Hack Me Please Walkthrough – Vulnhub
“Hack Me Please” is an easy machine from Vulnhub. I would like to thank Saket Sourav for it. I ran this machine in VMware and recommend you do the same. This is an OSCP-like machine, so no brute-forcing is required.
Link to the machine: https://www.vulnhub.com/entry/hack-me-please-1,731/
Identify the target
Firstly, we have to identify the IP address of the target machine.
sudo netdiscover -r 192.168.19.0/24
Scan open ports
Next, we have to scan the open ports on the target to get information about exposed services.
sudo nmap -v -T4 -A -p- -oN nmap.log 192.168.19.131
As we can see, there is no SSH port open. Therefore, we must find another way to get remote command execution on the target. Since no brute-forcing is involved, we will probably have to read the web application's source code.
The default page of the website doesn’t have much information.
Therefore, with a nudge from the Discord user sulaimanredteam, I looked at the js/main.js file.
In the file, we see a link to a document management system (DMS). This technology was new to me, so I looked up its Git repository and checked for any published exploits. We know the version is 5.1.22, so I looked at the code specifically for that tag.
Moreover, an RCE was identified for version 5.1.10, so I also used it as a reference for the remote command execution.
Exploit for versions < 5.1.11: https://www.exploit-db.com/exploits/47022
Analysing the repo
First of all, we have to analyse the directory structure of the framework. Frameworks have a well-defined layout, and here we see a couple of directories, of which ‘conf’ contains the configuration of the web app.
As we can see, the /conf path did not work when appended to the URL above, so I tried it one level back.
We got a forbidden message for the directory. This implies that there is a .htaccess file that restricts directory browsing, which we can confirm from the repository.
As in most frameworks, we see an example configuration file, settings.xml.template. Furthermore, the .htaccess file reveals the name of the actual settings file. Since the machine is a CTF challenge, we can assume that a misconfiguration in the .htaccess file gives us access to the database credentials. Therefore, I directly visited the path on the target.
Here, we got the database server’s username and password. So, we can log into the server.
mysql -h 192.168.19.131 -u<username> -p -D<database_name>
Next, I looked up the tables.
All of the tables have the prefix ‘tbl’ except users. Thus, I listed its records.
SELECT * FROM users;
Finally, I got a password that might belong to a user on the target. However, we have neither the name of the user nor a shell to log into. Therefore, we have to log into the web app instead. Since we have access to the database, we can update the administrator's password.
SELECT login,pwd FROM tblUsers;
I used an online tool to generate the MD5 hash of the word “admin”, which is my new password.
UPDATE tblUsers SET pwd='21232f297a57a5a743894a0e4a801fc3' WHERE login='admin';
Lastly, I logged in.
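Two things a defender can take from the UPDATE above: the application stores bare, unsalted MD5 hashes in tblUsers, and an attacker with database access can silently swap the administrator's hash. The following is an added example, not code from the original post, that compares a baseline snapshot of tblUsers against the current one and flags changed rows and unsalted hashes. Both snapshots are constructed (the logins and the baseline hashes are made up); the only value taken from the walkthrough is the MD5 of "admin".

```python
import hashlib
import re
from typing import Dict, List

# A bare 32-hex-digit value is an unsalted MD5 (or a similar 128-bit digest).
UNSALTED_MD5 = re.compile(r'^[0-9a-f]{32}$')

# Constructed baseline snapshot of tblUsers (login -> pwd) taken at deployment;
# the hash values are made-up hex, not real password hashes.
BASELINE: Dict[str, str] = {
    'admin': 'f2e1c0b9a8d7e6f5a4b3c2d1e0f9a8b7',
    'guest': '0123456789abcdef0123456789abcdef',
}

# Constructed "current" snapshot. The admin row now holds the MD5 of "admin",
# the value the walkthrough wrote into the table; 'svc' is a constructed
# bcrypt-style placeholder to show that salted hashes are not flagged.
CURRENT: Dict[str, str] = {
    'admin': '21232f297a57a5a743894a0e4a801fc3',
    'guest': '0123456789abcdef0123456789abcdef',
    'svc': '$2y$10$constructedplaceholderhashvalue000000000000000000000',
}


def hash_matches(pwd_hash: str, candidate: str) -> bool:
    """True if the stored unsalted-MD5 hash is the digest of `candidate`."""
    return hashlib.md5(candidate.encode()).hexdigest() == pwd_hash.lower()


def audit_user_hashes(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two tblUsers snapshots and report storage weaknesses.

    changed      : logins whose hash differs from the baseline (possible takeover)
    added/removed: accounts created or deleted since the baseline
    unsalted_md5 : accounts whose stored hash is a bare MD5 digest
    """
    changed = sorted(u for u in baseline if u in current and baseline[u] != current[u])
    added = sorted(u for u in current if u not in baseline)
    removed = sorted(u for u in baseline if u not in current)
    unsalted = sorted(u for u, h in current.items() if UNSALTED_MD5.match(h))
    return {'changed': changed, 'added': added, 'removed': removed, 'unsalted_md5': unsalted}


if __name__ == '__main__':
    report = audit_user_hashes(BASELINE, CURRENT)
    for key, logins in report.items():
        print(f'{key:13} {logins}')
    print('admin hash is md5("admin"):', hash_matches(CURRENT['admin'], 'admin'))
```

Scheduling this diff (or the equivalent database trigger) is how the password swap in this walkthrough would be caught in production; the unsalted_md5 list is the backlog for migrating the application to a salted, slow hash.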
Remote command execution
The purpose of this web app is to manage documents online, so there is a feature to upload files. If we can upload a web shell and execute it, we get remote command execution.
Firstly, we have to listen on a port.
nc -nlvp 9001
Next, I modified the pentestmonkey web shell with my IP address and port 9001, as follows.
Now, let’s check the exploit.
Firstly, we have to upload the shell by navigating to the “Add document” menu. Next, we have to browse the PHP file and upload it. This will give us a blank page. However, upon returning to the dashboard, we see a file already uploaded.
If we click on the file, we see a document ID, as shown above. This is all the exploit requires. Now, we can visit the link as follows (in my case) to get a reverse shell.
Finally, we got the shell. You can improve the shell if you want: Upgrade to an intelligent reverse shell
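The upload step works because the document store accepts a .php file and keeps it somewhere the web server will execute. The following is an added example, not code from the original post or from the DMS project, of the server-side checks that close that hole: an extension allow-list, rejection of script extensions anywhere in the name (so shell.php.pdf is caught too), a content check for PHP open tags, a magic-byte check against the declared type, and a random on-disk name. The allow-list and magic-byte table are assumptions chosen for the example.

```python
import os
import re
import secrets
from typing import Tuple

# Constructed allow-list of document types the store is willing to accept.
ALLOWED_EXTENSIONS = {'.pdf', '.png', '.jpg', '.txt'}
# Leading bytes that files of the declared type must start with (.txt has none).
MAGIC = {'.pdf': b'%PDF-', '.png': b'\x89PNG\r\n\x1a\n', '.jpg': b'\xff\xd8\xff'}
# Server-side script extensions, matched anywhere in the name so that a
# double extension such as shell.php.pdf is rejected as well.
SCRIPT_EXT = re.compile(r'\.(php\d?|phtml|phar|cgi|pl|py|sh|jsp|asp|aspx)(\.|$)', re.I)


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for a client-supplied name and file body."""
    # Strip any directory components; only the final name component matters.
    name = os.path.basename(filename.replace('\\', '/'))
    if not name or name.startswith('.'):
        return False, 'empty or hidden file name'
    if SCRIPT_EXT.search(name):
        return False, 'server-side script extension'
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, 'extension not in allow-list'
    # A PHP open tag near the start of a "document" is never legitimate here.
    head = data[:4096]
    if b'<?php' in head or b'<?=' in head:
        return False, 'PHP open tag in content'
    magic = MAGIC.get(ext)
    if magic is not None and not data.startswith(magic):
        return False, 'content does not match declared type'
    return True, 'ok'


def storage_name(filename: str) -> str:
    """Random on-disk name; the client name is kept only as database metadata,
    and the storage directory itself should sit outside the web root."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    return secrets.token_hex(16) + ext


if __name__ == '__main__':
    samples = [
        ('report.pdf', b'%PDF-1.4 constructed sample'),
        ('shell.php', b'<?php echo 1; ?>'),
        ('shell.php.pdf', b'%PDF-1.4'),
        ('notes.txt', b'<?php echo 1; ?>'),
        ('photo.png', b'GIF89a'),
    ]
    for n, d in samples:
        print(f'{n:15} {validate_upload(n, d)}')
```

Even with these checks in place, the web server should be configured not to execute anything under the upload directory (for Apache, an .htaccess there with the PHP handler removed, or better, a storage path outside DocumentRoot), so that a check bypass does not turn straight into code execution.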
Gaining root shell
If we look at the /etc/passwd file, we will see a user named “saket”.
grep bash /etc/passwd
We have already got the password to the user from the database.
su -l saket
Next, I checked the sudo permissions of the user.
The user has access to everything. So, I switched to root.
sudo su -l
In this way, we can reach the root shell of the machine.
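The final step only works because saket's sudo rule grants ALL. A hardening review should catch that before an attacker does; the following is an added example, not code from the original post, that parses a sudoers file and flags every non-root user or group allowed to run ALL, rating NOPASSWD rules highest. The sudoers content is constructed, and the NOPASSWD tag on the saket line is an assumption (the post only says the user has access to everything).

```python
import re
from typing import Dict, List

# Constructed /etc/sudoers content for this example (not captured from the
# target). The NOPASSWD tag on the saket rule is an assumption.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
saket   ALL=(ALL:ALL) NOPASSWD: ALL
backup  ALL=(root) /usr/bin/rsync
# www-data ALL=(ALL) NOPASSWD: ALL
"""

# user_or_group  host=(runas) [TAG:...] command_list
RULE = re.compile(
    r'^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*'
    r'(?:\((?P<runas>[^)]*)\)\s*)?'
    r'(?P<tags>(?:[A-Z]+:\s*)*)'
    r'(?P<cmds>.+)$'
)

DIRECTIVES = ('Defaults', 'User_Alias', 'Cmnd_Alias', 'Host_Alias', 'Runas_Alias')


def audit_sudoers(text: str) -> List[Dict[str, object]]:
    """Return a finding for every non-root principal whose command list is ALL."""
    findings: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith(DIRECTIVES):
            continue
        m = RULE.match(line)
        if not m or m['who'] == 'root':
            continue
        cmds = [c.strip() for c in m['cmds'].split(',')]
        if 'ALL' not in cmds:
            continue
        nopasswd = 'NOPASSWD' in m['tags']
        findings.append({
            'who': m['who'],
            'runas': m['runas'] or 'root',
            'nopasswd': nopasswd,
            # With NOPASSWD, any shell as this user is already root.
            'severity': 'critical' if nopasswd else 'high',
            'rule': line,
        })
    return findings


if __name__ == '__main__':
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['severity']:8} {f['who']:8} {f['rule']}")
```

The fix is the usual one: replace ALL with the specific commands the account needs, and keep a web-shell-reachable account such as www-data out of sudoers entirely. Run the audit over /etc/sudoers.d/* as well, since rules there are just as effective.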