Hackmyvm: BaseMe Write-up

Vishal
Nov 28, 2022

Let's solve the BaseMe machine from HackMyVM.

Let's start with nmap scanning.

Port 22 and 80 are open.

To enumerate the web I used gobuster, but it only shows index.html.

gobuster showing index.html

I visited the website in the browser, and in the page source I found something.

Page source showing hidden information

The very first line is base64 encoded, which when decoded shows:

base64 decoded string

ALL, absolutely ALL that you need is in BASE64.
Including the password that you need :)
Remember, BASE64 has the answer to all your questions.
-lucas

So this means that whatever we are going to enumerate, we need to encode and decode it with base64 and then try that.

Let's start by running gobuster again, but this time using a base64 encoded word-list. I tried a couple of lists from SecLists and common.txt worked for me.

while read -r line; do echo "$line" | base64 >> common_b64_list; done < /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt

gobuster showing enumerated directories
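
Seen from the defender's side, a scan like this leaves a recognisable trace in the web server's access log: many request paths that decode from base64 to ordinary words. The following is an added example, not part of the original write-up, that flags such clients; the log lines, threshold and function names are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed sample access-log lines; not taken from the write-up.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Nov/2022:10:00:01 +0000] "GET /YWRtaW4K HTTP/1.1" 404 153
10.0.0.5 - - [28/Nov/2022:10:00:01 +0000] "GET /YmFja3VwCg== HTTP/1.1" 404 153
10.0.0.5 - - [28/Nov/2022:10:00:02 +0000] "GET /aW5kZXgK HTTP/1.1" 404 153
10.0.0.5 - - [28/Nov/2022:10:00:02 +0000] "GET /cm9ib3RzCg== HTTP/1.1" 404 153
10.0.0.9 - - [28/Nov/2022:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [28/Nov/2022:10:00:04 +0000] "GET /test HTTP/1.1" 404 153
"""

# Client IP and first path segment of the request line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) /([^/?\s"]+)[^"]*"')
B64_TOKEN = re.compile(r'^[A-Za-z0-9+/]{4,}={0,2}$')

def decode_b64_word(segment):
    """Return the decoded word if segment is base64 of printable ASCII, else None."""
    if len(segment) % 4 or not B64_TOKEN.match(segment):
        return None
    try:
        raw = base64.b64decode(segment, validate=True)
    except (binascii.Error, ValueError):
        return None
    # `echo word | base64` also encodes the trailing newline, so strip it.
    text = raw.decode("ascii", errors="replace").rstrip("\n")
    if text and all(33 <= ord(c) <= 126 for c in text):
        return text
    return None

def flag_clients(log_text, threshold=3):
    """Map client IP -> decoded words, for clients with >= threshold such paths."""
    hits = {}
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        word = decode_b64_word(unquote(m.group(2)))
        if word:
            hits.setdefault(m.group(1), []).append(word)
    return {ip: words for ip, words in hits.items() if len(words) >= threshold}

if __name__ == "__main__":
    for ip, words in flag_clients(SAMPLE_LOG).items():
        print(ip, len(words), words)
```

A single short path can decode to printable text by chance, which is why the check counts hits per client instead of alerting on one request.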

I visited the first one in the browser and it downloaded the file.

downloaded file

It looks base64 encoded, so let's decode it back. It is an SSH private key.

We also have a potential username, “lucas”. Port 22 is open, so let's try this.

When I tried to log in, it said a password was required. I changed the permissions and tried again, but now it shows that a passphrase is required.

If you remember, we have a list of words with us which we got from the HTML page source. I tried those but I failed to get access. Then I encoded those to base64 and one of these worked for me.

ssh into the system as Lucas

For privilege escalation, I checked the SUID files but had no luck with that. Then I used the sudo -l command to list the sudo command/s that user lucas can run on the system, and it gives me:

sudo -l output

Let's try to read the id_rsa file of the root user and use that to SSH to localhost as the root user.

root’s id_rsa file
able to ssh as root
