HackMyVm : Ephemeral3
OS: Ubuntu
Web-Technology:
IP: 192.168.1.34
USERS:
→ randy
→ henry
→ mrw/root
=========================================================================
Flags:
→ user.txt : REDACTED
→ root.txt : REDACTED
=========================================================================
NMAP RESULTS:
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 f0:f2:b8:e0:da:41:9b:96:3b:b6:2b:98:95:4c:67:60 (RSA)
| 256 a8:cd:e7:a7:0e:ce:62:86:35:96:02:43:9e:3e:9a:80 (ECDSA)
|_ 256 14:a7:57:a9:09:1a:7e:7e:ce:1e:91:f3:b1:1d:1b:fd (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
=========================================================================
Web Services Enumeration:
[ + Gobuster]:
→ /agency
→ /note.txt
DIRECTORY: /agency
→ Got the user “randy” from the agency homepage.
DIRECTORY: /note.txt
→ Got the message in note.txt
Exploitation:
→ Searched Google for an OpenSSL exploit
→ Reference : https://www.exploit-db.com/exploits/5720
→ Downloaded the repo required for the exploit. Download Link
→ Let's run the exploit
→ Found the key for user randy
SSH: randy
→ ssh -lrandy -p22 -i /home/kali/Desktop/ephemeral/rsa/2048/0028ca6d22c68ed0a1e3f6f79573100a-31671 192.168.1.34
→ Got the user randy
Enumeration: randy
→ sudo -l
⇒ SUID : /usr/bin/curl
→ Getting user henry
⇒ Created an SSH key
⇒ Inserted that SSH key into the target machine using SUID: /usr/bin/curl
SSH: henry
→ Logged in using the SSH key I created.
→ Reading user.txt
=========================================================================
PRIV-ESC:
→ During normal enumeration, I was able to read /etc/passwd but unable to edit it.
→ So I created a copy of /etc/passwd on the host machine, added a custom user “mrw”, and generated a SHA-512 password hash (password : pass) using the mkpasswd command.
⇒ User inserted.
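
A defender-side check for the /etc/passwd change described above, added here as an example and not part of the original write-up. It assumes the inserted account carries UID 0 and its SHA-512 hash directly in the password field; the sample file and the hash in it are constructed.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for entries like the "mrw" account.
# Assumption: the rogue entry has UID 0 and an inline hash instead of the
# usual "x" marker that points to /etc/shadow.

# audit_passwd [FILE] -> prints one finding per line as "<reason>:<user>".
# Reads standard input when FILE is omitted.
audit_passwd() {
    awk -F: '
        /^#/ || /^[ \t]*$/      { next }                          # comments, blanks
        NF != 7                 { print "malformed:" $1; next }   # wrong field count
        $3 == 0 && $1 != "root" { print "uid0:" $1 }              # extra superuser
        $2 == ""                { print "empty-password:" $1; next }
        $2 !~ /^(x|\*|!+)$/     { print "inline-hash:" $1 }       # hash outside shadow
    ' "${1:--}"
}

# Constructed sample: the three accounts named in this write-up plus root.
# The hash on the mrw line is a placeholder, not a real crypt(3) value.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
randy:x:1000:1000:randy:/home/randy:/bin/bash
henry:x:1001:1001:henry:/home/henry:/bin/bash
mrw:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:0:0:root:/root:/bin/bash
EOF
}

# Demo on the constructed sample; on a live host run: audit_passwd /etc/passwd
sample_passwd | audit_passwd
```

Any output on a production host is worth investigating. Pairing this with file-integrity monitoring on /etc/passwd catches the write itself rather than only its result.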