Writeup of Gift from HackMyVM - Walkthrough

Gift from HackMyVM is the simplest machine from HackMyVM. This already has an official write-up from the author. However, I am going to use different tools to do the same job. Also, I will be resetting the machine to the original snapshot to compare the speed of the bruteforcing. But, I will not take into account the performance change of my machine. Still, I would be repeating the whole experiment 3 times. For example, Ncrack >> hydra >> Ncrack >> hydra, etc.

Link to the machine: https://hackmyvm.eu/machines/machine.php?vm=Gift

Identify the target

Firstly, we have to identify the IP address of the target. I use fping because it doesn’t require sudo permission. However, I also use netdiscover to listen indefinitely.

Method #1: Fping

fping -aqg 10.0.0.0/24

Method #2: Netdiscover

sudo netdiscover -r 10.0.0.0/24

Netdiscover shows the IP address as 10.0.0.16

Method #3: Nmap

nmap -sn 10.0.0.0/24

Like this, we can use many tools to identify a live host on the network.

Scan open ports

Next, I scanned open ports using nmap. Furthermore, it’s always better to store results in a file for future reference.

sudo nmap -v -T4 -p- -A -oN nmap.log 10.0.0.16

Nmap result shows ports 22 and ports 80 open

Check the webpage

On the homepage, we see a page suggesting not to overthink and the challenge is simple. This gives us an idea to perform password bruteforcing for the user root.

Default page suggests password bruteforcing

Bruteforce the password online

Now, we can use various tools to do the bruteforcing online. I will start with hydra. Let’s see what happens.

Hydra

hydra -l root -P /home/kali/rockyou.txt 10.0.0.16 ssh

This took about 2 minutes and 19 seconds to crack the password.

Medusa

Then, I tried with medusa.

medusa -h 10.0.0.16 -u root -P /home/kali/rockyou.txt -M ssh -v 4

Surprisingly, medusa completed the same bruteforcing attack in 23 seconds.

Ncrack

Next, I chose Ncrack as I had heard a lot about this.

ncrack -v -f --user root -P /home/kali/rockyou.txt 10.0.0.16:22

Undoubtedly, ncrack was successful in showing the result in 13 seconds. I think this is the fastest a bruteforcing attack can go.

Patator

Similarly, there is another tool called “patator” that is also fast in speed.

patator ssh_login user=root password=FILE0 0=/home/kali/rockyou.txt host=10.0.0.16 -x ignore:code=1

Here, patator also cracked the password in 19 seconds.

Then, I repeated these commands two times. The ultimate result looks as follows.

Hydra	2:19	2:19	2:20
Medusa	0:23	0:22	0:23
Ncrack	0:13	0:13	0:17
Patator	0:19	0:20	0:19

Execution time

From the table above, we see that Ncrack is the fastest and hydra is the slowest in the default settings.

Log into the server

Finally, we can log into the SSH server to get to the root. And, on the /root path, we will find the user and the root flags.

ssh root@10.0.0.16

Check my walkthrough of Hacksudo Search

Hi! Sorry for the late reply. To achieve LFI and RCE, the vulnerability must present in the server-side script (i.e.…

Hello! I wanted to explore the 'opus-details.php', so started with .php?id=<script>alert("test")</script> and got a pop up. Wanted to leverage this,…

You need to make it executable as chmod +x pspy64

i am getting -bash: ./pspy64: Permission denied. what am I suppose to do

I simply copy the public key from my .ssh/ directory to authorized_keys. In this post, I created a file in…