HackMyVm Soul Walkthrough.(ngnix bad config, privilege escalation through agetty)

(英语写几篇,便于国际友人搜索浏览。都是简单句,国内的同学看着应该也不太费劲。)


A very tricky VM, level is hard, can be download here.


First, use nmap to scan ports.

图片.png


Gobuser to bruteforce folders and files at port 80, found nothing.

图片.png


There's only one image at index.html.

图片.png


Download and extract pass.txt from the jpg file.

图片.png


Use hydra to brutefoce ssh user's name.

图片.png


Logged in as user daneil through ssh, but the bash is restricted.

图片.png


Again, logged in with "-t"option to bypass resctricted bash.

ssh daniel@192.168.56.35 -t "bash --noprofile"

There are three users in home directory. And the user flag is in gabriel's home. So, we need to escalate to other user.

图片.png

Here is the most tricky part. As user daniel, I spend a lot of time browse the VM, but found nothing.  Then I asked for help from this great guy @d4t4s3c.  In /etc/nginx/sites-available, we can find a URL name: loneysoul.hmv.

图片.png


In fact, if we put some php into /var/www/html, and access it directly through IP, it will not be interpreted. But if called from lonelysol.hmv/xxx.php, it will be interpreted. And, the author did want us to get www-data user as the second user, but not the other two in /home folder. 


Upload a reverse shell php file in /var/www/html, and curl it through url, we get reverse shell of user www-data.

图片.png


User 'www-data' can sudo /tmp/whoami, so we create a file named whoami in /tmp, and code is: bash.

图片.png


Sudo to user gabriel, and now we get the user flag.

图片.png


Continue, user "gabriel" can sudo hping3, then escalate to user "peter".

图片.png


Here is the second hard part. We can find that /usr/sbin/agetty maybe an useful file for privilege escalation, so I googled a lot, but found no answer.

图片.png


Thanks for the great spanish guy @d4t4s3c. Here is the magic cmd:

/usr/sbin/agetty  -o -p -a  root -l /bin/bash tty

图片.png

发表评论:

◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。

«    2022年12月    »
1234
567891011
12131415161718
19202122232425
262728293031
网站分类
搜索
最新留言
文章归档
网站收藏
  • 订阅本站的 RSS 2.0 新闻聚合

Powered By Z-BlogPHP 1.7.2