CTF-Writeups/HackMyVM/Number.md
2021-01-12 04:23:16 +05:00

2.6 KiB

HackMyVM-Number

NMAP

Nmap scan report for 192.168.1.99
Host is up (0.00014s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 2f:90:c5:7c:a1:62:89:3a:ec:ea:c3:51:fa:77:f8:3f (RSA)
|   256 8e:21:71:85:04:3d:a7:db:1d:e6:6f:16:27:0c:0d:c9 (ECDSA)
|_  256 e2:39:c7:eb:f2:6d:53:0f:fd:3c:2c:05:31:c9:5b:f2 (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:3B:F9:C5 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.55 seconds

PORT 80

I ran gobuster

Then I ran feroxbuster

But going to whoami.php

command.php

All of this Lead to nowhere however we could bruteforce the pin using hydra for that we need to make a wordlists of numbers with a length of 4.

Now if we go back to whoami.php

Go back to /admin and login as melon with the pin you found

If we enter a string to check for rce it will show us a message that only numbers are allowed

Convert your IP address to decimal also launch wireshark and start analyze the network interface when you input the converted IP.

Here I searched for target IP which is 192.168.1.99 which was trying to connect to port 4444 of our IP so we know that we need to listen for port 4444 on our netcat.

Running linpeas I found capabilites

But these must be run as sudo

I guess the password of melon as melon and was logged in then I knew from the capability we found about hping search for escalation on gtfobins

Then all I had to was to run it with sudo