HackMyVM: BlackHat

Ryan Yager
3 min read · Mar 14, 2023


Diving right into it, we start off with an Nmap scan, which shows the following:

From here we run feroxbuster against port 80:

Port 80 shows the following, and phpinfo shows the output below:

mod_backdoor seems very strange. We looked here because we saw that the site had already been defaced, so someone most likely had to load a module. The manual way is not very difficult; however, instead of reinventing the wheel, we used a Python script that was already on GitHub, found here:

After running the exploit with the proper arguments we get a reverse shell:

From here the shell was not very good, and upgrading to a full shell with Python did not work. For this reason we use a bash callback and then upgrade to a full shell:

We see there is one other user, darkdante. We could not find any other exploits and did not see anything when running linpeas, so I decided to try logging in as darkdante with the password darkdante, which in the end we didn’t even need:

From here we again did our normal enumeration and looked at which files darkdante can write to in /etc/, and found the following:

We see that we can write to the /etc/sudoers file, which means we can grant ourselves full sudo permissions:

Now we can run sudo su and become root:
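A defender-side check for the misconfiguration that made this escalation possible, as an added example that is not part of the original writeup (it assumes GNU stat, as found on most Linux hosts):

```shell
#!/bin/sh
# Added example (not from the original writeup): audit sudoers files.
# The escalation above worked only because /etc/sudoers was writable by
# an unprivileged user, so this checks exactly that: is any sudoers file
# owned by someone other than root, or does its mode grant group/other
# write access? Assumes GNU stat (-c format).

# mode_allows_nonroot_write MODE
# MODE is an octal string as printed by `stat -c %a` (e.g. 440, 664, 4755).
# Returns 0 (true) when the group or other write bit is set.
mode_allows_nonroot_write() {
  case "$1" in
    *[2367])  return 0 ;;   # last digit: "other" write bit
    *[2367]?) return 0 ;;   # second-to-last digit: "group" write bit
  esac
  return 1
}

# check_sudoers_file PATH
# Prints one FINDING line per problem; returns 1 if any, 0 if clean.
check_sudoers_file() {
  f="$1"
  [ -e "$f" ] || return 0          # nothing to audit
  owner=$(stat -c '%U' "$f")
  mode=$(stat -c '%a' "$f")
  rc=0
  if [ "$owner" != "root" ]; then
    echo "FINDING: $f is owned by $owner, expected root"
    rc=1
  fi
  if mode_allows_nonroot_write "$mode"; then
    echo "FINDING: $f has mode $mode (group/other writable), expected 440"
    rc=1
  fi
  return "$rc"
}

# audit_sudoers: walks /etc/sudoers and every drop-in under /etc/sudoers.d
audit_sudoers() {
  bad=0
  for f in /etc/sudoers /etc/sudoers.d/*; do
    check_sudoers_file "$f" || bad=1
  done
  [ "$bad" -eq 0 ] && echo "OK: sudoers files are root-owned and not writable by others"
  return "$bad"
}
```

Run `audit_sudoers` from a cron job or configuration-management check; a non-zero exit is the signal that someone other than root could rewrite the sudo policy.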

Hopefully you enjoyed the writeup and I hope you have a great rest of your day.


Ryan Yager

Known on Twitch and YouTube as OvergrownCarrot1 or OGC