Windy's little blog

All the odds and ends of everyday life, and I like CTF.

HackMyVm Eighty Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Eighty


Interesting machine, thanks sML@HackMyVm.

Scan ports.

[screenshot: nmap port scan]


Port 80 is closed at this point. Port 70 is not HTTP but Gopher, an older text-based protocol I was not familiar with.

Port 70 can be browsed with a client that speaks Gopher: the "gopher" terminal client, lynx, or curl (which accepts gopher:// URLs). Modern Firefox has no built-in Gopher support, so it needs an add-on.

[screenshot: Gopher listing on port 70]

Download howtoconnect.txt and check it.

[screenshot: howtoconnect.txt]


It describes a port-knocking sequence, so we knock the listed ports in order.

sudo hping3 -S 192.168.56.100 -p 4767 -c 1; sudo hping3 -S 192.168.56.100 -p 2343 -c 1; sudo hping3 -S 192.168.56.100 -p 3142 -c 1


Scanning again, port 80 is now open.

[screenshot: rescan showing port 80 open]
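The knock and the follow-up check, scripted as an added example (this is not code from the original post). A plain TCP connect() attempt sends the same SYN that hping3 -S sends, and a SYN is what a knock daemon such as knockd watches for, so no raw sockets or root are needed. The host, knock ports and guarded port are taken from the commands above; the delay, timeout values and the before/after check are assumptions.

```python
import errno
import socket
import time

# Values taken from the walkthrough; delay and timeout are assumptions.
HOST = "192.168.56.100"
KNOCK_SEQUENCE = (4767, 2343, 3142)   # order matters: a wrong port resets the sequence
GUARDED_PORT = 80


def knock(host, ports, delay=0.5, timeout=1.0):
    """Send one SYN (a TCP connect attempt) to each port, in order.

    Knock ports are closed or filtered, so each attempt is expected to end
    in 'refused' (an RST came back) or 'timeout' (the SYN was dropped).
    The daemon has still seen the SYN, so those outcomes are not errors.
    Returns [(port, outcome), ...] in knock order.
    """
    results = []
    for port in ports:
        try:
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
                s.settimeout(timeout)
                s.connect((host, port))
            outcome = "open"
        except socket.timeout:
            outcome = "timeout"
        except OSError as exc:
            outcome = "refused" if exc.errno == errno.ECONNREFUSED else "error"
        results.append((port, outcome))
        if delay:
            time.sleep(delay)   # let the daemon register each knock separately
    return results


def port_open(host, port, timeout=2.0):
    """True if a full TCP handshake with host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def knock_and_verify(host=HOST, ports=KNOCK_SEQUENCE, guarded=GUARDED_PORT):
    """Knock, then report whether the guarded port opened as a result."""
    before = port_open(host, guarded)
    outcomes = knock(host, ports)
    after = port_open(host, guarded)
    return {"before": before, "knocks": outcomes, "after": after}


if __name__ == "__main__":
    report = knock_and_verify()
    for port, outcome in report["knocks"]:
        print("knock %5d -> %s" % (port, outcome))
    print("port %d open: before=%s after=%s"
          % (GUARDED_PORT, report["before"], report["after"]))
```

If the knock does not take, try a slightly longer delay between knocks: some daemons need each SYN to arrive as a separate event, and a sequence sent too quickly from a busy host can be logged out of order.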


Enumerating port 80, robots.txt points to the nginx server config file.

[screenshot: robots.txt and the nginx config]


Add henry.eighty.hmv and susan.eighty.hmv to /etc/hosts and scan both vhosts.

This turns up lostpasswd.txt at http://susan.eighty.hmv/web/, which contains susan's password.

[screenshot: lostpasswd.txt]


Next we need .google-auth.txt, which lives in /home/susan/secret/. The nginx config shows that directory is not served directly.

The config is, however, vulnerable to the classic nginx "double dot" (alias traversal) mistake: a request containing ".." right after the aliased prefix climbs out of the served directory, so we can fetch the file that way.

[screenshot: .google-auth.txt fetched through the traversal]
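A small model of why the "double dot" request works, added here as an example and not taken from the machine. The location /web { alias /home/susan/web/; } pair below is an assumed illustration of the classic pattern (the real config is only in the screenshot). nginx resolves "." and ".." segments in the request URI before matching locations, then substitutes the alias for the matched prefix. When the prefix has no trailing slash, the segment "web.." is not a ".." segment, so it survives normalisation, and after substitution the path reads alias + "../", which escapes the aliased directory. With a trailing slash on the location the same request no longer matches.

```python
import posixpath

# ASSUMED illustration of the classic off-by-slash pattern, not the machine's config.
VULNERABLE = {"location": "/web", "alias": "/home/susan/web/"}
FIXED = {"location": "/web/", "alias": "/home/susan/web/"}


def resolve(uri, location, alias):
    """Filesystem path nginx would open for `uri`, or None if the prefix
    location does not match. Models URI normalisation followed by alias
    substitution for a prefix location."""
    norm = posixpath.normpath(uri)   # '/web/../x' -> '/x'; '/web../x' is unchanged
    if not norm.startswith(location):
        return None
    # nginx replaces the matched prefix with the alias value verbatim
    return posixpath.normpath(alias + norm[len(location):])


def escapes(path, root):
    """True if the resolved path lies outside the directory the alias serves."""
    root = posixpath.normpath(root)
    return posixpath.commonpath([path, root]) != root


def check(uri, cfg):
    """Return (resolved_path, escaped?) for a request under one config."""
    path = resolve(uri, cfg["location"], cfg["alias"])
    return path, (path is not None and escapes(path, cfg["alias"]))


if __name__ == "__main__":
    requests = [
        "/web/lostpasswd.txt",               # legitimate file under the alias
        "/web../secret/.google-auth.txt",    # the traversal
        "/web/../secret/.google-auth.txt",   # normalised away before matching
    ]
    for name, cfg in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print("== location %s (%s)" % (cfg["location"], name))
        for uri in requests:
            path, esc = check(uri, cfg)
            print("  %-34s -> %-40s %s" % (uri, path, "ESCAPES" if esc else ""))
```

The fix is the trailing slash on the location (or using root instead of alias), as the FIXED config shows: the escaping request simply fails to match. Note that the legitimate /web/lostpasswd.txt request resolves to the same file under both configs, so the fix does not break the site.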


Install the Google Authenticator app on a phone or an emulator and enter the secret key from the first line of .google-auth.txt.

The app then produces a time-based (TOTP) verification code.

[screenshot: Google Authenticator code]
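The same code can be computed without a phone. The following is an added example, not code from the post: it implements RFC 4226 HOTP and RFC 6238 TOTP exactly as Google Authenticator does (HMAC-SHA1, 30-second steps, 6 digits) from the base32 secret on the first line of the file. The sample file is constructed in the libpam-google-authenticator layout (first line the secret, lines starting with `" ` options, remaining numeric lines emergency scratch codes) and uses the RFC 6238 test key rather than the machine's real secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# CONSTRUCTED sample in the libpam-google-authenticator layout; the secret
# is the RFC 6238 test key ("12345678901234567890" in base32), not the machine's.
SAMPLE_GOOGLE_AUTH_TXT = """\
GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
87654321
"""


def parse_google_auth(text):
    """Split a .google-auth.txt into (secret, options, scratch_codes).
    Scratch codes are single-use logins that bypass TOTP entirely, so
    leaking this file hands over more than the seed."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]
    secret = lines[0]
    options = [l[2:] for l in lines[1:] if l.startswith('" ')]
    scratch = [l for l in lines[1:] if l.isdigit()]
    return secret, options, scratch


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1(key, counter) -> dynamic truncation -> mod 10^digits."""
    s = secret_b32.strip().upper().replace(" ", "")
    key = base64.b32decode(s + "=" * (-len(s) % 8))   # pad unpadded seeds
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return "%0*d" % (digits, code)


def totp(secret_b32, timestamp=None, step=30, digits=6):
    """RFC 6238 TOTP as Google Authenticator computes it."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret_b32, int(timestamp) // step, digits)


def totp_window(secret_b32, timestamp=None, skew=1):
    """Codes the PAM module accepts around 'now' with WINDOW_SIZE 3
    (previous, current, next step); handy when the VM's clock drifts."""
    if timestamp is None:
        timestamp = time.time()
    base = int(timestamp) // 30
    return [hotp(secret_b32, base + i) for i in range(-skew, skew + 1)]


if __name__ == "__main__":
    secret, options, scratch = parse_google_auth(SAMPLE_GOOGLE_AUTH_TXT)
    print("secret      :", secret)
    print("options     :", options)
    print("scratch     :", scratch)
    print("current code:", totp(secret))
    print("accepted now:", totp_window(secret))
```

If the generated code is rejected at the SSH prompt, compare the VM's clock with yours: TOTP on both sides depends only on the shared secret and the current time, so a few minutes of drift is enough to move outside the accepted window.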


SSH in as susan: enter the password from lostpasswd.txt, then the verification code from Google Authenticator.

[screenshot: SSH login as susan]


A search for SUID binaries turns up doas; there is no sudo on the box.

doas (OpenBSD's sudo replacement, OpenDoas on Linux) does the same job: a setuid-root binary that runs commands as another user according to the rules in its doas.conf.

[screenshot: SUID search showing doas]


To see what doas permits, search the filesystem for files with "doas" in the name.

That finds doas.conf.

[screenshot: doas.conf]


The config only allows running gopher as root. gopher is a terminal Gopher client, so we use it to connect to localhost on port 70:

doas gopher gopher://127.0.0.1


On the main page, press "?" to open the help screen, which lists this:

[screenshot: gopher client help showing the shell escape]


Pressing "$" runs the client's shell escape. Because gopher was started through doas, the spawned shell runs with root privileges.

[screenshot: root shell]

