You can start playing here: HackMyVM
Summary
I found this really cool lab; it is similar to VulnHub but has a point system, ranking, etc. I suggest you try it out, it is 101% worth it. We start by finding an SMB share that we can connect to anonymously and upload our shell to, which gives us a shell as www-data. Privesc to root is a simple SUID exploitation. Let’s pwn it!
Enumeration/Reconnaissance
Let’s start as always with nmap.
Let’s start with SMB, as always let’s list the shares.
Let’s connect to the share:
We have access to web content, we can simply upload our shell and execute it!
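Seen from the defender's side, the weakness used here is a guest-accessible, writable share whose path is served by the web server. The following is an added example, not part of the original write-up: assuming the server runs Samba, it flags such shares in an smb.conf. The sample configuration, the share names and the `WEB_ROOTS` list are constructed assumptions.

```python
import configparser
import posixpath

GUEST = {"guest ok": False, "public": False}  # parameter -> is it inverted?
WRITE = {"writable": False, "writeable": False, "write ok": False, "read only": True}
WEB_ROOTS = ("/var/www", "/srv/www")  # assumption: web server document roots

SAMPLE = """
[global]
   read only = no
[docs]
   path = /srv/docs
   guest ok = yes
   read only = yes
[web]
   path = /var/www/html
   public = yes
   writeable = yes
[drop]
   path = /srv/drop
   guest ok = yes
"""  # constructed sample, not the lab machine's configuration

def _flag(scopes, keys):
    """First parameter found wins; the share is consulted before [global]."""
    for scope in scopes:
        for key, inverted in keys.items():
            if scope.get(key) is not None:
                return (scope[key].strip().lower() in ("yes", "true", "1")) != inverted
    return False  # Samba defaults: guest ok = no, read only = yes

def audit_smb_conf(text):
    """Return (share, path, severity) for every guest-writable share."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, allow_no_value=True)
    # Strip indentation so configparser does not treat it as a continuation.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    glob = cp["global"] if cp.has_section("global") else {}
    findings = []
    for name in cp.sections():
        if name.lower() in ("global", "printers", "print$"):
            continue
        scopes = (cp[name], glob)
        if _flag(scopes, GUEST) and _flag(scopes, WRITE):
            path = posixpath.normpath(cp[name].get("path") or "")
            in_web = any(path == r or path.startswith(r + "/") for r in WEB_ROOTS)
            findings.append((name, path, "critical" if in_web else "high"))
    return findings

if __name__ == "__main__":
    print(audit_smb_conf(SAMPLE))
```

A share reported as critical lets an unauthenticated client place files where the web server will serve them; making it read-only or removing guest access closes that path.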
Shell as www-data
Shell as root
If we search for SUID binaries, we can see that gdb has the SUID bit set. We can simply exploit this to get a root shell:
Let’s read the flags:
Good one!