Overview
Rated as difficult , but you just gotta enumerate more! Probaly hard because of the rabbit holes .
| Box Difficulty | Link |
|---|---|
| Hard | HackmyVM |
Recon
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
┌──(root💀kali)-[/opt/hackmyv/zday]
└─# nmap -sVC -Pn -p 111,2049,21,22,3306,33393,39811,443,51765,56261,80 192.168.56.73
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-25 06:20 EDT
Nmap scan report for 192.168.56.73
Host is up (0.00033s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 ee:01:82:dc:7a:00:0e:0e:fc:d9:08:ca:d8:7e:e5:2e (RSA)
| 256 44:af:47:d8:9f:ea:ae:3e:9f:aa:ec:1d:fb:22:aa:0f (ECDSA)
|_ 256 6a:fb:b4:13:64:df:6e:75:b2:b9:4e:f1:92:97:72:30 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 34997/tcp6 mountd
| 100005 1,2,3 38351/udp6 mountd
| 100005 1,2,3 39811/tcp mountd
| 100005 1,2,3 56988/udp mountd
| 100021 1,3,4 33393/tcp nlockmgr
| 100021 1,3,4 37949/tcp6 nlockmgr
| 100021 1,3,4 53093/udp nlockmgr
| 100021 1,3,4 57780/udp6 nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
443/tcp open http Apache httpd 2.4.38
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
2049/tcp open nfs_acl 3 (RPC #100227)
3306/tcp open mysql MySQL 5.5.5-10.3.27-MariaDB-0+deb10u1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
| Thread ID: 93
| Capabilities flags: 63486
| Some Capabilities: SupportsLoadDataLocal, DontAllowDatabaseTableColumn, IgnoreSigpipes, Support41Auth, Speaks41ProtocolOld, Speaks41ProtocolNew, InteractiveClient, IgnoreSpaceBeforeParenthesis, ConnectWithDatabase, SupportsCompression, SupportsTransactions, LongColumnFlag, ODBCClient, FoundRows, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
| Status: Autocommit
| Salt: nDFs1:k2R)r(kb-VLXW*
|_ Auth Plugin Name: mysql_native_password
33393/tcp open nlockmgr 1-4 (RPC #100021)
39811/tcp open mountd 1-3 (RPC #100005)
51765/tcp open mountd 1-3 (RPC #100005)
56261/tcp open mountd 1-3 (RPC #100005)
MAC Address: 08:00:27:10:C2:72 (Oracle VirtualBox virtual NIC)
Service Info: Host: 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.24 seconds
Okay, there’s really alot of ports! Begin enumeration.
HTTP- TCP 80
Website Enum:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
┌──(root💀kali)-[/opt]
└─# gobuster dir -u http://192.168.56.73:80 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 100 -e -k -s 200,204,301,302,307,403,500 -x txt,html,php,jsp -o gobuster_p80.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.73:80
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: txt,html,php,jsp
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2022/03/25 06:14:32 Starting gobuster in directory enumeration mode
===============================================================
http://192.168.56.73:80/index.php (Status: 302) [Size: 0] [--> /fog/index.php]
http://192.168.56.73:80/index.html (Status: 200) [Size: 10701]
http://192.168.56.73:80/fog (Status: 301) [Size: 312] [--> http://192.168.56.73/fog/]
http://192.168.56.73:80/server-status (Status: 403) [Size: 278]
===============================================================
2022/03/25 06:19:46 Finished
===============================================================
Enumerating it we can see it host Fog project. 
Default credentials can be found from the wiki page: 
and we are in! 
Did found an exploit to do file upload + rce however that was a dead end for me :(
1
2
3
4
5
6
7
8
9
10
11
┌──(root💀kali)-[/opt]
└─# searchsploit fog
-------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Fog Creek Software FogBugz 4.0 29 - 'default.asp' Cross-Site Scripting | asp/webapps/27071.txt
FOG Forum 0.8.1 - Multiple Local File Inclusions | php/webapps/5784.txt
FOGProject 1.5.9 - File Upload RCE (Authenticated) | php/webapps/49811.txt
-------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
Instead, further enumeration found that we have a password that we can reuse:
Shell as fogproject
Looks like we can’t ssh into the server because of some configuration but FTP is possible:
What is interesting here is that we are probably in the fogproject home folder.
So there’s probably a script in one of those file that stopping us from getting a shell, and that scripts is found in .bashrc
What is .bashrc:
The .bashrc file is a script file that’s executed when a user logs in. The file itself contains a series of configurations for the terminal session.
Let’s download the .bashrc and see what is inside:
exit 1 is seen at the end of the script. Remove the line and upload the file back. Retry SSH.
And this time we are logged in as fogproject! 
Shell as Root
Running linpeas, we can exploit the NFS weak system configuration as there is no_root_squash , basically means whatever in a writable share configuration, a remote user who identifies as “root” can create files on the NFS share as the local root user.
Let’s mount the folder and upload an exploit to make us root: 
Rooted :)