Windy's little blog

All the odds and ends of life, and I like CTF.

HackMyVm Zday Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Zday


Scan the ports: a lot are open. Check port 80 first; it is the default Apache page.

Scan files and folders.

Open /fog: it is the login panel of the FOG Project.

Google the default credentials and log in. On the "storage" page, we get a username "fogproject" and a password.

Try to log in over SSH using these credentials. We get an error message and the session exits.

Log in to FTP with these credentials.

Download the .bashrc and remove the code at its tail, which causes the error message.

Upload the .bashrc through FTP; then we can log in as fogproject.

find / -writable -not -path "/proc*" 2>/dev/null

We can write to some places in the HTTP folder.

Upload a reverse shell and overwrite /var/www/html/fog/service/ipxe/index.php; then we get a reverse shell as user www-data.
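
From the defender's side, the writable paths found above are what a routine audit of the web root should flag. The following is an added example, not part of the original post: the names `audit_webroot` and `make_demo_tree` and the demo tree are constructed, and the check covers permission bits only (not ownership or ACLs).

```shell
#!/usr/bin/env bash
# Added example: list paths under a web root that a non-owner account can modify.
# Exit status: 0 = clean, 1 = findings, 2 = bad argument.

audit_webroot() {
    local root="$1" dirs files
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    # Group/world-writable directories: a file inside can be replaced
    # (unlink + create) even when the file itself is read-only.
    dirs="$(find "$root" -xdev -type d \( -perm -020 -o -perm -002 \) \
        -print 2>/dev/null | sed 's/^/DIR  /')"

    # Group/world-writable server-side scripts: direct code modification.
    files="$(find "$root" -xdev -type f \( -name '*.php' -o -name '*.phtml' \) \
        \( -perm -020 -o -perm -002 \) -print 2>/dev/null | sed 's/^/FILE /')"

    [ -z "$dirs$files" ] && return 0
    [ -n "$dirs" ] && printf '%s\n' "$dirs"
    [ -n "$files" ] && printf '%s\n' "$files"
    return 1
}

# Constructed demo tree (mirrors the path layout named in the post) so the
# function can be exercised offline. Prints the temporary root directory.
make_demo_tree() {
    local d
    d="$(mktemp -d)" || return 1
    mkdir -p "$d/fog/service/ipxe" "$d/fog/lib"
    : > "$d/fog/service/ipxe/index.php"
    : > "$d/fog/lib/core.php"
    chmod 755 "$d" "$d/fog" "$d/fog/service" "$d/fog/lib"
    chmod 777 "$d/fog/service/ipxe"      # the weak setting the audit should flag
    chmod 644 "$d/fog/service/ipxe/index.php" "$d/fog/lib/core.php"
    printf '%s\n' "$d"
}
```

Run `audit_webroot /var/www/html` from cron or a configuration-management check and alert on exit status 1; a read-only index.php inside a writable directory is still reported, because the directory permission is what allows the overwrite.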

Run sudo -l as www-data.

Escalate to user estas.

Run sudo -l as user estas.

Check the source code of mimeopen. Note these few lines.

Go to the /tmp folder, create a tmpfile containing the code "bash", then call mimeopen with -d and use bash to run "tmpfile". Then we get root.
