HackMyVM: Luz

Ryan Yager
Mar 3, 2023

HackMyVM: https://hackmyvm.eu/

Luz: https://hackmyvm.eu/machines/machine.php?vm=Luz

CVE: CVE-2021-41644 (Initial Shell)

CVE: CVE-2022-37706 (Priv Esc)

Today we will be taking a look at Luz at Hack My VM. I found out about this site not too long ago and just started messing with it today. Both VMs that I have downloaded so far are VirtualBox machines. Let's dive right into it.

Starting off with an Nmap scan, we see the following:

We see there is HTTP and SSH. Looking at Port 80 we see the following:

Going to the admin login page, we see the page name at the top change:

From here we see an online food order page, so let's see if there are any exploits for this:

Grabbing that exploit we are able to get some remote code execution:

Alright, looks like we are www-data, so let's get a better shell:

Now to stabilize the shell:

Checking SUID bits we see the following:

Looking on GTFOBins we can see that there is a csh exploit. Also notice enlightenment_ckpasswd; we will be using that later:

Alright, we have some more privs. To run the enlightenment_ckpasswd exploit we need write access to the mount directory, which we still do not have; however, aelis does. What we can do from here is put an authorized key in her .ssh directory, SSH in as her, and then run the exploit against ck_passwd:

From here we will grab our id_rsa.pub key; if you do not have one, you can always run ssh-keygen and make one for your user:

Using Vim, just as we did before to put exploit.sh on the target machine, we will put our public key into aelis's .ssh directory:

We can now login as aelis:

And lastly, priv esc:

I hope you enjoyed reading this writeup.
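
For anyone hardening a host against the SUID findings in this walkthrough (a set-uid csh and the set-uid Enlightenment helper), here is an added audit sketch that is not part of the original writeup. The function names, the list of shell names, and the sample paths are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: flag set-uid binaries of the two kinds seen on this box.

# List set-uid regular files under a root directory (default /),
# without crossing into other mounted filesystems.
list_suid() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null
}

# Read one path per line on stdin and print "reason<TAB>path" for:
#   - interactive shells (a set-uid shell hands its owner's rights to any caller)
#   - Enlightenment helpers (the family named in this writeup's priv esc step)
# The name patterns below are assumptions; extend them for your environment.
classify_suid() {
    while IFS= read -r suid_path; do
        [ -n "$suid_path" ] || continue
        suid_base=${suid_path##*/}
        case "$suid_base" in
            sh|bash|dash|zsh|ksh|csh|tcsh|bsd-csh)
                printf 'shell\t%s\n' "$suid_path" ;;
            enlightenment_*)
                printf 'enlightenment-helper\t%s\n' "$suid_path" ;;
        esac
    done
}

# Full audit of a directory tree: audit_suid /   (run as root for full coverage)
audit_suid() {
    list_suid "$1" | classify_suid
}

# Constructed sample listing (not output from the Luz VM):
sample_listing() {
    printf '%s\n' \
        /usr/bin/passwd \
        /usr/bin/bsd-csh \
        /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd \
        /usr/bin/sudo
}

sample_listing | classify_suid
```

Anything reported as `shell` should lose its set-uid bit (`chmod u-s`), and a host that does not need the Enlightenment desktop should have the package removed or updated.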

Written by Ryan Yager

Known on Twitch and YouTube as OvergrownCarrot1 or OGC
