Windy's little blog

All the odds and ends of life, and I like CTF.

HackMyVm Hash Walkthrough(php magic hashes, .Xauthority)

A very interesting machine from HackMyVm; it can be downloaded here.

Scan the ports with Nmap.

Check source code of index.html.

Scan port 80 for files, adding ".bak" as an extra extension.

Download check.bak and look at its source code.

<?php
// Login part.
$pass = $_POST['password'];
//marco please dont use md5, is not secure.
//$passwordhashed = hash('md5', $pass);
$passwordhashed = hash('sha256',$pass);
if ($passwordhashed == '0e0001337') {
//Your code here
}
else{
//Another code here
}
//To finish
?>


This is a PHP magic hash case: the loose comparison `==` treats two numeric strings as numbers, so any digest of the form "0e" followed only by digits compares equal to '0e0001337'. Lists of magic hash strings can be found on Google.

wget https://raw.githubusercontent.com/spaze/hashes/master/sha256.md


Log in as user "marco" with one of the passwords from the magic hash list. We then get an SSH key.
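To make the comparison in check.bak concrete, here is an added Python example (not code from this post or from the HackMyVm machine) that emulates PHP's `==` on two strings and scans a list of candidate passwords for inputs whose digest is a magic hash. It generalizes the page's single sha256 case to any hashlib algorithm; the candidate list, including the well-known md5 magic input "240610708", is constructed for the example and is not taken from the machine.

```python
import hashlib
import re
from typing import Iterable, List, Tuple

# PHP calls a string "numeric" when it parses as an integer or float literal:
# optional leading whitespace, optional sign, digits, optional fraction,
# optional exponent. Two numeric strings compared with == are compared as numbers.
_NUMERIC_STRING = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")

# A hex digest matching this is a numeric string with mantissa 0, i.e. equal to 0.
_MAGIC_DIGEST = re.compile(r"^0e\d+$")


def is_numeric_string(s: str) -> bool:
    return _NUMERIC_STRING.match(s) is not None


def php_loose_equals(a: str, b: str) -> bool:
    """Emulate `$a == $b` for two PHP strings.

    If both sides look numeric, PHP converts them to numbers first, so
    "0e0001337" == "0e12345" becomes 0.0 == 0.0, which is true.
    """
    if is_numeric_string(a) and is_numeric_string(b):
        return float(a) == float(b)
    return a == b


def php_strict_equals(a: str, b: str) -> bool:
    """Emulate `$a === $b`: same type and same bytes, no numeric conversion.

    This (or PHP's hash_equals()) is the fix for the check in check.bak.
    """
    return a == b


def is_magic_hash(hexdigest: str) -> bool:
    """True when the digest is 0e followed only by decimal digits."""
    return _MAGIC_DIGEST.match(hexdigest) is not None


def find_magic_inputs(candidates: Iterable[str], algo: str = "sha256") -> List[Tuple[str, str]]:
    """Return (input, digest) pairs whose digest under `algo` is a magic hash.

    Any hashlib algorithm name works; the post's check uses sha256.
    """
    hits = []
    for cand in candidates:
        digest = hashlib.new(algo, cand.encode()).hexdigest()
        if is_magic_hash(digest):
            hits.append((cand, digest))
    return hits


def passes_check(password: str, stored: str = "0e0001337",
                 algo: str = "sha256", strict: bool = False) -> bool:
    """Re-implementation of the check.bak comparison, loose (as on the page) or strict (fixed)."""
    digest = hashlib.new(algo, password.encode()).hexdigest()
    return php_strict_equals(digest, stored) if strict else php_loose_equals(digest, stored)


# Constructed candidate list. "240610708" is the widely cited md5 magic-hash
# input: its md5 digest starts with 0e and continues with digits only.
CANDIDATES = ["hello", "password", "240610708"]

if __name__ == "__main__":
    for algo in ("md5", "sha256"):
        print(algo, find_magic_inputs(CANDIDATES, algo))
    print("loose:", passes_check("240610708", algo="md5"),
          "strict:", passes_check("240610708", algo="md5", strict=True))
```

The search in find_magic_inputs is the same idea as the sha256.md list fetched above, only computed on the fly; on the defensive side, passes_check(..., strict=True) shows that the type juggling disappears as soon as the comparison stops coercing strings to numbers.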

Download the key file, remove the extra spaces, chmod 600 it, and we can log in over SSH as marco.

In marco's home folder, the file ".x" contains marco's password.

There is another user, maria. In maria's home folder we find a script file. We also notice a .Xauthority file that is writable but currently has size 0.

Looking at myterm.sh, it just calls "xterm" on a specific display.

Using pspy64, we find a cron job that executes myterm.sh every minute.

What is .Xauthority? Ask Google.

Since .Xauthority stores the cookies xterm uses to authenticate to the X server, and maria's .Xauthority is writable, we can replace it with marco's .Xauthority.

Use rdesktop to log in on port 3389 as marco, with the password we found in marco's home folder.

Check id: we are marco now.

Replace maria's .Xauthority file with marco's.

After a while a new xterm window appears in rdesktop, and its id is maria. (Another way is the "xhost +" command, which TataYoyo told me about.)
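The .Xauthority mechanism described above comes down to a small binary file format, so here is an added Python example (mine, not code from the post or the machine) that parses and rebuilds .Xauthority records and checks the ownership and mode a defender would expect on that file. It shows why an empty file (size 0, as on maria's account) carries no cookie at all, and why a writable one lets another user's cookie be dropped in. The sample record, hostname "hash", display :1 and the cookie bytes are constructed for the example.

```python
import stat
import struct
from dataclasses import dataclass
from typing import List

# Address-family codes used in Xauthority records (from <X11/Xauth.h>).
FAMILY_NAMES = {0: "FamilyInternet", 6: "FamilyInternet6", 256: "FamilyLocal", 65535: "FamilyWild"}


@dataclass
class XauthEntry:
    family: int      # u16 address family
    address: bytes   # hostname for FamilyLocal, raw IP for FamilyInternet
    number: bytes    # display number as ASCII, e.g. b"1" for display :1
    name: bytes      # auth protocol name, normally b"MIT-MAGIC-COOKIE-1"
    data: bytes      # the cookie itself (16 random bytes for MIT-MAGIC-COOKIE-1)


def _read_field(buf: bytes, off: int):
    """Read one length-prefixed field: u16 big-endian length, then that many bytes."""
    if off + 2 > len(buf):
        raise ValueError("truncated length at offset %d" % off)
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated field at offset %d" % off)
    return buf[off:off + n], off + n


def parse_xauthority(buf: bytes) -> List[XauthEntry]:
    """Decode every record in a .Xauthority file. An empty file yields no entries."""
    entries = []
    off = 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError("truncated family at offset %d" % off)
        (family,) = struct.unpack_from(">H", buf, off)
        off += 2
        address, off = _read_field(buf, off)
        number, off = _read_field(buf, off)
        name, off = _read_field(buf, off)
        data, off = _read_field(buf, off)
        entries.append(XauthEntry(family, address, number, name, data))
    return entries


def build_xauthority(entries: List[XauthEntry]) -> bytes:
    """Inverse of parse_xauthority: the byte layout `xauth add` writes out."""
    out = bytearray()
    for e in entries:
        out += struct.pack(">H", e.family)
        for field in (e.address, e.number, e.name, e.data):
            out += struct.pack(">H", len(field)) + field
    return bytes(out)


def describe(e: XauthEntry) -> str:
    """One line per entry, in the spirit of `xauth list`."""
    fam = FAMILY_NAMES.get(e.family, str(e.family))
    return "%s %s:%s  %s  %s" % (
        fam,
        e.address.decode("ascii", "replace"),
        e.number.decode("ascii", "replace"),
        e.name.decode("ascii", "replace"),
        e.data.hex(),
    )


def perms_ok(mode: int, owner_uid: int, expected_uid: int) -> bool:
    """The file should belong to the display's user and be closed to group and others (0600)."""
    return owner_uid == expected_uid and (stat.S_IMODE(mode) & 0o077) == 0


# Constructed sample: one record for display :1 on a host called "hash" with a
# made-up cookie. Not taken from the machine.
SAMPLE_XAUTH = build_xauthority([
    XauthEntry(256, b"hash", b"1", b"MIT-MAGIC-COOKIE-1",
               bytes.fromhex("00112233445566778899aabbccddeeff")),
])

if __name__ == "__main__":
    for entry in parse_xauthority(SAMPLE_XAUTH):
        print(describe(entry))
    print("empty file ->", parse_xauthority(b""))
    print("0600 owned by uid 1001:", perms_ok(0o100600, 1001, 1001),
          "| 0666:", perms_ok(0o100666, 1001, 1001))
```

On a real host the parse input would be open(os.path.expanduser("~/.Xauthority"), "rb").read() and the perms_ok arguments would come from os.stat; the cookie data is what the X server compares on connect, so whoever can write this file for a display decides who may open windows on it.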


Now we can create a .ssh folder and upload our public key.

Now we can log in over SSH as user maria.

Run sudo -l.

Check /usr/bin/c_rehash: it is a Perl script.

Running it without any parameters does nothing.

Looking at the source code, we notice that c_rehash needs openssl.

The online help page confirms that openssl is the key.

Enter maria's home folder, create a fake openssl, then run c_rehash. BOOM! We finally get root.
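The root step works because c_rehash runs "openssl" by name and lets the search path decide which file that is. The post does not show how the fake openssl came to be found first, so the added Python example below (mine, not the post's or OpenSSL's code) models the two things a defender checks after `sudo -l`: which PATH a command inherits under sudo (env_reset with or without secure_path) and which binary a bare command name resolves to in that PATH. The in-memory filesystem, the user PATH and the writable directories are constructed for the example; the secure_path string is Debian's default and is an assumption about the box's own sudoers.

```python
from typing import Dict, List, Optional, Set

# Debian's default secure_path from /etc/sudoers (assumption: check the host's own sudoers).
DEFAULT_SECURE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


def effective_path(user_path: str, env_reset: bool = True,
                   secure_path: Optional[str] = DEFAULT_SECURE_PATH) -> List[str]:
    """PATH a command run through sudo will see.

    With env_reset and secure_path in effect sudo replaces PATH outright;
    without secure_path the invoking user's PATH is passed through. An empty
    entry ("a::b" or a leading/trailing colon) means the current directory.
    """
    source = secure_path if (env_reset and secure_path) else user_path
    return ["." if d == "" else d for d in source.split(":")]


def resolve(command: str, path: List[str], fs: Dict[str, Set[str]]) -> Optional[str]:
    """Toy execvp(): the first PATH directory holding an executable named `command`.

    `fs` maps a directory to the executable names it contains. A command that
    contains a slash is taken literally and never searched for, which is why
    privileged scripts should call /usr/bin/openssl rather than openssl.
    """
    if "/" in command:
        return command
    for d in path:
        if command in fs.get(d, set()):
            return "%s/%s" % (d, command)
    return None


def path_findings(path: List[str], writable_by_invoker: Set[str]) -> List[str]:
    """Flag PATH entries an unprivileged caller could populate ahead of the real binary."""
    findings = []
    for i, d in enumerate(path):
        if d == ".":
            findings.append("entry %d: '.' (current directory) is searched" % i)
        elif d in writable_by_invoker:
            findings.append("entry %d: %s is writable by the invoking user" % (i, d))
    return findings


# Constructed layout: the real openssl in /usr/bin and a file of the same name
# in maria's home directory. Which one a script run via sudo executes depends
# only on the PATH it inherits.
CONSTRUCTED_FS = {
    "/usr/bin": {"openssl", "perl", "c_rehash"},
    "/home/maria": {"openssl"},
}
USER_PATH = "/home/maria:/usr/local/bin:/usr/bin:/bin"   # constructed
WRITABLE_BY_MARIA = {"/home/maria", "/tmp"}               # constructed

if __name__ == "__main__":
    cases = (
        ("user PATH passed through", effective_path(USER_PATH, secure_path=None)),
        ("secure_path enforced", effective_path(USER_PATH)),
    )
    for label, path in cases:
        print(label, "->", resolve("openssl", path, CONSTRUCTED_FS),
              path_findings(path, WRITABLE_BY_MARIA))
```

The two mitigations the model makes visible are the ones to apply: keep secure_path set for sudo (or never grant sudo on a script that shells out by bare name), and have the script reference its helpers by absolute path, which resolve() honours without any search.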
