Windy's little blog

All the odds and ends of life, and I like CTF.

HackMyVm Attack Walkthrough (very interesting!)

A very interesting CTF VM from HackMyVm; it can be downloaded here.


Nmap port scan.

图片.png


On port 80, index.html has a useful message.

图片.png


Wireshark capture files have the extension .pcap, so we add it to the extension list for the directory/file brute force.

gobuster dir -u http://192.168.56.43 -t 50 -x .html,.php,.txt,.pcap -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -b 400,403,404,500 --wildcard -o 80.log


Found capture.pcap.

图片.png

Download it and open it in Wireshark. First, we find the credential pair "teste:simple".

图片.png


Then we notice a file named "mysecret.png".

图片.png


Third, we notice a file named "filexxx.zip".

图片.png


We can log in to FTP as teste now. It looks like teste's home folder.

图片.png


In the parent folder, we can see the other two users.

图片.png


The note.txt says: I need to find the file.

图片.png


That's all for FTP; now we need an SSH login. We try to fetch filexxx.zip directly from port 80, and there is indeed a filexxx.zip there.


图片.png


Unzipping it, we get a file named "id_rsa", which belongs to teste.

图片.png

But in fact there is nothing we can do as user "teste" for now, so we need to find another way. The filexxx.zip we downloaded from port 80 is 1.5k.

图片.png


But the filexxx.zip in the Wireshark capture is 38k. Apparently the two files share the same name but have different content.

图片.png


We can export filexxx.zip from Wireshark using File --> Export Objects --> HTTP.

图片.png


Give it a new name and unzip it; we get an image, mycode.png.

图片.png


It's a QR code. Decoding it online gives us a URL.

图片.png


Wget the file as user teste.

图片.png


Now we have the private key of jackob. We can ssh in as user jackob.

图片.png


Sudo shows that jackob can run a bash script as kratos.

图片.png


But jackob has no write permission to edit the file.

图片.png


Directly changing the file content fails.

图片.png

 

But if we create another file, we can move it over attack.sh to overwrite it (mv needs write permission on the directory, not on the file itself). So we create a.sh, containing only the single command "bash".

图片.png


Overwrite attack.sh.

图片.png


Run it with sudo, and we are kratos now.

图片.png


kratos can run cppw with sudo.

图片.png

The help output says cppw can replace the passwd file.

图片.png


We generate a password hash.

图片.png


Then copy /etc/passwd to /tmp and add a new line for user "windy" with UID 0, i.e. root privileges.

图片.png


At last, we get root.

图片.png
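The final step above plants a root-equivalent account directly in /etc/passwd, which is exactly what a defender should audit for. This is an added example, not code from the original post: it parses a constructed passwd sample and flags extra UID-0 accounts and password hashes stored inline instead of in /etc/shadow.

```python
"""Audit a passwd(5) file for the backdoor pattern used in this walkthrough.

Added example, not part of the original post. The sample content below is
constructed; the 'windy' line mimics a hand-added UID-0 entry with an inline
(placeholder, non-functional) hash.
"""
from typing import Dict, List

# Constructed sample: a stock-looking passwd file plus one suspicious entry.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
teste:x:1000:1000:teste:/home/teste:/bin/bash
jackob:x:1001:1001::/home/jackob:/bin/bash
kratos:x:1002:1002::/home/kratos:/bin/bash
windy:$6$CONSTRUCTED$placeholderhash:0:0::/root:/bin/bash
"""


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Parse passwd lines into dicts, skipping blank or malformed lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # passwd entries always have exactly seven fields
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": uid, "gid": gid,
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def find_rogue_root_accounts(text: str) -> List[str]:
    """Names of UID-0 accounts other than 'root' (any such entry is root)."""
    return [e["name"] for e in parse_passwd(text)
            if e["uid"] == "0" and e["name"] != "root"]


def find_inline_hashes(text: str) -> List[str]:
    """Names whose password field is a hash rather than the shadow marker.

    A hash kept in /etc/passwd bypasses /etc/shadow's restricted permissions
    and is a strong sign the file was edited by hand, as in this box.
    """
    return [e["name"] for e in parse_passwd(text)
            if e["pw"] not in ("x", "*", "!", "")]


if __name__ == "__main__":
    print("rogue UID-0 accounts:", find_rogue_root_accounts(SAMPLE_PASSWD))
    print("inline password hashes:", find_inline_hashes(SAMPLE_PASSWD))
```

On a live host, run the same checks against the real /etc/passwd and compare with a known-good copy; cppw leaves no trace in the file itself, so this diff is the main evidence.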
