HackMyVM-Number
NMAP
Nmap scan report for 192.168.1.99
Host is up (0.00014s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 2f:90:c5:7c:a1:62:89:3a:ec:ea:c3:51:fa:77:f8:3f (RSA)
| 256 8e:21:71:85:04:3d:a7:db:1d:e6:6f:16:27:0c:0d:c9 (ECDSA)
|_ 256 e2:39:c7:eb:f2:6d:53:0f:fd:3c:2c:05:31:c9:5b:f2 (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:3B:F9:C5 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.55 seconds
PORT 80
I ran gobuster
Then I ran feroxbuster
But going to whoami.php
command.php
All of this led nowhere; however, we could brute-force the PIN using hydra. For that we need to make a wordlist of numbers with a length of 4.
Now if we go back to whoami.php
Go back to /admin
and log in as melon
with the PIN you found
If we enter a string to check for RCE, it shows us a message that only numbers are allowed.
Convert your IP address to decimal; also launch Wireshark and start analyzing the network interface when you input the converted IP.
Here I searched for the target IP, which is 192.168.1.99,
which was trying to connect to port 4444 of our IP, so we know that we need to listen on port 4444 with netcat.
Running linpeas I found capabilities
But these must be run with sudo
I guessed the password of melon
as melon
and was logged in. Then I knew from the capability we found about hping.
Search for escalation on GTFOBins.
Then all I had to do was run it with sudo.