Windy's little blog

All the odds and ends of life, and I like CTF.

HackMyVm Driftingblues5 Walkthrough

A not-so-easy machine made by tasiyanci; it can be downloaded here.

Thanks to tasiyanci for the hints.


An Nmap scan shows two open ports: 22 and 80.

Port 80 serves a WordPress site.

Running WPScan against the site enumerates some usernames, but it finds no vulnerable plugins.

wpscan --url http://192.168.56.67 -e u,ap,at --no-banner --no-update --api-token my_token --plugins-detection aggressive --force

Generate a wordlist (dictionary) from the site's content.

Use WPScan or Hydra to brute-force the WordPress login with the enumerated usernames and that wordlist.

After logging in to WordPress, gill turns out to be a normal user with no rights to modify theme templates.

In the media library there is a strange picture that is not attached to any post.

Download the picture and run strings on it; it contains an SSH password for gill.

Log in over SSH as gill; the home folder contains a keyfile.kdbx.

The file is a KeePass2 database, which could be decrypted with keepass2john and john. But I tried a lot of times and failed. I discussed it with the author; maybe it's because of an encoding problem in my Linux terminal.

So I made a simple bash script to decrypt it, which uses kpcli. It will take more than an hour and a half on my machine if decrypting with rockyou.txt. Here I just use a shorter dictionary supplied by the author.

# Feed each candidate master password to kpcli's "open" command and stop at the
# first one whose output does not contain "invalid" (the wrong-password error).
while IFS= read -r line; do
  echo "$line"
  out="$(echo "$line" | kpcli --command='open keyfile.kdbx' 2>&1)"
  if ! echo "$out" | grep -q 'invalid'; then
    echo "The correct password is $line"
    break
  fi
done < /usr/share/wordlists/rockyou.txt

Open the file in KeePass2; it holds 6 entries.

Checking the root of the filesystem reveals a strange folder, which is empty at the moment.

Upload pspy64 and run it; it shows that root runs a script every minute.

In fact, key.sh looks for one specific file in /keyfolder, and only that one file.

Try creating new files in /keyfolder named after the entries in keyfile.kdbx. Once we hit the right name, a new file appears.
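As a defensive counterpart to the cron finding above, here is an added audit script (my own, not from the walkthrough or the VM) that reads /etc/crontab-style rows, takes the scripts root runs from them, and flags any directory those scripts reference that group or others can write to, which is the condition that lets a low-privileged user feed key.sh a file. The crontab row and the key.sh body are constructed stand-ins (the real key.sh is not shown on the page), /etc/hostname stands in for a safe root-owned path, and ABS_PATH is a simple heuristic for absolute paths in shell text.

```python
import os, re, stat, tempfile

ABS_PATH = re.compile(r"(?<![\w./-])/(?:[\w.-]+/)*[\w.-]+")  # absolute paths in shell text


def parse_root_cron_commands(crontab_text):
    """First absolute path of each /etc/crontab row (5 time fields, user, command) run as root."""
    scripts = []
    for line in crontab_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0].startswith("#") or fields[5] != "root":
            continue
        if m := ABS_PATH.search(" ".join(fields[6:])):
            scripts.append(m.group(0))
    return scripts


def writable_by_non_owner(path):
    """True if group or others hold write permission on path."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_root_script(script_path):
    """Directories a root-run script touches that non-owners can write to."""
    risky = set()
    with open(script_path) as fh:
        for line in fh:
            if line.lstrip().startswith("#"):
                continue  # comments (and the shebang) are not executed
            for p in ABS_PATH.findall(line):
                d = p if os.path.isdir(p) else os.path.dirname(p)
                if os.path.isdir(d) and writable_by_non_owner(d):
                    risky.add(d)
    return sorted(risky)


def build_fixture():
    """Constructed stand-in for the VM layout; the real key.sh is not on the page."""
    base = tempfile.mkdtemp()
    keyfolder = os.path.join(base, "keyfolder")
    os.mkdir(keyfolder)
    os.chmod(keyfolder, 0o777)  # anyone can drop a file here: that is the flaw
    script = os.path.join(base, "key.sh")
    with open(script, "w") as fh:  # /etc/hostname stands in for a safe, root-owned path
        fh.write(f"#!/bin/bash\nls {keyfolder}\ncat /etc/hostname\n")
    return f"* * * * * root {script}\n", script, keyfolder


if __name__ == "__main__":
    crontab, script, keyfolder = build_fixture()
    for s in parse_root_cron_commands(crontab):
        print(s, "flags:", audit_root_script(s))
```

On a real host, point parse_root_cron_commands at the contents of /etc/crontab and /etc/cron.d/* instead of the fixture; a script is only flagged when some directory it names is group- or world-writable.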

The root password is in that new file, so we can become root.

  • Comment list
  •  Guest
     Posted on 2021-03-03 13:15:52
  • Bro, have you managed to solve hackmyvm's baseME? I got stuck after the base64 decoding on the homepage.

Powered By Z-BlogPHP 1.7.1