From 9268959f6df0c54d888ee9fae06df7401e2b89b3 Mon Sep 17 00:00:00 2001
From: AbdullahRizwan101 <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Mon, 11 Jan 2021 07:08:24 +0500
Subject: [PATCH] Add files via upload
---
HackMyVM/Hommie.md | 100 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 100 insertions(+)
create mode 100644 HackMyVM/Hommie.md
diff --git a/HackMyVM/Hommie.md b/HackMyVM/Hommie.md
new file mode 100644
index 0000000..05b99c6
--- /dev/null
+++ b/HackMyVM/Hommie.md
@@ -0,0 +1,100 @@
+# HackMyVM-Hommie
+
+## Netdiscover
+
+
+
+
+## NMAP
+
+```
+Nmap scan report for 192.168.1.96 [6/43]
+Host is up (0.00024s latency).
+Not shown: 997 closed ports
+PORT STATE SERVICE VERSION
+21/tcp open ftp vsftpd 3.0.3
+| ftp-anon: Anonymous FTP login allowed (FTP code 230)
+|_-rw-r--r-- 1 0 0 0 Sep 30 09:39 index.html
+| ftp-syst:
+| STAT:
+| FTP server status:
+| Connected to ::ffff:192.168.1.8
+| Logged in as ftp
+| TYPE: ASCII
+| No session bandwidth limit
+| Session timeout in seconds is 300
+| Control connection is plain text
+| Data connections will be plain text
+| At session startup, client count was 2
+| vsFTPd 3.0.3 - secure, fast, stable
+|_End of status
+22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
+| ssh-hostkey:
+| 2048 c6:27:ab:53:ab:b9:c0:20:37:36:52:a9:60:d3:53:fc (RSA)
+| 256 48:3b:28:1f:9a:23:da:71:f6:05:0b:a5:a6:c8:b7:b0 (ECDSA)
+|_ 256 b3:2e:7c:ff:62:2d:53:dd:63:97:d4:47:72:c8:4e:30 (ED25519)
+80/tcp open http nginx 1.14.2
+|_http-server-header: nginx/1.14.2
+|_http-title: Site doesn't have a title (text/html).
+MAC Address: 08:00:27:AD:86:5A (Oracle VirtualBox virtual NIC)
+Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
+
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+Nmap done: 1 IP address (1 host up) scanned in 8.39 seconds
+
+```
+
+## PORT 21 (FTP)
+
+
+
+Now we have write permissions in the folder so let's try to upload a random text file.I tried to upload an empty text file `a.txt` and it got uploaded to ftp server.
+
+
+
+So now we can upload a php reverse shell
+
+Download the shell from here https://github.com/pentestmonkey/php-reverse-shell and edit the lhost and lport (optional).
+
+
+
+But whenever I was trying to execute the php revershell it wasn't executing.
+
+
+
+## PORT 80
+
+
+
+
+At this point I had no idea what to do , I tried running `gobuster` but it only returned the index.html and the files we were uploading so I again started to enumerate ports through nmap
+
+
+
+I ran a udp scan on the machine specifying the flag `-sU` and `-p 1-100` for scanning the ports from 1 to 100 because udp scan takes a lot of time than tcp scan.So what we got was a dhcp and tftp service ruuning on udp. We can enumrate tftp which is trivial file transfer protocol and it's different than ftp.
+
+
+
+We got connected to tftp because it doesn't use any authentication also tftp has a only a few commands as comapred to ftp we can only get or put a file so I assumed `id_rsa` must be here as it was hinted on the web page
+
+
+
+Set the permissions on `id_rsa` chmod 600
+
+
+
+Going into `/opt` directory we can see binary having a SUID
+
+
+
+Running the binary gives us the ssh key for alexia
+
+
+
+I ran strings on the binary and saw that it was printing the ssh key with `cat` so here we can exploit PATH variable
+
+
+
+
+
+root.txt isn't in the root's home directory so use the `find` command to search for the flag : )
\ No newline at end of file
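Review bot: several sections of the new HackMyVM/Hommie.md are empty where the text clearly expects a screenshot or command output: the "Netdiscover" heading, the top of "PORT 21 (FTP)" (the sentence "Now we have write permissions in the folder" refers to something shown earlier that is not in the file), the gaps around the gobuster/UDP-scan and tftp steps, and the "PORT 80" section. If these were images, the image files and their `![...](...)` links did not make it into this patch; either add them or paste the relevant output into fenced blocks, as the NMAP section already does. Two smaller points: the file has no trailing newline (`\ No newline at end of file`), and the prose has typos worth a follow-up ("revershell", "ruuning", "enumrate", "comapred", and missing spaces after the periods in "text file.I tried" and "tcp scan.So"). On the SUID/PATH paragraph, it would help readers to spell out what `strings` actually showed, i.e. that the binary in `/opt` invokes `cat` by bare name rather than an absolute path, since that unqualified call is the entire reason the PATH trick works and the obvious fix a defender would apply.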