I am currently doing both old and new machines from HackMyVM. Pwned is the second machine from the HackMyVM platform. In this post, I will try to explain everything in detail. Furthermore, this machine works on VirtualBox. “Writeup of Pwned HackMyVM – Walkthrough”
Link to the machine: https://hackmyvm.eu/machines/machine.php?vm=Pwned
Identify the target
Firstly, I had to identify the IP address of the target. This is basically the first step in every local VM.
sudo netdiscover -r 10.0.0.0/24
Scan open ports
Next, I scanned the open ports to get the information on the exposed services on the network.
nmap -v -T4 -p- -sC -sV -oN nmap.log 10.0.0.18
From the nmap scan results, we know that the Linux distro is Debian. Similarly, there is an FTP, an SSH and an HTTP port open. Also, it didn’t list files of the FTP server. This means that we cannot access the server anonymously. Therefore, my next step would be checking the HTTP server.
Enumerate the HTTP server
The default page and its source weren’t much help. Therefore, I decided to bruteforce the paths.
ffuf -c -ic -r -u http://10.0.0.18/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -e .php,.html,.txt -of html -o dir.html
There is a path /nothing that has nothing in it. However, on the path “/hidden_text”, there is a wordlist.
There is a wordlist of paths that I can bruteforce once again.
ffuf -c -ic -r -u http://10.0.0.18FUZZ -w secret.dic -of html -o dir-secret.html
We see a login form on the target. However, there is an HTML comment in the source that gives us the credentials of the FTP user.
lftp -u ftpuser 10.0.0.18
There is a directory that contains a note and a supposed private key. Thus, I downloaded these files to my local machine.
Then, I checked the note.txt file.
From the note, I got a possible username as “ariana”. Then, using the private key, I logged in as the user.
chmod 600 id_rsa
ssh email@example.com -i id_rsa
User privilege escalation
Next, I checked the sudo permissions of the user ariana.
There is a script that the user can execute as the user selena. Let’s see the content of the script, if the permissions allow it.
We can see that the message input is executed directly as a command. Plus, the errors are redirected to /dev/null. Hence, I can enter “bash” to get a bash shell. Then, I could spawn a tty shell.
sudo -u selena /home/messenger.sh
python3 -c 'import pty;pty.spawn("/bin/bash")'
We can see above that the user belongs to the group docker. Fortunately, membership in this group can be used to escalate privileges to root.
docker image list
docker run -it --rm -v /:/mnt alpine chroot /mnt bash
Basically, what I did in the command is open an interactive “bash” terminal on the alpine image. However, I also mounted the root file system of the host to the /mnt directory. Next, I changed the root to /mnt. Since the directory structure of the host and the container is the same, this gives us “effective” access to the container. As we can see, the “root” user belongs to the container host “12cccac77f6c” and not the host “pwned”. But since we have mounted the file system and changed the root to /mnt, we will see the directory structure as that of the host machine. Also, the current root has full access to the container, so we can execute commands as the container’s root user. However, the changes take effect on the host. If you try removing the text “chroot /mnt” from the command, you will see the file system of the container. Then, if you go inside /mnt, you will see the file system of the host.
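Because docker group membership amounts to root on the host, as shown above, an administrator can audit which accounts hold it. The following is an added example, not part of the original writeup: the function names and the sample accounts in demo_constructed are assumptions, and the audit takes the group and passwd files as arguments so it can run against /etc/group and /etc/passwd or against copies.

```shell
# List accounts in the docker group: supplementary members plus primary-GID users.
# Usage: docker_group_members GROUP_FILE PASSWD_FILE [GROUP_NAME]
docker_group_members() {
    awk -F: -v g="${3:-docker}" '
        # First file is the group database: name:passwd:gid:member,member
        FILENAME == ARGV[1] {
            if ($1 == g) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        # Second file is the passwd database: field 4 is the primary GID
        gid != "" && $4 == gid { seen[$1] = 1 }
        END { for (u in seen) print u }
    ' "$1" "$2" | sort
}

# Print one warning per non-root member; return 1 if any exist, 0 otherwise.
audit_docker_group() {
    members=$(docker_group_members "$1" "$2" "${3:-docker}" | grep -vx root || true)
    if [ -z "$members" ]; then return 0; fi
    for u in $members; do
        echo "WARN: $u is in ${3:-docker}: can bind-mount / into a container (root-equivalent)"
    done
    return 1
}

# Constructed sample data (not taken from the target machine) to try the audit offline.
demo_constructed() {
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:' 'docker:x:998:selena' > "$d/group"
    printf '%s\n' 'root:x:0:0::/root:/bin/bash' \
        'selena:x:1001:1001::/home/selena:/bin/bash' \
        'build:x:1002:998::/home/build:/bin/sh' > "$d/passwd"
    rc=0
    audit_docker_group "$d/group" "$d/passwd" || rc=$?
    rm -rf "$d"
    return $rc
}
```

On a real host, call audit_docker_group /etc/group /etc/passwd; the primary-GID check catches accounts that do not appear in the group's member list.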