Vulnhub HackMePlease Walkthrough
In this walkthrough you will learn how to get an initial foothold through the web application and abuse a sudo misconfiguration to get a privileged shell.
So far you have learnt many tricks in the Linux privilege escalation series, but I didn't find enough worked examples for sudo. Keeping that in mind, here is a walkthrough of a web-to-root machine provided by VulnHub.
I would recommend you first try out this machine – https://www.vulnhub.com/entry/hack-me-please-1,731/
I will leave importing the machine and finding its IP (an Nmap ping scan or the netdiscover tool) to you.
Reconnaissance
In my case the machine IP is 192.168.87.140. I am using Nmap to scan for open ports and the services running on them.
nmap -sV --min-rate 1000 192.168.87.140
This scan showed two open ports: 80 (HTTP) and 3306 (MySQL).
Since directory busting didn't turn up anything, I looked for information in the static assets and luckily found a path.
Browsing to http://192.168.87.140/seeddms51x/seedms-5.1.22/ I found the login panel of the SeedDMS application. The description clearly states that brute force is not required, so MySQL was still the lead to follow.
From the project's repository I found where exactly SeedDMS stores its settings and configuration, and confirmed it using directory busting.
gobuster dir \
-u http://192.168.87.104/seeddms51x \
-w /usr/share/wordlists/rockyou.txt \
-edrf \
-x php,html,cgi
Yes, the directory is /conf and the file is settings.xml. Download the file using curl and hunt for the DB configuration in it.
curl http://192.168.87.104/seeddms51x/conf/settings.xml -sL | grep -i db
Log in to MySQL using the credentials from the above step.
mysql -u seeddms -pseeddms -D seeddms --silent -h 192.168.87.104
There I found two tables that have the string users in them – users and tblUsers. Since I was not able to crack the password, I updated the password of the admin user instead.
-- d8e8fca2dc0f896fd7cb4cb0031ba249 is md5("test\n"), i.e. the output of `echo test | md5sum`
-- (use `echo -n test | md5sum` to hash the bare string "test")
UPDATE tblUsers SET pwd='d8e8fca2dc0f896fd7cb4cb0031ba249' WHERE login='admin';
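From the defender's side, the step above leaves a clear trace: a password-column update on tblUsers issued by a client that is not the web application itself. The following detection sketch is an added example, not code from the original post, and it assumes the MySQL general query log is enabled with the file format `<timestamp> <thread id> <command> <argument>`; the log lines it runs over are constructed to mirror the walkthrough and are not real data.

```python
"""Flag direct password overwrites in the SeedDMS user table (tblUsers.pwd)
from MySQL's general query log, correlating each Query with the Connect line
of its thread so the source host is known.

Assumption (not taken from the post): general_log=ON with log_output=FILE.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of a general query log: thread 12 is a remote client
# rewriting the admin hash; thread 13 is the application on localhost.
SAMPLE_LOG = """\
2021-07-01T10:15:32.100000Z\t   12 Connect\tseeddms@192.168.87.1 on seeddms using TCP/IP
2021-07-01T10:15:40.200000Z\t   12 Query\tSHOW TABLES
2021-07-01T10:15:55.300000Z\t   12 Query\tUPDATE tblUsers set pwd='d8e8fca2dc0f896fd7cb4cb0031ba249' where login='admin'
2021-07-01T10:16:10.400000Z\t   12 Quit\t
2021-07-01T10:20:01.000000Z\t   13 Connect\tseeddms@localhost on seeddms using Socket
2021-07-01T10:20:02.000000Z\t   13 Query\tSELECT * FROM tblUsers WHERE login='saket'
2021-07-01T10:20:03.000000Z\t   13 Query\tUPDATE tblUsers SET pwd='0000000000000000000000000000dead' WHERE login='saket'
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<tid>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")
CONNECT_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<host>\S+) on")
# UPDATE on tblUsers that touches the pwd column, case-insensitive.
PWD_UPDATE_RE = re.compile(r"^\s*update\s+`?tblusers`?\b.*\bpwd\s*=", re.I)

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


@dataclass
class PasswordOverwrite:
    timestamp: str
    thread_id: int
    user: str
    source_host: str
    statement: str

    @property
    def is_remote(self) -> bool:
        # The application changes passwords from the web host itself; anything
        # else is a direct database client and deserves a look.
        return self.source_host not in LOCAL_HOSTS


def find_password_overwrites(log_text: str) -> list[PasswordOverwrite]:
    """Return every pwd update on tblUsers, tagged with the connecting user/host."""
    sessions: dict[int, tuple[str, str]] = {}  # thread id -> (user, host)
    hits: list[PasswordOverwrite] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tid = int(m["tid"])
        cmd, arg = m["cmd"], m["arg"].strip()
        if cmd == "Connect":
            c = CONNECT_RE.match(arg)
            if c:
                sessions[tid] = (c["user"], c["host"])
        elif cmd == "Query" and PWD_UPDATE_RE.match(arg):
            user, host = sessions.get(tid, ("?", "?"))
            hits.append(PasswordOverwrite(m["ts"], tid, user, host, arg))
        elif cmd == "Quit":
            sessions.pop(tid, None)
    return hits


if __name__ == "__main__":
    for hit in find_password_overwrites(SAMPLE_LOG):
        flag = "REMOTE" if hit.is_remote else "local"
        print(f"[{flag}] {hit.timestamp} thread={hit.thread_id} {hit.user}@{hit.source_host}: {hit.statement}")
```

The remote hit is the one worth alerting on; the root cause it points at is MySQL listening on the network with the same credentials that sit in a web-readable settings.xml, so binding MySQL to localhost and denying HTTP access to the conf directory removes the path entirely.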
This time I managed to log in to the application successfully as admin using the admin:test credentials.
Initial Foothold
On searching for exploits, I found that the current version of this application is vulnerable to arbitrary file upload. This is a good start: I can upload my web shell and get a reverse meterpreter session.
The exploit is available on Exploit-DB – https://www.exploit-db.com/exploits/47022 – and the issue was assigned CVE-2019-12744.
Now I have to create the reverse shell payload from msfconsole and upload it to the application.
Upload the shell file and note the document id.
The URL of the uploaded shell might be different in your case. When I was exploiting the application, in my case it was http://192.168.87.140/seeddms51x/data/1048576/4/1.php
On visiting this URL I immediately got a reverse connection and was able to obtain an interactive bash shell on the system.
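What makes the upload exploitable is that the document store under data/ is both web-reachable and served by the PHP handler, so any stored file with a script extension runs as code. The sweep below is an added example, not code from the original post or the SeedDMS project; it builds a constructed sample tree in a temporary directory (the path 1048576/4/1.php mirrors the post but is not a real artefact) and reports every stored file that a web server would treat as a script, checking content as well as extension so a renamed payload is not missed.

```python
"""Sweep a SeedDMS-style data store for files a web server would execute.
Stored documents should be opaque blobs; a PHP file under data/ is exactly
what the uploaded shell in the walkthrough looks like on disk.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

SCRIPT_SUFFIXES = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar",
                   ".cgi", ".pl", ".py", ".sh"}
SCRIPT_MAGIC = (b"<?php", b"<?=", b"#!")


def is_server_script(path: Path) -> bool:
    """Flag on extension, or on leading bytes so a mislabeled file still shows up."""
    if path.suffix.lower() in SCRIPT_SUFFIXES:
        return True
    try:
        with path.open("rb") as fh:
            head = fh.read(64).lstrip()
    except OSError:
        return False
    return head.startswith(SCRIPT_MAGIC)


def scan_data_store(root: Path) -> list[str]:
    """Return POSIX-style paths (relative to root) of every executable-looking file."""
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob("*") if p.is_file() and is_server_script(p))


def demo() -> list[str]:
    """Build a constructed data tree and scan it; returns the flagged paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "data"
        sample = {
            "1048576/1/1.pdf": b"%PDF-1.4 harmless document",
            "1048576/2/1.txt": b"meeting notes",
            # Stand-in for an uploaded script; the real shell is not reproduced here.
            "1048576/4/1.php": b"<?php /* constructed stand-in for an uploaded script */ ?>",
            # Wrong extension but PHP inside: caught by the content check.
            "1048576/5/1.jpg": b"  <?php /* constructed, renamed to look like an image */ ?>",
        }
        for rel, body in sample.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan_data_store(root)


if __name__ == "__main__":
    for hit in demo():
        print("executable content in data store:", hit)
```

Run it against a real install as `scan_data_store(Path("/var/www/html/seeddms51x/data"))`. Detection is the fallback; the fix is to have the web server refuse to execute anything under data/ (for Apache with mod_php, `php_admin_flag engine off` inside a Directory block for that path), so that even a successful upload yields a downloadable file rather than a running script.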
Privilege Escalation
While checking /etc/passwd for user enumeration, I found a user that we encountered earlier in the MySQL table.
Since I was not on an actual tty session, I used the python pty module to spawn one.
# https://netsec.ws/?p=337
$ python -c "import pty; pty.spawn('/bin/bash')"
I found that the login was vulnerable to password reuse and managed to log in as the saket user with the password from MySQL. Later I found that the user is configured to run any command as ALL users via sudo. You can now use the command sudo bash to get a shell with root user permissions.
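The sudo rule that ends this box is the kind of thing a periodic sudoers audit catches before an attacker does. The checker below is an added example, not code from the original post; it parses user specifications in sudoers syntax from a constructed excerpt (the saket line mirrors the post, the others are made up) and flags the patterns worth reviewing: ALL as the command list, a shell as the permitted command, and NOPASSWD tags. It goes a little beyond the page's single case by handling group entries and the way a NOPASSWD tag carries over to later commands in the same spec.

```python
"""Audit sudoers user specifications for rules that amount to a root shell.
Handles the common 'who hosts=(runas) [TAG:] cmd, cmd' form; aliases and
Defaults lines are skipped.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Constructed sudoers excerpt, not taken from the machine.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
saket   ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
www-data ALL=(root) NOPASSWD: /bin/bash   # left over from a debugging session
deploy  ALL=(deploy) /usr/bin/systemctl restart app
"""

SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(
    r"^(?:(?:NO)?(?:PASSWD|EXEC|SETENV|LOG_INPUT|LOG_OUTPUT|MAIL|FOLLOW|INTERCEPT)\s*:\s*)+")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")
SHELLS = {"bash", "sh", "dash", "zsh", "ksh", "fish", "csh", "tcsh"}


@dataclass
class Finding:
    who: str
    severity: str
    reason: str


def audit_sudoers(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        who, runas = m["who"], m["runas"] or "root"
        if who == "root":
            continue  # root has nothing to escalate to
        nopasswd = False  # a NOPASSWD tag sticks until a PASSWD tag resets it
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            tags = TAG_RE.match(cmd)
            if tags:
                for tag in re.findall(r"[A-Z_]+", tags.group(0)):
                    if tag == "NOPASSWD":
                        nopasswd = True
                    elif tag == "PASSWD":
                        nopasswd = False
                cmd = cmd[tags.end():].strip()
            if not cmd:
                continue
            if cmd == "ALL":
                findings.append(Finding(who, "critical", f"may run ALL commands as ({runas})"))
            elif os.path.basename(cmd.split()[0]) in SHELLS:
                findings.append(Finding(who, "critical", f"may run a shell as ({runas}): {cmd}"))
            if nopasswd:
                findings.append(Finding(who, "medium", f"no password required for: {cmd}"))
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f.severity:8} {f.who:10} {f.reason}")
```

On a live system feed it `/etc/sudoers` and the files under `/etc/sudoers.d/`; a critical finding for an account that shares a password with an application database, as saket does here, is a complete path to root and should be reduced to the specific commands the account actually needs.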
If you want a refresher on sudo misconfigurations, I have already published the posts Understand Sudo in Linux and Exploiting Sudo Misconfiguration to Get Root Shell.
NOTE: To log in as another system user with su or sudo, you need the password prompt, which relies on a pty or tty session; without one, sudo can only prompt through an askpass helper.