In this write-up, I will try to solve the 5th machine in the QUICK series of HackMyVM.
The machine has the IP address 192.168.0.163.
Let’s first perform an nmap scan to check the open ports and the services running on them. Again, it has only 2 ports open: 22 (SSH) and 80 (HTTP).
Let’s visit the web application in browser, it is quite similar to previous boxes.
When I clicked on “Make Appointment”, it seems the page is still under construction.
When the above page is open, the address is http://customer.quick.hmv/, so I added it to the /etc/hosts file.
I performed dirb as well as wfuzz against the IP, but the results are almost the same. Then I performed the same scan on the customer subdomain, but it did not give any useful result.
When I visited the website again, I noticed Carrers tab which when clicked, redirected to carrers.quick.hmv subdomain.
I decided to fuzz this using wfuzz and got a couple of hits.
Let’s visit apply.php in the browser. It provides the ability to upload a file.
I tried to upload a PHP shell, but it only accepts either .php or .odt format.
I then searched for how to exploit an upload functionality that accepts .odt files. I came across this and this article, and followed them.
So I decided to first test whether the file I am going to upload works for me or not. I created a document with a simple macro which makes a curl request to a Python server hosted on the Kali machine.
Let’s host a python server on port 9090 and upload the file with macro.
I got a request on the Python HTTP server. This proves the system is executing macros, and we can now upload an exploit which gives us a reverse shell.
Macro for reverse shell
Once the macro is executed, I got the reverse shell on Kali on port 9001.
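For the defender side of this step, here is an added example (not code from the box or the write-up) of the server-side check an upload form like apply.php is missing: it opens the .odt as the zip container it is and rejects documents that ship macro modules or auto-run event bindings. The member paths and the event-listener marker assume the standard LibreOffice/OpenOffice document layout; the sample documents are constructed in memory.

```python
import io
import zipfile

# Archive members that only exist when an ODF document carries embedded macros
# (assumption: standard LibreOffice layout, Basic/ for StarBasic modules and
# Scripts/ for Python, JavaScript or BeanShell macros).
MACRO_DIRS = ("Basic/", "Scripts/")
# Event bindings in content.xml are how a macro gets attached to "document opened".
AUTO_RUN_MARKER = b"script:event-listener"


def build_odt(extra_files):
    """Build a minimal ODT container in memory (constructed test data, not a real document)."""
    files = dict(extra_files)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", files.pop("content.xml", b"<office:document-content/>"))
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def inspect_odt(odt_bytes):
    """Describe the macro indicators found in an uploaded .odt (valid_odf stays False for non-zips)."""
    result = {"valid_odf": False, "macro_members": [], "auto_run": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(odt_bytes))
    except zipfile.BadZipFile:
        return result
    with zf:
        names = zf.namelist()
        # A genuine ODF file carries a 'mimetype' member with the OpenDocument media type.
        if "mimetype" in names and zf.read("mimetype").startswith(b"application/vnd.oasis.opendocument"):
            result["valid_odf"] = True
        result["macro_members"] = sorted(n for n in names if n.startswith(MACRO_DIRS))
        if "content.xml" in names and AUTO_RUN_MARKER in zf.read("content.xml"):
            result["auto_run"] = True
    return result


def should_reject(odt_bytes):
    """Upload policy: drop anything that is not ODF or that carries any macro indicator."""
    info = inspect_odt(odt_bytes)
    return (not info["valid_odf"]) or bool(info["macro_members"]) or info["auto_run"]
```

Checking the container this way also catches a renamed PHP file, since it is not a valid zip and therefore not a valid ODF document.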
When I executed LinPEAS, it showed some output related to Mozilla Firefox, and the machine also has a GUI enabled. So we should check the Firefox profile location, which may contain an encrypted username and password.
Let’s check the location /home/andrew/snap/firefox/common/.mozilla/firefox/ii990jpt.default/
I gzipped the whole Firefox directory and transferred it to the Kali machine. Using the command below I got the username and password for andrew.speed.
find . -name 'logins.json' -exec jq '.logins[] | .hostname, .encryptedUsername, .encryptedPassword' -r {} \; | pwdecrypt -d .