Hundred – Writeup – HackMyVM – Walkthrough
Hundred is an easy machine from HackMyVM. The author of the machine is SML, and he created it to celebrate 100 machines on the platform. The machine is pretty easy but requires a few special techniques to get root.
Link to the machine: https://hackmyvm.eu/machines/machine.php?vm=Hundred
Identify the target
Firstly, I identified the IP address of the target.
fping -aqg 10.0.0.0/24
Scan open ports
Next, I scanned the open ports to know the exposed services on the target.
nmap -v -T4 -p- -sC -sV -oN nmap.log 10.0.0.14
From the nmap scan results, we see that ports 21, 22 and 80 are open. Furthermore, the FTP server allows anonymous access, and its listing contains files that look like private keys. So, I logged into the FTP server anonymously and downloaded all the files.
Anonymous access to FTP
I like to use lftp as an FTP client.
lftp -u anonymous, 10.0.0.14
# in client
mget *
id_rsa is a fake private key: it just has a bunny drawn in it.
However, id_rsa.pem looks like a genuine private key.
Similarly, the users.txt file lists some users of the HackMyVM platform, and at the bottom of the file there is a likely username, ‘hmv’.
Anyway, the private key didn’t work for the user. So, I further looked at the webserver.
Enumerate the webserver
On the page source of the website, we see some information.
The page as a whole tells us that there is a directory we can reach by using the key, and that we might get more information by doing steganography on the logo.jpg file. Back to the key: the page hints that some information was encrypted with OpenSSL rsautl, which we can reverse with the RSA private key. A file produced that way would match the filename referenced in the CSS style, so I checked whether that file exists.
wget http://10.0.0.14/h4ckb1tu5.enc
I downloaded the file and decrypted it with the following command, using the private key that I downloaded from the FTP server.
openssl rsautl -decrypt -inkey id_rsa.pem -in h4ckb1tu5.enc -out key
cat key
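The decryption step above works because of the relationship between the two halves of an RSA key pair: the .enc file was produced with the public key, and only the matching private key recovers it. The following shell script is an added example, not part of the original writeup, that rebuilds that round trip with a freshly generated key pair and adds a modulus comparison to confirm that a private key belongs with a given public key before you try it. It uses openssl pkeyutl, the current replacement for the deprecated rsautl (same default PKCS#1 v1.5 padding, so the writeup's rsautl -decrypt and pkeyutl -decrypt are interchangeable). It assumes the openssl CLI is installed; the function names and file paths are mine.

```shell
#!/bin/sh
# Added example (not the writeup's commands): RSA encrypt/decrypt round trip
# with OpenSSL and a check that a private key pairs with a public key.
# Assumes the openssl CLI (1.1 or 3.x). All keys and files are constructed here.

# make_keypair DIR
# Generate a fresh 2048-bit RSA key pair: DIR/priv.pem and DIR/pub.pem.
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/priv.pem" 2>/dev/null
    openssl rsa -in "$1/priv.pem" -pubout -out "$1/pub.pem" 2>/dev/null
}

# encrypt_with_pub PUB_PEM IN_FILE OUT_FILE
# Encrypt with the PUBLIC key (PKCS#1 v1.5 padding, the rsautl default).
encrypt_with_pub() {
    openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" -out "$3"
}

# decrypt_with_priv PRIV_PEM IN_FILE
# Decrypt with the PRIVATE key and print the plaintext; this is the step the
# writeup performs with "openssl rsautl -decrypt".
decrypt_with_priv() {
    openssl pkeyutl -decrypt -inkey "$1" -in "$2"
}

# keys_match PRIV_PEM PUB_PEM
# Returns 0 when both keys share the same modulus, i.e. they are a pair.
# Cheaper and more reliable than "try to decrypt and see what comes out".
keys_match() {
    a=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null | openssl sha256)
    b=$(openssl rsa -pubin -in "$2" -noout -modulus 2>/dev/null | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Demo with a constructed key pair and a constructed plaintext.
demo=$(mktemp -d)
make_keypair "$demo"
printf 'constructed secret path\n' > "$demo/msg"
encrypt_with_pub "$demo/pub.pem" "$demo/msg" "$demo/msg.enc"
if keys_match "$demo/priv.pem" "$demo/pub.pem"; then
    decrypt_with_priv "$demo/priv.pem" "$demo/msg.enc"
fi
rm -rf "$demo"
```

The modulus check matters when, as on this box, several candidate keys are lying around: depending on the OpenSSL version, decrypting with the wrong private key either errors out or (with implicit rejection in newer releases) yields random bytes, whereas comparing moduli gives a definite answer.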
The key file contains a directory path. Visiting that path shows nothing, so I bruteforced its contents.
gobuster dir -r -u http://10.0.0.14/softyhackb4el7dshelldredd/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -o dir-softyhack.log
Here, we have another file that looks like a private key.
wget http://10.0.0.14/softyhackb4el7dshelldredd/id_rsa -O id_rsa
chmod 600 id_rsa
However, when I tried logging in as the user hmv, it asked me for the passphrase. Therefore, I had to find it. As I said earlier, we have a logo.jpg file that we can perform steganography on. rockyou.txt didn’t work as the wordlist, but users.txt yielded the passphrase.
wget http://10.0.0.14/logo.jpg
stegseek logo.jpg users.txt -xf output
cat output
Root privilege escalation
The root privilege escalation is also easy on this machine. The /etc/shadow file is writable by everyone. Thus, I could update the file to set the password of root.
Since we don’t have read access to the file, we have to overwrite it entirely. Please check the following link to understand the shadow file format.
https://www.cyberciti.biz/faq/understanding-etcshadow-file/
Thus, I updated the password to “root” as follows.
openssl passwd # enter new password "root"
echo root:ZY300BQ.Lbmo6:18844:0:99999:7::: > /etc/shadow
su -l
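A world-writable /etc/shadow is a permissions defect rather than a software bug, and it is trivial to detect. The following shell script is an added example, not taken from the writeup, that checks a shadow-style file for world bits and the group-write bit, and decodes the fields of each entry in the format the linked page describes (the writeup's root entry carries a 13-character hash with no $id$ prefix, which is the legacy DES crypt format). It assumes GNU coreutils stat and awk, and runs on a constructed sample so it needs no root; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the writeup: audit a shadow-style file for the
# misconfiguration exploited above and decode its entries.
# Assumes GNU coreutils stat (-c '%a' prints the octal mode without a leading zero).

# check_shadow_perms FILE
# Returns 0 when FILE has no permission bits for "other" and no group-write
# bit (e.g. 0640 root:shadow or 0600 root:root), 1 when it is exposed,
# 2 when it cannot be stat'ed. Ownership (root) is reported separately.
check_shadow_perms() {
    file="$1"
    mode=$(stat -c '%a' "$file") || return 2
    other=$(printf '%s' "$mode" | tail -c 1)                # last octal digit
    group=$(printf '%s' "$mode" | tail -c 2 | head -c 1)    # second-to-last digit
    if [ "$other" -ne 0 ]; then
        echo "$file: mode $mode gives world access (owner $(stat -c '%U' "$file"))" >&2
        return 1
    fi
    if [ $(( group & 2 )) -ne 0 ]; then
        echo "$file: mode $mode is group-writable (owner $(stat -c '%U' "$file"))" >&2
        return 1
    fi
    return 0
}

# shadow_fields FILE
# Prints one line per entry: user, kind of password field, last change
# (days since 1970-01-01), minimum and maximum age, warning period.
shadow_fields() {
    awk -F: '
    {
        pw = $2
        if (pw == "")              kind = "EMPTY: login without password"
        else if (pw ~ /^[!*]/)     kind = "locked/disabled"
        else if (pw ~ /^\$1\$/)    kind = "MD5-crypt"
        else if (pw ~ /^\$5\$/)    kind = "SHA-256-crypt"
        else if (pw ~ /^\$6\$/)    kind = "SHA-512-crypt"
        else if (pw ~ /^\$y\$/)    kind = "yescrypt"
        else if (length(pw) == 13) kind = "DES-crypt (legacy, 13 chars)"
        else                       kind = "unknown"
        printf "%s: %s lastchange=%s min=%s max=%s warn=%s\n", $1, kind, $3, $4, $5, $6
    }' "$1"
}

# Demo on a constructed sample: the writeup's root entry plus a locked user.
sample=$(mktemp)
printf 'root:ZY300BQ.Lbmo6:18844:0:99999:7:::\nhmv:!:18844:0:99999:7:::\n' > "$sample"
chmod 666 "$sample"
check_shadow_perms "$sample" || echo "exposed, as on the Hundred box"
chmod 640 "$sample"
check_shadow_perms "$sample" && echo "permissions ok"
shadow_fields "$sample"
rm -f "$sample"
```

Run check_shadow_perms against the real /etc/shadow (and /etc/gshadow) as part of a host audit; an entry decoded as EMPTY, or a file that fails the permission check, is the condition this writeup exploits. Flagging world-read as well as world-write is deliberate: a readable shadow file hands out hashes for offline cracking even when it cannot be overwritten.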