Bah

When starting the machine, it displays its IP address.

IP of the victim machine

We'll start by conducting a quick NMAP scan to see which ports the target machine has open.

sudo nmap -sS -p- --min-rate 4500 -n -Pn 192.168.18.184

Now that we know the open ports, we'll perform a more intensive scan on those ports to identify the version and additional characteristics.

nmap -sCV -p80,3306 -n -Pn 192.168.18.184 -oN target
NMAP scan

Upon entering the website hosted on port 80 (HTTP), we encounter a login screen.

Login screen

I found that the installed qdPM version is vulnerable to Cross-Site Request Forgery (CSRF) and that its database password is exposed.

I search for vulnerabilities in qdPM on searchsploit

The username and password can be found in this directory:

Path where the username and password are located
We obtain the file
User and password

Now we log in, but not through the website, since we don't have an email address. Instead we connect to port 3306 (MySQL) and access the database hosted on the victim machine.

We are inside the database

I select the 'hidden' database:

We find 2 tables: 'url' and 'users':

On one hand, in the 'users' table, we find IDs, usernames, and passwords.

On the other hand, in the 'url' table, we obtain a list of URLs.

We'll save all the information obtained in a file.

To start, we'll use WFUZZ with the list of URLs as Host headers to see which of them the web server recognizes as a virtual host:

wfuzz -c -w URLs.txt -u 192.168.18.184 -H "HOST: FUZZ"

We notice that 'party.bah.hmv' gets a different response from the rest. So we add it to the /etc/hosts file so our machine resolves that domain to the victim's IP.
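From the defender's side, the virtual-host fuzzing above leaves a recognizable trace: one client sending many requests in a short window, each with a different Host header, and exactly one host answering with a different body size. The script below is an added example, not part of the original write-up; it assumes an Apache-style access log that also records the Host header (a custom LogFormat of the form `%h %l %u %t "%r" %>s %b "%{Host}i" "%{User-Agent}i"`), and the log lines it runs on are constructed for the example.

```python
"""Detect Host-header (virtual host) fuzzing in web server access logs.

Added example (not from the original write-up). Assumes a LogFormat of:
  %h %l %u %t "%r" %>s %b "%{Host}i" "%{User-Agent}i"
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one scanner rotating Host headers, one normal visitor.
SAMPLE_LOG = [
    '192.168.18.50 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 310 "admin.bah.hmv" "Wfuzz/3.1.0"',
    '192.168.18.50 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 310 "dev.bah.hmv" "Wfuzz/3.1.0"',
    '192.168.18.50 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "party.bah.hmv" "Wfuzz/3.1.0"',
    '192.168.18.50 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 310 "mail.bah.hmv" "Wfuzz/3.1.0"',
    '192.168.18.50 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 310 "test.bah.hmv" "Wfuzz/3.1.0"',
    '192.168.18.50 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 310 "www.bah.hmv" "Wfuzz/3.1.0"',
    '192.168.18.20 - - [01/Jan/2024:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "party.bah.hmv" "Mozilla/5.0"',
    '192.168.18.20 - - [01/Jan/2024:10:05:03 +0000] "GET /style.css HTTP/1.1" 200 900 "party.bah.hmv" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<host>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def detect_vhost_fuzzing(lines, min_hosts=5, window=timedelta(seconds=60)):
    """Flag client IPs that present at least `min_hosts` distinct Host headers
    inside any `window`-long span. For each alert, report the hosts whose
    response size differs from the majority: those are the real virtual hosts
    the scanner has just discovered."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best = None  # the sliding window with the most distinct hosts
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            hosts = {r["host"] for r in span}
            if best is None or len(hosts) > len(best["hosts"]):
                best = {"hosts": hosts, "span": span}
        if best is not None and len(best["hosts"]) >= min_hosts:
            common_size = Counter(r["size"] for r in best["span"]).most_common(1)[0][0]
            outliers = sorted({r["host"] for r in best["span"] if r["size"] != common_size})
            alerts[ip] = {
                "distinct_hosts": len(best["hosts"]),
                "outlier_hosts": outliers,
                "first_seen": best["span"][0]["ts"].isoformat(),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_vhost_fuzzing(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_hosts']} Host values, "
              f"distinct responses for {info['outlier_hosts']}")
```

The outlier host is the useful signal: it tells the defender which name the scanner can now reach, and it also shows the mitigation. If the default virtual host answered unknown Host values with the same response the real one gives (or refused them outright), the fuzz would have nothing to distinguish.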

sudo nano /etc/hosts
/etc/hosts

And now we access.

It prompts us to log in. I decide to use the username and password we obtained earlier.

User: qpmadmin
Password: qpmpazzw

And we're in. Now I'll set up a reverse shell for a more comfortable working environment, and upgrade it to a full TTY.

Let's enumerate the users on the victim machine:

grep /bin/bash /etc/passwd
Users in the machine

We see a user named rocio, which is present in the table we downloaded earlier from the database.

Rocio password

We switch to the rocio user and obtain the user flag.

User flag

It's time to start with the privilege escalation to become the root user.

To do this, we'll use pspy64, a process-monitoring tool for Linux that lets us watch commands and cron jobs launched by other users (including root) without needing elevated privileges. We download it from here on our local machine: pspy64

Then, using netcat, we'll transfer the program from our local machine to the victim machine.

Victim machine:

nc -lvnp 8888 > pspy64

Local machine:

nc 192.168.18.184 8888 < pspy64

And we grant execute permissions to pspy64.

The time has come to run pspy64. And we come across this:

Result upon running pspy64

It's the command line of shellinaboxd, a server that provides a browser-based web terminal over HTTP. Looking at its arguments, we see that root executes whatever is at /tmp/dev whenever someone accesses the /devel path. The shellinaboxd manual shows how this service definition works:

Manual for shellinaboxd
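The weakness here is a configuration one: a service definition that runs, as root, a program living in a world-writable directory. An auditor can catch that from the process list alone. The script below is an added example, not part of the original write-up; it parses shellinaboxd `-s` / `--service` definitions (the `/url:USER:GROUP:CWD:CMD` form from the manual) out of pspy-style process lines and flags any command whose executable sits under /tmp, /var/tmp or /dev/shm. The process lines it runs on are constructed for the example.

```python
"""Audit shellinaboxd service definitions for root-run commands in world-writable paths.

Added example (not from the original write-up). Input lines are constructed
in the style of pspy output; the parser works on any shellinaboxd command line.
"""
import shlex

# Directories every local user can write to; a command here can be swapped out.
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample: one risky service, one normal LOGIN service, one unrelated process.
SAMPLE_PROCESS_LINES = [
    "2024/01/01 10:00:01 CMD: UID=0 PID=812 | /usr/bin/shellinaboxd -t -b -p 4242 -s /devel:root:root:/:/tmp/dev",
    "2024/01/01 10:00:02 CMD: UID=0 PID=813 | /usr/bin/shellinaboxd -t -b -p 4200 --service=/:LOGIN",
    "2024/01/01 10:00:03 CMD: UID=1000 PID=900 | /usr/bin/sleep 60",
]


def parse_services(cmdline):
    """Return every SERVICE string given to shellinaboxd via -s / --service."""
    argv = shlex.split(cmdline)
    services = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-s", "--service"):
            if i + 1 < len(argv):
                services.append(argv[i + 1])
                i += 2
                continue
        elif arg.startswith("--service="):
            services.append(arg[len("--service="):])
        elif arg.startswith("-s") and len(arg) > 2:  # joined short form: -s/devel:...
            services.append(arg[2:])
        i += 1
    return services


def parse_service(service):
    """Split one SERVICE string into its fields.
    Forms per the manual: /url:LOGIN, /url:SSH[:host], /url:USER:GROUP:CWD:CMD."""
    parts = service.split(":", 4)  # CMD itself may contain ':' so cap the split
    url = parts[0]
    if len(parts) >= 2 and parts[1] in ("LOGIN", "SSH"):
        return {"url": url, "mode": parts[1], "user": None, "cmd": None}
    if len(parts) == 5:
        return {"url": url, "mode": "CMD", "user": parts[1],
                "group": parts[2], "cwd": parts[3], "cmd": parts[4]}
    return {"url": url, "mode": "UNKNOWN", "user": None, "cmd": None}


def audit_process_lines(lines):
    """Return a finding for each shellinaboxd service whose executable lives in a
    world-writable directory; 'critical' when the service runs as root."""
    findings = []
    for line in lines:
        if "shellinaboxd" not in line:
            continue
        cmdline = line.split("|", 1)[1].strip() if "|" in line else line
        for svc in parse_services(cmdline):
            info = parse_service(svc)
            if info["mode"] != "CMD":
                continue
            exe = shlex.split(info["cmd"])[0]  # program path, ignoring its arguments
            if any(exe.startswith(d) for d in WORLD_WRITABLE_DIRS):
                as_root = info["user"] in ("root", "0")
                findings.append({
                    "url": info["url"],
                    "user": info["user"],
                    "cmd": exe,
                    "severity": "critical" if as_root else "high",
                    "reason": "service executable is in a world-writable directory",
                })
    return findings


if __name__ == "__main__":
    for f in audit_process_lines(SAMPLE_PROCESS_LINES):
        print(f"[{f['severity']}] {f['url']} runs {f['cmd']} as {f['user']}: {f['reason']}")
```

The same check applies to the shellinabox configuration file and to any service wrapper that takes a command path: the fix is to keep the executable in a root-owned directory that only root can write to, and to run the service as the least-privileged user that can do the job rather than as root.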

So, I'm going to create a file named dev in the /tmp directory that launches a reverse shell, giving us quick access as the root user.

Contents of the 'dev' file

And we grant permissions:

chmod +x dev

Now we access the /devel directory.

And we receive the Reverse Shell without any issues.

We are root

We obtain the root flag, and that's it: we have successfully completed the machine.
