Hackmyvm: Connection machine write-up

Vishal
Nov 27, 2022

Let's try to solve the Connection machine from HackMyVM.

Nmap to find all open ports on the machine.

nmap to find all open ports

Let's find the service versions.

Opened the website in the browser. It is the Apache default page.

Apache default page

Unable to find any interesting directory or file in web enumeration.

gobuster on the website.

As SMB is running on the server and ports 139 and 445 are open, use smbclient to list the shares.

smbclient O/P

I am able to access the share share without any password, which is good. Inside the share directory there is an html directory, and inside html there is an index.html file.

I tried to put the reverse_shell.php file there, as I am able to write files into it. Let's start the listener on port 9001 on localhost and access the reverse shell PHP file from the browser.

accessing the php reverse shell from the browser to get the reverse shell

Got the reverse shell from the host

reverse shell

Used the find command to find all the binaries with the SUID bit set.

find / -perm -u=s -type f 2>/dev/null

SUID binaries

As we can see, the SUID bit is set on gdb, which we can use to get a shell. As per GTFOBins, use the command below to escalate privileges to root.

gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit

root shell using gdb

Glance at the smb.conf file
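The foothold above depended on one combination in smb.conf: a share that accepts guests, is writable, and has its path inside the Apache document root. As an added example (not part of the original write-up), this Python script audits an smb.conf for that combination; the sample config is constructed because the machine's real file is not reproduced here, and WEB_ROOTS is an assumed list of web roots.

```python
import posixpath

TRUE = {"yes", "true", "on", "1"}                  # spellings Samba treats as enabled
INVERTED = {"writable", "writeable", "write ok"}   # inverted synonyms of "read only"
WEB_ROOTS = ("/var/www", "/srv/www")               # assumption: web roots on this host

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with synonyms folded onto one name."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            key = " ".join(key.lower().split())
            if key in INVERTED:                    # "writable = yes" means "read only = no"
                key, value = "read only", "no" if value.lower() in TRUE else "yes"
            current["guest ok" if key == "public" else key] = value
    return conf

def audit(text):
    """List (share, path, severity) for every share that guests can write to."""
    conf = parse_smb_conf(text)
    glob, findings = conf.get("global", {}), []
    for name, share in conf.items():
        flag = lambda key, default: share.get(key, glob.get(key, default)).lower() in TRUE
        if name == "global" or not flag("guest ok", "no") or flag("read only", "yes"):
            continue
        path = posixpath.normpath(share.get("path", ""))
        in_web = any(path == r or path.startswith(r + "/") for r in WEB_ROOTS)
        findings.append((name, path, "critical" if in_web else "high"))
    return findings

# Constructed sample, not the machine's real smb.conf
SAMPLE = """\
[global]
   map to guest = Bad User
[share]
   path = /var/www
   guest ok = yes
   read only = no
[docs]
   path = /srv/docs
   public = yes
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A share is reported as critical when uploaded files can be served, and possibly executed, by the web server; setting `read only = yes` or `guest ok = no` on it clears the finding.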

Hope you like it. Bye!
