Vulnhub Null-Byte Walkthrough

Harish
Dec 14, 2019

This walkthrough is a part of my OSCP journey. I really enjoyed pwning this VM.

Hope you have set up your VM in bridged mode. Let's get started.

First, as usual, an Nmap scan to find the IP of our VM. Note that my IP range is 192.168.1.x; yours might be different.

As you can see, the VM is running on 192.168.1.142. Now let's nmap it to find the open ports.

There seems to be a web server running on port 80. Let's check that out.

Nothing interesting. Let's view the source.

Well, there seems to be a GIF image. Let's download and analyze it.

While checking the metadata with exiftool there was something interesting. (For those who don't know what metadata is, it's data about data, like file size, name, format, resolution etc.)

Hmm... there seems to be a weird-looking string in the comment field. Since we didn't have much of a clue on the website, and robots.txt wasn't there when I checked for it, I checked whether the string was a subdirectory of the website, and well... it was.

It has a form field named key and nothing else. I tried poking around with some random strings to check what happens.

And it gave the message "invalid key". I tried brute-forcing it with some dictionaries. In the screenshot I've used a dictionary from dirb; rockyou could even be used, but I've used dirb's big.txt with hydra since it's shorter than rockyou.txt.

That's the syntax for hydra. We are sending a POST request with key as the parameter that has to be brute-forced.

After hydra finds the key, we try it in the field and it gives yet another page.

I tried ' which didn't have any effect; it just gave me a success message. (' is a test for SQLi.)

I again tried with " and voila, we got an SQLi.

Then I ran sqlmap on the URL.
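From the defender's side, the two things done against the hidden form so far (hydra hammering the key parameter, then quote characters dropped into the next page's field) both leave a distinctive trace in the web server's access log. The following is an added example, not code from the original post, that flags both patterns over constructed log lines; /HIDDENDIR/, search.php and the user parameter are placeholders, not the VM's real paths.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed Apache common-log lines (not captured from the VM). /HIDDENDIR/,
# search.php and the "user" parameter are placeholders for the real paths.
SAMPLE_LOG = """\
192.168.1.50 - - [14/Dec/2019:10:00:01 +0000] "POST /HIDDENDIR/index.php HTTP/1.1" 200 512
192.168.1.50 - - [14/Dec/2019:10:00:01 +0000] "POST /HIDDENDIR/index.php HTTP/1.1" 200 512
192.168.1.50 - - [14/Dec/2019:10:00:02 +0000] "POST /HIDDENDIR/index.php HTTP/1.1" 200 512
192.168.1.50 - - [14/Dec/2019:10:00:02 +0000] "POST /HIDDENDIR/index.php HTTP/1.1" 200 512
192.168.1.77 - - [14/Dec/2019:10:05:10 +0000] "GET /HIDDENDIR/search.php?user=%22 HTTP/1.1" 200 300
192.168.1.90 - - [14/Dec/2019:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 100
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) ')

def parse(line):
    m = LOG_RE.match(line)  # None for lines that are not request records
    if not m:
        return None
    ip, ts, method, target = m.groups()
    path, _, query = target.partition("?")
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "query": unquote(query)}

def detect_bruteforce(events, threshold=4, window_s=60):
    """(ip, path) pairs with >= threshold POSTs inside window_s seconds; hydra sends far more."""
    buckets = defaultdict(list)
    for e in events:
        if e["method"] == "POST":
            buckets[(e["ip"], e["path"])].append(e["time"])
    hits = []
    for key, times in buckets.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                hits.append(key)
                break
    return hits

def detect_sqli_probes(events):
    """Requests whose decoded query carries a bare ' or ", the probe the post used."""
    return [(e["ip"], e["path"], e["query"])
            for e in events if re.search("['\"]", e["query"])]

def analyse(log_text):
    events = [p for p in (parse(l) for l in log_text.splitlines()) if p]
    return {"bruteforce": detect_bruteforce(events), "sqli_probes": detect_sqli_probes(events)}
```

Only the query string is visible in a standard access log, so a real deployment would also feed POST bodies (from the application or a WAF) through the same quote check.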

The databases can be checked manually one by one for valuable info. I'm running it on seth since I've already checked the rest.

Sweet! A users table. Now let's dump the columns.

Nice, we've got the user and pass columns. Let's dump them.

The pass field seems to be base64 encoded. When decoded it gave an MD5 hash, which when checked on md5killer gave omega as the password. Now let's try it on the website form.

Nothing useful. If you've checked the nmap scan from our enum phase, you would have noticed SSH running on port 777, which normally runs on 22.

We can try using the username and password there and check if it works.

Yep, it worked: it gave a bash shell as the ramses user, with normal user privileges.

Check the rest on my second article.

Harish

@y4t02 | Bug bounty hunter | security engineer | synack red team | yogosha