Posts

Espo - HackMyVM

Another interesting machine from cromiphi... Writeup abridged to remove the several-hour pause before making any progress!!!

Discovery:

┌──( kali㉿kali )-[ ~/hmv/espo ]
└─ $ sudo netdiscover -r 10.0.0.0/24 -i eth1 -P
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.0.0.1        08:00:27:c5:8d:93      1      60  PCS Systemtechnik GmbH
 10.0.0.161      08:00:27:4f:55:18      1      60  PCS Systemtechnik GmbH

-- Active scan completed, 2 Hosts found.

┌──( kali㉿kali )-[ ~/hmv/espo ]
└─ $ sudo nmap -sC -sV -O -p- -oN nmap.out 10.0.0.161
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-08 05:21 EST
Nmap scan report for 10.0.0.161
Host is up (0.0016s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)

Zeug - HackMyVM

This was a really nice machine, if you like to be annoyed by trying to do the same thing many different ways until you eventually get somewhere... Thank you c4rta - looking forward to your next machine ;)

Find it

sudo netdiscover -r 10.0.0.0/24 -i eth1 -P
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.0.0.1        08:00:27:41:d0:fa      1      60  PCS Systemtechnik GmbH
 10.0.0.123      08:00:27:fc:d6:0f      1      60  PCS Systemtechnik GmbH

-- Active scan completed, 2 Hosts found.

nmap -v -T4 -p- 10.0.0.123
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-07 04:21 EST
Initiating Ping Scan at 04:21
Scanning 10.0.0.123 [2 ports]
Completed Ping Scan at 04:21, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 04:21
Completed Parallel DNS resolution of 1 host

Christmas.hmv

Minimal writeup notes until I catch up...

Unable to get anywhere with thc-pptp-bruter, needed direction to use a scripted attack AND clear down /etc/ppp/chap-secrets between attempts!

pptp with username admin, password princesa

enum tunneled IP 192.168.3.1 found port 8384 open and running syncthing

apt-get install syncthing
visit http://localhost:8384 and add remote device.
publish folders on 193.168.3.1 to local kali box and then accept them (no idea what I am doing, but eventually got it to work!)

Some fun with syncthing - bypassed the intended root as the 2-way sync allows the home drive to be sync'd. As it is a 2-way sync, setting authorized_keys in the local copy pushes it to the target machine and allows ssh logon without going through the web service.

User to root

This post explains how it works. https://www.vidarholen.net/contents/blog/?p=716

HackMyVM Kitty

It's a nightmare!

1. Find subdomain target.
2. Exploit oracle padding attack on cookie to become admin and get logs.
3. sqlmap 'logs' to get users and salt table to find gitea credentials.
4. gitea holds a comment to find the fastAPI URL.
5. Find the number for some creds to get a token.
6. Crack OAUTH token and forge a new one as admin with 'isadmin=1'.
7. Find and send commands to get reverse shell.
8. Explore to find 'user' name and sshkey.
9. Use 'user' and 'www-data' to escalate to 'power' with fastcgi socket.
10. Reverse engineer regex as power to get root.

HackMyVM - System

System was not all that 'Easy' as there are a couple of places to get stuck! This is just a basic writeup and I have excluded anything unrequired. It will cover user and root flags so you can work out how to get a root shell for yourself.

Find it

┌──(kali㉿kali)-[~/system]
└─$ sudo netdiscover -r 10.0.0.0/24 -P| tee findit
[sudo] password for kali:
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.0.0.1        08:00:27:cb:bf:ce      1      60  PCS Systemtechnik GmbH
 10.0.0.65       08:00:27:8a:4b:22      1      60  PCS Systemtechnik GmbH

-- Active scan completed, 2 Hosts found.

Scan it

# Nmap 7.91 scan initiated Wed Apr  6 04:28:39 2022 as: nmap -T4 -p- -sC -sV -oN nmap.log 10.0.0.65
Nmap scan report for 10.0.0.65
Host is up (0.00038s latency).
Not shown: 65533 closed ports
PORT   ST

HackMyVM Aqua

Aqua by H1dr0 is classed as a medium difficulty machine by the author.... but there are quite a few steps you need to take to get the initial foothold. Unnecessary steps and rabbit holes have been left out and this has been arranged into order afterwards, as it was not so obvious at the time!

Find it

┌──( kali㉿kali )-[ ~/aqua ]
└─ $ sudo netdiscover -r 10.0.0.0/24 -P | tee findit
[sudo] password for kali:
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.0.0.1        08:00:27:4d:be:20      1      60  PCS Systemtechnik GmbH
 10.0.0.53       08:00:27:8b:53:11      1      60  PCS Systemtechnik GmbH

-- Active scan completed, 2 Hosts found.

Enumerate it

Lots and lots of enumeration!