# HackMyVM-Locker

## NMAP

```
nmap -p- -sC -sV 192.168.1.140
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-26 15:48 PKT
Nmap scan report for 192.168.1.140
Host is up (0.00013s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:6A:15:D5 (Oracle VirtualBox virtual NIC)
```

## PORT 80

On clicking the hyperlink we can see an image of the lock. We can also see the parameter `image` with a value of 1, so let's change the value.

We have 3 images. I tried running gobuster but there wasn't anything interesting; I also tried steghide, strings and exiftool on these images but didn't get anything useful.

So I had no idea what to do at this point, then I thought about the obvious RCE but got nothing. After asking for hints on Discord and looking at the screen for quite a while, I just added `;id;` and got RCE working.

To get a reverse shell we will use a Python payload, adding the payload after `;`.

Transfer linpeas for further enumeration. It isn't necessary, but if you want to enumerate faster you should run the script; it's very helpful.

Here we can see `/usr/sbin/sulogin`, which is not commonly set as SUID. Looking at the man page of sulogin:

```
sulogin looks for the environment variable SUSHELL or sushell to determine what shell to start. If the environment variable is not set, it will try to execute root's shell from /etc/passwd. If that fails, it will fall back to /bin/sh.
```

Create a C program to set the uid and gid to 0 and execute /bin/bash using system().

Compile and transfer it to the target machine.

As the man page of sulogin says, it will look for the SUSHELL variable and start that shell, so we need to exit from sulogin and then run the command again.
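Looking back at the command injection on port 80 from the defender's side: the `;id;` probe leaves a clear trace in the web server's access log. The following is an added example, not part of the original writeup, that flags requests whose `image` parameter carries shell metacharacters. The log lines and the `/image.php` path are constructed; the format is nginx's default combined log.

```python
"""Flag command-injection probes against a query parameter in nginx access logs."""
import re
from urllib.parse import urlsplit, parse_qsl

# nginx "combined" format: ip - user [time] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that have no business in a numeric image identifier:
# command separator, pipe, background/AND, backticks and $( ) substitution.
SHELL_META = re.compile(r'[;|&`]|\$\(')


def find_injection_attempts(lines, param="image"):
    """Return (ip, time, decoded_value) for each request whose `param`
    value contains shell metacharacters. Malformed lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qsl percent-decodes, so an encoded ';' (%3B) is caught as well
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key == param and SHELL_META.search(value):
                hits.append((m.group("ip"), m.group("time"), value))
    return hits


# Constructed sample log: two normal image views, one URL-encoded probe,
# one raw probe, and one garbage line that does not parse.
SAMPLE_LOG = [
    '192.168.1.50 - - [26/Jan/2021:15:50:01 +0500] "GET /image.php?image=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [26/Jan/2021:15:50:08 +0500] "GET /image.php?image=3 HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [26/Jan/2021:15:52:13 +0500] "GET /image.php?image=1%3Bid%3B HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [26/Jan/2021:15:53:40 +0500] "GET /image.php?image=1;id; HTTP/1.1" 200 640 "-" "curl/7.68.0"',
    'not a log line',
]

if __name__ == "__main__":
    for ip, when, value in find_injection_attempts(SAMPLE_LOG):
        print(f"{when} {ip} suspicious image={value!r}")
```

Feeding the real access log (`/var/log/nginx/access.log`) through `find_injection_attempts` shows both the encoded and the raw form of the probe as the same decoded value.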