https://hackmyvm.eu/machines/machine.php?vm=Eyes
Scan ports.
Log in ftp as anonymous, and get index.php.
Check the source code of index.php, has LFI.
<?php
$file = $_GET['fil3'];
if(isset($file))
{
include($file);
}
else
{
print("Here my eyes...");
}
?>
<!--Monica's eyes-->Check which log file can be include. Because the FTP service is on, maybe ftp log can be include.
$ wfuzz -w /usr/share/wordlists/logfiles.txt '192.168.56.97/index.php?fil3=FUZZ' ... 000000033: 200 1 L 2 W 21 Ch "/var/log/auth" 000000031: 200 5 L 53 W 398 Ch "/var/log/vsftpd.log" 000000030: 200 1 L 2 W 21 Ch "/var/log/error.log"
OK, the vsftpd.log can be included. So we can login ftp using shell code as username.
Check if the shell code runs OK.
Then we can get a reverse shell as www-data.
Because there is only one user "monica", we search for files belong to this user.
In /opt, we noticed a file named "ls".
Check the source code, it has stack overflow vulnerability.
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
int main(void)
{
char command[100];
char ls[50]="/usr/bin/ls";
char name[50];
printf("Enter your name:");
gets(name);
strcpy(command,ls);
setuid(1000);
setgid(1000);
printf("Hi %s, Im executing ls\n Output:\n",name);
system(command);
}
We need to input a long name, which can overwrite "/usr/bin/ls" to "bash". Then we can be user monica.
Check sudo.
Use bzip2 to compress /root/.ssh/id_rsa, and decompress it, then ssh login as root. (Or we can directly read root.txt)
At last, we are root.
