
This is the HackMyVM Keys Walkthrough.


Web Enumeration

The webserver is hiding interesting files; it took a few different wordlists from SecLists to find something good. What we do find is a file named readme.php, and that means we can investigate further.

gobuster dir -r -u http://10.0.50.79/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -x php

The first page we run into says to READ the page, so I inspect the page source and find a base64 string. Decoding it reveals a hidden path, my_personal_wordlist.txt. We will end up decoding several things in this walkthrough. Opening that path in the browser, we find a wordlist; this is definitely meant to be useful for brute-forcing.

Fuzzing PHP Parameters

What does that mean? Fuzzing PHP parameters is not an easy task, but it is one you need to learn to become an ethical hacker. It will probably come in handy on the OSCP exam too, who knows. Take a quick look at another tutorial for PHP param fuzzing; it will give you some more practice. That was a great box and I recommend it.

With wfuzz I use --hh BBB to filter so that we don’t get the annoying message for each page. Filters like these are built against a reference HTTP response, called the “baseline”. What is the baseline input in wfuzz? It is whatever is included in the braces right after the FUZZ keyword, i.e. FUZZ{baseline input}. For example, the previous command for filtering “not found” resources using the --hh switch could have been done with the following command: wfuzz -c -z file,pw --hh BBB 'http://10.0.50.79/readme.php?FUZZ{stfu}=../../../../../etc/passwd'

THE HACKMYVM KEYS WALKTHROUGH

One of the main reasons, if not the main reason, for PHP param fuzzing is looking for LFI (Local File Inclusion) vulnerabilities. In fact, most of the time when you run into an oddly named PHP file such as readme.php, the intended vulnerability is based on LFI or RFI.

Let’s build this logic into the fuzzing and look for valid params that confirm LFI. We find one and use it to dump the list of usernames from the remote /etc/passwd file. Success!

Another way to take this is to read the code of readme.php itself, but we can only do that through a PHP filter wrapper. We find yet another base64 string, which we can quickly decode.

http://10.0.50.79/readme.php?34sy=php://filter/convert.base64-encode/resource=readme.php

We get a hint about Z85, a kind of encoding. Decoding the string leads us to a new endpoint on the webserver, along with a new hint that there is a zip file as well. So we download both of these and check them, and there are thousands of files inside, what??
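Z85 (the ZeroMQ RFC 32 encoding) is not in every toolkit, so here is a small decoder and encoder I am adding to this walkthrough; it is not code from the box or from the original post. The box’s actual hint string is not reproduced, so the sample below is the spec’s own reference vector (“HelloWorld”), not a value from the target.

```python
# Z85 decoder/encoder (ZeroMQ RFC 32), added example for this walkthrough.
# Every 5 Z85 characters are one big-endian base-85 number worth 4 bytes.
Z85_ALPHABET = (
    "0123456789abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ.-:+=^!/*?&<>()[]{}@%$#"
)
Z85_INDEX = {c: i for i, c in enumerate(Z85_ALPHABET)}


def z85_decode(text: str) -> bytes:
    """Decode a Z85 string. Length must be a multiple of 5 and every
    character must be in the Z85 alphabet; anything else is rejected."""
    if len(text) % 5 != 0:
        raise ValueError("Z85 input length must be a multiple of 5")
    out = bytearray()
    for i in range(0, len(text), 5):
        value = 0
        for ch in text[i:i + 5]:
            if ch not in Z85_INDEX:
                raise ValueError(f"invalid Z85 character {ch!r}")
            value = value * 85 + Z85_INDEX[ch]
        if value > 0xFFFFFFFF:
            raise ValueError("Z85 group does not fit in 32 bits")
        out += value.to_bytes(4, "big")
    return bytes(out)


def z85_encode(data: bytes) -> str:
    """Encode bytes (length a multiple of 4) as Z85, 5 chars per 4 bytes."""
    if len(data) % 4 != 0:
        raise ValueError("Z85 input length must be a multiple of 4")
    groups = []
    for i in range(0, len(data), 4):
        value = int.from_bytes(data[i:i + 4], "big")
        digits = []
        for _ in range(5):
            value, d = divmod(value, 85)
            digits.append(Z85_ALPHABET[d])
        groups.append("".join(reversed(digits)))
    return "".join(groups)


if __name__ == "__main__":
    # Constructed sample: the reference vector from the Z85 spec, not the box's hint.
    sample = "HelloWorld"
    print(z85_decode(sample).hex())  # 864fd26fb559f75b
```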

A simple Bash script checks each file for differences and finds one, but it is just a note. However, it tells us we can find the key by the number 4695 in the id_rsa zip file. Did I mention you need to download that zip file?


Now we connect to the target using the RSA SSH key.

cp id_rsa/2048/private/*-4695 .

ssh stephen@target -i id_rsa_File

Privilege Escalation

As far as Linux privilege escalation goes, this was a very unusual path. We find a GPG private key and another interesting file in the directory we land in when we log in as stephen. I run John on the key and crack it to reveal the passphrase. You will need this for the next steps!

cat /var/mail/private_key.gpg
gpg2john privkey > crackme
john --w=/usr/share/wordlists/rockyou.txt crackme

The final steps are to import the key and decrypt the encrypted message. This reveals the root password, and logging in as root is then trivial.


And it’s rooted.
