HackMyVM-Pwned
NMAP
Nmap scan report for 192.168.1.7
Host is up (0.00020s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 fe:cd:90:19:74:91:ae:f5:64:a8:a5:e8:6f:6e:ef:7e (RSA)
| 256 81:32:93:bd:ed:9b:e7:98:af:25:06:79:5f:de:91:5d (ECDSA)
|_ 256 dd:72:74:5d:4d:2d:a3:62:3e:81:af:09:51:e0:14:4a (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Pwned....!!
MAC Address: 08:00:27:56:AD:A9 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.73 seconds
PORT 80
Looking at the source we can see a comment at the bottom of the page
I ran gobuster
From fuzzing the directories, /nothing led me to actually nothing.
However, /hidden_text was interesting.
It was like a wordlist, or maybe these directories exist on the machine. So using this wordlist, it came back with a pwned.vuln file.
Looking at the source code again
These were in fact credentials for the FTP server
The note says
Wow you are here
ariana won't happy about this note
sorry ariana :(
This private key belongs to the user ariana, so we can SSH into the box with it.
Run sudo -l to see what we can run as root or as another user.
Transfer linpeas to the box.
Right at the start it says that the user is in the docker group and we can privesc by abusing it.
Visiting GTFOBins for any privesc on docker.
And we are root !!! fb8d98be1265dd88bac522e1b2182140 711fdfc6caad532815a440f7f295c176 4d4098d64e163d2726959455d046fd7c