Hey folks! Today I'm going to write a complete write-up for the Zday VM created by sml on HackMyVm. It's a hard-level machine, but if you know how things work it will be easy for you. Let's get started.
1. ) Nmap Scan & Enumeration
The IP address was displayed on the login screen of the VM, which is great: we don't need to run netdiscover to find the IP address of the VM.
The IP address is 192.168.1.3. After that I fired up Nmap to get the list of open ports.
Nmap shows a bunch of open ports on the VM. Let's take a look at NFS.
The showmount command shows that there are some shares on the VM which we can mount on our local machine.
For now I'm moving on to the web part and keeping this NFS thing in the back of my mind; maybe I'll use it later.
2. ) Web Enumeration
The web page seems to be the default page of an Apache installation.
I fired up gobuster to enumerate directories on the web server and got an interesting file, index.php, which redirects to a directory 'fog'.
Let's have a look at index.php. It seems to be a web application running FOG Project, an open-source project that you can find on GitHub too.
Since it is an open-source project, I searched Google for the default credentials of FOG Project and got the following results.
With the help of the default credentials I was able to successfully log in to the web application.
And in the Storage tab I got a username and password.
Maybe the user 'fogproject' is a system user and we can connect over SSH with the provided password.
fogproject : 84D1gia!8M9HSsR8gXau
3. ) Initial Footholds
With the credentials I found on the web server I tried to log in via SSH, but it seems a script is blocking us from getting a bash shell, and we can't connect over SSH as the fogproject user.
We can't get a bash shell, but we can get an sh shell. Let's bypass the script.
I used the -t option to run /bin/sh, and with that command I bypassed the script and got a shell as the fogproject user.
4. ) Privilege Escalation
If you remember, NFS is running on the VM, so I opened the exports file to see the configuration and found something interesting.
no_root_squash is enabled on the NFS share. If some of you don't know how we can escalate privileges with NFS and the no_root_squash option, read this blog.
I came back to my local machine; for the next steps I need to be root there.
I mounted the dev share on my local machine, copied bash into that share as root, and gave it the SUID permission.
Back on the victim machine I changed directory to the dev share, found bash with SUID set, and by executing it I got root privileges.
I successfully rooted this box and got the root.txt flag.
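From the defender's side, the whole escalation hinges on one line in /etc/exports. The small checker below is an added example (not part of this write-up or the VM) that parses exports(5) entries and flags no_root_squash and world-exported read-write shares; the sample file, share paths and subnet are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed /etc/exports sample; the paths and subnet are assumptions, not the VM's.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed example)
/srv/dev   *(rw,sync,no_root_squash,no_subtree_check)
/srv/home  192.168.1.0/24(rw,sync,root_squash)
/srv/pub   192.168.1.0/24(ro,sync)
"""

# One client spec is either "host" or "host(opt1,opt2,...)".
_CLIENT_RE = re.compile(r"^(?P<host>[^(]+)(?:\((?P<opts>[^)]*)\))?$")


@dataclass
class ExportFinding:
    path: str
    host: str
    options: list
    issues: list = field(default_factory=list)


def parse_exports(text):
    """Parse exports(5) lines into one finding per (path, client) pair and flag risky options."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = _CLIENT_RE.match(spec)
            if not m:
                continue
            opts = [o for o in (m.group("opts") or "").split(",") if o]
            f = ExportFinding(path, m.group("host"), opts)
            if "no_root_squash" in opts:
                # Remote uid 0 is not mapped to nobody, so a client root can drop
                # root-owned SUID binaries into the share. root_squash is the default.
                f.issues.append("no_root_squash: remote root keeps uid 0 on this share")
            if f.host == "*" and "rw" in opts:
                f.issues.append("rw share exported to every host; restrict to a subnet or hostnames")
            findings.append(f)
    return findings


def risky_exports(text):
    """Return only the exports that carry at least one issue."""
    return [f for f in parse_exports(text) if f.issues]


if __name__ == "__main__":
    for f in risky_exports(SAMPLE_EXPORTS):
        print(f"{f.path} -> {f.host}: " + "; ".join(f.issues))
```

Mounting such shares with the nosuid client option also neutralises the SUID-binary trick even if the server side is left as is.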