Method – Writeup – HackMyVM – Walkthrough
Method is an easy machine by avijneyam from the HackMyVM platform. It requires a bit of enumeration and an understanding of web technology. Once we get the foothold, the rest is a piece of cake. The machine works quite well on VirtualBox.
Link to the machine: https://hackmyvm.eu/machines/machine.php?vm=Method
Identify the target
As usual, I started by identifying the IP address of the target. This can easily be done with tools such as netdiscover, arp-scan, fping, etc.
sudo netdiscover -r 10.0.0.0/24
Scan open ports
Next, I scanned open ports on the target.
nmap -v -T4 -p- -sC -sV -oN nmap.log 10.0.0.85
Here, we only have ports 22 and 80 to enumerate further.
Enumerate the webserver
There are some rabbit holes in the machine. However, using nikto, we can find what we want; we can also do the same manually. The key item on this machine is the sitemap.xml file.
This is a major hint and also a major distraction. If we look closely, there is an ‘index.htm?vm=Brain’ part in the URL. We know that HackMyVM has PHP in its backend and that no such URL exists there. But we can look for index.htm on the server.
Let’s check the source of the page.
There is a hidden form that raises suspicion. It has an input named “HackMyVM”.
It looked like the GET method was not the correct way, so I sent the same request using POST.
curl -X POST 'http://10.0.0.85/secret.php' -d 'HackMyVM=id' -H 'Content-Type: application/x-www-form-urlencoded'
Furthermore, we could also spawn a reverse shell by sending the reverse-shell command in URL-encoded form. However, I checked the source of secret.php to get the username and password.
curl -X POST 'http://10.0.0.85/secret.php' -d 'HackMyVM=cat secret.php' -H 'Content-Type: application/x-www-form-urlencoded'
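The secret.php behaviour above is a textbook command-injection sink: whatever arrives in the HackMyVM parameter is handed to a shell as-is, which is why `id` and `cat secret.php` both run. The following Python is an added example, not code from the machine or from this writeup, contrasting that pattern with a hardened handler. The function names, the allowlist of actions, and the sample payloads are assumptions made for the example; the point is that the request parameter becomes a selector into fixed argv lists and never a shell token.

```python
import subprocess

# Constructed sample inputs: one legitimate value and two injection payloads
# of the kind the writeup sends to secret.php.
SAMPLE_INPUTS = ["id", "cat secret.php", "id; cat /etc/passwd"]


def vulnerable_argv(user_input: str) -> list:
    """Model the injectable pattern (a shell_exec-style sink): the raw
    parameter becomes the entire command string given to /bin/sh -c.
    This only builds the argv so the example can show what the shell
    would receive without executing it."""
    return ["/bin/sh", "-c", user_input]


# Allowlist: the only operations the form is meant to offer, each mapped to
# a fixed argv. Nothing from the request is ever interpreted by a shell.
ALLOWED_ACTIONS = {
    "id": ["id"],
    "whoami": ["whoami"],
}


def build_argv(user_input: str) -> list:
    """Hardened replacement: the parameter is a selector, not a command.
    Unknown values are rejected outright rather than 'sanitised'."""
    action = user_input.strip()
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unsupported action: {action!r}")
    return list(ALLOWED_ACTIONS[action])


def classify(user_input: str) -> str:
    """Return 'allowed' or 'rejected' for a candidate parameter value."""
    try:
        build_argv(user_input)
        return "allowed"
    except ValueError:
        return "rejected"


def execute(user_input: str) -> subprocess.CompletedProcess:
    """Run the allowlisted argv without a shell, so metacharacters such as
    ';' or '&&' carry no meaning even if they reach this point."""
    return subprocess.run(build_argv(user_input), capture_output=True,
                          text=True, check=False)


if __name__ == "__main__":
    for value in SAMPLE_INPUTS:
        print(f"{value!r}: sink would run {vulnerable_argv(value)!r} "
              f"-> hardened handler: {classify(value)}")
    print(execute("id").stdout.strip())
```

Rejecting anything outside the allowlist is deliberate: attempts to strip or escape metacharacters from free-form input tend to miss a case, whereas mapping a small set of names to fixed argv lists leaves no string for the attacker to shape.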
I logged in as the user prakasaka using the SSH server.
Then, I checked the sudo permissions, which gave me a root shell through the “ip” binary.
sudo ip netns add foo
sudo ip netns exec foo /bin/bash
sudo ip netns delete foo
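The escalation above leaves a clear trace: sudo logs every invocation with the full COMMAND line, and `ip netns exec … /bin/bash` is the signature of a permitted binary being used as a shell launcher. The following Python is an added example, not part of this writeup, that parses sudo's standard syslog line format and flags such launches. The log lines are constructed for the example (hostname, timestamps and paths are made up), and the set of wrapper subcommands is an assumption that only covers the `ip netns exec` case shown on this machine.

```python
import re

# Constructed sample lines in the format sudo writes to syslog/auth.log.
SAMPLE_AUTH_LOG = """\
Mar  1 10:00:01 method sudo: prakasaka : TTY=pts/0 ; PWD=/home/prakasaka ; USER=root ; COMMAND=/usr/sbin/ip addr show
Mar  1 10:00:05 method sudo: prakasaka : TTY=pts/0 ; PWD=/home/prakasaka ; USER=root ; COMMAND=/usr/sbin/ip netns add foo
Mar  1 10:00:06 method sudo: prakasaka : TTY=pts/0 ; PWD=/home/prakasaka ; USER=root ; COMMAND=/usr/sbin/ip netns exec foo /bin/bash
Mar  1 10:00:09 method sudo: prakasaka : TTY=pts/0 ; PWD=/home/prakasaka ; USER=root ; COMMAND=/usr/sbin/ip netns delete foo
Mar  1 10:01:00 method sudo: prakasaka : TTY=pts/0 ; PWD=/home/prakasaka ; USER=root ; COMMAND=/usr/bin/apt update
"""

# sudo's syslog record: "sudo: <user> : TTY=... ; PWD=... ; USER=<runas> ; COMMAND=<argv>"
SUDO_LINE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<command>.*)$"
)

# Interpreters whose appearance as an argument of a sudo-permitted binary
# almost always means that binary is being used to open a shell.
SHELLS = {"bash", "sh", "dash", "zsh", "ksh"}

# Subcommands that execute a further program, turning the permitted binary
# into a wrapper around an arbitrary command. Assumed list; only the case
# from this machine is included.
EXEC_WRAPPERS = {
    "ip": ("netns", "exec"),
}


def parse_sudo_line(line: str):
    """Return the parsed fields of one sudo log line, or None if it is not one."""
    m = SUDO_LINE.search(line)
    return m.groupdict() if m else None


def is_shell_launch(argv: list) -> bool:
    """True if the sudo'd argv hands control to a shell or to an exec wrapper."""
    binary = argv[0].rsplit("/", 1)[-1]
    tail = [a.rsplit("/", 1)[-1] for a in argv[1:]]
    if any(a in SHELLS for a in tail):
        return True
    wrapper = EXEC_WRAPPERS.get(binary)
    if wrapper and tuple(argv[1:1 + len(wrapper)]) == wrapper:
        return True
    return False


def find_sudo_shell_escapes(log_text: str) -> list:
    """Scan log text and return (user, runas, command) for each suspicious sudo."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if not rec:
            continue
        argv = rec["command"].split()
        if argv and is_shell_launch(argv):
            findings.append((rec["user"], rec["runas"], rec["command"]))
    return findings


if __name__ == "__main__":
    for user, runas, command in find_sudo_shell_escapes(SAMPLE_AUTH_LOG):
        print(f"ALERT: {user} ran as {runas}: {command}")
```

The benign `ip addr show` and the `netns add`/`netns delete` bookkeeping are left alone; only the `netns exec` line trips the rule. On the prevention side, the underlying fix is in sudoers: granting a whole networking binary as root is what makes the escape possible, so the grant should be narrowed to the specific argument pattern the user actually needs, or replaced with a dedicated wrapper script.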