https://hackmyvm.eu/machines/machine.php?vm=Eyes
Scan ports.
Log in to FTP as anonymous and download index.php.
Check the source code of index.php: it has an LFI (the include() path comes straight from the fil3 query parameter).
<?php
$file = $_GET['fil3'];
if(isset($file)) {
    include($file);
} else {
    print("Here my eyes...");
}
?>
<!--Monica's eyes-->
Check which log files can be included. Because the FTP service is running, maybe the FTP log can be included.
$ wfuzz -w /usr/share/wordlists/logfiles.txt '192.168.56.97/index.php?fil3=FUZZ'
...
000000033:   200   1 L    2 W     21 Ch   "/var/log/auth"
000000031:   200   5 L    53 W    398 Ch  "/var/log/vsftpd.log"
000000030:   200   1 L    2 W     21 Ch   "/var/log/error.log"
OK, vsftpd.log can be included, so we can log in to FTP using shell code as the username.
Check whether the shell code runs correctly.
Then we can get a reverse shell as www-data.
Because there is only one user, "monica", we search for files belonging to this user.
In /opt we notice a file named "ls".
Check the source code: it has a stack overflow vulnerability.
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

int main(void) {
    char command[100];
    char ls[50] = "/usr/bin/ls";
    char name[50];
    printf("Enter your name:");
    gets(name);               /* unbounded read: a long name overflows name[] into the neighbouring ls[] buffer */
    strcpy(command, ls);      /* whatever now sits in ls[] becomes the command string */
    setuid(1000);
    setgid(1000);
    printf("Hi %s, Im executing ls\n Output:\n", name);
    system(command);          /* run through a shell as uid/gid 1000 */
}
We need to input a long name that overwrites "/usr/bin/ls" with "bash". Then we become user monica.
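For comparison, a hardened rewrite of the /opt/ls program (an added example, not code from the machine): the name is read with a bounded fgets() instead of gets(), nothing the user types is ever passed to a shell, and ls is executed by absolute path with a fixed argv and empty environment. The helper names read_name and run_ls are my own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define NAME_MAX_LEN 50

/* Bounded replacement for gets(): reads at most size-1 bytes, strips the
 * newline and drains the rest of an over-long line so it cannot spill into
 * neighbouring stack buffers. Returns the stored length or -1 on EOF/error. */
static int read_name(char *name, size_t size, FILE *in) {
    if (fgets(name, (int)size, in) == NULL) return -1;
    size_t n = strcspn(name, "\n");
    if (name[n] == '\n') {
        name[n] = '\0';
    } else {                          /* line was truncated: discard the remainder */
        int c;
        while ((c = getc(in)) != '\n' && c != EOF) { }
    }
    return (int)n;
}

/* Run ls by absolute path with a fixed argv and an empty environment.
 * No shell is involved, so user input can never become a command.
 * Returns the child's exit status, or -1 on error. */
static int run_ls(const char *dir) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "ls", (char *)dir, NULL };
        char *const envp[] = { NULL };
        execve("/usr/bin/ls", argv, envp);
        _exit(127);                   /* only reached if execve fails */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char name[NAME_MAX_LEN];
    printf("Enter your name:");
    if (read_name(name, sizeof name, stdin) < 0) return 1;
    printf("Hi %s, Im executing ls\n Output:\n", name);
    return run_ls(".");
}
```

Dropping the setuid()/setgid() calls entirely is the other half of the fix: if the program must run as another user, that should come from sudo or a proper setuid policy, not from the binary re-asserting a hard-coded uid.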
Check sudo.
Use bzip2 to compress /root/.ssh/id_rsa, decompress it, then SSH in as root. (Or we can directly read root.txt.)
Finally, we are root.