Let's solve the HackMyVM machine "pwned".
First, a port scan to find open ports and the services running on them.
Next, identify the services running on those ports.
Let's run gobuster to enumerate the directories and files on the web server.
The directory hidden_text seems interesting, so let's visit it in the browser.
I created a wordlist from the list above and ran gobuster again to enumerate directories and files on the web server.
It shows below page when opened in browser.
I tried all the default usernames and passwords, but had no luck. Then I checked the source of the web page, and it showed me something important.
If you remember, during the nmap scan we saw that port 21 (FTP) was open. I used these creds to log in to FTP and found the files below.
I downloaded both files; the contents of note.txt are:
This gives us a potential username, and we have the id_rsa file. I used this info to SSH into the system as user ariana.
I ran sudo -l to see which commands I can run on the box.
The output shows we can run the script "messenger.sh" as user selena without a password.
As we can see, the message input is passed directly to the command and errors are redirected to /dev/null. I injected a bash command and got a shell as user selena.
Let's use python to get a better shell.
The id and groups commands show that selena is a member of the docker group. Checking GTFOBins, it shows a way to mount the host's root filesystem inside a container. I also ran the docker images command to check which images are present on the system.
As per GTFOBins, I used the command docker run -v /:/mnt --rm -it alpine chroot /mnt sh
The above command runs the alpine image.
- The -v option mounts "/" of the host machine on "/mnt" of the container.
- The --rm option automatically removes the container when it exits.
- The -it option gives an interactive shell in the container.
- chroot is the Linux command that changes the root filesystem to /mnt, and sh is the shell.
As you can see, we are inside the container and have an interactive shell in it.
We can now access the mounted filesystem of the host machine.
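For the defender side of what the docker group gives selena above, here is an added Python example (mine, not part of this write-up) that flags containers whose bind mounts expose the host root or other sensitive host paths, and lists who is in the docker group. The `docker inspect` JSON and the /etc/group excerpt are constructed samples.

```python
import json
from pathlib import PurePosixPath

# Constructed sample of `docker inspect` output (one list entry per container).
SAMPLE_INSPECT = json.dumps([
    {"Id": "c1", "Name": "/alpine_escape",
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt", "RW": True}]},
    {"Id": "c2", "Name": "/web",
     "Mounts": [{"Type": "bind", "Source": "/srv/www", "Destination": "/usr/share/nginx/html", "RW": False},
                {"Type": "volume", "Source": "/var/lib/docker/volumes/web/_data", "Destination": "/data", "RW": True}]},
    {"Id": "c3", "Name": "/logshipper",
     "Mounts": [{"Type": "bind", "Source": "/etc/ssh", "Destination": "/host/ssh", "RW": True}]},
])

# Constructed /etc/group excerpt; docker group membership is equivalent to root on the host.
SAMPLE_GROUP = "root:x:0:\ndocker:x:998:selena,deploy\nsudo:x:27:ariana\n"

# Host paths whose bind-mounting into a container hands over control of the host.
SENSITIVE = ("/", "/etc", "/root", "/proc", "/sys", "/var/run/docker.sock")


def is_sensitive_source(source: str) -> bool:
    """True if a bind-mount source is the host root or sits under a sensitive path."""
    p = PurePosixPath(source)
    if p == PurePosixPath("/"):
        return True
    # "/" is a parent of every path, so it is excluded from the subtree check.
    return any(p == PurePosixPath(s) or PurePosixPath(s) in p.parents
               for s in SENSITIVE if s != "/")


def risky_mounts(inspect_json: str) -> list[dict]:
    """One finding per bind mount (named volumes are skipped) with a sensitive host source."""
    findings = []
    for c in json.loads(inspect_json):
        for m in c.get("Mounts", []):
            if m.get("Type") == "bind" and is_sensitive_source(m["Source"]):
                findings.append({"container": c["Name"].lstrip("/"), "source": m["Source"],
                                 "destination": m["Destination"], "rw": bool(m.get("RW"))})
    return findings


def docker_group_members(group_text: str) -> list[str]:
    """Users listed on the docker line of an /etc/group file (empty list if none)."""
    for line in group_text.splitlines():
        if line.count(":") < 3:
            continue
        name, _, _, members = line.split(":", 3)
        if name == "docker":
            return [u for u in members.split(",") if u]
    return []


if __name__ == "__main__":
    for f in risky_mounts(SAMPLE_INSPECT):
        print(f"{f['container']}: host {f['source']} -> {f['destination']} rw={f['rw']}")
    print("docker group members:", docker_group_members(SAMPLE_GROUP))
```

On a real host, feed it the output of `docker inspect $(docker ps -q)` and the contents of /etc/group; a finding with source "/" is exactly the GTFOBins escape above.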
I tried to change or add my own root user in the host's /etc/passwd file to get permanent access to the host machine, but failed to do so. Please let me know in the comments how I can do that.
Hope you like this write-up.