I was away for a couple of days. I try to do some practice everyday; the first day I did SimpleCTF from THM on my phone (I had no computer with me) which was kind of a pain in the ass but I got it done; next day I did a little bit of OverTheWire. Now I’m home again and decided to do this one, because some guy on the VulnHub discord said:
Hacksudo 1.1 really hamring , quite difficult I took 2 day to solved
Well either he was having a bad day or I had a good one because it took me about 90 minutes.
This is HACKSUDO: 1.0.1 from Vulnhub. The page doesn’t indicate whether it was supposed to be difficult or not; I suspect not.
Ports
SSH on 2222, plus HTTP on ports 80 and 8080.
HTTP/80
There is a lot going on here; it’s designed around an online store. Stacks of pages - mostly PHP - many of which display the page source and show lots of stuff about MySQL which makes you think SQLi. I tried sqlmap on about three different things, but to no avail. Example:
etc.
HTTP/8080
We have Apache Tomcat. Putting aside the other port for a while, I try some default creds and bingo! we get a hit with tomcat:tomcat. Once we get that we can create a WAR file:
Then upload it with the browser and navigate to it to trigger our shell:
Vishal
Some poking around and looking in home directories etc reveals we probably need to become Vishal, but we don’t have a password (yet). Linpeas to the rescue:
We can then SSH in:
Hacksudo
I’d seen from linpeas that we had a cronjob running as hacksudo every minute:
*/1 * * * * hacksudo /home/hacksudo/./getmanager
And looking through the files it was obvious that the getmanager binary was calling this file: