Breaking News



That is the HackMyVM Keys Walkthrough.

Internet Enumeration

The webserver is hiding eye-catching knowledge, it took a couple of other lists from seclists to seem out one thing superb. What we do to go looking out is a document readme.php and that means we will be able to examine additional.

gobuster dir -r -u http://10.0.50.79/ -w /usr/proportion/seclists/Discovery/Internet-Content material subject material subject material/directory-list-2.3-small.txt -x php

The primary web internet web page we run into says to READ the web internet web page, so I check out up on the net internet web page supply code and to go looking out some base64. The decode to seem a hidden tick list my_personal_wordlist.txt. We can finally in spite of everything finally end up interpreting more than a few issues on this walkthrough. Hanging that string all the way through the browser we discover a wordlist, that is remember that point out to be helpful for bruteforcing.

Fuzzing PHP Parameters

What does that point out? Fuzzing PHP parameters is a troublesome process, however person who you need to learn how to develop into a moral hacker. It will just about definitely turn out to be useful in taking the OSCP examination too, who is aware of. Take a at hand knowledge a rough glance each and every other educational for PHP param fuzzing. This will give you some additional follow. That was once once a truly best possible field and I like to signify it.

With wfuzz I get pleasure from –hh BBB to filter out in order that we don’t get the annoying message for each and every web internet web page. Filters like those may also be constructed towards a reference HTTP reaction, referred to as the “baseline”. What’s the baseline enter in wfuzz? They’re {baseline enter} irrespective of is integrated inside the ones brackets. As an example, the former command for filtering “no longer discovered” belongings the use of the –hh transfer can have be accomplished with the next command: wfuzz -c -z document,pw –hh BBB http://10.0.50.79/readme.php?FUZZ{stfu}=../../../../../and so on/passwd

More or less the principle the reason why, if no longer unquestionably indubitably one in every of them, for PHP param fuzing is searching for LFI (Native File Inclusion) vulnerabilities. Extra continuously than no longer in truth whilst you run into an oddly-named php document corresponding to readme.php on this case, then the supposed vulnerability is in step with LFI or RFI.

Let’s come with this common sense into the fuzzing and search for skilled params that check LFI. We discover one and use it to offload the document of usernames all the way through the far off /and so on/passwd document. Superb fortune!

There is also otherwise to take this and that’s the reason to test the code of the readme.php document, however we will be able to best possible do this by way of PHP filter out wrapper. We discover alternatively each and every other base64 string, which we will be able to in brief decode.

http://10.0.50.79/readme.php?34sy=php://filter out/convert.base64-encode/useful helpful useful resource=readme.php

Now we have now now a touch about Z85, one of those encoding. Interpreting the string leads us to a brand new endpoint at the webserver. Now we have now now a brand new trace about there being a zipper document as smartly. So we obtain each one of those and try them since there are millions of them, what??

A easy script in Bash checks each and every document for variations and there is also one, however it is only a word. On the other hand, it method we will be able to to go looking out the important issue via that 4695 quantity all the way through the id_rsa zip document. Did I point out you need to acquire that zip document?

THE HACKMYVM KEYS WALKTHROUGH

Now we connect with the objective the use of the RSA SSH key.

Privilege Escalation

So far as Linux privilege escalation is going, this was once once a very distinctive vulnerability. We discover a GPG personal key and each and every other eye-catching document all the way through the quick tick list once we login as stephen. I get pleasure from John at the document and crack it to expose the catchphrase. You’ll be able to want this for the following steps!

cat /var/mail/private_key.gpg 
                               
gpg2john privkey > crackme
john --w=/usr/proportion/wordlists/rockyou.txt crackme

The whole steps are to import the important issue and decode the encrypted message. This will most likely display the foundation password and your next step is trivial to login.

THE HACKMYVM KEYS WALKTHROUGH

And it’s rooted.


Leave a Reply

Your email address will not be published. Required fields are marked *

Donate Us

X