NepCodeX

Byte Musings: Where Tech Meets Curiosity


Hundred – Writeup – HackMyVM – Walkthrough

walkthrough writeup hackmyvm security hundred

Hundred is an easy machine from HackMyVM. The author of the machine is SML, who created it to celebrate 100 machines on the platform. The machine is pretty easy but requires a few special techniques to get to root.

Link to the machine: https://hackmyvm.eu/machines/machine.php?vm=Hundred

Identify the target

Firstly, I identified the IP address of the target.

fping -aqg 10.0.0.0/24
The IP address of the target is 10.0.0.14

Scan open ports

Next, I scanned the open ports to know the exposed services on the target.

nmap -v -T4 -p- -sC -sV -oN nmap.log 10.0.0.14
Nmap scan results

From the nmap scan results, we see that ports 21, 22 and 80 are open. Furthermore, the FTP server allows anonymous access, and the directory listing shows files that look like private keys. So, I logged into the FTP server anonymously and downloaded all the files.

Anonymous access to FTP

I like to use lftp as an FTP client. The trailing comma in the command below passes an empty password for the anonymous user.

lftp -u anonymous, 10.0.0.14

# in client
mget *
The files on the FTP server

id_rsa is a fake private key and it just has a bunny on it.

The content of id_rsa

However, id_rsa.pem looks like a genuine private key.

The content of id_rsa.pem file

Similarly, the users.txt file lists some users from the HackMyVM platform. At the bottom of the file, however, there is a possible username, ‘hmv’.

The content of users.txt file

Anyway, the private key didn’t work for SSH as that user. So, I looked further at the webserver.

Enumerate the webserver

On the page source of the website, we see some information.

Page source of the website

The page as a whole tells us that there is a directory we can reach by using the key. We might also get some information by applying steganography to the logo.jpg file. Back to the key: information can be encrypted with an RSA key using OpenSSL’s rsautl, and the result would be a file like the one referenced in the CSS style. Hence, I checked whether that file exists.

wget http://10.0.0.14/h4ckb1tu5.enc
The encrypted file is downloaded

I downloaded the file and ran the following command, which decrypts it with the private key I downloaded earlier.

openssl rsautl -decrypt -inkey id_rsa.pem -in h4ckb1tu5.enc -out key
cat key
A path is decrypted using the private key
The path shows nothing

Here, we don’t see anything on the path, so I bruteforced the directory contents.

gobuster dir -r -u http://10.0.0.14/softyhackb4el7dshelldredd/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -o dir-softyhack.log
The paths on the newly found directory

Here, we have another file that looks like a private key.

wget http://10.0.0.14/softyhackb4el7dshelldredd/id_rsa -O id_rsa
chmod 600 id_rsa

However, when I tried logging in as the user hmv, it asked me for the passphrase. Therefore, I had to find it. As I said earlier, we have a logo.jpg file on which we can perform steganography and extract hidden information. The rockyou.txt wordlist didn’t work, but the users.txt file contained the passphrase.

wget http://10.0.0.14/logo.jpg
stegseek logo.jpg users.txt -xf output
cat output
The passphrase is extracted from the logo.jpg file
SSH shell of hmv

Root privilege escalation

The root privilege escalation is also easy on this machine. The /etc/shadow file is writable by everyone. Thus, I could overwrite the file to set the root password.

The file permissions on the /etc/shadow file

Since we don’t have read access to the file, we have to overwrite it rather than edit a single entry. Also, check the following link to understand the shadow file format.

https://www.cyberciti.biz/faq/understanding-etcshadow-file/

Thus, I updated the password to “root” as follows.

openssl passwd # enter new password "root"; prints a 13-character crypt(3) hash
echo root:ZY300BQ.Lbmo6:18844:0:99999:7::: > /etc/shadow
su -l
The root shell
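The escalation above works only because of two misconfigurations: the shadow file's mode lets non-root users write it, and a weak password hash is accepted. The following script is an added example written for this writeup, not code from the original post or from HackMyVM. It parses shadow(5) lines into their nine fields, classifies the hash by the crypt(5) prefix, and reports a permission mode that would let other users read or write the file. The sample lines are constructed for the demonstration (the root line reuses the hash shown above; the hmv hash value is a placeholder, not a real sha512crypt digest).

```python
"""Audit shadow-file entries and permissions (added example, not from the writeup)."""
import stat
from dataclasses import dataclass

# Hash prefixes documented in crypt(5). A 13-character value with no '$'
# is the legacy DES-based crypt format, which the writeup's `openssl passwd`
# call produced.
HASH_PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
}

# Constructed sample lines; the root line reuses the hash from the writeup.
SAMPLE_SHADOW = [
    "root:ZY300BQ.Lbmo6:18844:0:99999:7:::",
    "hmv:$6$constructedsalt$constructedhashvalue:18844:0:99999:7:::",  # placeholder hash
    "guest::18844:0:99999:7:::",
    "daemon:*:18844:0:99999:7:::",
]


@dataclass
class ShadowEntry:
    user: str
    hash: str
    lastchange: str
    minage: str
    maxage: str
    warn: str
    inactive: str
    expire: str
    reserved: str


def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one shadow(5) line into its nine colon-separated fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    return ShadowEntry(*fields)


def hash_type(h: str) -> str:
    """Classify the password field: empty, locked, a named crypt scheme, or unknown."""
    if h == "":
        return "empty"
    if h.startswith(("!", "*")):
        return "locked"
    for prefix, name in HASH_PREFIXES.items():
        if h.startswith(prefix):
            return name
    if len(h) == 13 and "$" not in h:
        return "descrypt"
    return "unknown"


def audit_entries(lines):
    """Return (user, finding) pairs for accounts whose password field is risky."""
    findings = []
    for line in lines:
        entry = parse_shadow_line(line)
        kind = hash_type(entry.hash)
        if kind == "empty":
            findings.append((entry.user, "empty password field: login without a password"))
        elif kind in ("descrypt", "md5crypt"):
            findings.append((entry.user, f"weak hash algorithm ({kind}); rehash with sha512crypt or yescrypt"))
        elif kind == "unknown":
            findings.append((entry.user, "unrecognised hash format"))
    return findings


def audit_mode(mode: int):
    """Return permission problems for a shadow file's st_mode; expected mode is 0640 or stricter."""
    issues = []
    if mode & stat.S_IWOTH:
        issues.append("world-writable")
    if mode & stat.S_IWGRP:
        issues.append("group-writable")
    if mode & stat.S_IROTH:
        issues.append("world-readable")
    return issues


if __name__ == "__main__":
    import os
    for user, finding in audit_entries(SAMPLE_SHADOW):
        print(f"{user}: {finding}")
    for issue in audit_mode(os.stat("/etc/shadow").st_mode):
        print(f"/etc/shadow: {issue}")
```

Run on a real host, the permission check reads the mode of /etc/shadow; a finding of "world-writable" is exactly the condition this machine exposes, and a "descrypt" entry means the password was hashed with the legacy scheme that `openssl passwd` emits without an algorithm flag.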

Check my walkthrough of ICMP from Vulnhub.


