For this reason we use a bash callback and then get a full shell:
We see there is one other user, darkdante. We could not find any other exploits and did not see anything when running linpeas. For that reason I decided to try to log in as darkdante with a password of darkdante, which in the end we didn’t even need:
From here we again did our normal enumeration, looked at which files darkdante can write to under /etc/, and found the following:
We see that we can write to the /etc/sudoers file, which means we can give ourselves all permissions:
Now we can sudo su and be root:
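From the defender's side, the writable /etc/sudoers that made this step possible is easy to audit for. The script below is an added example, not part of the original writeup or the VM; the function names are hypothetical, and it assumes the usual root-owned, mode 0440 default for /etc/sudoers.

```shell
#!/bin/sh
# Added example: flag config files that a non-root account could modify.
# The expected owner defaults to root (uid 0); pass another uid to test
# the functions against a scratch directory.

# Print every regular file under DIR that is group-writable, world-writable,
# or not owned by OWNER. POSIX ACLs are not inspected here.
loose_files() {
    dir=$1
    owner=${2:-0}
    find "$dir" -xdev -type f \
        \( -perm -020 -o -perm -002 -o ! -user "$owner" \) -print 2>/dev/null
}

# Return 0 only if FILE is owned by OWNER and its mode is exactly 0440.
# Return 2 if FILE does not exist, 1 if owner or mode differ.
sudoers_mode_ok() {
    file=$1
    owner=${2:-0}
    [ -f "$file" ] || return 2
    # -perm 0440 is an exact match; any output means the file passed.
    [ -n "$(find "$file" -prune -user "$owner" -perm 0440 -print 2>/dev/null)" ]
}

# Audit the live system only when invoked as: sh script.sh audit
if [ "${1:-}" = "audit" ]; then
    sudoers_mode_ok /etc/sudoers ||
        echo "WARN: /etc/sudoers is not root-owned with mode 0440"
    loose_files /etc
fi
```

Any path printed by the audit is a file a non-root account may be able to edit; for /etc/sudoers and anything under /etc/sudoers.d that is equivalent to root.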
Hopefully you enjoyed the writeup and I hope you have a great rest of your day.