HackMyVm : Away
OS: Debian
Web-Technology:
IP: 192.168.1.39
USERS:
→ lula → passphrase : Theclockisticking
=========================================================================
NMAP RESULTS:
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 f1:87:03:41:21:12:ef:80:3c:8f:07:2f:8b:3c:6e:2a (RSA)
| 256 5f:f9:ca:19:0d:74:65:2c:97:4a:36:a4:04:7c:9b:bd (ECDSA)
|_ 256 39:a4:b3:38:94:c5:d2:77:07:a1:dd:b4:2f:0a:5a:44 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
=========================================================================
Web Services Enumeration:
→ Visited http://192.168.1.39
⇒ “tula” can be an SSH user.
⇒ Machine must be using id_ED25519
⇒ Let's try to visit http://192.168.1.39/id_ed25519
⇒ Luckily, got the id_ed25519
⇒ Downloaded the file
⇒ Also downloaded the id_ed25519.pub file
⇒ Let's check both the keys.
⇒ In the public key I found the passphrase
⇒ passphrase : Theclockisticking
⇒ Let's SSH in as user tula
⇒ Got the user tula
⇒ Reading user.txt
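A defender-side check for the exposure described above (SSH key files reachable under the web root, with extra text stored alongside the public key). This is an added example, not part of the original write-up; audit_webroot, build_sample and the finding names are hypothetical, the sample files are constructed placeholders, and it assumes the passphrase sat in the public key's comment field, which the write-up does not specify.

```python
import re
import tempfile
from pathlib import Path

# PEM/OpenSSH private key header, e.g. "-----BEGIN OPENSSH PRIVATE KEY-----"
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Public key line: key type, base64 blob, optional free-text comment
PUBKEY_RE = re.compile(
    rb"^(?:ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+)[ \t]+[A-Za-z0-9+/=]+(?:[ \t]+(.*))?$")
# The only comment shape treated as harmless here: user@host
BENIGN_COMMENT_RE = re.compile(rb"^[\w.-]+@[\w.-]+$")

def audit_webroot(root):
    """Return sorted (finding, relative_path) pairs for key material under root."""
    root, findings = Path(root), set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        data = path.read_bytes()[:65536]  # key files are small; cap the read
        rel = path.relative_to(root).as_posix()
        if PRIVATE_KEY_RE.search(data):
            findings.add(("private-key-served", rel))
        for line in data.splitlines():
            m = PUBKEY_RE.match(line.strip())
            if not m:
                continue
            findings.add(("public-key-served", rel))
            comment = (m.group(1) or b"").strip()
            # Report the file only, never the comment text: it may be the secret.
            if comment and not BENIGN_COMMENT_RE.match(comment):
                findings.add(("pubkey-comment-not-user@host", rel))
    return sorted(findings)

def build_sample(root):
    """Constructed web root: file names as in the write-up, contents are placeholders."""
    root = Path(root)
    blob = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER "  # not a real key
    (root / "index.html").write_text("<html>hello</html>\n")
    (root / "id_ed25519").write_text("-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed)\n")
    (root / "id_ed25519.pub").write_text(blob + "ConstructedPassphraseText\n")
    (root / "deploy.pub").write_text(blob + "deploy@buildhost\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for finding, rel in audit_webroot(d):
            print(f"{finding}\t{rel}")
```

Run against the directory nginx actually serves; any private-key-served finding means the key pair should be rotated, not just the file removed.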
Enumeration : tula
→ sudo -l
⇒ SUID : /usr/bin/webhook as lula
→ normal Google search - https://github.com/adnanh/webhook
⇒ From this I created a hooks.json file on the target machine in /tmp
⇒ Also created rev.sh, containing the netcat reverse shell.
⇒ Now, let's run the webhook as user lula, with a netcat listener opened on port 9001
⇒ Now, let's curl that URL
⇒ Got the user lula.
Enumeration : lula
→ In manual enumeration I found nothing on the box.
=========================================================================
PRIV-ESC:
→ Run linpeas.sh on the box
→ Found /usr/bin/more as a group-writeable file
⇒ Let's try to read the SSH key of root
⇒ Assuming that root also uses the same SSH key generation as the user tula (id_ed25519)
⇒ Found the key
⇒ Let's save the key on the box and try to get root
⇒ Reading root.txt
=========================================================================