Vulnhub HackMePlease Walkthrough

In this, you will learn how to get an initial foothold through the web application and exploit sudo to get the privileged shell

Vulnhub HackMePlease Walkthrough

So far you have learnt so many tricks in the Linux privilege escalation series. I didn't find enough examples for sudo. Keeping that in mind, here I am writing a walk-through on a web-to-root machine provided by vulnhub

I would recommend you first try out this machine – https://www.vulnhub.com/entry/hack-me-please-1,731/

I will leave the tasks to import the machine and find the IP using the Nmap ping scan for the netdiscover tool.

Reconnaissance

In my case machine, IP is 192.168.87.140. I am using Nmap to scan for open ports and running services on the machine

nmap -sV --min-rate 1000 192.168.87.140

This scan showed two open ports 80 and 3306

Since I couldn't find anything via directory busting, so I mind looking for information in the static assets and luckily find a path

On checking the path on the web at http://192.168.87.140/seeddms51x/seedms-5.1.22/ I found a login panel of the SeedDMS application. Since in the description it's clearly mentioned that brute force is not required and I still have to check for MySQL.

I found from the repository where exactly it stores its settings and configuration and confirmed using directory busting

gobuster dir \
-u http://192.168.87.104/seeddms51x \
-w /usr/share/wordlists/rockyou.txt \
-edrf \
-x php,html,cgi

Yes, the directory is /conf and the name of that file is settings.xml. Download the file using curl and hunt for db configurations in it

curl http://192.168.87.104/seeddms51x/conf/settings.xml -sL | grep -i db

Login to the MySQL using credentials from the above step

mysql -u seeddms -pseeddms -D seeddms --silent -h 192.168.87.104

There I found two tables that have users string in them – users and tblUsers. Since I was not able to crack the password, so I have updated the password of the admin user

-- md5("test") = d8e8fca2dc0f896fd7cb4cb0031ba249
UPDATE tblUsers set pwd='d8e8fca2dc0f896fd7cb4cb0031ba249' where login='admin'

This time I have managed to login the application successfully as admin using admin:test credentials

Initial Foothold

On searching for exploits, I found that the current version of this application is vulnerable to arbitrary file upload. This is a good start, I can upload my web shell and get reverse meterpreter

The exploit is available on exploitdb – https://www.exploit-db.com/exploits/47022 and CVE was assigned to this as CVE-2019-12744

Now I have to create the reverse shell payload from msfconsole and upload to the application

Now upload the shell file and obtain the document id

The URL of the uploaded shell might be different in your case. When I was exploiting the application, in my case it was http://192.168.87.140/seeddms51x/data/1048576/4/1.php

On running visiting this URL, immediately I got reverse connection and was able to obtain an interactive bash shell on the system

Privilege Escalation

While checking /etc/passwd for user enumeration, I found that there is a user which we encountered earlier in the MySQL table.

Since I am not on an actual tty session, so I used the python pty module to spawn a pty session

# https://netsec.ws/?p=337
$ python -c "import pty; pty.spawn('/bin/bash')"

I found that login was vulnerable to password reuse and managed to log in via saket user and the password from MySQL. Later I found the user has configured to run any command as ALL users via sudo. You can now use the command sudo bash to get the shell with root user permissions

If you want a refresher on sudo misconfigs, I have already published the posts – Understand Sudo in Linux and Exploiting Sudo Misconfiguration to Get Root Shell

NOTE: To log into any system user, you need to get the prompt from askpass utility which rely on pty or tty session