# HackMyVM-Attack ## NMAP ``` Nmap scan report for 192.168.1.144 Host is up (0.000080s latency). Not shown: 65532 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp ProFTPD 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) | ssh-hostkey: n | 2048 f4:8d:08:b4:99:d2:0c:5d:75:b8:22:83:7b:c2:88:15 (RSA) | 256 e2:16:0a:e7:38:4a:ec:76:cf:d3:56:78:07:fd:2f:25 (ECDSA) |_ 256 0b:5a:9c:71:cc:3b:50:04:46:18:ad:67:8a:df:d0:d6 (ED25519) 80/tcp open http nginx 1.14.2 |_http-server-header: nginx/1.14.2 |_http-title: Site doesn't have a title (text/html). MAC Address: 08:00:27:A4:8E:56 (Oracle VirtualBox virtual NIC) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 14.94 seconds ``` ## PORT 80 ## Wireshark Following the FTP data request the changing the stream we may see this request We get an id_rsa key file but we don not know the username so we can't actually use it without a vaid username so let's look for it. Going back to the ftp login on the top we can see the username and password Note says ``` I need to find the file! ``` So this is referring to the id_rsa file we found we actually went a step ahead : ) Using the username `teste` and id_rsa key let's login with ssh In `jackob`'s directory we can see that there is a note But we don't have permissions to execute and there was nothing else we could do as `teste`. So going back to the pcap file I tried to export objects as HTTP and found an archive with the same name We can see there is a difference between those two archive one we got from FTP other by exporting objects as HTTP This is the image we get Now I though this was braille so I tried different sites to convert braille image to text , used different python scripts for reading braille looked at the table for it but I couldn't figure out the pattern then I uploaded this file to a barcode reader convert and it gave me a url And we got `jackob`'s id_rsa key We can run `attack.sh` as user `kratos` So either delete or change the name of `attack.sh` and make your own attack.sh file Put `/bin/bash` in the attack.sh file Check for `sudo -l` that what we can run as root or other user What `cppw` does is it will overwrite the `/etc/passwd` file so create file in the format having a username,password hash,user_id,group_id and the home directory. I copied my root user password hash and saved it in a text file then executed the cppw binary so it saved this in the /etc/passwd and it got overwritten. Knowing my root password I successfully logged in as root without the root on that machine !!.