CTF-Writeups/HackMyVM/Locker.md
AbdullahRizwan101 a1d26c601c
Update Locker.md
2021-02-04 00:44:43 +05:00

2.6 KiB

HackMyVM-Locker

NMAP

nmap -p- -sC -sV 192.168.1.140
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-26 15:48 PKT
Nmap scan report for 192.168.1.140
Host is up (0.00013s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:6A:15:D5 (Oracle VirtualBox virtual NIC)

PORT 80

On clicking the hyperlink

We can see an image of the lock also we can the parameter image having value of 1 so let's changing the value

We have 3 images , I tried running gobuster there wasn't anything intersting also I tried steghide, strings,exiftool on these images but didn't get anything useful

So I had no idea what to do at this point than thought about the obivous RCE

But got nothing.After asking for hints on discord looking at the screen for quite a while I just added ;id; and got rce to be working

To get a reverse shell we will use python payload adding the payload after ;

Transfer linpeas for further enumeration although it isn't necessary but if you want to just enumerate faster you should run the script it's very helpful

Here we can see /usr/sbin/sulogin which is not commonly set as SUID

Seeing the man page of sulogin

sulogin looks for the environment variable SUSHELL or sushell to determine what shell to start.If the environment variable is not set,it will try to execute root's shell from /etc/passwd.If that fails,it will fall back to /bin/sh.

Create c program to set uid and gid to 0 and execute /bin/bash using system

Compile and transfer it to the target machine

As it said in the man page of sulogin that it will look for SUSHELL variable and will start it so we need to exit from sulogin and then run the command again