Hackmyvm: Connection machine write-up

Vishal
3 min readNov 27, 2022

Lets try to solve connection machine from hackmyvm.

Nmap to find all open ports on the machine.

nmap to find all open ports

Lets find service version.

Opened the website in the browser.It is apache default page.

Apache default page

Unable to find any interesting directory or file in web enumeration.

gobuster on the website.

As SMB is running on server port 139 and 445 is open, use smbclient to list shares.

smbclient O/P

I am able to access the share share without any password which is good. And inside share directory, there is a html directory and inside html there is index.html file.

I tried to put the reverse_shell.php file as I am able to write files into it. Lets start the listener on port 9001 on local host and access the reverse shell php file from browser.

accessing the php reverse shell from the browser to get the reverse shell

Got the reverse shell from the host

reverse shell

Used find command to find all the binaries with suid set.

find / -perm -u=s -type f 2>/dev/null

SUID binaries

As we can see, the suid is set for gdb which we can use to get the shell.As per gtfobins, use below command to get escalate the privilege to root.

gdb -nx -ex ‘python import os; os.execl(“/bin/sh”, “sh”, “-p”)’ -ex quit

root shell using gdb

Glance at the smb.conf file

Hope you like it. Bye!

--

--