NepCodeX

Writeup of Pwned HackMyVM – Walkthrough


I am currently doing both old and new machines from HackMyVM. Pwned is the second machine on the HackMyVM platform. In this post, I will try to explain everything in detail. This machine runs on VirtualBox.

Link to the machine: https://hackmyvm.eu/machines/machine.php?vm=Pwned

Identify the target

First, I had to identify the IP address of the target, which is the first step for every local VM.

sudo netdiscover -r 10.0.0.0/24
[Screenshot: netdiscover output]
The IP address of the target is 10.0.0.18.

Scan open ports

Next, I scanned the open ports to get the information on the exposed services on the network.

nmap -v -T4 -p- -sC -sV -oN nmap.log 10.0.0.18

[Screenshot: Nmap scan results]

From the nmap scan results, we know that the Linux distro is Debian, and that FTP, SSH and HTTP ports are open. Nmap's FTP check did not list any files from the FTP server, which means anonymous access is not allowed. Therefore, my next step was to check the HTTP server.

Enumerate the HTTP server

The default page and its source weren’t much help. Therefore, I decided to bruteforce the paths.

ffuf -c -ic -r -u http://10.0.0.18/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -e .php,.html,.txt -of html -o dir.html

[Screenshot: ffuf scan results]

There is a path /nothing, which has nothing in it. However, the path /hidden_text serves a wordlist.

[Screenshot: wordlist of paths]

There is a wordlist of paths that I can bruteforce once again. Its entries already start with a slash, so FUZZ is placed directly after the host in the next command.

ffuf -c -ic -r -u http://10.0.0.18FUZZ -w secret.dic -of html -o dir-secret.html 

[Screenshot: /pwned.vuln is a path on the target]
[Screenshot: login form at /pwned.vuln]

We see a login form on the target. However, an HTML comment in the page source contains the credentials of the FTP user.

[Screenshot: the page source contains the username and password for the FTP server]

lftp -u ftpuser 10.0.0.18

[Screenshot: the FTP server]

There is a directory that contains a note and what appears to be a private key. Thus, I downloaded these files to my local machine.


Then, I checked the note.txt file.

[Screenshot: note.txt content]

From the note, I got a possible username, “ariana”. Then, using the private key, I logged in as that user over SSH.

chmod 600 id_rsa
ssh ariana@10.0.0.18 -i id_rsa

[Screenshot: SSH shell of ariana]

User privilege escalation

Next, I checked the sudo permissions of the user ariana.

sudo -l

[Screenshot: sudo permissions of ariana]

There is a script that the user can execute as the user selena. Let's look at the content of the script, if the permissions allow it.

cat /home/messenger.sh

[Screenshot: content of messenger.sh]

We can see that the message input is passed straight to the shell and run as a command, with errors redirected to /dev/null. Hence, entering “bash” as the message gives a bash shell as selena. Then, I could spawn a tty shell.

sudo -u selena /home/messenger.sh

[Screenshot: got the shell of selena]

python3 -c 'import pty;pty.spawn("/bin/bash")'

[Screenshot: the proper shell of selena]
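The pattern described above, as an added example that is not the machine's own /home/messenger.sh (whose content appears only in the screenshot): a shell function that hands the typed message to the shell as code, next to one that keeps the message as plain data. The function names and the demo inputs are my own assumptions.

```shell
#!/bin/sh
# Added example, not the machine's messenger.sh. Contrasts the pattern the
# walkthrough describes (message executed as a command) with a version that
# never lets the message reach the shell as code.

# Unsafe pattern: the message is evaluated by the shell and errors are hidden.
# Typing "bash" here yields an interactive shell as whoever runs the script,
# which is exactly what sudo -u selena turned into a shell as selena above.
unsafe_send() {
    eval "$1" 2>/dev/null
}

# Hardened pattern: the message is appended to a file with printf '%s', so no
# command substitution, globbing or word splitting is ever applied to it.
# Usage: safe_send <message> <file>
safe_send() {
    printf '%s\n' "$1" >> "$2"
}

# Constructed demo: the same inputs go through the hardened function and are
# stored literally, including the one that would run a command under eval.
demo_file=$(mktemp)
safe_send 'hello selena' "$demo_file"
safe_send 'bash' "$demo_file"
safe_send '$(id); echo injected' "$demo_file"
cat "$demo_file"
rm -f "$demo_file"
```

The fix is not input filtering: the message is simply never treated as code, so there is nothing to filter. If the script genuinely has to run a program with the message as an argument, quote it ("$msg") and pass it as a single argument instead of building a command string.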

We can see above that the user selena belongs to the docker group. Fortunately, this can be used to escalate privileges to root.

Reference: https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe#docker-group

docker image list
docker run -it --rm -v /:/mnt alpine chroot /mnt bash

[Screenshot: in the root shell of the container]

Basically, what I did with that command is start an interactive “bash” in a container from the alpine image. However, I also mounted the root file system of the host at /mnt inside the container, and then changed the root to /mnt. Since the tree we now see is the host's own directory structure, this gives us effective root access to the host. As we can see, the “root” user here belongs to the container host “12cccac77f6c” and not to the host “pwned”. But because we mounted the host file system and changed the root to /mnt, the directory structure we see is that of the host machine. The container's root user has full access inside the container, so we execute commands as that user, but the changes take effect on the host. If you remove the text “chroot /mnt” from the command, you will see the file system of the container instead; then, if you go into /mnt, you will see the file system of the host.
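As an added check from the defender's side, not part of the original walkthrough: the script below lists every account that belongs to a group that is effectively root-equivalent, including docker, the group that gives selena the escalation above. The list of group names, the function names and the sample /etc/group content are my own assumptions.

```shell
#!/bin/sh
# Added audit helper (not from the walkthrough). Membership in "docker" lets a
# user start a container with the host root filesystem bind-mounted, which is
# the escalation shown above, so such memberships should be reviewed like sudo.

# Groups treated as root-equivalent here (an assumption; extend as needed).
ROOT_EQUIV_GROUPS="docker lxd sudo wheel disk"

# Constructed sample of /etc/group. On a real host, call
#   root_equivalent_members /etc/group
SAMPLE_GROUP='root:x:0:
sudo:x:27:ariana
disk:x:6:
docker:x:998:selena,ariana
lxd:x:999:
users:x:100:selena'

# Usage: root_equivalent_members <group-file>
# Prints one "user group" pair per line, sorted, for the groups above.
root_equivalent_members() {
    gfile="$1"
    for g in $ROOT_EQUIV_GROUPS; do
        # field 4 is the comma-separated member list; skip empty lists
        awk -F: -v g="$g" '$1 == g && $4 != "" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) print m[i], g
        }' "$gfile"
    done | sort
}

# Usage: docker_group_populated <group-file>
# Returns 0 (true) if any account is in the docker group.
docker_group_populated() {
    root_equivalent_members "$1" | grep -q ' docker$'
}

# Demo run on the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_GROUP" > "$tmp"
root_equivalent_members "$tmp"
if docker_group_populated "$tmp"; then
    echo "docker group has members: treat them as root-equivalent"
fi
rm -f "$tmp"
```

On the sample this reports ariana in docker and sudo, and selena in docker. The mitigation is the same as for sudo: keep the docker group empty unless a user genuinely needs root, or use rootless Docker so the daemon itself does not run as root.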
