# HackMyVM-Number

## NMAP

```
Nmap scan report for 192.168.1.99
Host is up (0.00014s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 2f:90:c5:7c:a1:62:89:3a:ec:ea:c3:51:fa:77:f8:3f (RSA)
|   256 8e:21:71:85:04:3d:a7:db:1d:e6:6f:16:27:0c:0d:c9 (ECDSA)
|_  256 e2:39:c7:eb:f2:6d:53:0f:fd:3c:2c:05:31:c9:5b:f2 (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:3B:F9:C5 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.55 seconds
```

## PORT 80

I ran gobuster.

Then I ran feroxbuster.

But going to `whoami.php`

`command.php`

All of this led nowhere. However, we could brute-force the PIN using hydra; for that we need to make a wordlist of numbers with a length of 4.

Now if we go back to `whoami.php`

Go back to `/admin` and log in as `melon` with the PIN you found.

If we enter a string to check for RCE, it will show us a message that only numbers are allowed.

Convert your IP address to decimal. Also launch Wireshark and start analyzing the network interface when you input the converted IP.

Here I searched for the target IP, which is `192.168.1.99`. It was trying to connect to port 4444 of our IP, so we know that we need to listen on port 4444 with netcat.

Running linpeas, I found capabilities.

But these must be run with sudo.

I guessed the password of `melon` to be `melon` and was logged in. I then knew about `hping` from the capability we found, so I searched for an escalation on GTFOBins.

Then all I had to do was run it with sudo.
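
The numbers-only check and the decimal IP conversion from the PORT 80 section, as an added example that is not part of the original write-up: it shows why a digits-only filter still lets a host address through. The function names, the 4-digit limit and the `192.0.2.10` documentation address are assumptions made for illustration.

```python
import ipaddress

MAX_IPV4 = 2**32 - 1  # largest value a 32-bit IPv4 address can hold


def ipv4_to_decimal(dotted: str) -> int:
    """Dotted-quad IPv4 address -> the single 32-bit integer that encodes it."""
    return int(ipaddress.IPv4Address(dotted))


def decimal_to_ipv4(number: int) -> str:
    """32-bit integer -> dotted-quad IPv4 address."""
    return str(ipaddress.IPv4Address(number))


def naive_numbers_only(value: str) -> bool:
    """Assumed shape of the 'only numbers are allowed' check: any run of digits passes."""
    return value.isascii() and value.isdigit()


def encoded_host(value: str):
    """Return the IPv4 address a digits-only value denotes, or None if it denotes none."""
    if not naive_numbers_only(value):
        return None
    number = int(value)
    if number > MAX_IPV4:
        return None
    return decimal_to_ipv4(number)


def hardened_numeric(value: str, max_digits: int = 4) -> bool:
    """Stricter check, assuming the field only ever needs a short number.

    Bounding the length keeps routable addresses out, but the real fix is
    to never hand the value to anything that opens a network connection.
    """
    return naive_numbers_only(value) and len(value) <= max_digits


if __name__ == "__main__":
    # Constructed sample inputs: a short number, a decimal-encoded address,
    # the same address in dotted form, and a plain string.
    for sample in ["1234", "3221225994", "192.0.2.10", "id"]:
        print(f"{sample!r}: naive={naive_numbers_only(sample)} "
              f"host={encoded_host(sample)} hardened={hardened_numeric(sample)}")
```
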