HackMyVm Zday Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Zday


Cat ports, a lot opened. Check port 80 first, it's a default apache page.

Scan files and folders.

图片.png


Open /fog,  it's login panel of fog project.

图片.png


Google the default crdentials and login. At "storage" page, get a username "fogproject" and password.

图片.png

Try to login ssh using this credentials. We get an error message and exit.

图片.png


Log in ftp with this crdentials.

图片.png


Download the .bashrc, remove the tail code, which cause the error message.

图片.png


Upload the .bashrc through ftp, then we can login as fogproject.

图片.png

find / -writable -not -path "/proc*" 2>/dev/null

We can write to some places in http folder.

图片.png


Upload a reverse shell and overwrite /var/www/html/fog/service/ipxe/index.php, then we get reverse shell as user www-data.

图片.png


Sudo -l as www-data.

图片.png


Escalate to user estas.

图片.png


Sudo -l as user estas.

图片.png


Check the source code of mimeopen. Notice these several lines.

图片.png


Goto /tmp folder, create a tmpfile with code "bash", then call mimeopen with -d, and use bash to run "tmpfile". Then we get root.

图片.png

发表评论:

◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。

«    2022年5月    »
1
2345678
9101112131415
16171819202122
23242526272829
3031
网站分类
搜索
最新留言
文章归档
网站收藏
  • 订阅本站的 RSS 2.0 新闻聚合

Powered By Z-BlogPHP 1.7.2