Hello everyone, in this blog I am going to post a walkthrough of hackme 1.
This machine is for beginners.
Target IP: 192.168.43.19
Attacker IP: 192.168.43.139
Let's start with nmap.
nmap -sC -sV -p- -Pn 192.168.43.19
OK, there are two ports open:
22 – ssh
80 – http
Let's see what is running on port 80.
So, we got a login page.
We also have a sign up page.
So, I filled in the form and logged in.
So, this is an online Book Catalog page.
There is a search box, so I searched for a book and captured the request in Burp Suite.
So, I saved the request into a file "hackme.txt".
As there is an input parameter "Search=", I thought of running sqlmap on it to find out whether we can get access to the database.
sqlmap -r hackme.txt --dbs --batch
Here we got the databases.
Let's check webapphacking:
sqlmap -r hackme.txt -D webapphacking --dump-all --batch
We got the usernames and passwords.
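Why the search box was injectable, as an added example that is not part of the original walkthrough: a tiny sqlite3 book catalog with the query built the broken way (the "Search" value pasted into the SQL text) beside the parameterized version. The table, rows and search terms are constructed for illustration and are not data from the machine.

```python
import sqlite3

# Constructed sample catalog standing in for the target's book table (not real data).
BOOKS = [("Linux Basics", "A. Author"),
         ("Web Security", "B. Author"),
         ("Networking 101", "C. Author")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (title TEXT, author TEXT)")
    conn.executemany("INSERT INTO books VALUES (?, ?)", BOOKS)
    return conn


def vulnerable_search(conn, term):
    # The flaw sqlmap found: the user's value becomes part of the SQL text,
    # so a quote in the input closes the string literal and the rest is parsed as SQL.
    sql = "SELECT title FROM books WHERE title LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def safe_search(conn, term):
    # Parameter binding: the value travels separately from the SQL and is never parsed as SQL.
    sql = "SELECT title FROM books WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def breaks_on_apostrophe(conn):
    # A plain apostrophe in legitimate input already throws a database error;
    # that error is the first visible sign of this bug, and the kind of response sqlmap probes for.
    try:
        vulnerable_search(conn, "O'Reilly")
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    conn = make_db()
    normal = "Web"
    probe = "' OR '1'='1"  # textbook probe: the quote breaks out of the literal
    return {
        "vulnerable_normal": vulnerable_search(conn, normal),
        "vulnerable_probe": vulnerable_search(conn, probe),   # every row comes back
        "safe_normal": safe_search(conn, normal),
        "safe_probe": safe_search(conn, probe),               # treated as a literal, no match
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```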
Here, superadmin looks interesting, but the passwords are stored as hashes.
Looks like they used MD5 to hash them.
Let's crack the superadmin hash.
Here it is, we got the password.
username : superadmin
password : Uncrackable
Let's log in on the web page.
OK, we logged in.
There is a file upload option, so I thought of uploading a PHP reverse shell file to get a shell.
This is the PHP file to upload.
Before that, let's start a listener.
nc -nlvp 1234
OK, the file got uploaded.
Now we have to execute it to get the reverse shell.
It says the file got uploaded into the upload folder.
Let's check the upload directory.
Here is the file; let's open it and check the listener.
We got a limited shell.
To get an interactive shell we use python:
python -c "import pty;pty.spawn('/bin/bash')"
Now we need root access. I explored all the directories and found an executable file "touchmenot" in the /home/legacy directory.
So, I executed the file.
Here, I got ROOT access!!