Machine Info#
| Name | webmaster |
|---|---|
| OS | Linux |
| Author | sml |
| Site | hackymyvm |
| Difficulty | Easy |
Recon and enumeration#
We start with our service recon with nmap:
3 ports open. The usual , port 80 and 22, and a first encounter with port 53, which appears to be a DNS server, lets take a look at the webpage now:
First clue, a password might be in a .txt file, lets take a look at the webpage source code:
A comment webmaster.hmv, it may have a meaning in pwning this machine ,or not… Well, since we can’t do anything else manually in this page, lets run our usual gobuster directory enumeration:
I did some more scans, but found nothing…
Lets backtrack a bit, we found a comment, webmaster.hmv, now, maybe, that’s a domain name? We add that domain to our /etc/hosts, like this:
We try viewing the webpage again:
It works, good. Now, we have a domain name, and we have port 53 open, lets consult hacktricks to see what we can find. Eventually,I find something in this section.
Didn’t really know what AXFT was, so I googled it:
Since we have both IP and domain name, lets try with the second command of the zone transfer section.
Initial Access#
And, we most likely have found some SSH login credentials, lets try to login as a user:
We get the user flag, now then, and we have a script in the home directory, lets check what it does:
Mm, I try the script, and it shows this:
Of course, it isn’t going to show to root flag, because it isn’t in the directory, let’s try to add /root/ before root.txt:
No change… Lets see what else we can do:
Mmm, we have super user privileges with the nginx web server, lets do some research on how we can exploit that. So, after a while, I got the root flag, but didn’t escalate privileges, anyways, here’s what I did:
I found this script from this blog by darrenmarty:
In a nutshell, what it does, it creates a nginx.conf file in the /tmp directory, sets the user as root, establishes some capabilities of the server, then, starts an http server on the root directory. After that, it launches nginx with sudo privileges with the config file it just created and shows the contents of the /etc/passwd directory.
Now, I adapted this script for what I need from this machine, so, I did this:
You may ask, why set up the listener to the target machine ip? Because of this:
The script successfully starts the http server with the config file the script created, but, in this machine, curl is not installed or the user isn’t allowed to use it. But, the http server is running, so, we can download try to download the file with wget.
Privilege Escalation#
And we have the root flag, but, we didn’t escalate privileges to super user. Checking the blog even further, the author did escalate privileges, here’s how he did it:
I don’t know what dynamic linker means, so I google it:
So, I use the modified script adapt it to my needs, and see it we get a root shell:
Well, that’s not good, maybe there’s an easier way. Now, I decide to consult another writeups, to see if someone got a root session with a different method. Consulting the writeup of the hackmyvm user ARZ. It seems, in the html directory we have unrestricted privileges, which allows us to write a php script, what will allow us to execute a reverse shell to our machine. Good thing to keep in mind in the future.
Things I learned from this machine#
- If there are domains involved, add them to my
/etc/hostsfile, and run related domain commands(digornslookup) to obtain information about the machine. - Always check before hand the content of the directory where the web page assets are when logged in as a user, if we are lucky, we could have unrestricted privileges on that directory, and write a simple php code to enable remote code execution, and get a reverse shell on our machine.