Hackme1

Hackme 1 Vulnhub Walkthrough

Enumeration

nmap

nmap -sC -sV -oA nmap/hackme1 192.168.1.109
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-23 19:15 EDT
Nmap scan report for 192.168.1.109
Host is up (0.00016s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.7p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 6b:a8:24:d6:09:2f:c9:9a:8e:ab:bc:6e:7d:4e:b9:ad (RSA)
|   256 ab:e8:4f:53:38:06:2c:6a:f3:92:e3:97:4a:0e:3e:d1 (ECDSA)
|_  256 32:76:90:b8:7d:fc:a4:32:63:10:cd:67:61:49:d6:c4 (ED25519)
80/tcp open  http    Apache httpd 2.4.34 ((Ubuntu))
|_http-server-header: Apache/2.4.34 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 00:0C:29:BA:01:E1 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.83 seconds

Dirb

Let's put the IP to the web browser

Got a login form

Then I click sign up now

After making an account and log in

Exploitation

SQL injection

I tried few tries of SQL injection and successfully got 1 injection using this command

Then I open up Burp and intercept the welcome.php page and send it to repeater.

Then I tried using UNION SELECT and test how many tables are available

The query make a response to us and it has 3 databases

Then I use this query to extract all the database name

We got few here to see what inside.

After extracting every databases, I found out that database that have interesting tables is webapphacking by usinig this query

2 table has been found which is books and users

After that, I extract both tables together using this query

Got a lot of things, let's copy it and put it inside a file

Then we can use sed to replace the comma to newline which the command looks like this

Then we can extract each of the columns name, found out the most interesting one is user and password

Then we got a very long result from the query, copy it to a file and use sed command to separate it properly

John

As we can see it is all md5 hash so we can put it to this website to crack cause john is cracking way too slow!

Then we can log in with the superadmin account

Got a website that leads us to upload a file

Reverse Shell

We can go to this website and grab the php reverse shell file

Then, we need to change the IP and the port inside the file

After that, upload to the server

Then, we go to the /upload directory that we discovered using dirb just now

First, we need to set up a listener at our machine

Our machine

As we can see here we got a file, click the reverseShell file

Privilege Escalation

Go to the /home/legacy directory and we can see a file called touchmenot

run the file and you will get root !

Congratulation !

PreviousGolden Eye 1NextStapler 1

Last updated

Was this helpful?