March 12, 2017

VMware Workstation + Archlinux = nightmare

Hi all,

This is a quick one. I think lots of active Arch users struggle a lot with every kernel update to run VMware Workstation. Unfortunately, the awesome vmware-patch from AUR is not always helpful.

Here is some advice on how to fight several errors:

1. Error: /usr/lib/vmware/modules/source/vmmon-only/linux/hostif.c:1165:13: error: too many arguments to function ‘get_user_pages’

I saw this after the kernel upgrade to 4.7. I used this link with a solution to recompile the required modules.

2. Errors: /vmmon-only/linux/hostif.c:1592:47: error: ‘NR_ANON_PAGES’ undeclared (first use in this function)
/vmnet-only/netif.c:468:7: error: ‘struct net_device’ has no member named ‘trans_start’

You can see these 2 errors after the upgrade to 4.8. Here is a handy solution with sed:

3. Error: /tmp/modconfig-HDxzxN/vmmon-only/linux/hostif.c:1166:13: error: too few arguments to function ‘get_user_pages_remote’

You will see this error after the upgrade to 4.9. Here is a thread about this error with a solution. You can use the script from TobInover to fix the issue.

I wish you all the best, waiting for new kernel updates :)

Hackademic RTB1

It is time for another walkthrough - Hackademic RTB1.
You can download the ISO from the awesome vulnhub -,17/

1. As usual we started with netdiscovery:

2. Nmap was the next step:

3. I spent some time on the web server and found out that it used an outdated WordPress. So the next step was to run WPScan.

I tried both SQL injections from the list, but no luck. So I went through different parameters to see whether there were other vulnerabilities. I found out that the cat parameter was vulnerable. Instead of using sqlmap, I did the initial steps myself. I used UNION SELECT to reveal the number of columns: and sleep(0) UNION SELECT 1,2,3,4,5

I revealed that there were 5 columns and that the second column had a varchar type. The tricky part here is to understand why you need to add sleep(0) :)
If you are stuck, see a good video from ub3rsec - about manual SQL injection.
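
Seen from the defender's side, the probe in step 3 is easy to spot in web server logs, because a WordPress category id in `cat` is normally an integer or a comma-separated list of integers. The following is an added example, not part of the original walkthrough: the log lines are constructed, and the function and variable names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (combined log format); addresses and paths are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2017:10:00:01 +0000] "GET /blog/?cat=1 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [12/Mar/2017:10:00:07 +0000] '
    '"GET /blog/?cat=1%20and%20sleep(0)%20UNION%20SELECT%201,2,3,4,5 HTTP/1.1" 200 5342',
    '10.0.0.9 - - [12/Mar/2017:10:00:09 +0000] '
    '"GET /blog/?cat=1+UNION+SELECT+1,2,3,4,5 HTTP/1.1" 200 611',
    '10.0.0.7 - - [12/Mar/2017:10:00:12 +0000] "GET /blog/?p=9&cat=3 HTTP/1.1" 200 4801',
    'garbage line without a request',
]

REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: legitimate values are ids such as "3", "-3" or "3,4".
NUMERIC_ID = re.compile(r'-?\d+(?:,-?\d+)*')
SQL_HINTS = re.compile(
    r'\b(union|select|sleep|benchmark|information_schema)\b', re.I)


def suspicious_requests(lines, param="cat"):
    """Return (client_ip, decoded_value, sql_keywords) for every request whose
    `param` value is not a plain numeric id list."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a well-formed request line
        client, target = m.groups()
        # parse_qsl percent-decodes and turns '+' into a space, so encoded
        # and plain variants of the same probe compare equal.
        for name, value in parse_qsl(urlsplit(target).query,
                                     keep_blank_values=True):
            if name != param or NUMERIC_ID.fullmatch(value):
                continue
            hints = sorted({h.lower() for h in SQL_HINTS.findall(value)})
            findings.append((client, value, hints))
    return findings


if __name__ == "__main__":
    for client, value, hints in suspicious_requests(SAMPLE_LOG):
        print(f"{client}: cat={value!r} keywords={hints}")
```

The allowlist check on the parameter's format catches the probe even when no SQL keyword is present; the keyword list only helps with triage.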

4. Extracted user information from the DB using sqlmap:

sqlmap -u '' -T wp_users --dump

sqlmap also suggested running a dictionary attack against the extracted hashes and successfully cracked them all:

5. User GeorgeMiller had admin privileges in WordPress. I used this link to log in:
The next step was to enable file upload functionality in Miscellaneous, allowing PHP files to be uploaded:

6. To obtain a shell I used the PHP reverse shell from the Kali webshells folder. I opened a port on my machine and caught the connection. The next step was to elevate privileges.
I spawned a normal shell using python (python -c 'import pty; pty.spawn("/bin/sh")') and after a bit of enumeration found the kernel version:

7. I used an exploit suggester for this kernel. You can find this program here -
The output was:

I tried several exploits before succeeding with rds.
I ran Python's built-in web server on my machine using: python2 -m SimpleHTTPServer 8080

8. I downloaded and compiled the exploit on the victim machine:

and got root:

Thanks to p0wnbox.Team for this challenge.
I think this box has an intermediate level of difficulty; however, if you do everything using only automated tools it would be much easier.