Method

To find the IP of the victim machine, I use the arp-scan command to discover the devices connected to my local network and locate the one whose MAC address starts with 08:, indicating it is a VirtualBox virtual machine.

sudo arp-scan -I eth0 --localnet

Next, we run a quick Nmap scan to see which ports are open.

sudo nmap -sS --min-rate 4500 -n -Pn 192.168.18.163

And now we perform a more detailed scan on those open ports and save the result in a file called target.txt.

nmap -sCV -p22,80 -n -Pn 192.168.18.163 -oN target.txt
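Added example, not part of the original writeup: a small Python parser for the Nmap normal-output file (the target.txt written above) that extracts the host, MAC address and port table, and then compares the open ports against an expected baseline, which is how a defender would turn the same scan into an exposure check rather than a target list. The sample output embedded in it is constructed to match the -oN layout (version strings and fingerprint are placeholders, not the real box); the 08:00:27 prefix check is the VirtualBox OUI that the "MAC address starts with 08:" remark refers to.

```python
"""Parse Nmap normal (-oN) output and compare it with an expected-exposure baseline."""
import re
from typing import Dict, List, Optional, Set

# Constructed sample in the shape target.txt would have after
# "nmap -sCV -p22,80 -n -Pn 192.168.18.163 -oN target.txt".
# Version strings, fingerprint and timestamps are placeholders, not real values.
SAMPLE_TARGET_TXT = """\
# Nmap scan initiated (constructed) as: nmap -sCV -p22,80 -n -Pn 192.168.18.163 -oN target.txt
Nmap scan report for 192.168.18.163
Host is up (0.00035s latency).

PORT   STATE  SERVICE VERSION
22/tcp open   ssh     OpenSSH (constructed version) (protocol 2.0)
| ssh-hostkey:
|_  3072 <constructed fingerprint> (RSA)
80/tcp open   http    Apache httpd (constructed version)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 08:00:27:00:00:00 (constructed vendor string)
Service Info: OS: Linux

# Nmap done at (constructed) -- 1 IP address (1 host up) scanned
"""

# One line per scanned port, e.g. "22/tcp open  ssh  OpenSSH ..."; the VERSION
# column is optional because plain -sS scans print no version at all.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.*))?$"
)
HOST_LINE = re.compile(r"^Nmap scan report for (?P<host>\S+)")
MAC_LINE = re.compile(r"^MAC Address: (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")

VIRTUALBOX_OUI = "08:00:27"  # Oracle VirtualBox NIC OUI (the "08:" prefix from the arp-scan step)


def parse_nmap_normal(text: str) -> Dict[str, object]:
    """Return {"host": str|None, "mac": str|None, "ports": [ {...}, ... ]} from -oN text."""
    host: Optional[str] = None
    mac: Optional[str] = None
    ports: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HOST_LINE.match(line)
        if m:
            host = m.group("host")
            continue
        m = MAC_LINE.match(line)
        if m:
            mac = m.group("mac").lower()
            continue
        m = PORT_LINE.match(line)
        if m:
            # NSE script output lines start with "|" and never match PORT_LINE,
            # so they are skipped without special handling.
            ports.append({
                "port": int(m.group("port")),
                "proto": m.group("proto"),
                "state": m.group("state"),
                "service": m.group("service"),
                "version": (m.group("version") or "").strip(),
            })
    return {"host": host, "mac": mac, "ports": ports}


def open_ports(report: Dict[str, object]) -> Set[int]:
    """Port numbers Nmap reported as open (filtered/closed are ignored)."""
    return {p["port"] for p in report["ports"] if p["state"] == "open"}  # type: ignore[index]


def unexpected_ports(report: Dict[str, object], allowed: Set[int]) -> Set[int]:
    """Open ports that are not in the expected-exposure baseline; anything here needs a look."""
    return open_ports(report) - set(allowed)


def is_virtualbox_mac(mac: Optional[str]) -> bool:
    """True when the MAC belongs to the VirtualBox OUI, as used to pick the VM out of arp-scan output."""
    return mac is not None and mac.lower().startswith(VIRTUALBOX_OUI)


if __name__ == "__main__":
    rep = parse_nmap_normal(SAMPLE_TARGET_TXT)
    print(f"host={rep['host']} mac={rep['mac']} virtualbox={is_virtualbox_mac(rep['mac'])}")
    for p in rep["ports"]:  # type: ignore[union-attr]
        print(f"  {p['port']}/{p['proto']} {p['state']} {p['service']} {p['version']}")
    # Baseline: only SSH is supposed to be reachable on this host.
    print("unexpected:", sorted(unexpected_ports(rep, {22})))
```

Pointing the baseline at a scheduled scan of your own hosts and alerting on a non-empty `unexpected_ports` result is the defensive counterpart of the enumeration in this writeup: the web server on port 80 would show up as a deviation the moment it was exposed.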

We observe a website hosted on this machine via port 80, but only the default homepage is visible.

I use Gobuster to enumerate hidden files and directories. We find a file called note.txt that tells us the solution is to enumerate.

gobuster dir -u http://192.168.18.163/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s 200 -b "" --exclude-length 3690 -x html,txt,xml,bak

I decide to keep enumerating with more extensions (zip, htm, php, c) and come across index.htm, which contains the following:

Upon inspecting the page source with Ctrl + U, we notice a hidden form that calls a file named secret.php using the GET method. It includes an input named "HackMyVM".

I'm going to send a request with all the data collected earlier.

It tells us to use another method. To do this, I'll use the POST method. In Burp Suite, we have an option to convert from GET to POST and vice versa with just the click of a button.

It says we already found it, so let's put some value in the request.

And we see that we have access to the victim machine as the user www-data (the web server user). I'm going to spawn a reverse shell back to my machine and upgrade it to a proper TTY.

Now that we're inside, let's enumerate the existing users on the machine.

grep /bin/bash /etc/passwd

We find the user prakasaka and the root user.

I decide to go to prakasaka's home directory, and we see that we can read the User Flag as www-data.

But let's not get ahead of ourselves. The next step toward escalating privileges is to read the file secret.php, where we find the password for the user prakasaka.

Now it's time to escalate privileges to root. To do this, we execute the command sudo -l to see the commands that prakasaka can run with sudo privileges.

We can execute /bin/ip as root, so let's go to GTFOBins and run the commands it shows us to escalate to root. In this case, we will use the following commands:

sudo ip netns add foo
sudo ip netns exec foo /bin/sh
sudo ip netns delete foo

And there we go, we're now the root user and can obtain the Root Flag.