Hackmyvm: Pwned

Vishal
4 min read · Nov 27, 2022


Let's solve the HackMyVM machine Pwned.

First, a port scan to find the open ports and the services running on them.

nmap scan to find all open ports

Find services running on the ports

FTP, SSH and HTTP servers are running on ports 21, 22 and 80 respectively.

Let's run gobuster to enumerate directories and files on the web server.

web server enumeration

The directory hidden_text seems interesting; let's visit it in the browser.

contents of secret.dic in hidden_text directory

I created a wordlist from the list above and ran gobuster again to enumerate directories and files on the web server.

pwned.vuln found during directory enumeration

It shows the page below when opened in the browser.

I tried all the default usernames and passwords, but no luck. Then I checked the source of the web page, and it showed me something important.

source code of the page pwned.vuln

If you remember, the nmap scan showed port 21 (FTP) open. I used these credentials to log in to FTP and found the files below.

id_rsa and note.txt

I downloaded both files; the contents of note.txt are:

contents of note.txt

This gives us a potential username, and we have the id_rsa file. I used this information to SSH into the system as user ariana.

SSH into the machine as user ariana

I used sudo -l to see which commands I can run on the box.

output of sudo -l

The output shows that we can run the script “messenger.sh” as user selena without a password.

contents of messenger.sh

As we can see, the message input is passed directly to the command and errors are redirected to /dev/null. I injected a bash command and got a shell as user selena.
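As an added example (not the box's messenger.sh, whose contents appear only in the screenshot), here is a constructed stand-in showing how such a script should handle the message instead of splicing it into a command and silencing errors. The function names is_safe_message and send_message and the allow-listed character set are my own choices.

```shell
#!/usr/bin/env bash
# Hardened stand-in for a "messenger"-style script (constructed example, not the box's
# messenger.sh). The flaw described in the write-up: the message is spliced straight into a
# command line, so shell metacharacters in it are interpreted, and errors are sent to
# /dev/null where nobody notices them. Fixes shown here: allow-list validation, passing the
# message as a single separate argument (never via eval or bash -c), and reporting rejected
# input on stderr instead of silently dropping it.
set -u

# Return 0 only if the message is one line of plain text with no shell metacharacters.
is_safe_message() {
    # grep tests line by line, so an embedded newline could smuggle a second, unchecked line:
    # reject any message containing a newline before pattern matching.
    nl=$(printf '%s' "$1" | wc -l)
    [ "$((nl))" -eq 0 ] || return 1
    # Letters, digits, space and basic punctuation only; no ; | & $ ` ( ) < > or quotes.
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9 .,!?_-]+$'
}

# Deliver a message to a user. The message is validated, then handed over as its own
# quoted argument so it can never be parsed as shell code.
send_message() {
    user="$1"
    msg="$2"
    if ! is_safe_message "$msg"; then
        echo "messenger: rejected message for $user (disallowed characters)" >&2
        return 2
    fi
    # Stand-in for the real delivery command (e.g. write(1) or mail(1)): it only echoes
    # what would be delivered, showing the message arrives intact as one argument.
    printf '%s: %s\n' "$user" "$msg"
}
```

Run as `send_message selena 'hello from ariana'`; a message such as `hi; id` is rejected with a message on stderr and exit status 2 rather than being executed.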

shell as user selena

Let's use python to get a better shell.

The id and groups commands show that selena is a member of the docker group. GTFOBins shows a way to mount the host's root file system inside a container. I also used the docker images command to check the images present on the system.

docker images

As per GTFOBins, I used the command docker run -v /:/mnt --rm -it alpine chroot /mnt sh

The above command runs the alpine image:

  • The -v option mounts “/” of the host machine on “/mnt” of the container.
  • The --rm option automatically removes the container when it exits.
  • The -it options give an interactive shell in the container.
  • chroot is the Linux command that changes the root file system to /mnt, and sh is the shell.

As you can see, we are inside the container and have an interactive shell in it.

interactive shell on the docker container

We can now access the mounted file system of the host machine.

I tried to change the host's /etc/passwd file or add my own root user to it to get permanent access to the host machine, but failed to do so. Please let me know how I can do that in the comments.

Hope you like this write-up.
